yuezonghe824eb0c2024-06-27 02:32:26 -07001#include "zte_mainctrl.h"
2
/* Scratch buffer filled by zte_router_nvconfig_read(); holds the value of the
 * NV item that was read last. */
char g_router_nvconfig_buf[ROUTER_NV_ITEM_VALUE_MAX_LEN];
/* Name of the IPv4 WAN interface that the iptables rules in this file bind to
 * with "-i". NOTE(review): no assignment is visible in this part of the file;
 * confirm it is populated before the *_run() functions below are called. */
char defwan_rel[ZTE_ROUTER_WAN_IF_NAME_LEN] = {0};

/* IPv6 counterpart of defwan_rel, used by the ip6tables rules. Being static it
 * is presumably assigned further down in this file — confirm. */
static char defwan6_rel[ZTE_ROUTER_WAN_IF_NAME_LEN] = {0};
//static struct url_list old_url_list;
/* Defined in another translation unit; not used in this part of the file. */
extern int g_limit_time_flag;
9
10
11/******************************************************
12* Func: system_cmd_ex
13* Desc: do system cmd, but printf it first
14* Input:
15* Output:
16* Return:
17* Others:
18* Modify Date Version Author Modification
19*
20*******************************************************/
21
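/*
 * Encode a dotted string (e.g. a host name) as a hex string in DNS label
 * form: the first byte is the length of the first label, and every '.' is
 * replaced by the length of the label that follows it; every byte is then
 * written as exactly two lower-case hex digits into `result`.
 *
 * str    - NUL-terminated input; an empty or NULL input produces no output.
 * result - caller-supplied buffer; must hold 2 * (strlen(str) + 1) + 1 bytes.
 *          It is left untouched on empty input, NULL input or allocation
 *          failure (the old "result = NULL" only changed the local copy).
 *
 * Bytes are handled as unsigned so that a character >= 0x80 prints as two
 * digits rather than a sign-extended "ffffffxx" that would overrun `result`.
 * Label lengths wrap at 256; callers are expected to pass DNS-sized labels.
 */
void str_vary_dit(char *str, char *result)
{
	size_t len;
	size_t i;
	size_t first_label_len;
	unsigned char *work;
	unsigned char label_len = 0;
	char *pos;

	if (str == NULL || result == NULL || str[0] == '\0') {
		return;
	}
	len = strlen(str);

	/* Unsigned working copy: the '.' positions are overwritten with label lengths. */
	work = malloc(len + 1);
	if (work == NULL) {
		return;
	}
	memcpy(work, str, len + 1);

	/* Length of the first label: index of the first '.', or the whole string. */
	first_label_len = len;
	for (i = 0; i < len; i++) {
		if (str[i] == '.') {
			first_label_len = i;
			break;
		}
	}

	/* Walk backwards so each '.' can be replaced by the length of the label
	 * that follows it. */
	for (i = len; i-- > 0;) {
		if (work[i] != '.') {
			label_len++;
		} else {
			work[i] = label_len;
			label_len = 0;
		}
	}

	pos = result;
	pos += sprintf(pos, "%.2x", (unsigned)first_label_len & 0xffu);
	for (i = 0; i < len; i++) {
		pos += sprintf(pos, "%.2x", (unsigned)work[i]);
	}

	free(work);
}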
65
/*
 * Run a shell command through soft_system() and log it when it fails.
 * A NULL command is logged and ignored. Nothing is returned, so the caller
 * cannot observe the command's exit status.
 */
void system_cmd_ex(char *cmd)
{
	if (cmd == NULL) {
		slog(NET_PRINT, SLOG_ERR, "system_cmd_ex: NULL-------------------------------\n");
		return;
	}

	int status = soft_system(cmd);
	if (status != 0) {
		slog(NET_PRINT, SLOG_ERR, "cmd [%s] failed \n", cmd);
	}
}
81
/*
 * Load the NV item named by i_item_name into g_router_nvconfig_buf.
 * The buffer is cleared first, so a missing item leaves it empty.
 * Returns 0 only when i_item_name is NULL, otherwise 1; the result of
 * cfg_get_item() itself is not checked.
 */
int zte_router_nvconfig_read(char *i_item_name)
{
	if (i_item_name == NULL) {
		slog(NET_PRINT, SLOG_ERR, "[zte_router_nvconfig_read] , point null\n");
		return 0;
	}

	size_t buf_len = sizeof(g_router_nvconfig_buf);
	memset(g_router_nvconfig_buf, 0, buf_len);
	cfg_get_item(i_item_name, g_router_nvconfig_buf, buf_len);
	return 1;
}
94
/* Return 1 when every character of str is a decimal digit, '.' or '/';
 * 0 for NULL or any other character. An empty string counts as valid. */
static int isAllNumAndSlash(char *str)
{
	if (str == NULL) {
		slog(NET_PRINT, SLOG_ERR, "isAllNumAndSlash: str in is NULL\n");
		return 0;
	}
	for (const char *p = str; *p != '\0'; p++) {
		int is_digit = (*p >= '0' && *p <= '9');
		if (!is_digit && *p != '.' && *p != '/') {
			return 0;
		}
	}
	return 1;
}
/* Return 1 when str consists of decimal digits only (an empty string
 * qualifies); 0 for NULL or any non-digit character. */
static int isNumOnly(char *str)
{
	if (str == NULL) {
		slog(NET_PRINT, SLOG_ERR, "isNumOnly: str in is NULL\n");
		return 0;
	}
	const char *p = str;
	while (*p != '\0') {
		if (*p < '0' || *p > '9') {
			return 0;
		}
		p++;
	}
	return 1;
}
/* Return 1 when str contains at most one '/' (zero is fine too), 0 when it
 * contains two or more, or is NULL. */
static int isOnlyOneSlash(char *str)
{
	int slashes = 0;

	if (str == NULL) {
		slog(NET_PRINT, SLOG_ERR, "isOnlyOneSlash: str in is NULL\n");
		return 0;
	}
	for (const char *p = str; *p != '\0'; p++) {
		slashes += (*p == '/');
	}
	return (slashes > 1) ? 0 : 1;
}
141
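/*
 * Accept "any" / "any/0" or anything inet_aton() parses as an IPv4 address.
 * Returns 1 when valid, 0 otherwise. Callers splice the accepted string into
 * shell command lines, so this is the only gate those strings pass through.
 *
 * Unlike its sibling validators this used to dereference a NULL str; NULL is
 * now rejected. Some inet_aton() implementations (glibc among them) accept
 * trailing whitespace and ignore what follows it, so any whitespace in the
 * string is rejected explicitly before inet_aton() is consulted.
 */
static int isIpValid(char *str)
{
	struct in_addr addr; /* parse target only; the value is not used */

	if (str == NULL) {
		slog(NET_PRINT, SLOG_ERR, "isIpValid(): NULL str\n");
		return 0;
	}
	if (strcmp("any", str) == 0 || strcmp("any/0", str) == 0) {
		return 1;
	}
	for (const char *p = str; *p != '\0'; p++) {
		if (isspace((unsigned char)*p)) {
			slog(NET_PRINT, SLOG_ERR, "isIpValid(): %s is not a valid IP address.\n", str);
			return 0;
		}
	}
	if (!inet_aton(str, &addr)) {
		slog(NET_PRINT, SLOG_ERR, "isIpValid(): %s is not a valid IP address.\n", str);
		return 0;
	}
	return 1;
}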
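/*
 * Return 1 when str is a MAC address of the exact form xx:xx:xx:xx:xx:xx
 * (17 characters, hex digits in either case), 0 otherwise or for NULL.
 *
 * The bytes are passed to isxdigit() as unsigned char: a plain char that
 * happens to be negative is outside the range <ctype.h> is defined for.
 */
static int isMacValid(char *str)
{
	const unsigned char *s;

	if (str == NULL) {
		slog(NET_PRINT, SLOG_ERR, "isMacValid: NULL str ");
		return 0;
	}
	if (strlen(str) != 17) {
		return 0;
	}

	s = (const unsigned char *)str;
	/* Five "xx:" groups, then the final "xx". */
	for (int i = 0; i < 5; i++) {
		const unsigned char *grp = s + i * 3;
		if (!isxdigit(grp[0]) || !isxdigit(grp[1]) || grp[2] != ':') {
			return 0;
		}
	}
	return (isxdigit(s[15]) && isxdigit(s[16])) ? 1 : 0;
}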
173
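/*
 * Validate an IPv4 address with an optional "/prefix" suffix, or the literal
 * "any" / "any/0". Returns 1 when valid, 0 otherwise (NULL, empty, characters
 * other than digits '.' '/', more than one '/', empty or non-numeric prefix,
 * prefix outside 0..32, or an address inet_aton() rejects).
 *
 * The input is copied because the '/' is overwritten to split it. A string
 * that does not fit the copy is rejected outright: the old strncpy() silently
 * truncated it and then validated a string the caller never uses.
 * "255.255.255.255/32" is 18 bytes, so nothing valid is lost.
 */
static int isIpNetmaskValid(char *s)
{
	char str[32] = {0};
	char *slash;
	struct in_addr addr; /* parse target only; the value is not used */

	if (s == NULL || s[0] == '\0') {
		return 0;
	}
	if (strlen(s) >= sizeof(str)) {
		return 0;
	}
	memcpy(str, s, strlen(s) + 1);

	if (strcmp("any", str) == 0 || strcmp("any/0", str) == 0) {
		return 1;
	}
	if (!isAllNumAndSlash(str) || !isOnlyOneSlash(str)) {
		return 0;
	}

	slash = strchr(str, '/');
	if (slash != NULL) {
		long mask;

		*slash = '\0';
		slash++;
		if (slash[0] == '\0' || !isNumOnly(slash)) {
			return 0;
		}
		/* isNumOnly() guarantees a non-empty digit string, so strtol() either
		 * yields the value or clamps to LONG_MAX on overflow — which the range
		 * check below rejects. atoi() has no defined result on overflow. */
		mask = strtol(slash, NULL, 10);
		if (mask < 0 || mask > 32) {
			return 0;
		}
	}

	if (!inet_aton(str, &addr)) {
		slog(NET_PRINT, SLOG_ERR, "isIpNetmaskValid(): %s is not a valid IP address.\n", str);
		return 0;
	}
	return 1;
}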
223
/* Flush every rule from the NAT port-forward chain. */
static void iptablesPortForwardFlush(void)
{
	static char flush_cmd[] = "iptables -t nat -F " PORT_FORWARD_CHAIN;

	system_cmd_ex(flush_cmd);
}
229
230/*
 * substitution of getNthValue which doesn't destroy the original value
232 */
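/*
 * Copy the index-th field (0-based) of the delimit-separated string `value`
 * into `result`, NUL-terminated and cut to at most len - 1 bytes. `value` is
 * not modified.
 *
 * Returns 0 on success, -1 when value or result is NULL, len is not positive,
 * index is negative, or the string has fewer than index + 1 fields. The last
 * field may be unterminated by a delimiter; an empty field yields "".
 *
 * A negative len used to reach the length arithmetic (only 0 was rejected),
 * and a negative index used to return field 0 — both now fail cleanly.
 */
int getNthValueSafe(int index, char *value, char delimit, char *result, int len)
{
	const char *field;
	const char *sep;
	size_t avail;
	size_t field_len;
	size_t copy_len;
	int n = 0;

	if (value == NULL || result == NULL || len <= 0) {
		slog(NET_PRINT, SLOG_ERR, "getNthValueSafe: null in\n");
		return -1;
	}
	if (index < 0) {
		return -1;
	}

	/* Skip `index` delimiters. */
	field = value;
	sep = strchr(field, delimit);
	while (n < index && sep != NULL) {
		field = sep + 1;
		sep = strchr(field, delimit);
		n++;
	}

	if (sep == NULL) {
		/* Ran out of delimiters: the field exists only if it is the last one. */
		if (n != index) {
			return -1;
		}
		sep = field + strlen(field);
	}

	avail = (size_t)len - 1;
	field_len = (size_t)(sep - field);
	copy_len = (field_len < avail) ? field_len : avail;
	memcpy(result, field, copy_len);
	result[copy_len] = '\0';

	return 0;
}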
267
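/* Accept a configuration value for use on the ping command line only if it is
 * made of characters that are plain text to the shell and cannot start an
 * option: letters, digits and ". _ - / : @", not beginning with '-'. This
 * covers interface names, IPv4 addresses, "any" and directory paths. */
static int ping_diag_arg_is_safe(const char *s)
{
	if (s[0] == '-') {
		return 0;
	}
	for (; *s != '\0'; s++) {
		unsigned char c = (unsigned char)*s;
		if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/' || c == ':' || c == '@') {
			continue;
		}
		return 0;
	}
	return 1;
}

/* Advance a write offset into a buffer of `cap` bytes after an snprintf()
 * that returned `rc`; returns cap on truncation so the caller can detect it. */
static size_t ping_cmd_advance(size_t cap, size_t used, int rc)
{
	if (rc < 0 || used >= cap) {
		return cap;
	}
	if ((size_t)rc >= cap - used) {
		return cap;
	}
	return used + (size_t)rc;
}

/*
 * Run a background ping according to the ping_* NV items and write its output
 * to <path_tmp>/ping_diagnostics.txt, after killing any previous ping and
 * removing the previous result file.
 *
 * Every value that ends up on a command line is read from NV storage, so it
 * is validated first: the target must pass isIpValid(), and target, interface
 * and path must pass ping_diag_arg_is_safe(); otherwise nothing is run.
 * Optional ping arguments (-c, -s, -w, -I) are added only when their NV item
 * is non-empty. The command buffer is appended to with bounds checks; the
 * longest possible command is well under 256 bytes given the item sizes.
 */
void zte_router_ping_diagnostics(void)
{
	char cmd[256] = {0};
	char ip_address[32] = {0};
	char diag_interface[32] = {0};
	char repetition_count[20] = {0};
	char time_out[20] = {0};
	char data_size[20] = {0};
	char path_tmp[50] = {0};
	size_t used = 0;

	slog(NET_PRINT, SLOG_NORMAL, "zte_router_ping_diagnostics start! \n");

	cfg_get_item("ping_diag_addr", ip_address, sizeof(ip_address));
	cfg_get_item("ping_repetition_count", repetition_count, sizeof(repetition_count));
	cfg_get_item("ping_time_out", time_out, sizeof(time_out));
	cfg_get_item("ping_data_size", data_size, sizeof(data_size));
	cfg_get_item("ping_diag_interface", diag_interface, sizeof(diag_interface));
	cfg_get_item("path_tmp", path_tmp, sizeof(path_tmp));

	if (ip_address[0] == '\0' || !isIpValid(ip_address) || !ping_diag_arg_is_safe(ip_address)) {
		slog(NET_PRINT, SLOG_ERR, "Error: zte_router_ping_diagnostics, %s is not a valid IP address", ip_address);
		return;
	}
	if (!ping_diag_arg_is_safe(diag_interface) || !ping_diag_arg_is_safe(path_tmp)) {
		slog(NET_PRINT, SLOG_ERR, "Error: zte_router_ping_diagnostics, interface or path contains unexpected characters\n");
		return;
	}

	system("killall ping");

	/* Remove the result file left by the previous run. */
	snprintf(cmd, sizeof(cmd), "rm %s/ping_diagnostics.txt", path_tmp);
	slog(NET_PRINT, SLOG_NORMAL, "zte_router_ping_diagnostics rm_cmd:%s \n", cmd);
	system_cmd_ex(cmd);

	/* Start a fresh ping in the background. */
	memset(cmd, 0, sizeof(cmd));
	used = ping_cmd_advance(sizeof(cmd), used,
		snprintf(cmd + used, sizeof(cmd) - used, "ping "));
	if (repetition_count[0] != '\0') {
		used = ping_cmd_advance(sizeof(cmd), used,
			snprintf(cmd + used, sizeof(cmd) - used, "-c %d ", atoi(repetition_count)));
	}
	if (data_size[0] != '\0') {
		used = ping_cmd_advance(sizeof(cmd), used,
			snprintf(cmd + used, sizeof(cmd) - used, "-s %d ", atoi(data_size)));
	}
	if (time_out[0] != '\0') {
		used = ping_cmd_advance(sizeof(cmd), used,
			snprintf(cmd + used, sizeof(cmd) - used, "-w %d ", atoi(time_out)));
	}
	if (diag_interface[0] != '\0') {
		used = ping_cmd_advance(sizeof(cmd), used,
			snprintf(cmd + used, sizeof(cmd) - used, "-I %s ", diag_interface));
	}

	slog(NET_PRINT, SLOG_DEBUG, "zte_router_ping_diagnostics cmd:%s, len:%d \n", cmd, (int)used);
	used = ping_cmd_advance(sizeof(cmd), used,
		snprintf(cmd + used, sizeof(cmd) - used, "%s > %s/ping_diagnostics.txt & ", ip_address, path_tmp));
	if (used >= sizeof(cmd)) {
		slog(NET_PRINT, SLOG_ERR, "Error: zte_router_ping_diagnostics, command too long\n");
		return;
	}

	slog(NET_PRINT, SLOG_NORMAL, "zte_router_ping_diagnostics ping_cmd:%s \n", cmd);
	system_cmd_ex(cmd);
}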
330
331/******************************************************
332* Function: zte_iptables_make_filter_rule()
333* Description: make filter rules, e.g.
334* iptables -A macipport_filter -m mac --mac-source [mac_address]
335* -s 10.128.48.88
336* -d 192.168.0.2
337* -p tcp --sport 1:80 --dport 40:500
338* -j ACCEPT
339* Input:
340* Output:
341* Return:
342* Others:
343* Modify Date Version Author Modification
344* 2010/12/13 V1.0 MaXiaoliang create
345*******************************************************/
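/* Advance the write offset of a rule buffer of `len` bytes after an
 * snprintf() that returned `rc`. On truncation the offset is clamped to the
 * terminator position so later appends stay in bounds and only write "";
 * an encoding error (rc < 0) leaves the offset where it was. */
static int filter_rule_advance(int len, int used, int rc)
{
	if (rc < 0) {
		return used;
	}
	if (rc >= len - used) {
		return (len > 0) ? len - 1 : 0;
	}
	return used + rc;
}

/******************************************************
* Function: zte_iptables_make_filter_rule()
* Description: build one "iptables -A <IPPORT_FILTER_CHAIN> ..." command, e.g.
* iptables -A macipport_filter -m mac --mac-source [mac_address]
* -s 10.128.48.88
* -d 192.168.0.2
* -p tcp --sport 1:80 --dport 40:500
* -j ACCEPT
* Input: buf, len - destination buffer and its size in bytes
* mac_address, sip_1, dip_1 - written only when non-NULL and non-empty
* sip_2, dip_2 - accepted for signature compatibility; the v4 rule
* does not use them
* sprf_int/sprt_int, dprf_int/dprt_int - port (range) from/to; 0 omits
* proto - PROTO_NONE / PROTO_ICMP / PROTO_TCP / PROTO_UDP; ports are only
* written on the TCP/UDP path (any other value also takes that path,
* without a "-p" clause, as before)
* action - ACTION_DROP or ACTION_ACCEPT; anything else is logged and
* leaves the rule without a "-j" target
* Output: buf, always NUL-terminated; a rule that does not fit is truncated
* Others: the remaining space is now computed from the start of buf. The
* old "len - rc" bound only subtracted the previous piece, so it grew
* wrong as the rule got longer and could let snprintf() overrun buf.
* Modify Date Version Author Modification
* 2010/12/13 V1.0 MaXiaoliang create
*******************************************************/
static void zte_iptables_make_filter_rule(char *buf, int len, char *mac_address,
	char *sip_1, char *sip_2, int sprf_int, int sprt_int,
	char *dip_1, char *dip_2, int dprf_int, int dprt_int, int proto, int action)
{
	int used = 0;

	(void)sip_2;
	(void)dip_2;

	if (buf == NULL || len <= 0) {
		slog(NET_PRINT, SLOG_ERR, "zte_iptables_make_filter_rule: no buffer");
		return;
	}
	buf[0] = '\0';

/* Append formatted text at the current offset, tracking truncation. */
#define FILTER_RULE_APPEND(...) \
	(used = filter_rule_advance(len, used, \
		snprintf(buf + used, (size_t)(len - used), __VA_ARGS__)))

	FILTER_RULE_APPEND("iptables -A %s ", IPPORT_FILTER_CHAIN);

	if (mac_address && mac_address[0] != '\0') {
		FILTER_RULE_APPEND("-m mac --mac-source %s ", mac_address);
	}
	if (sip_1 && sip_1[0] != '\0') {
		FILTER_RULE_APPEND("-s %s ", sip_1);
	}
	if (dip_1 && dip_1[0] != '\0') {
		FILTER_RULE_APPEND("-d %s ", dip_1);
	}

	if (proto == PROTO_NONE) {
		FILTER_RULE_APPEND(" ");
	} else if (proto == PROTO_ICMP) {
		FILTER_RULE_APPEND("-p icmp ");
	} else {
		if (proto == PROTO_TCP) {
			FILTER_RULE_APPEND("-p tcp ");
		} else if (proto == PROTO_UDP) {
			FILTER_RULE_APPEND("-p udp ");
		}

		/* Port ranges only make sense with a transport protocol. */
		if (sprf_int) {
			if (sprt_int) {
				FILTER_RULE_APPEND("--sport %d:%d ", sprf_int, sprt_int);
			} else {
				FILTER_RULE_APPEND("--sport %d ", sprf_int);
			}
		}
		if (dprf_int) {
			if (dprt_int) {
				FILTER_RULE_APPEND("--dport %d:%d ", dprf_int, dprt_int);
			} else {
				FILTER_RULE_APPEND("--dport %d ", dprf_int);
			}
		}
	}

	switch (action) {
	case ACTION_DROP: // 1 == ENABLE--DROP mode
		FILTER_RULE_APPEND("-j DROP");
		break;
	case ACTION_ACCEPT: // 2 == ENABLE--ACCEPT mode
		FILTER_RULE_APPEND("-j ACCEPT");
		break;
	default:
		slog(NET_PRINT, SLOG_ERR, "Unknown action %d.", action);
		break;
	}
#undef FILTER_RULE_APPEND
}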
420/*===========================================================================
421 Function:
422 zte_make_filter_rules_ipv6
423
424 Description:
425 make ipportfilter rules.
426 example:
427 iptables -A macipport_filter
428 -m mac --mac-source 00:11:22:33:44:55
429 -m iprange --src-range 192.168.1.10-192.168.1.50
430 -m iprange --dst-range 10.128.10.10-10.128.10.100
431 -p tcp --sport 10:2000 --dport 4000:5000
432 -j DROP
433
434 Param:
435 buf - cmd buffer to store rule cmd
436 len - length of cmd buffer
437 mac_address - mac address
438 sip_1 - source ip 1
439 sip_2 - source ip 2 (not support now)
440 sprf_int - source ip from port
441 sprt_int - source ip to port
442 dip_1 - dest ip 1
443 dip_2 - dest ip 2 (not support now)
444 dprf_int - dest ip from port
445 dprt_int - dest ip to port
446 proto - protocol
447 action - accept or drop
448
449 Modify Date Version Author Modification
450 2010/07/12 V1.0 zhangyuelong10100551 Create
451 2012/03/15 V1.1 liuweipeng port
452===========================================================================*/
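/* Advance the write offset of a rule buffer of `len` bytes after an
 * snprintf() that returned `rc`. On truncation the offset is clamped to the
 * terminator position so later appends stay in bounds and only write "";
 * an encoding error (rc < 0) leaves the offset where it was. */
static int filter_rule_v6_advance(int len, int used, int rc)
{
	if (rc < 0) {
		return used;
	}
	if (rc >= len - used) {
		return (len > 0) ? len - 1 : 0;
	}
	return used + rc;
}

/*===========================================================================
 Function:
 zte_make_filter_rules_v6

 Description:
 Build one ip6tables rule for the IPPORT_FILTER_CHAIN chain into buf.
 example:
 ip6tables -t filter -A macipport_filter
 -m mac --mac-source 00:11:22:33:44:55
 -m iprange --src-range 192.168.1.10-192.168.1.50
 -m iprange --dst-range 10.128.10.10-10.128.10.100
 -p tcp --sport 10:2000 --dport 4000:5000
 -j DROP

 Param:
 buf - cmd buffer to store rule cmd; always NUL-terminated on return
 len - length of cmd buffer in bytes
 mac_address - mac address, written only when non-NULL and non-empty
 sip_1 - source ip 1; empty or NULL selects "-s any/0"
 sip_2 - source ip 2; when given with sip_1 a --src-range is written
 sprf_int - source port from (0 omits the source port)
 sprt_int - source port to (0 writes a single port)
 dip_1 - dest ip 1; empty or NULL selects "-d any/0"
 dip_2 - dest ip 2; when given with dip_1 a --dst-range is written
 dprf_int - dest port from (0 omits the dest port)
 dprt_int - dest port to (0 writes a single port)
 proto - PROTO_NONE (no -p clause), PROTO_ICMP, PROTO_TCP or PROTO_UDP;
 ports are written only for TCP/UDP
 action - ACTION_ACCEPT or ACTION_DROP; anything else is logged and
 leaves the rule without a "-j" target

 Others:
 The remaining space is now computed from the start of buf; the old
 "len - rc" bound only subtracted the previous piece, so it grew wrong
 as the rule got longer and could let snprintf() overrun buf.

 Modify Date Version Author Modification
 2010/07/12 V1.0 zhangyuelong10100551 Create
 2012/03/15 V1.1 liuweipeng port
===========================================================================*/
void zte_make_filter_rules_v6(char *buf, int len, char *mac_address,
	char *sip_1, char *sip_2, int sprf_int, int sprt_int,
	char *dip_1, char *dip_2, int dprf_int, int dprt_int, int proto, int action)
{
	int used = 0;

	if (NULL == buf || len <= 0) {
		slog(NET_PRINT, SLOG_ERR, "[ERROR]zte_make_filter_rules_ipv6: buf NULL");
		return;
	}
	buf[0] = '\0';

/* Append formatted text at the current offset, tracking truncation. */
#define FILTER_RULE_V6_APPEND(...) \
	(used = filter_rule_v6_advance(len, used, \
		snprintf(buf + used, (size_t)(len - used), __VA_ARGS__)))

	FILTER_RULE_V6_APPEND("ip6tables -t filter -A %s ", IPPORT_FILTER_CHAIN);

	if (mac_address && mac_address[0] != '\0') {
		FILTER_RULE_V6_APPEND("-m mac --mac-source %s ", mac_address);
	}

	/* Source: a range when both ends are given, a single address when one is,
	 * otherwise anything. */
	if (sip_1 && sip_1[0] != '\0') {
		if (sip_2 && sip_2[0] != '\0') {
			FILTER_RULE_V6_APPEND("-m iprange --src-range %s-%s ", sip_1, sip_2);
		} else {
			FILTER_RULE_V6_APPEND("-s %s ", sip_1);
		}
	} else {
		FILTER_RULE_V6_APPEND("-s any/0 ");
	}

	/* Destination: same three cases. */
	if (dip_1 && dip_1[0] != '\0') {
		if (dip_2 && dip_2[0] != '\0') {
			FILTER_RULE_V6_APPEND("-m iprange --dst-range %s-%s ", dip_1, dip_2);
		} else {
			FILTER_RULE_V6_APPEND("-d %s ", dip_1);
		}
	} else {
		FILTER_RULE_V6_APPEND("-d any/0 ");
	}

	/* PROTO_NONE writes no "-p" clause at all. */
	if (proto == PROTO_ICMP) {
		FILTER_RULE_V6_APPEND("-p icmpv6 ");
	} else if (proto == PROTO_TCP || proto == PROTO_UDP) {
		if (proto == PROTO_TCP) {
			FILTER_RULE_V6_APPEND("-p tcp ");
		} else {
			FILTER_RULE_V6_APPEND("-p udp ");
		}

		if (sprf_int) {
			if (sprt_int) {
				FILTER_RULE_V6_APPEND("--sport %d:%d ", sprf_int, sprt_int);
			} else {
				FILTER_RULE_V6_APPEND("--sport %d ", sprf_int);
			}
		}
		if (dprf_int) {
			if (dprt_int) {
				FILTER_RULE_V6_APPEND("--dport %d:%d ", dprf_int, dprt_int);
			} else {
				FILTER_RULE_V6_APPEND("--dport %d ", dprf_int);
			}
		}
	}

	switch (action) {
	case ACTION_DROP: // 1 == ENABLE--DROP mode
		FILTER_RULE_V6_APPEND("-j DROP");
		break;
	case ACTION_ACCEPT: // 2 == ENABLE--ACCEPT mode
		FILTER_RULE_V6_APPEND("-j ACCEPT");
		break;
	default:
		slog(NET_PRINT, SLOG_ERR, "[ERROR]zte_make_filter_rules_v6: unknown action");
		break;
	}
#undef FILTER_RULE_V6_APPEND
} /* zte_make_filter_rules_v6() */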
549
550//modified by myc for web5.0 2012-12-12 //split the function zte_iptables_filter_run
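/* Parse a port field as stored in the rule record (decimal text) and accept
 * only 0..65535; 0 means "no port" to the rule builder. Returns 1 and stores
 * the value in *out on success, 0 otherwise. strtol() clamps on overflow
 * where atoi() has no defined result, and negative values — which the old
 * "> 65535" check let through — are rejected. */
static int filter_rule_port(const char *text, int *out)
{
	long v = strtol(text, NULL, 10);

	if (v < 0 || v > 65535) {
		return 0;
	}
	*out = (int)v;
	return 1;
}

/* Build the rule for one transport protocol, append the echo/log suffix and
 * hand it to iptables. A command that would not fit the buffer is logged and
 * skipped rather than run truncated. */
static void filter_rule_exec(char *mac_address, char *sip_1, char *sip_2,
	int sprf_int, int sprt_int, char *dip_1, char *dip_2,
	int dprf_int, int dprt_int, int proto, int action)
{
	char rule[ROUTER_NV_FW_RULE_MAX_LEN] = {0};
	char sys_cmd[500] = {0};
	int n;

	zte_iptables_make_filter_rule(rule, sizeof(rule), mac_address, sip_1, sip_2,
		sprf_int, sprt_int, dip_1, dip_2, dprf_int, dprt_int, proto, action);
	n = snprintf(sys_cmd, sizeof(sys_cmd), "%s %s", rule, FMT_ECHO_IPTABLES_CMD);
	if (n < 0 || (size_t)n >= sizeof(sys_cmd)) {
		slog(NET_PRINT, SLOG_ERR, "zte_iptables_filter_rule_run: rule too long, skipped\n");
		return;
	}
	system_cmd_ex(sys_cmd);
}

//modified by myc for web5.0 2012-12-12 //split the function zte_iptables_filter_run
/*
 * Read IPPortFilterRules_0 .. IPPortFilterRules_<RULE_MAX-1> from NV storage
 * and install one iptables rule per record (two for PROTO_TCP_UDP). A record
 * whose fields are missing or fail validation is skipped silently.
 *
 * Record fields are comma separated: 0 source ip[/prefix], 2/3 source port
 * from/to, 4 dest ip[/prefix], 6/7 dest port from/to, 8 protocol, 9 action,
 * 10 comment, 11 mac. Fields 1 and 5 (the second address of a range) are not
 * read, so sip_2/dip_2 are always passed empty.
 */
void zte_iptables_filter_rule_run(void)
{
	char mac_address[32] = {0};
	char sprf[8] = {0}; /* source port from */
	char sprt[8] = {0}; /* source port to */
	char dprf[8] = {0}; /* dest port from */
	char dprt[8] = {0}; /* dest port to */
	char sip_1[32] = {0}; /* src ip address */
	char sip_2[32] = {0};
	char dip_1[32] = {0}; /* dest ip address */
	char dip_2[32] = {0};
	char protocol[8] = {0};
	char action_str[4] = {0};
	char rec[ROUTER_NV_FW_RULE_MAX_LEN] = {0};
	char item[ROUTER_DEFAULT_LEN] = {0};
	int sprf_int = 0;
	int sprt_int = 0;
	int dprf_int = 0;
	int dprt_int = 0;
	int proto = 0;
	int action = 0;

	for (int i = 0; i < RULE_MAX; i++) {
		snprintf(item, sizeof(item), "IPPortFilterRules_%d", i);
		memset(rec, 0, sizeof(rec));
		cfg_get_item(item, rec, sizeof(rec));

		if (getNthValueSafe(0, rec, ',', sip_1, sizeof(sip_1)) == -1 || !isIpNetmaskValid(sip_1)) {
			continue;
		}
		if (getNthValueSafe(2, rec, ',', sprf, sizeof(sprf)) == -1 || !filter_rule_port(sprf, &sprf_int)) {
			continue;
		}
		if (getNthValueSafe(3, rec, ',', sprt, sizeof(sprt)) == -1 || !filter_rule_port(sprt, &sprt_int)) {
			continue;
		}

		if (getNthValueSafe(4, rec, ',', dip_1, sizeof(dip_1)) == -1 || !isIpNetmaskValid(dip_1)) {
			continue;
		}
		if (getNthValueSafe(6, rec, ',', dprf, sizeof(dprf)) == -1 || !filter_rule_port(dprf, &dprf_int)) {
			continue;
		}
		if (getNthValueSafe(7, rec, ',', dprt, sizeof(dprt)) == -1 || !filter_rule_port(dprt, &dprt_int)) {
			continue;
		}

		if (getNthValueSafe(8, rec, ',', protocol, sizeof(protocol)) == -1) {
			continue;
		}
		proto = atoi(protocol);

		if (getNthValueSafe(9, rec, ',', action_str, sizeof(action_str)) == -1) {
			continue;
		}
		action = atoi(action_str);

		/* Field 10 is the free-text comment and never reaches a command line. */
		if (getNthValueSafe(11, rec, ',', mac_address, sizeof(mac_address)) == -1) {
			continue;
		}
		if (mac_address[0] != '\0' && !isMacValid(mac_address)) {
			continue;
		}

		if (PROTO_TCP_UDP == proto) {
			/* The builder has no combined form, so emit one rule per transport. */
			filter_rule_exec(mac_address, sip_1, sip_2, sprf_int, sprt_int,
				dip_1, dip_2, dprf_int, dprt_int, PROTO_TCP, action);
			filter_rule_exec(mac_address, sip_1, sip_2, sprf_int, sprt_int,
				dip_1, dip_2, dprf_int, dprt_int, PROTO_UDP, action);
		} else {
			filter_rule_exec(mac_address, sip_1, sip_2, sprf_int, sprt_int,
				dip_1, dip_2, dprf_int, dprt_int, proto, action);
		}
	}
}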
671
672/******************************************************
673* Function: zte_iptables_filter_run()
674* Description: load rules from "IPPortFilterRules", make rules, and run
675* Input:
676* Output:
677* Return:
678* Others:
679* Modify Date Version Author Modification
680* 2010/12/13 V1.0 MaXiaoliang create
681*******************************************************/
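/******************************************************
* Function: zte_iptables_filter_run()
* Description: load rules from "IPPortFilterRules", make rules, and run
* Input: NV items IPPortFilterEnable (0/1 as text; empty or 0 disables the
* filter and sets FORWARD to ACCEPT) and DefaultFirewallPolicy
* (0 accept, 1 drop; empty means 0; anything else is logged)
* Output: the IPPORT_FILTER_CHAIN chain is flushed and rebuilt, then a
* RELATED,ESTABLISHED accept is appended after the user rules, and
* the FORWARD policy is set from DefaultFirewallPolicy
* Return:
* Others: commands are built with snprintf() so a long chain name or echo
* suffix cannot overrun the buffer; the policy text is parsed once
* Modify Date Version Author Modification
* 2010/12/13 V1.0 MaXiaoliang create
*******************************************************/
void zte_iptables_filter_run(void)
{
	char firewall_enable[ROUTER_DEFAULT_LEN] = {0};
	char default_policy[ROUTER_DEFAULT_LEN] = {0};
	char sys_cmd_bufer[500] = {0};
	int policy = 0;

	/* Start from an empty filter chain. */
	snprintf(sys_cmd_bufer, sizeof(sys_cmd_bufer), "iptables -F %s %s", IPPORT_FILTER_CHAIN, FMT_ECHO_IPTABLES_CMD);
	system_cmd_ex(sys_cmd_bufer);

	cfg_get_item("IPPortFilterEnable", firewall_enable, sizeof(firewall_enable));
	if (firewall_enable[0] == '\0') {
		slog(NET_PRINT, SLOG_ERR, "IPPortFilter have been disable one .\n");
		system_cmd_ex("iptables -t filter -P FORWARD ACCEPT");
		return;
	}
	/* 0 means disabled, 1 enabled. */
	if (atoi(firewall_enable) == 0) {
		system_cmd_ex("iptables -t filter -P FORWARD ACCEPT");
		slog(NET_PRINT, SLOG_ERR, "IPPortFilter have been disable two .\n");
		return;
	}

	/* 0: accept 1: drop; an unset item behaves like "0". */
	cfg_get_item("DefaultFirewallPolicy", default_policy, sizeof(default_policy));
	policy = (default_policy[0] == '\0') ? 0 : atoi(default_policy);

	zte_iptables_filter_rule_run();

	/* Appended after the user rules, so a user DROP still takes precedence. */
	snprintf(sys_cmd_bufer, sizeof(sys_cmd_bufer),
		"iptables -t filter -A %s -m state --state RELATED,ESTABLISHED -j ACCEPT", IPPORT_FILTER_CHAIN);
	system_cmd_ex(sys_cmd_bufer);

	switch (policy) {
	case 0:
		system_cmd_ex("iptables -t filter -P FORWARD ACCEPT");
		break;
	case 1:
		system_cmd_ex("iptables -t filter -P FORWARD DROP");
		break;
	default:
		slog(NET_PRINT, SLOG_ERR, "Unknown default_policy %d.", policy);
		break;
	}
}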
740
741/******************************************************
742* Function: zte_iptables_sys_fw_run()
743* Description: make system security rules, then run, e.g.
744* iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
745* iptables -t filter -A INPUT -i ppp0 -j DROP // disable remote control
746* iptables -t filter -A INPUT -i ppp0 -p icmp -j DROP // disable ping
747* Input:
748* Output:
749* Return:
750* Others:
751* Modify Date Version Author Modification
752* 2010/12/13 V1.0 MaXiaoliang create
753*******************************************************/
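/* Build "<head><ifname><tail>" and hand it to system_cmd_ex(), e.g.
 * head = "iptables -t filter -A INPUT -i ", ifname = "ppp0",
 * tail = " -p udp --dport 53 -j DROP". A command that would not fit the
 * buffer is logged and skipped instead of being run truncated. */
static void sys_fw_if_rule(const char *head, const char *ifname, const char *tail)
{
	char cmd[500] = {0};
	int n = snprintf(cmd, sizeof(cmd), "%s%s%s", head, ifname, tail);

	if (n < 0 || (size_t)n >= sizeof(cmd)) {
		slog(NET_PRINT, SLOG_ERR, "zte_iptables_sys_fw_run: rule too long, skipped: %s%s%s\n", head, ifname, tail);
		return;
	}
	system_cmd_ex(cmd);
}

/******************************************************
* Function: zte_iptables_sys_fw_run()
* Description: make system security rules, then run, e.g.
* iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
* iptables -t filter -A INPUT -i ppp0 -j DROP // disable remote control
* iptables -t filter -A INPUT -i ppp0 -p icmp -j DROP // disable ping
* Input: NV items RemoteManagement (1 keeps 80/443 reachable from the WAN,
* anything else drops them) and WANPingFilter (1 accepts ICMP from
* the WAN, anything else drops it); defwan_rel / defwan6_rel supply
* the interface names
* Output: the INPUT chains of iptables and ip6tables are flushed and rebuilt
* Return:
* Others: every interface-bound rule goes through sys_fw_if_rule(), which
* bounds the command length. The rule order is the original one;
* NOTE(review): the ip6tables rules added before the
* "ip6tables -t filter -F INPUT" below are discarded by that flush,
* exactly as in the original — left for the owner to decide.
* The two ip6tables 1900 rules now use defwan6_rel like every other
* ip6tables rule here; the original passed defwan_rel to them.
* Modify Date Version Author Modification
* 2010/12/13 V1.0 MaXiaoliang create
*******************************************************/
void zte_iptables_sys_fw_run(void)
{
	static const char v4_add[] = "iptables -t filter -A INPUT -i ";
	static const char v6_add[] = "ip6tables -t filter -A INPUT -i ";
	static const char v4_ins[] = "iptables -t filter -I INPUT -i ";
	static const char v6_ins[] = "ip6tables -t filter -I INPUT -i ";
	char rmE[ROUTER_NV_FW_RULE_MAX_LEN] = {0};
	char wpfE[ROUTER_NV_FW_RULE_MAX_LEN] = {0};

	cfg_get_item("RemoteManagement", rmE, sizeof(rmE));
	cfg_get_item("WANPingFilter", wpfE, sizeof(wpfE));

	/* flush INPUT chain is OK; the macipport_filter chain is in FORWARD chain. */
	system_cmd_ex("iptables -t filter -F INPUT");

	/*added by myc for shutdown 1900 and 53 port to wan 2013-05-22 begin*/
	sys_fw_if_rule(v4_add, defwan_rel, " -p tcp --dport 1900 -j DROP ");
	/*added by myc for shutdown 1900 and 53 port to wan 2013-05-22 end*/

	/* modify by dlf begin, --2016-09-7 */
	/* network security settings for lan ssh */
#if 0 //for aq
	system_cmd_ex("iptables -A INPUT -p tcp --dport 22 -j DROP");
	system_cmd_ex("iptables -A INPUT -p udp --dport 22 -j DROP");
	system_cmd_ex("iptables -A INPUT -p tcp --dport 5555 -j DROP");
	system_cmd_ex("iptables -A INPUT -p udp --dport 5555 -j DROP");
#endif
	/* network security settings for wan; the 22 (ssh), 23 (telnet) and
	 * 5555 (freeciv) drops that used to sit here stay disabled. */

	/* disable 53: domain */
	sys_fw_if_rule(v4_add, defwan_rel, " -p udp --dport 53 -j DROP");
	sys_fw_if_rule(v4_add, defwan_rel, " -p tcp --dport 53 -j DROP");
	sys_fw_if_rule(v6_add, defwan6_rel, " -p udp --dport 53 -j DROP");
	sys_fw_if_rule(v6_add, defwan6_rel, " -p tcp --dport 53 -j DROP");

	/* disable 67: dhcp server port */
	sys_fw_if_rule(v4_add, defwan_rel, " -p udp --dport 67 -j DROP");
	sys_fw_if_rule(v6_add, defwan6_rel, " -p udp --dport 67 -j DROP");

	/* disable 1900: upnp */
	sys_fw_if_rule(v4_add, defwan_rel, " -p udp --dport 1900 -j DROP");
	sys_fw_if_rule(v4_add, defwan_rel, " -p tcp --dport 1900 -j DROP");
	sys_fw_if_rule(v6_add, defwan6_rel, " -p udp --dport 1900 -j DROP");
	sys_fw_if_rule(v6_add, defwan6_rel, " -p tcp --dport 1900 -j DROP");
	/* modify by dlf end, --2016-09-7 */

	/* modify by maxl begin, --2011-01-28 */
	/*open telnet 4719 port*/
#if 0 //for aq
	system_cmd_ex("iptables -t filter -I INPUT -p tcp --dport 4719 -j ACCEPT");
	system_cmd_ex("iptables -t filter -I INPUT -p udp --dport 4719 -j ACCEPT");
#endif
	/* modify by maxl end, --2011-01-28 */

	/* allow ping replies from the WAN interface */
	sys_fw_if_rule("iptables -A INPUT -i ", defwan_rel, " -p icmp --icmp-type echo-reply -j ACCEPT");

	system_cmd_ex("ip6tables -t filter -F INPUT");
	system_cmd_ex("ip6tables -t filter -I INPUT -p udp --sport 53 -j ACCEPT");
	system_cmd_ex("ip6tables -t filter -I INPUT -p udp --dport 53 -j ACCEPT");
	system_cmd_ex("ip6tables -t filter -I INPUT -p tcp --sport 53 -j ACCEPT");
	system_cmd_ex("ip6tables -t filter -I INPUT -p tcp --dport 53 -j ACCEPT");
	system_cmd_ex("ip6tables -t filter -I INPUT -p tcp --dport 23 -j DROP");
	system_cmd_ex("ip6tables -t filter -I INPUT -p udp --dport 23 -j DROP");
	// allow ping replies from the WAN interface
	sys_fw_if_rule("ip6tables -A INPUT -i ", defwan6_rel, " -p icmpv6 --icmpv6-type echo-reply -j ACCEPT");

	/*
	 * Remote management enabled: the INPUT chain is flushed every time and its
	 * default policy is ACCEPT, so no rule is needed. Disabled: drop the web
	 * ports coming in on the WAN.
	 */
	if (atoi(rmE) != 1) {
		sys_fw_if_rule(v4_add, defwan_rel, " -p tcp --dport 80 -j DROP");
		sys_fw_if_rule(v6_add, defwan6_rel, " -p tcp --dport 80 -j DROP");
		sys_fw_if_rule(v4_add, defwan_rel, " -p tcp --dport 443 -j DROP");
		sys_fw_if_rule(v6_add, defwan6_rel, " -p tcp --dport 443 -j DROP");
	}

	/* WAN ping: 1 accepts ICMP from the WAN, anything else drops it. */
	if (atoi(wpfE) == 1) {
		sys_fw_if_rule(v4_ins, defwan_rel, " -p icmp -j ACCEPT");
		sys_fw_if_rule(v6_ins, defwan6_rel, " -p icmpv6 -j ACCEPT");
	} else {
		sys_fw_if_rule(v4_add, defwan_rel, " -p icmp -j DROP");
		sys_fw_if_rule(v6_add, defwan6_rel, " -p icmpv6 --icmpv6-type echo-request -j DROP");
	}

	// vpn pass through
	//system_cmd_ex("vpn_pass.sh");
}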
932
933
/* Write the DMZ DNAT rule for wan_name/ip_address into buf (len bytes),
 * e.g. "iptables -t nat -A <DMZ_CHAIN> -j DNAT -i ppp0 --to 5.6.7.8".
 * Output is NUL-terminated and truncated if it does not fit. */
static void zte_iptables_make_DMZ_Rule(char *buf, int len, char *wan_name, char *ip_address)
{
	int written = snprintf(buf, (size_t)len,
		"iptables -t nat -A %s -j DNAT -i %s --to %s",
		DMZ_CHAIN, wan_name, ip_address);

	(void)written;
}
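/* Accept only a non-empty dotted decimal IPv4 address: digits and '.' that
 * inet_aton() parses. Nothing else from NV storage may reach the DNAT
 * command line built below. */
static int dmz_ip_is_valid(const char *s)
{
	struct in_addr addr; /* parse target only; the value is not used */

	if (s == NULL || s[0] == '\0') {
		return 0;
	}
	for (const char *p = s; *p != '\0'; p++) {
		if (!((*p >= '0' && *p <= '9') || *p == '.')) {
			return 0;
		}
	}
	return inet_aton(s, &addr) != 0;
}

/*
 * Rebuild the DMZ NAT chain from NV storage: flush it, and when DMZEnable is
 * non-zero and DMZIPAddress is a valid IPv4 address, let WAN-side DHCP
 * (udp 67:68) through untouched and DNAT everything else arriving on
 * defwan_rel to that host. An empty or invalid address is logged and leaves
 * the chain empty; the original ran the DNAT with the address unvalidated.
 */
void zte_iptables_DMZ_Run(void)
{
	char cmd[1024] = {0};
	char ip_address[128] = {0};
	char dmz_enable[128] = {0};

	/* Start from an empty DMZ chain. */
	snprintf(cmd, sizeof(cmd), "iptables -t nat -F %s %s", DMZ_CHAIN, FMT_ECHO_IPTABLES_CMD);
	system_cmd_ex(cmd);

	cfg_get_item("DMZEnable", dmz_enable, sizeof(dmz_enable));
	if (dmz_enable[0] == '\0') {
		slog(NET_PRINT, SLOG_ERR, "Warning: DMZ have been disable one\n");
		return;
	}
	if (atoi(dmz_enable) == 0) {
		slog(NET_PRINT, SLOG_ERR, "Warning: DMZ have been disable two\n");
		return;
	}

	cfg_get_item("DMZIPAddress", ip_address, sizeof(ip_address));
	if (ip_address[0] == '\0') {
		slog(NET_PRINT, SLOG_ERR, "Warning: can't find \"DMZIPAddress\" in flash\n");
		return;
	}
	if (!dmz_ip_is_valid(ip_address)) {
		slog(NET_PRINT, SLOG_ERR, "Warning: DMZIPAddress \"%s\" is not a dotted IPv4 address, DMZ not enabled\n", ip_address);
		return;
	}

	/* Accepted ahead of the DNAT rule so DHCP is not forwarded to the DMZ host. */
	snprintf(cmd, sizeof(cmd), "iptables -t nat -A %s -j ACCEPT -i %s -p udp --dport 67:68", DMZ_CHAIN, defwan_rel);
	system_cmd_ex(cmd);

	memset(cmd, 0, sizeof(cmd));
	zte_iptables_make_DMZ_Rule(cmd, sizeof(cmd), defwan_rel, ip_address);
	system_cmd_ex(cmd);
}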
987
988
989
990
991//12133
992/******************************************************
993* Function: zte_iptables_make_port_forward_rule()
* Description: build one port forward rule command into a buffer (the caller runs it), e.g.
995* iptables -t nat -A port_forward -j DNAT -i ppp0 -p tcp --dport 10:400 --to 192.168.0.100
996* Input:
997* Output:
998* Return:
999* Others:
1000* Modify Date Version Author Modification
1001* 2010/12/13 V1.0 MaXiaoliang create
1002*******************************************************/
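/*
 * buf        - command buffer; on return holds the rule, or "" if it did not fit
 * len        - size of buf in bytes
 * wan_name   - WAN interface for the -i match
 * ip_address - LAN host the port(s) are forwarded to (validated by the caller)
 * proto      - PROTO_TCP or PROTO_UDP (the caller splits PROTO_TCP_UDP in two)
 * prf_int    - first port of the range
 * prt_int    - last port of the range, 0 for a single port
 *
 * Every string is spliced unquoted into a shell command line; validation is
 * the caller's job.
 */
static void zte_iptables_make_port_forward_rule(char *buf, int len, char *wan_name,
        char *ip_address, int proto, int prf_int, int prt_int)
{
    char *pos = buf;
    int remain = len;   /* bytes still free at pos, terminating NUL included */
    int rc = 0;

    if (NULL == buf || len <= 0) {
        return;
    }
    if (NULL == wan_name || NULL == ip_address) {
        buf[0] = '\0';
        return;
    }

    /*
     * Each fragment is written into the space left after the previous one.
     * (The size used to be computed as len - rc from the last fragment only,
     * which over-states the free space once two fragments have been written.)
     */
    rc = snprintf(pos, (size_t)remain, "iptables -t nat -A %s -j DNAT -i %s ", PORT_FORWARD_CHAIN, wan_name);
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    pos += rc;
    remain -= rc;

    /* protocol type */
    if (proto == PROTO_TCP) {
        rc = snprintf(pos, (size_t)remain, "-p tcp ");
    } else if (proto == PROTO_UDP) {
        rc = snprintf(pos, (size_t)remain, "-p udp ");
    } else if (proto == PROTO_TCP_UDP) {
        /* kept for compatibility; the caller normally emits tcp and udp separately */
        rc = snprintf(pos, (size_t)remain, " ");
    } else {
        /* an unknown protocol used to re-advance pos by the previous rc; refuse it instead */
        slog(NET_PRINT, SLOG_ERR, "[zte_iptables_make_port_forward_rule]: unknown protocol %d\n", proto);
        buf[0] = '\0';
        return;
    }
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    pos += rc;
    remain -= rc;

    /* port, or port range when a "to" port is given */
    if (prt_int != 0) {
        rc = snprintf(pos, (size_t)remain, "--dport %d:%d ", prf_int, prt_int);
    } else {
        rc = snprintf(pos, (size_t)remain, "--dport %d ", prf_int);
    }
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    pos += rc;
    remain -= rc;

    /* dest ip, forward to who */
    rc = snprintf(pos, (size_t)remain, "--to %s ", ip_address);
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    return;

truncated:
    /* never hand back a half-built rule: the caller runs buf unconditionally */
    slog(NET_PRINT, SLOG_ERR, "[zte_iptables_make_port_forward_rule]: rule does not fit in %d bytes\n", len);
    buf[0] = '\0';
}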
1031
1032//12134
1033
1034/******************************************************
1035* Function: zte_iptables_port_forward_run()
1036* Description: make port forward rules, then run
1037* Input:
1038* Output:
1039* Return:
1040* Others:
1041* Modify Date Version Author Modification
1042* 2010/12/13 V1.0 MaXiaoliang create
1043*******************************************************/
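/*
 * Rebuild the port forward NAT chain from configuration.
 *
 * Flushes PORT_FORWARD_CHAIN, and when "PortForwardEnable" is non-zero adds a
 * DHCP (udp 67:68) ACCEPT followed by one DNAT rule per valid record in
 * "PortForwardRules_0" .. "PortForwardRules_<RULE_MAX-1>". A record is
 * "<ip>,<port from>,<port to>,<proto>"; a record that fails any check is
 * skipped silently. Uses the file-level defwan_rel as the WAN interface.
 */
void zte_iptables_port_forward_run(void)
{
    char forward_enable[10] = {0};
    char rec[ROUTER_NV_FW_RULE_MAX_LEN] = {0};
    char cmd[ROUTER_NV_FW_RULE_MAX_LEN] = {0};
    char tmp[ROUTER_DEFAULT_LEN] = {0};
    char ip_address[32] = {0};
    char prf[8] = {0};
    char prt[8] = {0};
    char protocol[8] = {0};
    int prf_int = 0;
    int prt_int = 0;
    int proto = 0;
    int i = 0;

    cfg_get_item("PortForwardEnable", forward_enable, sizeof(forward_enable));
    if ('\0' == forward_enable[0]) {
        slog(NET_PRINT, SLOG_ERR, "Warning: PortForward have been disable one \n");
        return;
    }

    /* flush before the enable check, so disabling also removes the old rules */
    system_cmd_ex("iptables -t nat -F "PORT_FORWARD_CHAIN);

    /* 0: disable 1: enable */
    if (0 == atoi(forward_enable)) {
        slog(NET_PRINT, SLOG_ERR, "Warning: PortForward have been disable two \n");
        return;
    }

    /* keep DHCP reachable on the WAN side ahead of any DNAT */
    snprintf(cmd, sizeof(cmd), "iptables -t nat -A %s -j ACCEPT -i %s -p udp --dport 67:68",
             PORT_FORWARD_CHAIN, defwan_rel);
    system_cmd_ex(cmd);

    for (i = 0; i < RULE_MAX; i++) {
        snprintf(tmp, sizeof(tmp), "PortForwardRules_%d", i);
        memset(rec, 0, sizeof(rec));
        cfg_get_item(tmp, rec, sizeof(rec));

        /* ip address: must be a well-formed IPv4 address, it ends up on a shell command line */
        if (getNthValueSafe(0, rec, ',', ip_address, sizeof(ip_address)) == -1
            || !isIpValid(ip_address)) {
            continue;
        }

        /* port range "from": 1..65535 (negative values used to slip through) */
        if (getNthValueSafe(1, rec, ',', prf, sizeof(prf)) == -1) {
            continue;
        }
        prf_int = atoi(prf);
        if (prf_int < 1 || prf_int > 65535) {
            continue;
        }

        /* port range "to": 0 means a single port, otherwise it must not be below "from" */
        if (getNthValueSafe(2, rec, ',', prt, sizeof(prt)) == -1) {
            continue;
        }
        prt_int = atoi(prt);
        if (prt_int < 0 || prt_int > 65535 || (prt_int != 0 && prt_int < prf_int)) {
            continue;
        }

        if (getNthValueSafe(3, rec, ',', protocol, sizeof(protocol)) == -1) {
            continue;
        }
        proto = atoi(protocol);

        switch (proto) {
        case PROTO_TCP:
        case PROTO_UDP:
            zte_iptables_make_port_forward_rule(cmd, sizeof(cmd), defwan_rel, ip_address, proto, prf_int, prt_int);
            system_cmd_ex(cmd);
            break;
        case PROTO_TCP_UDP:
            /* iptables has no single "tcp or udp" match: one rule per protocol */
            zte_iptables_make_port_forward_rule(cmd, sizeof(cmd), defwan_rel, ip_address, PROTO_TCP, prf_int, prt_int);
            system_cmd_ex(cmd);
            zte_iptables_make_port_forward_rule(cmd, sizeof(cmd), defwan_rel, ip_address, PROTO_UDP, prf_int, prt_int);
            system_cmd_ex(cmd);
            break;
        default:
            /* unknown protocol: skip the record */
            break;
        }
    }
}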
1140
1141/******************************************************
1142* Function: zte_iptables_make_portmap_rule()
* Description: build one port mapping (DNAT) rule command into a buffer, e.g.
* iptables -t nat -A PREROUTING -p udp --dport 77 -j DNAT --to 192.168.8.100:88
1145* Input:
1146* Output:
1147* Return:
1148* Others:
1149* Modify Date Version Author Modification
1150* 2015/08/03 V1.0 gebin create
1151*******************************************************/
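/*
 * buf      - command buffer; on return holds the rule, or "" if it did not fit
 * len      - size of buf in bytes
 * wan_name - WAN interface for the -i match
 * ip       - LAN host to map to; skipped when NULL or empty
 * spr_int  - WAN-side (source) port; 0 writes no --dport
 * dpr_int  - LAN-side (destination) port; 0 writes no ":port" suffix
 * proto    - PROTO_TCP, PROTO_UDP or PROTO_TCP_UDP; any other value writes no -p
 *
 * Every string is spliced unquoted into a shell command line; validation is
 * the caller's job.
 */
static void zte_iptables_make_portmap_rule(char *buf, int len, char *wan_name, char *ip, int spr_int, int dpr_int, int proto)
{
    char *pos = buf;
    int remain = len;   /* bytes still free at pos, terminating NUL included */
    int rc = 0;

    if (NULL == buf || len <= 0) {
        return;
    }
    if (NULL == wan_name) {
        buf[0] = '\0';
        return;
    }

    /*
     * Each fragment is written into the space left after the previous one.
     * (The size used to be computed as len - rc from the last fragment only,
     * which over-states the free space once two fragments have been written.)
     */
    rc = snprintf(pos, (size_t)remain, "iptables -t nat -A %s -j DNAT -i %s ", PORT_MAPPING_CHAIN, wan_name);
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    pos += rc;
    remain -= rc;

    /* protocol type; an unknown value writes nothing, as before */
    if (proto == PROTO_TCP) {
        rc = snprintf(pos, (size_t)remain, "-p tcp ");
    } else if (proto == PROTO_UDP) {
        rc = snprintf(pos, (size_t)remain, "-p udp ");
    } else if (proto == PROTO_TCP_UDP) {
        rc = snprintf(pos, (size_t)remain, " ");
    } else {
        rc = 0;
    }
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    pos += rc;
    remain -= rc;

    /* source (WAN-side) port */
    if (spr_int) {
        rc = snprintf(pos, (size_t)remain, "--dport %d ", spr_int);
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
        pos += rc;
        remain -= rc;
    }

    /* destination host */
    if (ip && ip[0] != '\0') {
        rc = snprintf(pos, (size_t)remain, "--to %s", ip);
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
        pos += rc;
        remain -= rc;
    }

    /* destination (LAN-side) port */
    if (dpr_int) {
        rc = snprintf(pos, (size_t)remain, ":%d", dpr_int);
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
    }
    return;

truncated:
    /* never hand back a half-built rule: the caller runs buf unconditionally */
    slog(NET_PRINT, SLOG_ERR, "[zte_iptables_make_portmap_rule]: rule does not fit in %d bytes\n", len);
    buf[0] = '\0';
}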
1188
1189/******************************************************
1190* Function: zte_iptables_port_map_run()
1191* Description: load rules from "PortMapRules", make rules, and run
1192* Input:
1193* Output:
1194* Return:
1195* Others:
1196* Modify Date Version Author Modification
1197* 2015/08/03 V1.0 gebin create
1198*******************************************************/
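/*
 * Parse one "PortMapRules_N" record and install its DNAT rule(s).
 *
 * portMapRule - "<ip>,<source port>,<dest port>,<proto>"; the ip must pass
 *               isIpNetmaskValid, ports must be 0..65535, proto one of
 *               PROTO_TCP / PROTO_UDP / PROTO_TCP_UDP (the last emits one
 *               rule per protocol). Anything else is rejected and nothing runs.
 *
 * Uses the file-level defwan_rel as the WAN interface.
 */
static void zte_iptables_port_map_run(char *portMapRule)
{
    char ip[32] = {0};
    char spr[8] = {0};          /* source (WAN-side) port, text */
    char dpr[8] = {0};          /* destination (LAN-side) port, text */
    char protocol[8] = {0};
    char cmd[300] = {0};
    int spr_int = 0;
    int dpr_int = 0;
    int proto = 0;

    if (NULL == portMapRule) {
        return;
    }

    /* ip address: it is spliced unquoted into a shell command, so it must parse as an address */
    if (getNthValueSafe(0, portMapRule, ',', ip, sizeof(ip)) == -1 || !isIpNetmaskValid(ip)) {
        return;
    }

    /* source port: 0..65535 (negative values used to slip through) */
    if (getNthValueSafe(1, portMapRule, ',', spr, sizeof(spr)) == -1) {
        return;
    }
    spr_int = atoi(spr);
    if (spr_int < 0 || spr_int > 65535) {
        return;
    }

    /* destination port: 0..65535 */
    if (getNthValueSafe(2, portMapRule, ',', dpr, sizeof(dpr)) == -1) {
        return;
    }
    dpr_int = atoi(dpr);
    if (dpr_int < 0 || dpr_int > 65535) {
        return;
    }

    /* protocol */
    if (getNthValueSafe(3, portMapRule, ',', protocol, sizeof(protocol)) == -1) {
        return;
    }
    proto = atoi(protocol);

    /*
     * e.g. iptables -t nat -A <chain> -j DNAT -i <wan> -p udp --dport 77 --to 192.168.8.100:88
     * An unknown protocol is refused here rather than emitted without "-p"
     * (the same policy zte_iptables_port_forward_run applies).
     */
    switch (proto) {
    case PROTO_TCP:
    case PROTO_UDP:
        zte_iptables_make_portmap_rule(cmd, sizeof(cmd), defwan_rel, ip, spr_int, dpr_int, proto);
        system_cmd_ex(cmd);
        break;
    case PROTO_TCP_UDP:
        /* iptables has no single "tcp or udp" match: one rule per protocol */
        zte_iptables_make_portmap_rule(cmd, sizeof(cmd), defwan_rel, ip, spr_int, dpr_int, PROTO_TCP);
        system_cmd_ex(cmd);
        zte_iptables_make_portmap_rule(cmd, sizeof(cmd), defwan_rel, ip, spr_int, dpr_int, PROTO_UDP);
        system_cmd_ex(cmd);
        break;
    default:
        slog(NET_PRINT, SLOG_ERR, "[zte_iptables_port_map_run]: unknown protocol %d\n", proto);
        break;
    }
}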
1256
1257/******************************************************
1258* Function: zte_iptables_port_map_all_run()
1259* Description: load rules from "PortMapRules", make rules, and run
1260* Input:
1261* Output:
1262* Return:
1263* Others:
1264* Modify Date Version Author Modification
1265* 2015/08/03 V1.0 gebin create
1266*******************************************************/
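/*
 * Rebuild the port mapping NAT chain from configuration.
 *
 * Flushes PORT_MAPPING_CHAIN, and when "PortMapEnable" is non-zero adds a DHCP
 * (udp 67:68) ACCEPT and then hands each non-empty "PortMapRules_0" ..
 * "PortMapRules_9" record to zte_iptables_port_map_run. Uses the file-level
 * defwan_rel as the WAN interface.
 */
void zte_iptables_port_map_all_run(void)
{
    char PortMapRules[300] = {0};
    char PortMapRules_x[50] = {0};
    char portmap_enable[64] = {0};  /* "0": disabled, "1": enabled */
    char cmd[ROUTER_NV_FW_RULE_MAX_LEN] = {0};
    int i = 0;

    cfg_get_item("PortMapEnable", portmap_enable, sizeof(portmap_enable));
    slog(NET_PRINT, SLOG_NORMAL, "portmap_enable: %s \n", portmap_enable);
    if ('\0' == portmap_enable[0]) {
        /* the item looked up is PortMapEnable (the message used to name PortMapRules) */
        slog(NET_PRINT, SLOG_ERR, "Error: can't find \"PortMapEnable\" in flash.\n"); /*lint !e26*/
        return;
    }

    /* flush before the enable check, so disabling also removes the old rules */
    system_cmd_ex("iptables -t nat -F "PORT_MAPPING_CHAIN);

    if (0 == atoi(portmap_enable)) {
        return;
    }

    /* keep DHCP reachable on the WAN side ahead of any DNAT */
    snprintf(cmd, sizeof(cmd), "iptables -t nat -A %s -j ACCEPT -i %s -p udp --dport 67:68",
             PORT_MAPPING_CHAIN, defwan_rel);
    system_cmd_ex(cmd);

    /* ten fixed slots, PortMapRules_0 .. PortMapRules_9 */
    for (i = 0; i <= 9; i++) {
        snprintf(PortMapRules_x, sizeof(PortMapRules_x), "PortMapRules_%d", i);
        memset(PortMapRules, 0, sizeof(PortMapRules));
        cfg_get_item(PortMapRules_x, PortMapRules, sizeof(PortMapRules));
        if ('\0' == PortMapRules[0]) {
            continue;
        }
        zte_iptables_port_map_run(PortMapRules);
        slog(NET_PRINT, SLOG_NORMAL, "zte_iptables_port_map_all_run %s: %s", PortMapRules_x, PortMapRules);
    }
}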
1307
1308/*===========================================================================
1309 Function:
1310 zte_iptables_make_filter_rule_v6
1311
1312 Description:
1313 make ipportfilter rules.
1314 example:
1315 iptables -A macipport_filter
1316 -m mac --mac-source 00:11:22:33:44:55
1317 -m iprange --src-range 192.168.1.10-192.168.1.50
1318 -m iprange --dst-range 10.128.10.10-10.128.10.100
1319 -p tcp --sport 10:2000 --dport 4000:5000
1320 -j DROP
1321
1322 Param:
1323 buf - cmd buffer to store rule cmd
1324 len - length of cmd buffer
1325 mac_address - mac address
1326 sip_1 - source ip 1
1327 sip_2 - source ip 2 (not support now)
1328 sprf_int - source ip from port
1329 sprt_int - source ip to port
1330 dip_1 - dest ip 1
1331 dip_2 - dest ip 2 (not support now)
1332 dprf_int - dest ip from port
1333 dprt_int - dest ip to port
1334 proto - protocol
1335 action - accept or drop
1336
1337 Modify Date Version Author Modification
1338 2010/07/12 V1.0 zhangyuelong10100551 Create
1339===========================================================================*/
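static void zte_iptables_make_filter_rule_v6(char *buf, int len, char *mac_address,
        char *sip_1, char *sip_2, int sprf_int, int sprt_int,
        char *dip_1, char *dip_2, int dprf_int, int dprt_int, int proto, int action)
{
    char *pos = buf;
    int remain = len;   /* bytes still free at pos, terminating NUL included */
    int rc = 0;

    /* the range end points are parsed by the caller but not supported yet */
    (void)sip_2;
    (void)dip_2;

    if (NULL == buf || len <= 0) {
        slog(NET_PRINT, SLOG_ERR, "[zte_iptables_make_filter_rule_v6]: buf NULL");
        return;
    }

    /*
     * Each fragment is written into the space left after the previous one.
     * (The size used to be computed as len - rc from the last fragment only,
     * which over-states the free space once two fragments have been written.)
     * On overflow buf is cleared: the caller runs it unconditionally and a
     * truncated filter rule could match far more than intended.
     */
    rc = snprintf(pos, (size_t)remain, "ip6tables -A %s ", IPPORT_FILTER_CHAIN);
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    pos += rc;
    remain -= rc;

    /* source mac */
    if (mac_address && mac_address[0] != '\0') {
        rc = snprintf(pos, (size_t)remain, "-m mac --mac-source %s ", mac_address);
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
        pos += rc;
        remain -= rc;
    }

    /* source ip; "any/0" is the UI's wildcard and writes no match */
    if (sip_1 && sip_1[0] != '\0' && 0 != strcmp("any/0", sip_1)) {
        rc = snprintf(pos, (size_t)remain, "-s %s ", sip_1);
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
        pos += rc;
        remain -= rc;
    }

    /* dest ip, same wildcard */
    if (dip_1 && dip_1[0] != '\0' && 0 != strcmp("any/0", dip_1)) {
        rc = snprintf(pos, (size_t)remain, "-d %s ", dip_1);
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
        pos += rc;
        remain -= rc;
    }

    /* protocol; PROTO_NONE (or anything unknown) writes no -p match */
    if (proto == PROTO_ICMP) {
        rc = snprintf(pos, (size_t)remain, "-p icmpv6 ");
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
        pos += rc;
        remain -= rc;
    } else if (proto == PROTO_TCP || proto == PROTO_UDP) {
        rc = snprintf(pos, (size_t)remain, "%s", (proto == PROTO_TCP) ? "-p tcp " : "-p udp ");
        if (rc < 0 || rc >= remain) {
            goto truncated;
        }
        pos += rc;
        remain -= rc;

        /* source port or port range; ports only make sense with tcp/udp */
        if (sprf_int) {
            if (sprt_int) {
                rc = snprintf(pos, (size_t)remain, "--sport %d:%d ", sprf_int, sprt_int);
            } else {
                rc = snprintf(pos, (size_t)remain, "--sport %d ", sprf_int);
            }
            if (rc < 0 || rc >= remain) {
                goto truncated;
            }
            pos += rc;
            remain -= rc;
        }

        /* dest port or port range */
        if (dprf_int) {
            if (dprt_int) {
                rc = snprintf(pos, (size_t)remain, "--dport %d:%d ", dprf_int, dprt_int);
            } else {
                rc = snprintf(pos, (size_t)remain, "--dport %d ", dprf_int);
            }
            if (rc < 0 || rc >= remain) {
                goto truncated;
            }
            pos += rc;
            remain -= rc;
        }
    }

    switch (action) {
    case ACTION_DROP:       /* 1 == ENABLE--DROP mode */
        rc = snprintf(pos, (size_t)remain, "-j DROP");
        break;
    case ACTION_ACCEPT:     /* 2 == ENABLE--ACCEPT mode */
        rc = snprintf(pos, (size_t)remain, "-j ACCEPT");
        break;
    default:
        /* a rule with no target used to be emitted anyway; emit nothing instead */
        slog(NET_PRINT, SLOG_ERR, "[zte_iptables_make_filter_rule_v6]: unknown action");
        buf[0] = '\0';
        return;
    }
    if (rc < 0 || rc >= remain) {
        goto truncated;
    }
    return;

truncated:
    slog(NET_PRINT, SLOG_ERR, "[zte_iptables_make_filter_rule_v6]: rule does not fit in %d bytes\n", len);
    buf[0] = '\0';
} /* zte_iptables_make_filter_rule_v6() */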
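/*
 * Allow-list for address fields that end up unquoted on a shell command line:
 * letters, digits and ": . /" cover IPv6 literals, prefixes and the "any/0"
 * wildcard. ip6tables still does the real syntax check; this only makes sure
 * a configuration value cannot become a second shell command.
 */
static int zte_fw6_addr_is_safe(const char *s)
{
    for (; *s != '\0'; s++) {
        char c = *s;
        if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
            || c == ':' || c == '.' || c == '/') {
            continue;
        }
        return 0;
    }
    return 1;
}

/*
 * Rebuild the IPv6 ip/port filter chain from configuration.
 *
 * Flushes IPPORT_FILTER_CHAIN and resets the baseline (FORWARD policy ACCEPT,
 * RELATED/ESTABLISHED accepted). When "IPPortFilterEnable" is non-zero the
 * FORWARD policy follows "DefaultFirewallPolicy" ("1" = DROP) and one rule is
 * installed per valid "IPPortFilterRulesv6_N" record, which is the comma list
 *   sip_from,sip_to,sport_from,sport_to,dip_from,dip_to,dport_from,dport_to,
 *   proto,action,comment,mac
 * (the *_to addresses and the comment are parsed but not used). A record that
 * fails any check is skipped. PROTO_TCP_UDP is split into a tcp and a udp rule.
 */
void zte_iptables_filter_run_v6(void)
{
    char filter_flag[ROUTER_DEFAULT_LEN] = {0};
    char filter_default_policy[ROUTER_DEFAULT_LEN] = {0};
    char cmd[500] = {0};
    char each_rule[ROUTER_NV_FW_RULE_MAX_LEN] = {0};
    char tmp[ROUTER_DEFAULT_LEN] = {0};
    char mac_address[ROUTER_DEFAULT_LEN] = {0};
    char sip_1[ZTE_FW_IP_ADDR_LEN_V6] = {0};
    char sip_2[ZTE_FW_IP_ADDR_LEN_V6] = {0};
    char dip_1[ZTE_FW_IP_ADDR_LEN_V6] = {0};
    char dip_2[ZTE_FW_IP_ADDR_LEN_V6] = {0};
    char sprf[ZTE_ROUTER_FW_PORT_LEN] = {0};
    char sprt[ZTE_ROUTER_FW_PORT_LEN] = {0};
    char dprf[ZTE_ROUTER_FW_PORT_LEN] = {0};
    char dprt[ZTE_ROUTER_FW_PORT_LEN] = {0};
    char protocol[ZTE_ROUTER_FW_FLAG_LEN] = {0};
    char action[ZTE_ROUTER_FW_FLAG_LEN] = {0};
    int sprf_int = 0;
    int sprt_int = 0;
    int dprf_int = 0;
    int dprt_int = 0;
    int proto = 0;
    int act = 0;
    int i = 0;

    /* flush all filter rules and restore the open baseline */
    system_cmd_ex("ip6tables -F "IPPORT_FILTER_CHAIN);
    system_cmd_ex("ip6tables -t filter -P FORWARD ACCEPT");
    system_cmd_ex("ip6tables -t filter -A "IPPORT_FILTER_CHAIN" -m state --state RELATED,ESTABLISHED -j ACCEPT");

    /* check whether to run the filter at all */
    cfg_get_item("IPPortFilterEnable", filter_flag, sizeof(filter_flag));
    if ('\0' == filter_flag[0] || 0 == atoi(filter_flag)) {
        return;
    }

    /* default policy: "1" drops forwarded traffic that no rule accepts */
    cfg_get_item("DefaultFirewallPolicy", filter_default_policy, sizeof(filter_default_policy));
    if (0 == strcmp("1", filter_default_policy)) {
        system_cmd_ex("ip6tables -t filter -P FORWARD DROP");
    } else {
        system_cmd_ex("ip6tables -t filter -P FORWARD ACCEPT");
    }

    for (i = 0; i < RULE_MAX; i++) {
        snprintf(tmp, sizeof(tmp), "IPPortFilterRulesv6_%d", i);
        memset(each_rule, 0, sizeof(each_rule));
        cfg_get_item(tmp, each_rule, sizeof(each_rule));

        /* source ip range "from" / "to" */
        if (getNthValueSafe(0, each_rule, ',', sip_1, sizeof(sip_1)) == -1
            || getNthValueSafe(1, each_rule, ',', sip_2, sizeof(sip_2)) == -1) {
            continue;
        }
        /* source port range "from" / "to" */
        if (getNthValueSafe(2, each_rule, ',', sprf, sizeof(sprf)) == -1
            || getNthValueSafe(3, each_rule, ',', sprt, sizeof(sprt)) == -1) {
            continue;
        }
        /* dst ip range "from" / "to" */
        if (getNthValueSafe(4, each_rule, ',', dip_1, sizeof(dip_1)) == -1
            || getNthValueSafe(5, each_rule, ',', dip_2, sizeof(dip_2)) == -1) {
            continue;
        }
        /* dst port range "from" / "to" */
        if (getNthValueSafe(6, each_rule, ',', dprf, sizeof(dprf)) == -1
            || getNthValueSafe(7, each_rule, ',', dprt, sizeof(dprt)) == -1) {
            continue;
        }
        /* protocol and action */
        if (getNthValueSafe(8, each_rule, ',', protocol, sizeof(protocol)) == -1
            || getNthValueSafe(9, each_rule, ',', action, sizeof(action)) == -1) {
            continue;
        }
        /* field 10 is the free-text comment; field 11 the optional source mac */
        if (getNthValueSafe(11, each_rule, ',', mac_address, sizeof(mac_address)) == -1) {
            continue;
        }
        if (mac_address[0] != '\0' && !isMacValid(mac_address)) {
            continue;
        }

        /*
         * The addresses go unquoted onto an ip6tables command line; there is no
         * IPv6 validator here, so reject anything outside the address alphabet.
         */
        if (!zte_fw6_addr_is_safe(sip_1) || !zte_fw6_addr_is_safe(dip_1)) {
            continue;
        }

        /* ports: 0 means "not set"; anything outside 0..65535 is rejected (negatives used to pass) */
        sprf_int = atoi(sprf);
        sprt_int = atoi(sprt);
        dprf_int = atoi(dprf);
        dprt_int = atoi(dprt);
        if (sprf_int < 0 || sprf_int > 65535 || sprt_int < 0 || sprt_int > 65535
            || dprf_int < 0 || dprf_int > 65535 || dprt_int < 0 || dprt_int > 65535) {
            continue;
        }

        proto = atoi(protocol);
        act = atoi(action);

        if (PROTO_TCP_UDP == proto) {
            /*
             * One rule per protocol. Both halves carry the mac match: the udp
             * half used to be built with a NULL mac, which made it apply to
             * every source MAC instead of the configured one.
             */
            zte_iptables_make_filter_rule_v6(cmd, sizeof(cmd), mac_address,
                    sip_1, sip_2, sprf_int, sprt_int, dip_1, dip_2, dprf_int, dprt_int, PROTO_TCP, act);
            system_cmd_ex(cmd);

            zte_iptables_make_filter_rule_v6(cmd, sizeof(cmd), mac_address,
                    sip_1, sip_2, sprf_int, sprt_int, dip_1, dip_2, dprf_int, dprt_int, PROTO_UDP, act);
            system_cmd_ex(cmd);
        } else {
            zte_iptables_make_filter_rule_v6(cmd, sizeof(cmd), mac_address,
                    sip_1, sip_2, sprf_int, sprt_int, dip_1, dip_2, dprf_int, dprt_int, proto, act);
            system_cmd_ex(cmd);
        }
    }
}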
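/*
 * Allow-list for URL filter entries that end up unquoted on a shell command
 * line: letters, digits and the URL punctuation ". - _ / : % = + @". Anything
 * else (whitespace, quotes, ; | & $ ` < > ( ) * ? # ~ ...) is rejected so a
 * configuration entry can never become a second shell command.
 */
static int zte_url_entry_is_shell_safe(const char *s)
{
    for (; *s != '\0'; s++) {
        char c = *s;
        if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')) {
            continue;
        }
        if (c == '.' || c == '-' || c == '_' || c == '/' || c == ':'
            || c == '%' || c == '=' || c == '+' || c == '@') {
            continue;
        }
        return 0;
    }
    return 1;
}

/*
 * Rebuild the URL filter chain from "websURLFilters".
 *
 * Flushes WEB_FILTER_CHAIN, then for every ';'-separated entry strips an
 * optional leading "http://" and appends a tcp REJECT (tcp-reset) rule matched
 * by the webstr module. Entries that are empty or contain characters outside
 * the URL allow-list are logged and skipped.
 *
 * The exact hex-string match this function used before was replaced by the
 * webstr fuzzy match (comlee, 2016-04-08); the disabled old code and its
 * old_url_list bookkeeping have been removed.
 */
void zte_iptables_Webs_Filter_Run(void)
{
    char url_filter[ZTE_ROUTER_URL_FILTER_LEN] = {0};
    char entry[ROUTER_NV_ITEM_VALUE_MAX_LEN] = {0};
    char cmd[ROUTER_NV_ITEM_VALUE_MAX_LEN] = {0};
    char sys_cmd_bufer[500] = {0};
    const char *prefix = "http://";
    size_t prefix_len = strlen(prefix);
    int i = 0;

    /* flush filter chain */
    snprintf(sys_cmd_bufer, sizeof(sys_cmd_bufer), "iptables -F %s %s", WEB_FILTER_CHAIN, FMT_ECHO_IPTABLES_CMD);
    system_cmd_ex(sys_cmd_bufer);

    cfg_get_item("websURLFilters", url_filter, sizeof(url_filter));

    while (getNthValueSafe(i++, url_filter, ';', entry, sizeof(entry)) != -1) {
        if ('\0' == entry[0]) {
            continue;
        }

        /*
         * Strip a leading "http://". memmove, because source and destination
         * overlap: the previous strncpy on the same buffer was undefined behaviour.
         */
        if (0 == strncasecmp(entry, prefix, prefix_len)) {
            memmove(entry, entry + prefix_len, strlen(entry + prefix_len) + 1);
        }
        if ('\0' == entry[0]) {
            continue;
        }
        if (!zte_url_entry_is_shell_safe(entry)) {
            slog(NET_PRINT, SLOG_ERR, "[zte_iptables_Webs_Filter_Run]: url entry skipped, unsafe characters\n");
            continue;
        }

        /*
         * NOTE(review): the rule is appended to the literal chain "web_filter"
         * while the flush above uses WEB_FILTER_CHAIN - confirm both name the
         * same chain.
         */
        snprintf(cmd, sizeof(cmd), "iptables -A web_filter -p tcp -m tcp -m webstr --url %s -j REJECT --reject-with tcp-reset", entry);
        system_cmd_ex(cmd);
    }
}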
/*
 * Run every filter-table builder this module owns, in this fixed order:
 * IPv4 ip/port filter, IPv6 ip/port filter, system firewall rules, URL filter
 * and finally the parental-control ("child") filter.
 */
static void zte_iptables_all_filter_run(void)
{
    zte_iptables_filter_run();          /* ipv4 ip/port filter */
    zte_iptables_filter_run_v6();       /* ipv6 ip/port filter */
    zte_iptables_sys_fw_run();          /* system filter */
    zte_iptables_Webs_Filter_Run();     /* url filter */
    zte_iptables_child_filter_run();    /* parental-control mode rules */
}
1603
/*
 * Hook the parental-control chain into INPUT and apply the time-limit state.
 *
 * g_limit_time_flag (file-level extern): 0 = no internet-time restriction,
 * 1 = restrict internet time; any other value leaves the time-limit state as is.
 *
 * NOTE(review): the "-A INPUT -j children_web_filter" jump is appended on every
 * call and never deleted here, so repeated calls would stack duplicate jumps -
 * confirm this runs once per boot, or delete the jump before re-adding it.
 */
void zte_iptables_child_filter_run(void)
{
    system_cmd_ex("iptables -t filter -A INPUT -j children_web_filter");

    switch (g_limit_time_flag) {
    case 1:
        zte_children_start_nonet();
        break;
    case 0:
        zte_children_stop_nonet();
        break;
    default:
        break;
    }
}
1618
/*
 * Run every nat-table builder this module owns, in this fixed order:
 * port forwarding, port mapping, DMZ.
 */
static void zte_iptables_all_nat_run(void)
{
    /* port forward */
    zte_iptables_port_forward_run();

    /* port mapping (EC: 616000297057, reason: the network did not support port mapping) */
    zte_iptables_port_map_all_run();

    /* DMZ */
    zte_iptables_DMZ_Run();
}
1632
1633
/*
 * Apply the ALG (application layer gateway) settings:
 *   alg_sip_enable - "1" loads the SIP conntrack helper module, any other
 *                    value unloads it
 *   alg_ftp_enable - "0" installs an ftp_filter chain in FORWARD that drops
 *                    tcp/21; otherwise the chain is only flushed
 * and then runs vpn_pthr_contrl.sh for VPN pass-through.
 *
 * NOTE(review): ftp_filter is flushed but the "-I FORWARD 2" jump is never
 * removed, so every call with ftp disabled adds one more jump - confirm this
 * is only reached once per configuration change, or delete the jump first.
 */
void alg_control_fun(void)
{
    char buf[32] = {0};
    int sip_enable = 0;
    int ftp_enable = 0;

    cfg_get_item("alg_sip_enable", buf, sizeof(buf));
    sip_enable = atoi(buf);

    memset(buf, 0x00, sizeof(buf));
    cfg_get_item("alg_ftp_enable", buf, sizeof(buf));
    ftp_enable = atoi(buf);

    slog(NET_PRINT, SLOG_NORMAL, "into ***** alg_control_fun");

    /* ALG: sip function control (module path is fixed to the 2.6.21 kernel tree) */
    if (sip_enable == 1) {
        slog(NET_PRINT, SLOG_NORMAL, "insmod sip module");
        system_cmd_ex("insmod /lib/modules/2.6.21/kernel/net/netfilter/nf_conntrack_sip.ko");
    } else {
        slog(NET_PRINT, SLOG_NORMAL, "rmmod sip module");
        system_cmd_ex("rmmod nf_conntrack_sip");
    }

    /* ALG: ftp service control - always flush, only re-populate when ftp is disabled */
    system_cmd_ex("iptables -t filter -F ftp_filter");
    if (ftp_enable == 0) {
        slog(NET_PRINT, SLOG_NORMAL, "shutdown ftp service");
        system_cmd_ex("iptables -t filter -N ftp_filter");
        system_cmd_ex("iptables -t filter -I FORWARD 2 -j ftp_filter");
        system_cmd_ex("iptables -t filter -A ftp_filter -p tcp --dport 21 -j DROP");
    }

    /* ALG: vpn pass-through control */
    system_cmd_ex("vpn_pthr_contrl.sh");
    slog(NET_PRINT, SLOG_NORMAL, "end alg_control_fun");
}
/*
 * Bring up the router firewall and NAT at start-up.
 *
 * Runs firewall_init.sh, caches the WAN interface names from the
 * "default_wan_rel" / "default_wan6_rel" items into the file-level defwan_rel
 * and defwan6_rel buffers, then builds all filter chains and all NAT chains.
 *
 * defwan_rel is spliced unquoted into iptables commands by the rule builders;
 * it is expected to be an interface name set by the system rather than by the
 * user - confirm against whoever writes "default_wan_rel".
 */
void zte_router_init(void)
{
    slog(NET_PRINT, SLOG_NORMAL, "===============init firewall=================== \n");

    /* base firewall / nat set-up script */
    system_cmd_ex("firewall_init.sh");

    /* wan interface names used for the -i matches */
    memset(defwan_rel, 0, sizeof(defwan_rel));
    cfg_get_item("default_wan_rel", defwan_rel, sizeof(defwan_rel));

    memset(defwan6_rel, 0, sizeof(defwan6_rel));
    cfg_get_item("default_wan6_rel", defwan6_rel, sizeof(defwan6_rel));

    zte_iptables_all_filter_run();
    zte_iptables_all_nat_run();

    slog(NET_PRINT, SLOG_NORMAL, "zte_router_init end \n");
}
1689
1690