ASR_BASE

Change-Id: Icf3719cc0afe3eeb3edc7fa80a2eb5199ca9dda1
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
new file mode 100644
index 0000000..108e8b3
--- /dev/null
+++ b/package/network/config/firewall/files/firewall.config
@@ -0,0 +1,266 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	list   network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan0'
+	list   network		'wan1'
+	list   network		'wan2'
+	list   network		'wan3'
+	list   network		'wan4'
+	list   network		'wan5'
+	list   network		'wan6'
+	list   network		'wan7'
+	list   network		'wan8'
+	list   network		'wan9'
+	list   network		'wan10'
+	list   network		'wan11'
+	list   network		'wan12'
+	list   network		'wan13'
+	list   network		'wan14'
+	list   network		'wan15'
+	list   network		'wan60'
+	list   network		'wan61'
+	list   network		'wan62'
+	list   network		'wan63'
+	list   network		'wan64'
+	list   network		'wan65'
+	list   network		'wan66'
+	list   network		'wan67'
+	list   network		'wan68'
+	list   network		'wan69'
+	list   network		'wan610'
+	list   network		'wan611'
+	list   network		'wan612'
+	list   network		'wan613'
+	list   network		'wan614'
+	list   network		'wan615'
+	list   network		'wlan'
+	list   network		'wlan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+#IMS needed rules
+config rule
+	option name		Allow-SIP
+	option src		wan
+	option proto		tcpudp
+	option dest_port	5060
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ESP
+	option src		wan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-RTP-port-range
+	option src		wan
+	option proto		udp
+	option dest_port	4040:4060
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ipsec-port-range
+	option src		wan
+	option proto		tcpudp
+	option dest_port	10000:101023
+	option target		ACCEPT
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://github.com/openwrt/openwrt/issues/5066
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		lan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		lan
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+	option name		Support-UDP-Traceroute
+	option src		wan
+	option dest_port	33434:33689
+	option proto		udp
+	option family		ipv4
+	option target		REJECT
+	option enabled		false
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
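Review bot: The `Allow-ipsec-port-range` rule (L92–L97) uses `option dest_port 10000:101023`, and 101023 is above the 65535 maximum for a port, so fw3 will either refuse the rule or the range will not mean what was intended; the same value appears in firewall_dual_apn.config (L491). The upper bound should be replaced with the intended port, e.g. `option dest_port	10000:<INTENDED_UPPER_PORT>` with the real value filled in, and since the rule accepts tcp and udp from the whole wan zone into the device itself, adding `option src_ip` for the IMS/ePDG peer addresses where they are known would narrow the exposure. Separately, the `Allow-DHCPv6` rule here (L127–L133) has no source/destination restriction while the dual_apn variant adds `option src_ip fc00::/6` and `option dest_ip fc00::/6` (L526–L527); unless the omission is deliberate the two files should agree.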
diff --git a/package/network/config/firewall/files/firewall.hotplug b/package/network/config/firewall/files/firewall.hotplug
new file mode 100644
index 0000000..2d8f9a7
--- /dev/null
+++ b/package/network/config/firewall/files/firewall.hotplug
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
+[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
+
+ram_getsize()
+{
+    sed 's/^.* mem=//;t n;d;:n;s/M.*//' /proc/cmdline
+}
+[ $(ram_getsize) == 64 ] && echo 3 > /proc/sys/vm/drop_caches
+
+/etc/init.d/firewall enabled || exit 0
+
+fw3 -q network "$INTERFACE" >/dev/null || exit 0
+
+logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)"
+fw3 -q reload
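Review bot: `[ $(ram_getsize) == 64 ]` (L291) is unquoted and uses `==`, which POSIX `test` does not define; when /proc/cmdline carries no `mem=` parameter the function prints nothing and the test collapses to `[ == 64 ]`, producing an error message on every ifup instead of a clean false. Write it as `[ "$(ram_getsize)" = 64 ] && echo 3 > /proc/sys/vm/drop_caches`. The cache drop itself has nothing to do with the firewall and runs before the `enabled` check (L293); a comment such as `# Free page cache on 64 MB boards before fw3 reload` would at least record why it lives in this hook, and a separate hotplug script would be the cleaner home.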
diff --git a/package/network/config/firewall/files/firewall.init b/package/network/config/firewall/files/firewall.init
new file mode 100755
index 0000000..a9462a8
--- /dev/null
+++ b/package/network/config/firewall/files/firewall.init
@@ -0,0 +1,97 @@
+#!/bin/sh /etc/rc.common
+
+START=12
+USE_PROCD=1
+QUIET=""
+
+validate_firewall_redirect()
+{
+	uci_validate_section firewall redirect "${1}" \
+		'proto:or(uinteger, string)' \
+		'src:string' \
+		'src_ip:cidr' \
+		'src_dport:or(port, portrange)' \
+		'dest:string' \
+		'dest_ip:cidr' \
+		'dest_port:or(port, portrange)' \
+		'target:or("SNAT", "DNAT")'
+}
+
+validate_firewall_rule()
+{
+	uci_validate_section firewall rule "${1}" \
+		'proto:or(uinteger, string)' \
+		'src:string' \
+		'dest:string' \
+		'src_port:or(port, portrange)' \
+		'dest_port:or(port, portrange)' \
+		'target:string'
+}
+
+service_triggers() {
+	procd_add_reload_trigger firewall	
+
+	procd_open_validate
+	validate_firewall_redirect
+	validate_firewall_rule
+	procd_close_validate
+}
+
+restart() {
+	fw3 restart
+}
+
+start_service() {
+	fw3 ${QUIET} start
+}
+
+stop_service() {
+	fw3 flush
+}
+
+reload_service() {
+	fw3 reload
+}
+
+boot() {
+	# Be silent on boot, firewall might be started by hotplug already,
+	# so don't complain in syslog.
+	PIPE=`uci get cmdline.PIPE 2> /dev/null`
+	PRODMODE=`uci get cmdline.PROD 2> /dev/null`
+	[ "$PRODMODE" == "0" ] && {
+	for i in $(seq 0 20)
+	do
+	if [ "$PIPE" != "1" ]; then
+		for j in $(seq 0 7)
+		do
+		local var=`ifconfig ccinet$j | grep "inet addr" | awk '{print $2}'`
+		local ipaddr=`echo ${var##*:}`
+		local ip6addr=`ifconfig ccinet$j | grep "inet6 addr" | grep "Global" | awk '{print $3}'`
+		if [ "$ipaddr" -o "$ip6addr" ]; then
+			break
+		fi
+		done
+		if [ "$ipaddr" -o "$ip6addr" ]; then
+			echo "wan$j ipaddr: $ipaddr" > /dev/kmsg
+			echo "wan$j ip6addr: $ip6addr" > /dev/kmsg
+			break
+		else
+			sleep 1
+		fi
+	else
+		local ipaddr=`ifconfig br-lan | grep "inet addr" | awk '{print $2}'`
+		local dhcp_range=`cat /tmp/etc/dnsmasq.conf | grep "dhcp-range"`
+		if [ -z "$ipaddr" -o -z "$dhcp_range" ]; then
+			sleep 1
+		else
+			echo "$ipaddr" > /dev/kmsg
+			echo "$dhcp_range" > /dev/kmsg
+			break
+		fi
+	fi
+	done
+	}
+
+	QUIET=-q
+	start
+}
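Review bot: `boot()` (L360–L401) defers `start` behind a polling loop that can sleep for up to ~21 s waiting for a ccinet interface or br-lan/dnsmasq to come up, so in production mode the firewall is not loaded by the init script until that wait ends; the hotplug handler may reload it earlier on ifup, but this script should not depend on that. The polling only emits diagnostics to /dev/kmsg and does not influence fw3, so moving `QUIET=-q` and `start` ahead of the `[ "$PRODMODE" == "0" ] && { ... }` block keeps the logging while closing the gap. `==` in that test (L365) is not POSIX `test` syntax; `[ "$PRODMODE" = "0" ]` is the portable form. Note also that `local ipaddr`/`local ip6addr` declared inside the inner loop (L371–L373) are function-scoped in ash, which is what makes the checks after the loop (L378) work; a comment saying so, or declaring them once at the top of the function, would make that intent explicit. L336 carries trailing whitespace after `procd_add_reload_trigger firewall`.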
diff --git a/package/network/config/firewall/files/firewall.user b/package/network/config/firewall/files/firewall.user
new file mode 100644
index 0000000..6f79906
--- /dev/null
+++ b/package/network/config/firewall/files/firewall.user
@@ -0,0 +1,7 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
diff --git a/package/network/config/firewall/files/firewall_dual_apn.config b/package/network/config/firewall/files/firewall_dual_apn.config
new file mode 100644
index 0000000..478bf0c
--- /dev/null
+++ b/package/network/config/firewall/files/firewall_dual_apn.config
@@ -0,0 +1,252 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		ACCEPT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	list   network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan0'
+	list   network		'wan1'
+	list   network		'wan2'
+	list   network		'wan3'
+	list   network		'wan4'
+	list   network		'wan5'
+	list   network		'wan6'
+	list   network		'wan7'
+	list   network		'wan60'
+	list   network		'wan61'
+	list   network		'wan62'
+	list   network		'wan63'
+	list   network		'wan64'
+	list   network		'wan65'
+	list   network		'wan66'
+	list   network		'wan67'
+	list   network		'wlan'
+	list   network		'wlan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+#IMS needed rules
+config rule
+	option name		Allow-SIP
+	option src		wan
+	option proto		tcpudp
+	option dest_port	5060
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ESP
+	option src		wan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-RTP-port-range
+	option src		wan
+	option proto		udp
+	option dest_port	4040:4060
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ipsec-port-range
+	option src		wan
+	option proto		tcpudp
+	option dest_port	10000:101023
+	option target		ACCEPT
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fc00::/6
+	option dest_ip		fc00::/6
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		lan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		lan
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+# allow interoperability with traceroute classic
+# note that traceroute uses a fixed port range, and depends on getting
+# back ICMP Unreachables.  if we're operating in DROP mode, it won't
+# work so we explicitly REJECT packets on these ports.
+config rule
+	option name		Support-UDP-Traceroute
+	option src		wan
+	option dest_port	33434:33689
+	option proto		udp
+	option family		ipv4
+	option target		REJECT
+	option enabled		false
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
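Review bot: The `defaults` section sets `option forward ACCEPT` (L425), whereas firewall.config keeps the upstream `REJECT` (L14); in fw3 that policy applies to forwarded traffic that no zone claims, so any interface this variant leaves out of the wan zone (its list stops at wan7/wan67 while the base file goes to wan15/wan615) would be forwarded without any rule if such interfaces exist. If the goal is to let the two APN paths reach each other, `option forward REJECT` plus an explicit `config forwarding` section between the relevant zones expresses that without opening the default. The out-of-range `10000:101023` value at L491 is the same defect noted for firewall.config.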