firewall: add support for brcm fullconenat

2022-12-01 02:39:31 +08:00 · 2022-12-01 02:39:31 +08:00 · 956d45fcf2
commit 956d45fcf2
parent 0a8ebb3c13
2 changed files with 61 additions and 1 deletions
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@ -9,7 +9,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=firewall
-PKG_RELEASE:=1.1
+PKG_RELEASE:=2

 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
--- a/package/network/config/firewall/patches/101-bcm-fullconenat.patch
+++ b/package/network/config/firewall/patches/101-bcm-fullconenat.patch
@ -0,0 +1,60 @@
+--- a/defaults.c
+++ b/defaults.c
+@@ -49,7 +49,7 @@ const struct fw3_option fw3_flag_opts[]
+ 	FW3_OPT("synflood_rate",       limit,    defaults, syn_flood_rate),
+ 	FW3_OPT("synflood_burst",      int,      defaults, syn_flood_rate.burst),
+ 	
+-	FW3_OPT("fullcone",           bool,     defaults, fullcone),
+	FW3_OPT("fullcone",           int,     defaults, fullcone),
+ 	
+ 	FW3_OPT("tcp_syncookies",      bool,     defaults, tcp_syncookies),
+ 	FW3_OPT("tcp_ecn",             int,      defaults, tcp_ecn),
+--- a/options.h
+++ b/options.h
+@@ -98,6 +98,13 @@ enum fw3_reject_code
+ 	__FW3_REJECT_CODE_MAX
+ };
+ 
+enum fullcone_code
+{
+	FULLCONE_DISABLED = 0,
+	FULLCONE_CHION = 1,
+	FULLCONE_BCM = 2,
+};
+
+ extern const char *fw3_flag_names[__FW3_FLAG_MAX];
+ 
+ 
+@@ -297,7 +304,7 @@ struct fw3_defaults
+ 	enum fw3_reject_code any_reject_code;
+ 
+ 	bool syn_flood;
+-	bool fullcone;
+	int fullcone;
+ 	struct fw3_limit syn_flood_rate;
+ 
+ 	bool tcp_syncookies;
+--- a/zones.c
+++ b/zones.c
+@@ -757,7 +757,7 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 					r = fw3_ipt_rule_new(handle);
+ 					fw3_ipt_rule_src_dest(r, msrc, mdest);
+ 					/*FIXME: Workaround for FULLCONE-NAT*/
+-					if(defs->fullcone)
+					if(defs->fullcone == FULLCONE_CHION)
+ 					{
+ 						warn("%s will enable FULLCONE-NAT", zone->name);
+ 						fw3_ipt_rule_target(r, "FULLCONENAT");
+@@ -767,6 +767,12 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 						fw3_ipt_rule_target(r, "FULLCONENAT");
+ 						fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
+ 					}
+					else if (defs->fullcone == FULLCONE_BCM)
+					{
+						fw3_ipt_rule_target(r, "MASQUERADE");
+						fw3_ipt_rule_extra(r, "--mode fullcone");
+						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+					}
+ 					else
+ 					{
+ 						fw3_ipt_rule_target(r, "MASQUERADE");