[openwrt/openwrt] dropbear: enable configurable port forwarding options

LEDE Commits lede-commits at lists.infradead.org
Mon Dec 8 09:53:45 PST 2025


ansuel pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/83f6177dbf44fa92ecf6d2e1cda9f92cfc5fe849

commit 83f6177dbf44fa92ecf6d2e1cda9f92cfc5fe849
Author: Petr Štetiar <ynezz at true.cz>
AuthorDate: Sat Dec 6 18:34:37 2025 +0000

    dropbear: enable configurable port forwarding options
    
    Currently it's only possible to disable port forwarding for specific
    keys, via the OpenSSH-style restriction in the `authorized_keys` file.
    
    In some use cases it might be desirable to disable such features globally
    at the service level, so let's add new LocalPortForward and RemotePortForward
    config knobs.
    
    Signed-off-by: Petr Štetiar <ynezz at true.cz>
    Link: https://github.com/openwrt/openwrt/pull/21071
    Signed-off-by: Christian Marangi <ansuelsmth at gmail.com>
---
 package/network/services/dropbear/files/dropbear.config | 2 ++
 package/network/services/dropbear/files/dropbear.init   | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/package/network/services/dropbear/files/dropbear.config b/package/network/services/dropbear/files/dropbear.config
index 7eb5975449..7957cd6a49 100644
--- a/package/network/services/dropbear/files/dropbear.config
+++ b/package/network/services/dropbear/files/dropbear.config
@@ -5,3 +5,5 @@ config dropbear main
 	option RootPasswordAuth 'on'
 	option Port         '22'
 #	option BannerFile   '/etc/banner'
+#	option LocalPortForward 'off'
+#	option RemotePortForward 'off'
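Review bot: The two commented samples on the added lines show 'off', but nothing in the file tells an administrator that both options default to on (the validation entries added in dropbear.init are `bool:1`), so an untouched install keeps accepting forwarding requests. A one-line comment above them would make that explicit, for example `# Port forwarding is allowed by default; set to 'off' to refuse it for every key`. The accompanying documentation should also say that these knobs only stop forwarding through dropbear itself: an account that still gets an interactive shell can run its own relay, so they are most effective combined with restricted accounts or a ForceCommand.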
diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
index 2f5d9698eb..d5eb44bf75 100755
--- a/package/network/services/dropbear/files/dropbear.init
+++ b/package/network/services/dropbear/files/dropbear.init
@@ -178,6 +178,8 @@ validate_section_dropbear()
 		'IdleTimeout:uinteger:0' \
 		'MaxAuthTries:uinteger:3' \
 		'RecvWindowSize:uinteger:0' \
+		'LocalPortForward:bool:1' \
+		'RemotePortForward:bool:1' \
 		'mdns:bool:1'
 }
 
@@ -317,6 +319,8 @@ dropbear_instance()
 	fi
 	[ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
 	[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
+	[ "${LocalPortForward}" -eq 0 ] && procd_append_param command -j
+	[ "${RemotePortForward}" -eq 0 ] && procd_append_param command -k
 	[ -n "${ForceCommand}" ] && procd_append_param command -c "${ForceCommand}"
 	[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
 	[ "${RootLogin}" -eq 0 ] && procd_append_param command -w
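Review bot: The `-a` flag on the GatewayPorts line just above the additions is still appended when RemotePortForward is 0, which leaves a configuration where GatewayPorts is presumably accepted but has no effect once `-k` refuses remote forwards. Either gate it, `[ "${GatewayPorts}" -eq 1 ] && [ "${RemotePortForward}" -eq 1 ] && procd_append_param command -a`, or log a warning so the conflicting settings are visible to the administrator. The single-letter flags are also opaque to someone auditing the init script; a short comment such as `# -j / -k: refuse local / remote port forwarding for all sessions` above the two new lines would help. dropbear_instance's body starts and ends outside the hunk.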



