[LEDE-DEV] [PATCH v2] dropbear: automatically add firewall rules based on the config

John Crispin john at phrozen.org
Thu Apr 26 21:43:59 PDT 2018



On 18/04/18 15:49, Pierre Lebleu wrote:
> An extra option (AllowedClientIPs:list) is available to allow
> specific clients to use this service.
Hi,

The commit description fails to mention the firewall rules being added.

> v2: do not create the firewall data if there is no valid interface.

This v2 note needs to go below the tear line.

one more comment inline ...

>
> Signed-off-by: Pierre Lebleu <pme.lebleu at gmail.com>
> ---
>   .../network/services/dropbear/files/dropbear.init  | 49 ++++++++++++++++++++--
>   1 file changed, 46 insertions(+), 3 deletions(-)
>
> diff --git a/package/network/services/dropbear/files/dropbear.init b/package/network/services/dropbear/files/dropbear.init
> index 2225113..38cb674 100755
> --- a/package/network/services/dropbear/files/dropbear.init
> +++ b/package/network/services/dropbear/files/dropbear.init
> @@ -43,15 +43,41 @@ validate_section_dropbear()
>   		'IdleTimeout:uinteger:0' \
>   		'MaxAuthTries:uinteger:3' \
>   		'RecvWindowSize:uinteger:0' \
> +		'AllowedClientIPs:list(ipaddr)' \
>   		'mdns:bool:1'
>   }
>   
> +add_fw_rules()
> +{
> +	local intf="$1"
> +	local port="$2"
> +	local client="$3"
> +
> +	[ -z "${intf}" ] && return
> +	local zone=$(fw3 -q network "${intf}")
> +	[ -z "${zone}" ] && return
> +
> +	json_add_array firewall
> +
> +	json_add_object ""
> +	json_add_string type rule
> +	json_add_string src "${zone}"
> +	json_add_string proto tcp
> +	json_add_string dest_port "${port}"
> +	[ -n "${client}" ] && json_add_string src_ip "${client}"


I have to admit that I am not sure if this is a good approach. The rule
should not be added for anything but the explicitly allowed IPs.

     John

> +	json_add_string target ACCEPT
> +	json_close_object
> +
> +	json_close_array
> +}
> +
>   dropbear_instance()
>   {
>   	local PasswordAuth enable Interface GatewayPorts \
>   		RootPasswordAuth RootLogin rsakeyfile \
>   		BannerFile Port SSHKeepAlive IdleTimeout \
> -		MaxAuthTries RecvWindowSize mdns ipaddrs
> +		MaxAuthTries RecvWindowSize AllowedClientIPs \
> +		mdns ipaddrs
>   
>   	validate_section_dropbear "${1}" || {
>   		echo "validation failed"
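Review bot: `json_add_string src_ip "${client}"` in add_fw_rules writes the whole of `$3` as one string, but `AllowedClientIPs` is validated as `list(ipaddr)` and the call site in the third hunk passes it as `"${AllowedClientIPs}"`, so with more than one allowed address the rule carries a single space-separated src_ip value. Whether fw3 splits such a string when it reads rules from procd data is not visible here, so it would be safer not to depend on it: emit one entry per address, e.g. `json_add_array src_ip; for ip in ${client}; do json_add_string "" "${ip}"; done; json_close_array`, or loop in the caller and open one rule per address. The function header also deserves a short comment stating that an empty `intf` or an unresolvable zone makes the function return without adding any firewall data, since that is the v2 behaviour the description relies on. dropbear_instance continues outside this hunk.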
> @@ -69,7 +95,8 @@ dropbear_instance()
>   	PIDCOUNT="$(( ${PIDCOUNT} + 1))"
>   	local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
>   
> -	procd_open_instance
> +	procd_open_instance "${1}"
> +
>   	procd_set_param command "$PROG" -F -P "$pid_file"
>   	[ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
>   	[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
> @@ -83,8 +110,20 @@ dropbear_instance()
>   	[ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
>   	[ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \
>   		procd_append_param command -W "${RecvWindowSize}"
> -	[ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
>   	procd_set_param respawn
> +
> +	procd_open_data
> +
> +	[ "${mdns}" -ne 0 ] && {
> +		json_add_object "mdns"
> +		procd_add_mdns_service "ssh" "tcp" "$Port" "daemon=dropbear"
> +		json_close_object
> +	}
> +
> +	add_fw_rules "${Interface}" "${Port}" "${AllowedClientIPs}"
> +
> +	procd_close_data
> +
>   	procd_close_instance
>   }
>   
> @@ -130,6 +169,10 @@ start_service()
>   	config_foreach dropbear_instance dropbear
>   }
>   
> +service_started() {
> +	procd_set_config_changed firewall
> +}
> +
>   service_triggers()
>   {
>   	local interfaces
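Review bot: `service_started() {` uses a brace on the signature line while every other function in this file (`dropbear_instance()`, `service_triggers()`) puts the brace on its own line; `service_started()` followed by `{` on the next line keeps the file consistent. Separately, only the start path asks procd to reload the firewall; whether the ACCEPT rule pushed through procd data is withdrawn from the live ruleset when the instance is stopped cannot be confirmed from this hunk, so if it is not, a matching `service_stopped() { procd_set_config_changed firewall; }` would avoid leaving the port open after the service goes down.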



