firewall3: add udp/icmp flood protection
Petr Štetiar
ynezz at true.cz
Tue Dec 22 05:55:45 EST 2020
Maksym Kovalchuck <monkeyukraine at gmail.com> [2020-11-04 15:40:04]:
Please add proper commit description, see openwrt.org/submitting-patches for
details
> Signed-off-by: Maksym Kovalchuck <maksym.kovalchuck-ext at sagemcom.com>
> ---
> defaults.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> options.h | 14 +++++++++++---
> 2 files changed, 65 insertions(+), 3 deletions(-)
>
> diff --git a/defaults.c b/defaults.c
> index f03765c..a8c9d4d 100644
> --- a/defaults.c
> +++ b/defaults.c
> @@ -28,6 +28,8 @@ static const struct fw3_chain_spec default_chains[] = {
> C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"),
> C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
> C(ANY, FILTER, SYN_FLOOD, "syn_flood"),
> + C(ANY, FILTER, UDP_FLOOD, "udp_flood"),
> + C(ANY, FILTER, ICMP_FLOOD, "icmp_flood"),
>
> C(V4, NAT, CUSTOM_CHAINS, "prerouting_rule"),
> C(V4, NAT, CUSTOM_CHAINS, "postrouting_rule"),
> @@ -49,6 +51,14 @@ const struct fw3_option fw3_flag_opts[] = {
> FW3_OPT("synflood_rate", limit, defaults, syn_flood_rate),
> FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst),
>
> + FW3_OPT("udpflood_protect", bool, defaults, udp_flood),
> + FW3_OPT("udpflood_rate", limit, defaults, udp_flood_rate),
> + FW3_OPT("udpflood_burst", int, defaults, udp_flood_rate.burst),
> +
> + FW3_OPT("icmpflood_protect", bool, defaults, icmp_flood),
> + FW3_OPT("icmpflood_rate", limit, defaults, icmp_flood_rate),
> + FW3_OPT("icmpflood_burst", int, defaults, icmp_flood_rate.burst),
> +
> FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies),
> FW3_OPT("tcp_ecn", int, defaults, tcp_ecn),
> FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling),
> @@ -144,6 +154,10 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
> defs->any_reject_code = FW3_REJECT_CODE_PORT_UNREACH;
> defs->syn_flood_rate.rate = 25;
> defs->syn_flood_rate.burst = 50;
> + defs->udp_flood_rate.rate = 50;
> + defs->udp_flood_rate.burst = 50;
> + defs->icmp_flood_rate.rate = 10;
> + defs->icmp_flood_rate.burst = 1;
> defs->tcp_syncookies = true;
> defs->tcp_window_scaling = true;
> defs->custom_chains = true;
> @@ -201,6 +215,12 @@ fw3_print_default_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
> if (defs->syn_flood)
> set(defs->flags, handle->family, FW3_FLAG_SYN_FLOOD);
>
> + if (defs->udp_flood)
> + set(defs->flags, handle->family, FW3_FLAG_UDP_FLOOD);
> +
> + if (defs->icmp_flood)
> + set(defs->flags, handle->family, FW3_FLAG_ICMP_FLOOD);
> +
> for (c = default_chains; c->format; c++)
> {
> /* don't touch user chains on selective stop */
> @@ -231,6 +251,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> struct fw3_defaults *defs = &state->defaults;
> struct fw3_device lodev = { .set = true };
> struct fw3_protocol tcp = { .protocol = 6 };
> + struct fw3_protocol udp = { .protocol = 17 };
> + struct fw3_protocol icmp = { .protocol = 1 };
> struct fw3_ipt_rule *r;
>
> const char *chains[] = {
> @@ -309,6 +331,38 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
> fw3_ipt_rule_append(r, "INPUT");
> }
>
> + if (defs->udp_flood)
> + {
> + r = fw3_ipt_rule_create(handle, &udp, NULL, NULL, NULL, NULL);
> + fw3_ipt_rule_limit(r, &defs->udp_flood_rate);
> + fw3_ipt_rule_target(r, "RETURN");
> + fw3_ipt_rule_append(r, "udp_flood");
> +
> + r = fw3_ipt_rule_new(handle);
> + fw3_ipt_rule_target(r, "DROP");
> + fw3_ipt_rule_append(r, "udp_flood");
> +
> + r = fw3_ipt_rule_create(handle, &udp, NULL, NULL, NULL, NULL);
> + fw3_ipt_rule_target(r, "udp_flood");
> + fw3_ipt_rule_append(r, "INPUT");
> + }
> +
> + if (defs->icmp_flood)
> + {
> + r = fw3_ipt_rule_create(handle, &icmp, NULL, NULL, NULL, NULL);
> + fw3_ipt_rule_limit(r, &defs->icmp_flood_rate);
> + fw3_ipt_rule_target(r, "RETURN");
> + fw3_ipt_rule_append(r, "icmp_flood");
> +
> + r = fw3_ipt_rule_new(handle);
> + fw3_ipt_rule_target(r, "DROP");
> + fw3_ipt_rule_append(r, "icmp_flood");
> +
> + r = fw3_ipt_rule_create(handle, &icmp, NULL, NULL, NULL, NULL);
> + fw3_ipt_rule_target(r, "icmp_flood");
> + fw3_ipt_rule_append(r, "INPUT");
> + }
> +
> r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
> fw3_ipt_rule_target(r, "REJECT");
> fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->tcp_reject_code));
> diff --git a/options.h b/options.h
> index cffc01c..7679d0e 100644
> --- a/options.h
> +++ b/options.h
> @@ -82,9 +82,11 @@ enum fw3_flag
> FW3_FLAG_SRC_DROP = 18,
> FW3_FLAG_CUSTOM_CHAINS = 19,
> FW3_FLAG_SYN_FLOOD = 20,
> - FW3_FLAG_MTU_FIX = 21,
> - FW3_FLAG_DROP_INVALID = 22,
> - FW3_FLAG_HOTPLUG = 23,
> + FW3_FLAG_UDP_FLOOD = 21,
> + FW3_FLAG_ICMP_FLOOD = 22,
> + FW3_FLAG_MTU_FIX = 23,
> + FW3_FLAG_DROP_INVALID = 24,
> + FW3_FLAG_HOTPLUG = 25,
>
> __FW3_FLAG_MAX
> };
> @@ -299,6 +301,12 @@ struct fw3_defaults
> bool syn_flood;
> struct fw3_limit syn_flood_rate;
>
> + bool udp_flood;
> + struct fw3_limit udp_flood_rate;
> +
> + bool icmp_flood;
> + struct fw3_limit icmp_flood_rate;
> +
> bool tcp_syncookies;
> int tcp_ecn;
> bool tcp_window_scaling;
--
ynezz
More information about the openwrt-devel
mailing list