Message ID | 20180804143427.18488-6-freifunk@adrianschmutzler.de |
---|---|
State | Rejected |
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 727901d0..e63010cb 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_VERSION:=2
+PKG_VERSION:=3
 PKG_RELEASE:=1
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
@@ -16,7 +16,8 @@ define Package/$(PKG_NAME)
 DEPENDS:=+arptables \
 +ebtables +ebtables-utils \
 +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
- +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
+ +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra \
+ +kmod-nf-conntrack6
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
index d5cc07ac..50fa087b 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
@@ -3,5 +3,5 @@ iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEP
 iptables -A INPUT -i $IF_WAN -j REJECT
 
 # Limit ssh to 6 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
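Review bot: The DEPENDS list in the second Makefile hunk still does not name the ip6tables package, even though 20-filter-ssh in this same patch invokes /usr/sbin/ip6tables; the newly added +kmod-nf-conntrack6 only supplies the IPv6 conntrack support that the -m conntrack match needs. Unless ip6tables is pulled into the image elsewhere, the rate-limit rules would fail at boot with a missing binary rather than with the match error this patch fixes, so consider extending the new continuation line to `+kmod-nf-conntrack6 +ip6tables`. The define Package/$(PKG_NAME) block begins before this hunk; only its DEPENDS line and endef are visible here.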
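Review bot: The context comment `# Limit ssh to 6 new connections per 60 seconds` above the two rewritten ip6tables rules overstates what they admit: the --set rule records each NEW packet before the --update rule evaluates it, so the sixth attempt from one source within 60 s already satisfies --hitcount 6 and is dropped, leaving five admitted. Suggest `# Allow at most 5 new ssh connections per source within 60 s; the 6th and later are dropped`. Also, unlike the iptables rules above them, these ip6tables rules carry no -i $IF_WAN, so the limit applies on every interface and, at least within this file, IPv6 ssh from WAN is rate-limited rather than rejected; if that is intentional for the mesh, a one-line comment saying so would save the next reader the question.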
Hi Am Samstag, den 04.08.2018, 16:34 +0200 schrieb Adrian Schmutzler: > The syntax " -m state --state " seems to be not supported anymore. > > The replace should not change behavior compared to > lede-17.01-based firmware. Ich glaub das einfach mal. Ansonsten passts: Reviewed-by: Tim Niemeyer <tim@tn-x.org> Tim > > Added required dependency. > > Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> > --- > src/packages/fff/fff- > firewall/Makefile | 5 +++-- > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > | 4 ++-- > 2 files changed, 5 insertions(+), 4 deletions(-) > > diff --git a/src/packages/fff/fff-firewall/Makefile > b/src/packages/fff/fff-firewall/Makefile > index 727901d0..e63010cb 100644 > --- a/src/packages/fff/fff-firewall/Makefile > +++ b/src/packages/fff/fff-firewall/Makefile > @@ -1,7 +1,7 @@ > include $(TOPDIR)/rules.mk > > PKG_NAME:=fff-firewall > -PKG_VERSION:=2 > +PKG_VERSION:=3 > PKG_RELEASE:=1 > > PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME) > @@ -16,7 +16,8 @@ define Package/$(PKG_NAME) > DEPENDS:=+arptables \ > +ebtables +ebtables-utils \ > +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \ > - +iptables-mod-filter +iptables-mod-ipopt +iptables-mod- > conntrack-extra > + +iptables-mod-filter +iptables-mod-ipopt +iptables-mod- > conntrack-extra \ > + +kmod-nf-conntrack6 > endef > > define Package/$(PKG_NAME)/description > diff --git a/src/packages/fff/fff- > firewall/files/usr/lib/firewall.d/20-filter-ssh > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter- > ssh > index d5cc07ac..50fa087b 100644 > --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20- > filter-ssh > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20- > filter-ssh 
> @@ -3,5 +3,5 @@ iptables -A INPUT -i $IF_WAN -m conntrack --ctstate > RELATED,ESTABLISHED -j ACCEP > iptables -A INPUT -i $IF_WAN -j REJECT > > # Limit ssh to 6 new connections per 60 seconds > -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW > -m recent --set --name dropbear > -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW > -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear > -j DROP > +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack -- > ctstate NEW -m recent --set --name dropbear > +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack -- > ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl -- > name dropbear -j DROP
Hallo, ich hatte das zunächst als Fehler im logread und dieser Patch war das Ergebnis meiner Recherchen. Habe da keine Quellen mehr zu. Zumindest der syntax Teil ist aber gut googlebar. Grüße Adrian > -----Original Message----- > From: Tim Niemeyer [mailto:tim@tn-x.org] > Sent: Sonntag, 5. August 2018 17:25 > To: Adrian Schmutzler <freifunk@adrianschmutzler.de>; franken- > dev@freifunk.net > Subject: Re: [PATCH v3 5/8] fff-firewall: Fix match in ip6tables and add > dependencies > > Hi > > Am Samstag, den 04.08.2018, 16:34 +0200 schrieb Adrian Schmutzler: > > The syntax " -m state --state " seems to be not supported anymore. > > > > The replace should not change behavior compared to lede-17.01-based > > firmware. > Ich glaub das einfach mal. > > Ansonsten passts: > Reviewed-by: Tim Niemeyer <tim@tn-x.org> > > Tim > > > > > Added required dependency. > > > > Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> > > --- > > src/packages/fff/fff- > > firewall/Makefile | 5 +++-- > > src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh > > | 4 ++-- > > 2 files changed, 5 insertions(+), 4 deletions(-) > > > > diff --git a/src/packages/fff/fff-firewall/Makefile > > b/src/packages/fff/fff-firewall/Makefile > > index 727901d0..e63010cb 100644 > > --- a/src/packages/fff/fff-firewall/Makefile > > +++ b/src/packages/fff/fff-firewall/Makefile > > @@ -1,7 +1,7 @@ > > include $(TOPDIR)/rules.mk > > > > PKG_NAME:=fff-firewall > > -PKG_VERSION:=2 > > +PKG_VERSION:=3 > > PKG_RELEASE:=1 > > > > PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME) > > @@ -16,7 +16,8 @@ define Package/$(PKG_NAME) > > DEPENDS:=+arptables \ > > +ebtables +ebtables-utils \ > > +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \ > > - +iptables-mod-filter +iptables-mod-ipopt +iptables-mod- > > conntrack-extra > > + +iptables-mod-filter +iptables-mod-ipopt +iptables-mod- > > conntrack-extra \ > > + +kmod-nf-conntrack6 > > endef > > > > define Package/$(PKG_NAME)/description 
diff --git > > a/src/packages/fff/fff- > > firewall/files/usr/lib/firewall.d/20-filter-ssh > > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter- > > ssh > > index d5cc07ac..50fa087b 100644 > > --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20- > > filter-ssh > > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20- > > filter-ssh > > @@ -3,5 +3,5 @@ iptables -A INPUT -i $IF_WAN -m conntrack --ctstate > > RELATED,ESTABLISHED -j ACCEP > > iptables -A INPUT -i $IF_WAN -j REJECT > > > > # Limit ssh to 6 new connections per 60 seconds -/usr/sbin/ip6tables > > -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name > > dropbear -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state > > --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name > > dropbear -j DROP > > +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack -- > > ctstate NEW -m recent --set --name dropbear > > +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack -- > > ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl -- > > name dropbear -j DROP
The syntax "-m state --state" no longer seems to be supported. The replacement should not change behavior compared to the lede-17.01-based firmware. Added the required dependency. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> --- src/packages/fff/fff-firewall/Makefile | 5 +++-- src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-)