From patchwork Wed Oct 17 16:36:12 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [Alternative, v2, 4/7] fff-firewall: Fix match in ip6tables and add dependencies
From: Fabian Blaese
X-Patchwork-Id: 938
Message-Id: <20181017163615.9248-4-fabian@blaese.de>
To: franken-dev@freifunk.net
Cc: Adrian Schmutzler
Date: Wed, 17 Oct 2018 18:36:12 +0200

From: Adrian Schmutzler

The syntax " -m state --state " seems to be not supported anymore. The replace should not change behavior compared to lede-17.01-based firmware.

Added required dependency.

Signed-off-by: Adrian Schmutzler
Reviewed-by: Tim Niemeyer
Reviewed-by: Fabian Bläse
---
 src/packages/fff/fff-firewall/Makefile | 5 +++--
 .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 727901d..e63010c 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-firewall
-PKG_VERSION:=2
+PKG_VERSION:=3
 PKG_RELEASE:=1
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
@@ -16,7 +16,8 @@ define Package/$(PKG_NAME)
 DEPENDS:=+arptables \
 +ebtables +ebtables-utils \
 +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
- +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra
+ +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra \
+ +kmod-nf-conntrack6
 endef
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
index d5cc07a..50fa087 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
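Review bot: The DEPENDS list in the second Makefile hunk still names no `ip6tables` package even though `20-filter-ssh` invokes `/usr/sbin/ip6tables`; the added `kmod-nf-conntrack6` brings in the IPv6 conntrack kernel module, not the userspace tool. If ip6tables is guaranteed by the image's base package set or by another fff package, a comment line above `DEPENDS:=` saying so, e.g. `# ip6tables itself comes from the base image; kmod-nf-conntrack6 is needed for -m conntrack in the v6 rules`, would spare the next reader the same check; otherwise `+ip6tables` belongs in the list. Keep such a comment on its own line above `DEPENDS:=` rather than at the end of a `\`-continued line, where it would break the continuation. The PKG_VERSION bump in the first hunk needs no review.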
@@ -3,5 +3,5 @@ iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEP
 iptables -A INPUT -i $IF_WAN -j REJECT
 # Limit ssh to 6 new connections per 60 seconds
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name dropbear
-/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
+/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear -j DROP
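Review bot: The rewritten rules still record each NEW connection with `--set` before the `--update --hitcount 6` rule is evaluated, so the sixth connection inside the 60 s window is counted and then dropped; the comment above them, "Limit ssh to 6 new connections per 60 seconds", promises one more than the rules allow. Either reword it to `# Allow at most 5 new ssh connections per 60 seconds; drop further ones` or place the `--update … -j DROP` line before the `--set` line, which lets the sixth attempt through and drops from the seventh on. The absolute `/usr/sbin/ip6tables` path sits next to the bare `iptables` calls in the same script; plain `ip6tables` would be consistent. Note also that the `recent` list is keyed per IPv6 address, so one host using many addresses from the same prefix is counted as many hosts — if the installed xt_recent supports `--mask`, applying the limit per prefix is worth considering; the rest of the script, including whatever precedes line 3, is outside the hunk.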