icwmp: Support to whitelist Connection Request IPs

icwmp/Config.in

@@ -7,4 +7,12 @@ config ICWMP_MGMT_FROM_USP
 config ICWMP_BACKUP_EVENTS
 	bool "Create backup of session events to persistent storage after each successful session"
 	default y
+
+config ICWMP_ENABLE_VENDOR_EXTN
+	bool "Enable datamodel vendor extension"
+	default y
+
+config ICWMP_VENDOR_PREFIX
+	string "Package specific datamodel Vendor Prefix for TR181 extensions"
+	default ""
 endmenu

icwmp/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=icwmp
-PKG_VERSION:=9.8.42
+PKG_VERSION:=9.9.0
 
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=21021a71342398d1e42153f2fff965bbff99870a
+PKG_SOURCE_VERSION:=dc2cf6979d40658c7da65686d9c9fa1b3000e115
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -52,6 +52,17 @@ ifeq ($(CONFIG_ICWMP_BACKUP_EVENTS),y)
 EXTRA_CFLAGS += -DPERSIST_BACKUP_SESSION_EVENTS
 endif
 
+ifeq ($(CONFIG_ICWMP_ENABLE_VENDOR_EXTN),y)
+EXTRA_CFLAGS += -DICWMP_ENABLE_VENDOR_EXTN
+endif
+
+ifeq ($(CONFIG_ICWMP_VENDOR_PREFIX),"")
+CMAKE_OPTIONS += -DBBF_VENDOR_PREFIX:String="$(CONFIG_BBF_VENDOR_PREFIX)"
+else
+CMAKE_OPTIONS += -DBBF_VENDOR_PREFIX:String="$(CONFIG_ICWMP_VENDOR_PREFIX)"
+endif
+
+
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
 	$(CP) -rf ~/git/icwmp/* $(PKG_BUILD_DIR)/

icwmp/files/etc/config/cwmp

@@ -45,6 +45,7 @@ config cpe 'cpe'
 	option fw_upgrade_keep_settings '1'
 	option clock_sync_timeout '128'
 	option disable_datatype_check '0'
+	#list allowed_cr_ip '10.5.1.0/24'
 	
 config lwn 'lwn'
 	option enable '0'

icwmp/files/etc/icwmpd/firewall.cwmp

@@ -11,14 +11,19 @@ get_firewall_zone() {
 	echo "$zone"
 }
 
-cleanup_exiting_rules() {
-        while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
+cleanup_upstream_rules() {
+	if [ -z "${1}" ]; then
+		log "Rule can not be cleaned without zone name"
+		return
+	fi
+
+	while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
 		rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')"
 		if [ -n "${rule_num}" ]; then
 			iptables -w 1 -D zone_"${1}"_input "${rule_num}";
 		fi
 	done
-        while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
+	while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
 		rule_num="$(ip6tables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')"
 		if [ -n "${rule_num}" ]; then
 			ip6tables -w 1 -D zone_"${1}"_input "${rule_num}";
@@ -26,76 +31,143 @@ cleanup_exiting_rules() {
 	done
 }
 
-enable="$(uci -q get cwmp.cpe.enable)"
-enable="${enable:-1}"
-
-if [ "$enable" -eq 0 ]; then
-	log "CWMP not enabled"
-	exit 0;
-fi
-
-wan="$(uci -q get cwmp.cpe.default_wan_interface)"
-wan="${wan:-wan}"
-
-zone_name="$(get_firewall_zone $wan)"
-
-port=$(uci -q get cwmp.cpe.port)
-port="${port:-7547}"
-
-incoming_rule=$(uci -q get cwmp.cpe.incoming_rule|awk '{print tolower($0)}')
-incoming_rule="${incoming_rule:-port_only}"
-
-ipaddr=$(uci -c /var/state -q get icwmp.acs.ip)
-ip6addr=$(uci -c /var/state -q get icwmp.acs.ip6)
-
-cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp"
-cmd6="ip6tables -w 1 -I zone_${zone_name}_input -p tcp"
-
-# default incoming rule is Port only
-if [ "${incoming_rule}" = "ip_only" ]; then
-	if [ -n "${ipaddr}" ]; then
-		cmd="${cmd} -s ${ipaddr}"
-	fi
-	if [ -n "${ip6addr}" ]; then
-		cmd6="${cmd6} -s ${ip6addr}"
-	fi
-elif [ "${incoming_rule}" = "port_only" ]; then
-	if [ -n "${port}" ]; then
-		cmd="${cmd} --dport ${port}"
-		cmd6="${cmd6} --dport ${port}"
-	fi
-else
-	if [ -n "${ipaddr}" ]; then
-		cmd="${cmd} -s ${ipaddr}"
+cleanup_downstream_rules() {
+	if [ -z "${1}" ]; then
+		log "Rule can not be cleaned without zone name"
+		return
 	fi
 
-	if [ -n "${ip6addr}" ]; then
-		cmd6="${cmd6} -s ${ip6addr}"
+	while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Close_ACS_port"; do
+		rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Close_ACS_port" | head -1|awk '{print $1}')"
+		if [ -n "${rule_num}" ]; then
+			iptables -w 1 -D zone_"${1}"_input "${rule_num}";
+		fi
+	done
+	while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Close_ACS_port"; do
+		rule_num="$(ip6tables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Close_ACS_port" | head -1|awk '{print $1}')"
+		if [ -n "${rule_num}" ]; then
+			ip6tables -w 1 -D zone_"${1}"_input "${rule_num}";
+		fi
+	done
+}
+
+close_downstream_acs_port() {
+	lan="${1}"
+	port="${2}"
+	zone_name="$(get_firewall_zone $lan)"
+
+	if [ -z "${zone_name}" ]; then
+		log "Rule can not be added without zone name"
+		return
 	fi
 
-	if [ -n "${port}" ]; then
-		cmd="${cmd} --dport ${port}"
-		cmd6="${cmd6} --dport ${port}"
-	fi
-fi
-
-cleanup_exiting_rules "${zone_name}"
-
-echo "${cmd}"|grep -q "\-\-dport \|\-s "
-if [ "$?" -eq 0 ]; then
-	cmd="${cmd} -j ACCEPT -m comment --comment=Open_ACS_port"
+	cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp --dport ${port} -j DROP -m comment --comment=Close_ACS_port"
 	${cmd}
 	log "Applied [${cmd}]"
-fi
 
-echo "${cmd6}"|grep -q "\-\-dport \|\-s "
-if [ "$?" -eq 0 ]; then
-	cmd6="${cmd6} -j ACCEPT -m comment --comment=Open_ACS_port"
-	${cmd6}
-	log "Applied [${cmd6}]"
-fi
+	cmd="ip6tables -w 1 -I zone_${zone_name}_input -p tcp --dport ${port} -j DROP -m comment --comment=Close_ACS_port"
+	${cmd}
+	log "Applied [${cmd}]"
+}
 
-if [ -f "/var/state/icwmp" ]; then
-	uci -c /var/state -q set icwmp.cpe.firewall_restart="init"
-	uci -c /var/state -q commit icwmp
-fi
+add_firewall_rule() {
+	version="${1}"
+	ipaddr="${2}"
+	port="${3}"
+	zone_name="${4}"
+	cmd=""
+
+	if [ -z "${zone_name}" ]; then
+		log "Rule can not be added without zone name"
+		return
+	fi
+
+	if [ "${version}" == "ipv6" ]; then
+		cmd="ip6tables -w 1 -I zone_${zone_name}_input -p tcp"
+	else
+		cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp"
+	fi
+
+	if [ -n "${ipaddr}" ]; then
+		cmd="${cmd} -s ${ipaddr}"
+	fi
+
+	if [ -n "${port}" ]; then
+		cmd="${cmd} --dport ${port}"
+	fi
+
+	echo "${cmd}"|grep -q "\-\-dport \|\-s "
+	if [ "$?" -eq 0 ]; then
+		cmd="${cmd} -j ACCEPT -m comment --comment=Open_ACS_port"
+		${cmd}
+		log "Applied [${cmd}]"
+	fi
+}
+
+configure_connection_req_rules() {
+	app="${1}"
+
+	wan="$(uci -q get cwmp.cpe.default_wan_interface)"
+	wan="${wan:-wan}"
+
+	wan_zone_name="$(get_firewall_zone $wan)"
+
+	cleanup_upstream_rules "${wan_zone_name}"
+
+	lan="$(uci -q get cwmp.cpe.default_lan_interface)"
+	lan="${lan:-lan}"
+
+	if [ "${lan}" != "${wan}" ]; then
+		lan_zone_name="$(get_firewall_zone $lan)"
+		cleanup_downstream_rules "${lan_zone_name}"
+	fi
+
+	enable="$(uci -q get cwmp.cpe.enable)"
+	enable="${enable:-1}"
+
+	if [ "$enable" -eq 0 ]; then
+		exit 0
+	fi
+
+	url="$(uci -q get cwmp.acs.url)"
+	if [ -z "${url}" ]; then
+		url="$(uci -q get cwmp.acs.dhcp_url)"
+	fi
+
+	# no need to apply firewall rule, acs url not configured
+	if [ -z "${url}" ]; then
+		exit 0
+	fi
+
+	if [ -z "${app}" ]; then
+		if ! ubus -t 1 list tr069 2>/dev/null;
+			log "cwmp client not running"
+			exit 0
+		fi
+	fi
+
+	port=$(uci -q get cwmp.cpe.port)
+	port="${port:-7547}"
+
+	ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
+	if [ -n "${ipaddr}" ]; then
+		for ip in $ipaddr; do
+			if [[ "${ip}" =~ ":" ]]; then
+				add_firewall_rule "ipv6" "${ip}" "${port}" "${wan_zone_name}"
+			else
+				add_firewall_rule "ipv4" "${ip}" "${port}" "${wan_zone_name}"
+			fi
+		done
+	else
+		# Port-only
+		add_firewall_rule "ipv6" "" "${port}" "${wan_zone_name}"
+		add_firewall_rule "ipv4" "" "${port}" "${wan_zone_name}"
+	fi
+
+	if [ "${lan}" != "${wan}" ]; then
+		# Close the ACS port at Lan side
+		close_downstream_acs_port "${lan}" "${port}"
+	fi
+}
+
+configure_connection_req_rules $@