diff --git a/icwmp/Config.in b/icwmp/Config.in
index 7f89df6a5..01e000923 100644
--- a/icwmp/Config.in
+++ b/icwmp/Config.in
@@ -7,4 +7,12 @@ config ICWMP_MGMT_FROM_USP
 config ICWMP_BACKUP_EVENTS
 bool "Create backup of session events to persistent storage after each successful session"
 default y
+
+config ICWMP_ENABLE_VENDOR_EXTN
+ bool "Enable datamodel vendor extension"
+ default y
+
+config ICWMP_VENDOR_PREFIX
+ string "Package specific datamodel Vendor Prefix for TR181 extensions"
+ default ""
 endmenu
diff --git a/icwmp/Makefile b/icwmp/Makefile
index 117443331..cae06034d 100755
--- a/icwmp/Makefile
+++ b/icwmp/Makefile
@@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=icwmp
-PKG_VERSION:=9.8.42
+PKG_VERSION:=9.9.0
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=21021a71342398d1e42153f2fff965bbff99870a
+PKG_SOURCE_VERSION:=dc2cf6979d40658c7da65686d9c9fa1b3000e115
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
@@ -52,6 +52,17 @@ ifeq ($(CONFIG_ICWMP_BACKUP_EVENTS),y)
 EXTRA_CFLAGS += -DPERSIST_BACKUP_SESSION_EVENTS
 endif
 
+ifeq ($(CONFIG_ICWMP_ENABLE_VENDOR_EXTN),y)
+EXTRA_CFLAGS += -DICWMP_ENABLE_VENDOR_EXTN
+endif
+
+ifeq ($(CONFIG_ICWMP_VENDOR_PREFIX),"")
+CMAKE_OPTIONS += -DBBF_VENDOR_PREFIX:String="$(CONFIG_BBF_VENDOR_PREFIX)"
+else
+CMAKE_OPTIONS += -DBBF_VENDOR_PREFIX:String="$(CONFIG_ICWMP_VENDOR_PREFIX)"
+endif
+
+
 ifeq ($(LOCAL_DEV),1)
 define Build/Prepare
 $(CP) -rf ~/git/icwmp/* $(PKG_BUILD_DIR)/
diff --git a/icwmp/files/etc/config/cwmp b/icwmp/files/etc/config/cwmp
index 6263b86ac..5379eb913 100644
--- a/icwmp/files/etc/config/cwmp
+++ b/icwmp/files/etc/config/cwmp
@@ -45,6 +45,7 @@ config cpe 'cpe'
 option fw_upgrade_keep_settings '1'
 option clock_sync_timeout '128'
 option disable_datatype_check '0'
+ #list allowed_cr_ip '10.5.1.0/24'
 
 config lwn 'lwn'
 option enable '0'
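Review bot: The new ICWMP_VENDOR_PREFIX symbol has no `help` text, so a user sees only "Package specific datamodel Vendor Prefix" and cannot tell what leaving it at the empty default means; the Makefile in this same commit falls back to CONFIG_BBF_VENDOR_PREFIX when the value is `""`. A help block along the lines of "Leave empty to use the tree-wide BBF vendor prefix (CONFIG_BBF_VENDOR_PREFIX); set it to override the prefix for this package only" would make the fallback discoverable from menuconfig. ICWMP_ENABLE_VENDOR_EXTN would likewise benefit from a one-line help entry saying it only controls the -DICWMP_ENABLE_VENDOR_EXTN compile flag.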
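Review bot: The two `CMAKE_OPTIONS` lines in the second Makefile hunk wrap `$(CONFIG_ICWMP_VENDOR_PREFIX)` / `$(CONFIG_BBF_VENDOR_PREFIX)` in a second pair of double quotes, but Kconfig string symbols already arrive from .config with their quotes attached, so cmake is handed `""value""` and this only works because the shell collapses the empty quote pairs; a prefix containing whitespace would be split, and the `ifeq ($(CONFIG_ICWMP_VENDOR_PREFIX),"")` test is likewise matching the quoted form rather than an empty value. The tree-wide idiom is to strip the quotes first, e.g. `CMAKE_OPTIONS += -DBBF_VENDOR_PREFIX:String="$(call qstrip,$(CONFIG_ICWMP_VENDOR_PREFIX))"` and `ifeq ($(call qstrip,$(CONFIG_ICWMP_VENDOR_PREFIX)),)`. A one-line comment above the block stating that CONFIG_BBF_VENDOR_PREFIX is the fallback from another package would also help, since that symbol is not declared in this package's Config.in.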
diff --git a/icwmp/files/etc/icwmpd/firewall.cwmp b/icwmp/files/etc/icwmpd/firewall.cwmp
index 876b0c103..54441b641 100644
--- a/icwmp/files/etc/icwmpd/firewall.cwmp
+++ b/icwmp/files/etc/icwmpd/firewall.cwmp
@@ -11,14 +11,19 @@ get_firewall_zone() {
 echo "$zone"
 }
 
-cleanup_exiting_rules() {
- while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
+cleanup_upstream_rules() {
+ if [ -z "${1}" ]; then
+ log "Rule can not be cleaned without zone name"
+ return
+ fi
+
+ while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
 rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')"
 if [ -n "${rule_num}" ]; then
 iptables -w 1 -D zone_"${1}"_input "${rule_num}";
 fi
 done
- while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
+ while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
 rule_num="$(ip6tables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')"
 if [ -n "${rule_num}" ]; then
 ip6tables -w 1 -D zone_"${1}"_input "${rule_num}";
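Review bot: The loop condition in cleanup_upstream_rules pipes `iptables -nL` into a bare `grep "Open_ACS_port"`, so every remaining rule is printed to the include's stdout on each iteration while the loop is only interested in the exit status. `grep -q "Open_ACS_port"` keeps the condition identical and drops the noise; the ip6tables loop below, and both loops of cleanup_downstream_rules in the next hunk, have the same pattern. The added zone-name guard is a good change; its `log` wording ("Rule can not be cleaned") would read better as `log "Cannot clean rules without a zone name"`. The closing `done }` of this function lies outside the hunk.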
@@ -26,76 +31,143 @@ cleanup_exiting_rules() {
 done
 }
 
-enable="$(uci -q get cwmp.cpe.enable)"
-enable="${enable:-1}"
-
-if [ "$enable" -eq 0 ]; then
- log "CWMP not enabled"
- exit 0;
-fi
-
-wan="$(uci -q get cwmp.cpe.default_wan_interface)"
-wan="${wan:-wan}"
-
-zone_name="$(get_firewall_zone $wan)"
-
-port=$(uci -q get cwmp.cpe.port)
-port="${port:-7547}"
-
-incoming_rule=$(uci -q get cwmp.cpe.incoming_rule|awk '{print tolower($0)}')
-incoming_rule="${incoming_rule:-port_only}"
-
-ipaddr=$(uci -c /var/state -q get icwmp.acs.ip)
-ip6addr=$(uci -c /var/state -q get icwmp.acs.ip6)
-
-cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp"
-cmd6="ip6tables -w 1 -I zone_${zone_name}_input -p tcp"
-
-# default incoming rule is Port only
-if [ "${incoming_rule}" = "ip_only" ]; then
- if [ -n "${ipaddr}" ]; then
- cmd="${cmd} -s ${ipaddr}"
- fi
- if [ -n "${ip6addr}" ]; then
- cmd6="${cmd6} -s ${ip6addr}"
- fi
-elif [ "${incoming_rule}" = "port_only" ]; then
- if [ -n "${port}" ]; then
- cmd="${cmd} --dport ${port}"
- cmd6="${cmd6} --dport ${port}"
- fi
-else
- if [ -n "${ipaddr}" ]; then
- cmd="${cmd} -s ${ipaddr}"
+cleanup_downstream_rules() {
+ if [ -z "${1}" ]; then
+ log "Rule can not be cleaned without zone name"
+ return
 fi
- if [ -n "${ip6addr}" ]; then
- cmd6="${cmd6} -s ${ip6addr}"
+ while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Close_ACS_port"; do
+ rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Close_ACS_port" | head -1|awk '{print $1}')"
+ if [ -n "${rule_num}" ]; then
+ iptables -w 1 -D zone_"${1}"_input "${rule_num}";
+ fi
+ done
+ while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Close_ACS_port"; do
+ rule_num="$(ip6tables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Close_ACS_port" | head -1|awk '{print $1}')"
+ if [ -n "${rule_num}" ]; then
+ ip6tables -w 1 -D zone_"${1}"_input "${rule_num}";
+ fi
+ done
+}
+
+close_downstream_acs_port() {
+ lan="${1}"
+ port="${2}"
+
zone_name="$(get_firewall_zone $lan)"
+
+ if [ -z "${zone_name}" ]; then
+ log "Rule can not be added without zone name"
+ return
 fi
- if [ -n "${port}" ]; then
- cmd="${cmd} --dport ${port}"
- cmd6="${cmd6} --dport ${port}"
- fi
-fi
-
-cleanup_exiting_rules "${zone_name}"
-
-echo "${cmd}"|grep -q "\-\-dport \|\-s "
-if [ "$?" -eq 0 ]; then
- cmd="${cmd} -j ACCEPT -m comment --comment=Open_ACS_port"
+ cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp --dport ${port} -j DROP -m comment --comment=Close_ACS_port"
 ${cmd}
 log "Applied [${cmd}]"
-fi
-echo "${cmd6}"|grep -q "\-\-dport \|\-s "
-if [ "$?" -eq 0 ]; then
- cmd6="${cmd6} -j ACCEPT -m comment --comment=Open_ACS_port"
- ${cmd6}
- log "Applied [${cmd6}]"
-fi
+ cmd="ip6tables -w 1 -I zone_${zone_name}_input -p tcp --dport ${port} -j DROP -m comment --comment=Close_ACS_port"
+ ${cmd}
+ log "Applied [${cmd}]"
+}
 
-if [ -f "/var/state/icwmp" ]; then
- uci -c /var/state -q set icwmp.cpe.firewall_restart="init"
- uci -c /var/state -q commit icwmp
-fi
+add_firewall_rule() {
+ version="${1}"
+ ipaddr="${2}"
+ port="${3}"
+ zone_name="${4}"
+ cmd=""
+
+ if [ -z "${zone_name}" ]; then
+ log "Rule can not be added without zone name"
+ return
+ fi
+
+ if [ "${version}" == "ipv6" ]; then
+ cmd="ip6tables -w 1 -I zone_${zone_name}_input -p tcp"
+ else
+ cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp"
+ fi
+
+ if [ -n "${ipaddr}" ]; then
+ cmd="${cmd} -s ${ipaddr}"
+ fi
+
+ if [ -n "${port}" ]; then
+ cmd="${cmd} --dport ${port}"
+ fi
+
+ echo "${cmd}"|grep -q "\-\-dport \|\-s "
+ if [ "$?"
-eq 0 ]; then
+ cmd="${cmd} -j ACCEPT -m comment --comment=Open_ACS_port"
+ ${cmd}
+ log "Applied [${cmd}]"
+ fi
+}
+
+configure_connection_req_rules() {
+ app="${1}"
+
+ wan="$(uci -q get cwmp.cpe.default_wan_interface)"
+ wan="${wan:-wan}"
+
+ wan_zone_name="$(get_firewall_zone $wan)"
+
+ cleanup_upstream_rules "${wan_zone_name}"
+
+ lan="$(uci -q get cwmp.cpe.default_lan_interface)"
+ lan="${lan:-lan}"
+
+ if [ "${lan}" != "${wan}" ]; then
+ lan_zone_name="$(get_firewall_zone $lan)"
+ cleanup_downstream_rules "${lan_zone_name}"
+ fi
+
+ enable="$(uci -q get cwmp.cpe.enable)"
+ enable="${enable:-1}"
+
+ if [ "$enable" -eq 0 ]; then
+ exit 0
+ fi
+
+ url="$(uci -q get cwmp.acs.url)"
+ if [ -z "${url}" ]; then
+ url="$(uci -q get cwmp.acs.dhcp_url)"
+ fi
+
+ # no need to apply firewall rule, acs url not configured
+ if [ -z "${url}" ]; then
+ exit 0
+ fi
+
+ if [ -z "${app}" ]; then
+ if ! ubus -t 1 list tr069 2>/dev/null;
+ log "cwmp client not running"
+ exit 0
+ fi
+ fi
+
+ port=$(uci -q get cwmp.cpe.port)
+ port="${port:-7547}"
+
+ ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
+ if [ -n "${ipaddr}" ]; then
+ for ip in $ipaddr; do
+ if [[ "${ip}" =~ ":" ]]; then
+ add_firewall_rule "ipv6" "${ip}" "${port}" "${wan_zone_name}"
+ else
+ add_firewall_rule "ipv4" "${ip}" "${port}" "${wan_zone_name}"
+ fi
+ done
+ else
+ # Port-only
+ add_firewall_rule "ipv6" "" "${port}" "${wan_zone_name}"
+ add_firewall_rule "ipv4" "" "${port}" "${wan_zone_name}"
+ fi
+
+ if [ "${lan}" != "${wan}" ]; then
+ # Close the ACS port at Lan side
+ close_downstream_acs_port "${lan}" "${port}"
+ fi
+}
+
+configure_connection_req_rules $@
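Review bot: The line `if ! ubus -t 1 list tr069 2>/dev/null;` in configure_connection_req_rules is missing its `then`, which is a parse error for the whole file: the shell rejects the script before any function runs, so after this commit the include cleans up nothing and opens nothing, and the only symptom is a firewall reload error. A few lines further down, `[[ "${ip}" =~ ":" ]]` is a bash-only construct; if this include is executed by busybox `sh`, as OpenWrt firewall includes normally are, it fails as well, and a POSIX `case "${ip}" in *:*)` makes the same IPv4/IPv6 split portably. add_firewall_rule and close_downstream_acs_port run `${cmd}` and then unconditionally log `Applied [${cmd}]`, so a rule that iptables rejects (for instance a malformed `allowed_cr_ip` entry) is reported as applied; `if ${cmd}; then log "Applied [${cmd}]"; else log "Failed [${cmd}]"; fi` keeps the log honest and makes a rule-less WAN zone visible. The final call should also be `configure_connection_req_rules "$@"` so arguments are passed through unsplit.
```shell
	if [ -z "${app}" ]; then
		if ! ubus -t 1 list tr069 2>/dev/null; then
			log "cwmp client not running"
			exit 0
		fi
	fi
	# … unchanged: port lookup …
	ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
	if [ -n "${ipaddr}" ]; then
		for ip in $ipaddr; do
			case "${ip}" in
			*:*) add_firewall_rule "ipv6" "${ip}" "${port}" "${wan_zone_name}" ;;
			*)   add_firewall_rule "ipv4" "${ip}" "${port}" "${wan_zone_name}" ;;
			esac
		done
	# … unchanged: port-only branch and downstream close …
```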