mirror/iopsys-feed
1
0
Fork 0
mirror of https://dev.iopsys.eu/feed/iopsys.git synced 2025-12-10 07:44:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

icwmp: Support to whitelist Connection Request IPs

Browse source
This commit is contained in:
Suvendhu Hansa 2025-04-04 12:30:55 +00:00 committed by IOPSYS Dev
parent b18f6dc39c
commit 033613f999
No known key found for this signature in database
4 changed files with 162 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
icwmp/Config.in
View file

@ -7,4 +7,12 @@ config ICWMP_MGMT_FROM_USP
config ICWMP_BACKUP_EVENTS config ICWMP_BACKUP_EVENTS
bool "Create backup of session events to persistent storage after each successful session" bool "Create backup of session events to persistent storage after each successful session"
default y default y
config ICWMP_ENABLE_VENDOR_EXTN
bool "Enable datamodel vendor extension"
default y
config ICWMP_VENDOR_PREFIX
string "Package specific datamodel Vendor Prefix for TR181 extensions"
default ""
endmenu endmenu

15
icwmp/Makefile
View file

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=icwmp PKG_NAME:=icwmp
PKG_VERSION:=9.8.42 PKG_VERSION:=9.9.0
LOCAL_DEV:=0 LOCAL_DEV:=0
ifneq ($(LOCAL_DEV),1) ifneq ($(LOCAL_DEV),1)
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
PKG_SOURCE_VERSION:=21021a71342398d1e42153f2fff965bbff99870a PKG_SOURCE_VERSION:=dc2cf6979d40658c7da65686d9c9fa1b3000e115
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
PKG_MIRROR_HASH:=skip PKG_MIRROR_HASH:=skip
endif endif
@ -52,6 +52,17 @@ ifeq ($(CONFIG_ICWMP_BACKUP_EVENTS),y)
EXTRA_CFLAGS += -DPERSIST_BACKUP_SESSION_EVENTS EXTRA_CFLAGS += -DPERSIST_BACKUP_SESSION_EVENTS
endif endif
ifeq ($(CONFIG_ICWMP_ENABLE_VENDOR_EXTN),y)
EXTRA_CFLAGS += -DICWMP_ENABLE_VENDOR_EXTN
endif
ifeq ($(CONFIG_ICWMP_VENDOR_PREFIX),"")
CMAKE_OPTIONS += -DBBF_VENDOR_PREFIX:String="$(CONFIG_BBF_VENDOR_PREFIX)"
else
CMAKE_OPTIONS += -DBBF_VENDOR_PREFIX:String="$(CONFIG_ICWMP_VENDOR_PREFIX)"
endif
ifeq ($(LOCAL_DEV),1) ifeq ($(LOCAL_DEV),1)
define Build/Prepare define Build/Prepare
$(CP) -rf ~/git/icwmp/* $(PKG_BUILD_DIR)/ $(CP) -rf ~/git/icwmp/* $(PKG_BUILD_DIR)/

1
icwmp/files/etc/config/cwmp
View file

@ -45,6 +45,7 @@ config cpe 'cpe'
option fw_upgrade_keep_settings '1' option fw_upgrade_keep_settings '1'
option clock_sync_timeout '128' option clock_sync_timeout '128'
option disable_datatype_check '0' option disable_datatype_check '0'
#list allowed_cr_ip '10.5.1.0/24'
config lwn 'lwn' config lwn 'lwn'
option enable '0' option enable '0'

208
icwmp/files/etc/icwmpd/firewall.cwmp
View file

@ -11,14 +11,19 @@ get_firewall_zone() {
echo "$zone" echo "$zone"
} }
cleanup_exiting_rules() { cleanup_upstream_rules() {
while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do if [ -z "${1}" ]; then
log "Rule can not be cleaned without zone name"
return
fi
while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')" rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')"
if [ -n "${rule_num}" ]; then if [ -n "${rule_num}" ]; then
iptables -w 1 -D zone_"${1}"_input "${rule_num}"; iptables -w 1 -D zone_"${1}"_input "${rule_num}";
fi fi
done done
while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Open_ACS_port"; do
rule_num="$(ip6tables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')" rule_num="$(ip6tables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Open_ACS_port" | head -1|awk '{print $1}')"
if [ -n "${rule_num}" ]; then if [ -n "${rule_num}" ]; then
ip6tables -w 1 -D zone_"${1}"_input "${rule_num}"; ip6tables -w 1 -D zone_"${1}"_input "${rule_num}";
@ -26,76 +31,143 @@ cleanup_exiting_rules() {
done done
} }
enable="$(uci -q get cwmp.cpe.enable)" cleanup_downstream_rules() {
enable="${enable:-1}" if [ -z "${1}" ]; then
log "Rule can not be cleaned without zone name"
if [ "$enable" -eq 0 ]; then return
log "CWMP not enabled"
exit 0;
fi
wan="$(uci -q get cwmp.cpe.default_wan_interface)"
wan="${wan:-wan}"
zone_name="$(get_firewall_zone $wan)"
port=$(uci -q get cwmp.cpe.port)
port="${port:-7547}"
incoming_rule=$(uci -q get cwmp.cpe.incoming_rule|awk '{print tolower($0)}')
incoming_rule="${incoming_rule:-port_only}"
ipaddr=$(uci -c /var/state -q get icwmp.acs.ip)
ip6addr=$(uci -c /var/state -q get icwmp.acs.ip6)
cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp"
cmd6="ip6tables -w 1 -I zone_${zone_name}_input -p tcp"
# default incoming rule is Port only
if [ "${incoming_rule}" = "ip_only" ]; then
if [ -n "${ipaddr}" ]; then
cmd="${cmd} -s ${ipaddr}"
fi
if [ -n "${ip6addr}" ]; then
cmd6="${cmd6} -s ${ip6addr}"
fi
elif [ "${incoming_rule}" = "port_only" ]; then
if [ -n "${port}" ]; then
cmd="${cmd} --dport ${port}"
cmd6="${cmd6} --dport ${port}"
fi
else
if [ -n "${ipaddr}" ]; then
cmd="${cmd} -s ${ipaddr}"
fi fi
if [ -n "${ip6addr}" ]; then while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Close_ACS_port"; do
cmd6="${cmd6} -s ${ip6addr}" rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Close_ACS_port" | head -1|awk '{print $1}')"
if [ -n "${rule_num}" ]; then
iptables -w 1 -D zone_"${1}"_input "${rule_num}";
fi
done
while ip6tables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "Close_ACS_port"; do
rule_num="$(ip6tables -w 1 -nL zone_"${1}"_input --line-numbers | grep "Close_ACS_port" | head -1|awk '{print $1}')"
if [ -n "${rule_num}" ]; then
ip6tables -w 1 -D zone_"${1}"_input "${rule_num}";
fi
done
}
close_downstream_acs_port() {
lan="${1}"
port="${2}"
zone_name="$(get_firewall_zone $lan)"
if [ -z "${zone_name}" ]; then
log "Rule can not be added without zone name"
return
fi fi
if [ -n "${port}" ]; then cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp --dport ${port} -j DROP -m comment --comment=Close_ACS_port"
cmd="${cmd} --dport ${port}"
cmd6="${cmd6} --dport ${port}"
fi
fi
cleanup_exiting_rules "${zone_name}"
echo "${cmd}"|grep -q "\-\-dport \|\-s "
if [ "$?" -eq 0 ]; then
cmd="${cmd} -j ACCEPT -m comment --comment=Open_ACS_port"
${cmd} ${cmd}
log "Applied [${cmd}]" log "Applied [${cmd}]"
fi
echo "${cmd6}"|grep -q "\-\-dport \|\-s " cmd="ip6tables -w 1 -I zone_${zone_name}_input -p tcp --dport ${port} -j DROP -m comment --comment=Close_ACS_port"
if [ "$?" -eq 0 ]; then ${cmd}
cmd6="${cmd6} -j ACCEPT -m comment --comment=Open_ACS_port" log "Applied [${cmd}]"
${cmd6} }
log "Applied [${cmd6}]"
fi
if [ -f "/var/state/icwmp" ]; then add_firewall_rule() {
uci -c /var/state -q set icwmp.cpe.firewall_restart="init" version="${1}"
uci -c /var/state -q commit icwmp ipaddr="${2}"
fi port="${3}"
zone_name="${4}"
cmd=""
if [ -z "${zone_name}" ]; then
log "Rule can not be added without zone name"
return
fi
if [ "${version}" == "ipv6" ]; then
cmd="ip6tables -w 1 -I zone_${zone_name}_input -p tcp"
else
cmd="iptables -w 1 -I zone_${zone_name}_input -p tcp"
fi
if [ -n "${ipaddr}" ]; then
cmd="${cmd} -s ${ipaddr}"
fi
if [ -n "${port}" ]; then
cmd="${cmd} --dport ${port}"
fi
echo "${cmd}"|grep -q "\-\-dport \|\-s "
if [ "$?" -eq 0 ]; then
cmd="${cmd} -j ACCEPT -m comment --comment=Open_ACS_port"
${cmd}
log "Applied [${cmd}]"
fi
}
configure_connection_req_rules() {
app="${1}"
wan="$(uci -q get cwmp.cpe.default_wan_interface)"
wan="${wan:-wan}"
wan_zone_name="$(get_firewall_zone $wan)"
cleanup_upstream_rules "${wan_zone_name}"
lan="$(uci -q get cwmp.cpe.default_lan_interface)"
lan="${lan:-lan}"
if [ "${lan}" != "${wan}" ]; then
lan_zone_name="$(get_firewall_zone $lan)"
cleanup_downstream_rules "${lan_zone_name}"
fi
enable="$(uci -q get cwmp.cpe.enable)"
enable="${enable:-1}"
if [ "$enable" -eq 0 ]; then
exit 0
fi
url="$(uci -q get cwmp.acs.url)"
if [ -z "${url}" ]; then
url="$(uci -q get cwmp.acs.dhcp_url)"
fi
# no need to apply firewall rule, acs url not configured
if [ -z "${url}" ]; then
exit 0
fi
if [ -z "${app}" ]; then
if ! ubus -t 1 list tr069 2>/dev/null;
log "cwmp client not running"
exit 0
fi
fi
port=$(uci -q get cwmp.cpe.port)
port="${port:-7547}"
ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
if [ -n "${ipaddr}" ]; then
for ip in $ipaddr; do
if [[ "${ip}" =~ ":" ]]; then
add_firewall_rule "ipv6" "${ip}" "${port}" "${wan_zone_name}"
else
add_firewall_rule "ipv4" "${ip}" "${port}" "${wan_zone_name}"
fi
done
else
# Port-only
add_firewall_rule "ipv6" "" "${port}" "${wan_zone_name}"
add_firewall_rule "ipv4" "" "${port}" "${wan_zone_name}"
fi
if [ "${lan}" != "${wan}" ]; then
# Close the ACS port at Lan side
close_downstream_acs_port "${lan}" "${port}"
fi
}
configure_connection_req_rules $@