icwmp: Fix overriding of port definition

2025-12-10 07:44:50 +01:00 · 2025-08-08 12:52:57 +05:30 · 2025-08-08 12:52:57 +05:30 · a92f32eba4
commit a92f32eba4
parent 842968da4f
3 changed files with 56 additions and 5 deletions
--- a/icwmp/Makefile
+++ b/icwmp/Makefile
@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=icwmp
-PKG_VERSION:=9.9.12
+PKG_VERSION:=9.9.13

 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
-PKG_SOURCE_VERSION:=ce1c11e561ba25a4086c27c4dd5aa18bb0ed3e4d
+PKG_SOURCE_VERSION:=3b6737be25c28e8b33da35f2ee90a8b9f61f248a
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif
--- a/icwmp/files/etc/icwmpd/firewall.cwmp
+++ b/icwmp/files/etc/icwmpd/firewall.cwmp
@ -133,9 +133,56 @@ add_firewall_rule() {
 	fi
 }

+remove_port_protection() {
+	local enabled chain rule rule_num
+
+	config_get enabled "${1}" "${2}"
+
+	if [ "${enabled}" -eq 1 ]; then
+		config_get zonename "$1" name
+		[ -n "$zonename" ] || return 0
+
+		chain='prerouting_'$zonename'_rule'
+
+		while rule=$(iptables -w -t nat -nL "$chain" --line-numbers | grep -m 1 -w CWMP_Port_protection); do
+			rule_num=${rule%%[$' \t']*}
+			iptables -w -t nat -D "$chain" "$rule_num"
+		done
+	fi
+}
+
+cleanup_port_protection() {
+	config_load firewall
+	config_foreach remove_port_protection zone masq
+}
+
+install_port_protection() {
+	local PORT="${3}"
+	local enabled zonename chain
+
+	config_get enabled "${1}" "${2}"
+
+	if [ "${enabled}" -eq 1 ]; then
+		config_get zonename "${1}" name
+		[ -n "$zonename" ] || return 0
+
+		chain='prerouting_'$zonename'_rule'
+
+		iptables -w -t nat -I "$chain" -p tcp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
+		iptables -w -t nat -I "$chain" -p udp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
+	fi
+}
+
+add_port_protection() {
+	config_load firewall
+	config_foreach install_port_protection zone masq "${1}"
+}
+
 configure_connection_req_rules() {
 	app="${1}"

+	cleanup_port_protection
+
 	wan="$(uci -q get cwmp.cpe.default_wan_interface)"
 	wan="${wan:-wan}"

@ -175,8 +222,11 @@ configure_connection_req_rules() {
 		fi
 	fi

-	port=$(uci -q get cwmp.cpe.port)
-	port="${port:-7547}"
+	port=$(uci -q -c /var/state get icwmp.cpe.port)
+	if [ -z "${port}" ]; then
+		log "cwmp cpe port not configured"
+		exit 0
+	fi

 	ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
 	if [ -n "${ipaddr}" ]; then
@ -197,6 +247,8 @@ configure_connection_req_rules() {
 		# Close the ACS port at Lan side
 		close_downstream_acs_port "${lan}" "${port}"
 	fi
+
+	add_port_protection "${port}"
 }

 load_zone_names
--- a/icwmp/files/etc/uci-defaults/90-cwmpfirewall
+++ b/icwmp/files/etc/uci-defaults/90-cwmpfirewall
@ -5,7 +5,6 @@ uci -q batch <<-EOT
        set firewall.cwmp=include
        set firewall.cwmp.path=/etc/icwmpd/firewall.cwmp
        set firewall.cwmp.reload=1
-        commit firewall
 EOT

 exit 0