icwmp: Fix overriding of port definition

Suvendhu Hansa 2025-08-08 12:52:57 +05:30 committed by IOPSYS Dev
parent 842968da4f
commit a92f32eba4
3 changed files with 56 additions and 5 deletions


@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=icwmp PKG_NAME:=icwmp
PKG_VERSION:=9.9.12 PKG_VERSION:=9.9.13
LOCAL_DEV:=0 LOCAL_DEV:=0
ifneq ($(LOCAL_DEV),1) ifneq ($(LOCAL_DEV),1)
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/icwmp.git
PKG_SOURCE_VERSION:=ce1c11e561ba25a4086c27c4dd5aa18bb0ed3e4d PKG_SOURCE_VERSION:=3b6737be25c28e8b33da35f2ee90a8b9f61f248a
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
PKG_MIRROR_HASH:=skip PKG_MIRROR_HASH:=skip
endif endif


@ -133,9 +133,56 @@ add_firewall_rule() {
fi fi
} }
remove_port_protection() {
local enabled chain rule rule_num
config_get enabled "${1}" "${2}"
if [ "${enabled}" -eq 1 ]; then
config_get zonename "$1" name
[ -n "$zonename" ] || return 0
chain='prerouting_'$zonename'_rule'
while rule=$(iptables -w -t nat -nL "$chain" --line-numbers | grep -m 1 -w CWMP_Port_protection); do
rule_num=${rule%%[$' \t']*}
iptables -w -t nat -D "$chain" "$rule_num"
done
fi
}
cleanup_port_protection() {
config_load firewall
config_foreach remove_port_protection zone masq
}
install_port_protection() {
local PORT="${3}"
local enabled zonename chain
config_get enabled "${1}" "${2}"
if [ "${enabled}" -eq 1 ]; then
config_get zonename "${1}" name
[ -n "$zonename" ] || return 0
chain='prerouting_'$zonename'_rule'
iptables -w -t nat -I "$chain" -p tcp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
iptables -w -t nat -I "$chain" -p udp --dport "$PORT" -j ACCEPT -m comment --comment=CWMP_Port_protection
fi
}
add_port_protection() {
config_load firewall
config_foreach install_port_protection zone masq "${1}"
}
configure_connection_req_rules() { configure_connection_req_rules() {
app="${1}" app="${1}"
cleanup_port_protection
wan="$(uci -q get cwmp.cpe.default_wan_interface)" wan="$(uci -q get cwmp.cpe.default_wan_interface)"
wan="${wan:-wan}" wan="${wan:-wan}"
@ -175,8 +222,11 @@ configure_connection_req_rules() {
fi fi
fi fi
port=$(uci -q get cwmp.cpe.port) port=$(uci -q -c /var/state get icwmp.cpe.port)
port="${port:-7547}" if [ -z "${port}" ]; then
log "cwmp cpe port not configured"
exit 0
fi
ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip) ipaddr=$(uci -q get cwmp.cpe.allowed_cr_ip)
if [ -n "${ipaddr}" ]; then if [ -n "${ipaddr}" ]; then
@ -197,6 +247,8 @@ configure_connection_req_rules() {
# Close the ACS port at Lan side # Close the ACS port at Lan side
close_downstream_acs_port "${lan}" "${port}" close_downstream_acs_port "${lan}" "${port}"
fi fi
add_port_protection "${port}"
} }
load_zone_names load_zone_names
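Review bot: remove_port_protection can loop forever if a delete does not take, because the `while` condition re-lists the chain and finds the same CWMP_Port_protection rule again; any persistent failure of `iptables -D` (a rule number that went stale while another process edited the chain, or a backend error) never terminates a script that the firewall runs on every reload. Guard the delete so a failure leaves the loop: `iptables -w -t nat -D "$chain" "$rule_num" || break`. The `[ "${enabled}" -eq 1 ]` tests in remove_port_protection and install_port_protection also emit a "bad number" error for any zone without a masq option, since config_get leaves `enabled` empty; `[ "${enabled:-0}" -eq 1 ]` gives the same outcome without the noise. For consistency with install_port_protection, declare zonename `local` in remove_port_protection as well, so the config_foreach iterations do not leave it behind in the caller's scope. Presumably icwmpd triggers a firewall reload after writing icwmp.cpe.port to /var/state, since the new early `exit 0` otherwise leaves the connection-request rules absent after a boot where the firewall initialises first — worth confirming.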


@ -5,7 +5,6 @@ uci -q batch <<-EOT
set firewall.cwmp=include set firewall.cwmp=include
set firewall.cwmp.path=/etc/icwmpd/firewall.cwmp set firewall.cwmp.path=/etc/icwmpd/firewall.cwmp
set firewall.cwmp.reload=1 set firewall.cwmp.reload=1
commit firewall
EOT EOT
exit 0 exit 0