From: <abe...@us...> - 2016-06-11 20:31:28
Revision: 7716 http://sourceforge.net/p/astlinux/code/7716 Author: abelbeck Date: 2016-06-11 20:31:25 +0000 (Sat, 11 Jun 2016) Log Message: ----------- arnofw, Add LAN to LAN filtering rules (AIF issue #28), bump serial number for updated default firewall.conf Ref: https://github.com/arno-iptables-firewall/aif/issues/28 Modified Paths: -------------- branches/1.0/package/arnofw/arnofw.serial Added Paths: ----------- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch Removed Paths: ------------- branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch Copied: branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch (from rev 7715, branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch) =================================================================== --- branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0001-do-not-reset-accept_ra.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -0,0 +1,11 @@
+--- arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall.orig 2015-10-30 15:52:23.000000000 -0500
++++ arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall 2015-10-30 16:00:37.000000000 -0500
+@@ -495,7 +495,7 @@
+ sysctl_set_all "net.ipv6.conf" "forwarding" 1
+ echo " Disabling Local IPv6 Auto-Configuration"
+ sysctl_set_all "net.ipv6.conf" "autoconf" 0
+- sysctl_set_all "net.ipv6.conf" "accept_ra" 0
++ ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values
+ fi
+ elif [ "$IP_FORWARDING" = "0" ]; then
+ echo " DISABLING packet forwarding"
Copied: branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch (from rev 7715, branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch)
===================================================================
--- branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch (rev 0)
+++ branches/1.0/package/arnofw/arnofw-0002-icmpv6-add-MLD-cleanup-logging.patch 2016-06-11 20:31:25 UTC (rev 7716)
@@ -0,0 +1,75 @@ +From 7bd64927a401050769b7da18fd2ae52370cc2390 Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck <lo...@ab...> +Date: Sat, 13 Feb 2016 16:16:16 -0600 +Subject: [PATCH] changed: added support for ICMPv6 Multicast Listener + Discovery, disabled by default with OPEN_ICMPV6_MLD=0. Additionally make sure + all un-needed ICMPv6 packets are dropped so they don't appear as annoying + logs, more common with native IPv6 support by ISP's. Thanks to David Kerr for + pointing out the issue and testing a solution. + +--- + bin/arno-iptables-firewall | 10 ++++++++++ + etc/arno-iptables-firewall/firewall.conf | 6 ++++++ + share/arno-iptables-firewall/environment | 4 ++++ + 3 files changed, 20 insertions(+) + +diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall +index f5095a5..b02a85f 100755 +--- a/bin/arno-iptables-firewall ++++ b/bin/arno-iptables-firewall +@@ -4574,6 +4574,11 @@ setup_firewall_rules() + for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do + ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT + done ++ if [ "$OPEN_ICMPV6_MLD" = "1" ]; then ++ for icmpv6_type in $ICMPV6_MLD_TYPES; do ++ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT ++ done ++ fi + fi + + # Apply external (internet) interface policy for the input chain: +@@ -4592,6 +4597,11 @@ setup_firewall_rules() + + # ICMP traffic (flood) + iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN ++ ++ # Drop any remaining ICMPv6 traffic ++ if [ "$IPV6_SUPPORT" = "1" ]; then ++ ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN ++ fi + done + + +diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf +index 9e80e20..2291916 100644 +--- a/etc/arno-iptables-firewall/firewall.conf ++++ b/etc/arno-iptables-firewall/firewall.conf +@@ -1158,6 +1158,12 @@ OPEN_ICMP=0 + # 
----------------------------------------------------------------------------- + OPEN_ICMPV6=1 + ++# Enable (1) to make the default policy allow IPv6 ICMPv6 ++# Multicast Listener Discovery (RFC 2710, 3810) for INET access ++# Note: Requires setting OPEN_ICMPV6=1 to apply. ++# ----------------------------------------------------------------------------- ++OPEN_ICMPV6_MLD=0 ++ + # Put in the following variables which ports or IP protocols you want to leave + # open to the whole world. + # ----------------------------------------------------------------------------- +diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment +index 5728e4c..616c29c 100644 +--- a/share/arno-iptables-firewall/environment ++++ b/share/arno-iptables-firewall/environment +@@ -1698,6 +1698,10 @@ fi + ###################################################################### + ICMPV6_SPECIAL_TYPES="133 134 135 136" + ++# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810) ++###################################################################### ++ICMPV6_MLD_TYPES="130 131 132 143" ++ + # Check plugin bin path and fallback in case it's empty + ####################################################### + if [ -z "$PLUGIN_BIN_PATH" ]; then Copied: branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch (from rev 7715, branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch) =================================================================== --- branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0003-pptp-vpn-passthrough.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -0,0 +1,186 @@ +From ade2e3fd17771b861f97dd3adb5307e4da16dc4e Mon Sep 17 00:00:00 2001 +From: Lonnie Abelbeck <lo...@ab...> +Date: Sat, 9 Jan 2016 10:04:46 -0600 +Subject: [PATCH] added: PPTP VPN Passthrough plugin, Issue #27 + +--- + .../plugins/pptp-vpn-passthrough.conf | 14 +++ + .../plugins/50pptp-vpn-passthrough.plugin | 135 +++++++++++++++++++++ + .../plugins/pptp-vpn-passthrough.CHANGELOG | 4 + + 3 files changed, 153 insertions(+) + create mode 100644 etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf + create mode 100644 share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin + create mode 100644 share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG + +diff --git a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf +new file mode 100644 +index 0000000..250bc0d +--- /dev/null ++++ b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf +@@ -0,0 +1,14 @@ ++# ------------------------------------------------------------------------------ ++# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- ++# ------------------------------------------------------------------------------ ++ ++# To actually enable this plugin make ENABLED=1: ++# ------------------------------------------------------------------------------ ++ENABLED=0 ++ ++# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients ++# have NAT between them and the PPTP VPN server special packet handling must be performed. ++# This plugin loads the required Linux Kernel modules to handle that situation. 
++# ++# No configuration options ++# ------------------------------------------------------------------------------ +diff --git a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin +new file mode 100644 +index 0000000..379a1dd +--- /dev/null ++++ b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin +@@ -0,0 +1,135 @@ ++# ------------------------------------------------------------------------------ ++# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- ++# ++PLUGIN_NAME="PPTP VPN Passthrough plugin" ++PLUGIN_VERSION="1.00" ++PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" ++# ++# Last changed : January 9, 2016 ++# Requirements : AIF 2.0.0+ and ip_nat_pptp ++# Comments : This plugin loads the required kernel modules for PPTP VPN Clients ++# to access remote PPTP VPN Server(s) when NAT is enabled. ++# ++# Author : (C) Copyright 2016 by Lonnie Abelbeck & Arno van Amersfoort ++# Homepage : http://rocky.eld.leidenuniv.nl/ ++# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l ++# (note: you must remove all spaces and substitute the @ and the . ++# at the proper locations!) ++# ------------------------------------------------------------------------------ ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License ++# version 2 as published by the Free Software Foundation. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
++# ------------------------------------------------------------------------------ ++ ++# Plugin start function ++plugin_start() ++{ ++ ++ if [ "$NAT" = "1" ]; then ++ echo "${INDENT}Enable PPTP NAT helper module" ++ modprobe_multi nf_nat_pptp ip_nat_pptp ++ else ++ echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." ++ fi ++ ++ return 0 ++} ++ ++ ++# Plugin restart function ++plugin_restart() ++{ ++ ++ # Skip plugin_stop on a restart ++ plugin_start ++ ++ return 0 ++} ++ ++ ++# Plugin stop function ++plugin_stop() ++{ ++ ++ if [ "$NAT" = "1" ]; then ++ if [ -e /proc/modules -a -x "$MODPROBE" ]; then ++ if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then ++ $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 ++ fi ++ if [ $? -eq 0 ]; then ++ echo "${INDENT}Disabled PPTP NAT helper module" ++ fi ++ fi ++ fi ++ ++ return 0 ++} ++ ++ ++# Plugin status function ++plugin_status() ++{ ++ return 0 ++} ++ ++ ++# Check sanity of eg. environment ++plugin_sanity_check() ++{ ++ return 0 ++} ++ ++ ++############ ++# Mainline # ++############ ++ ++# Check where to find the config file ++CONF_FILE="" ++if [ -n "$PLUGIN_CONF_PATH" ]; then ++ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" ++fi ++ ++# Preinit to success: ++PLUGIN_RET_VAL=0 ++ ++# Check if the config file exists ++if [ ! -e "$CONF_FILE" ]; then ++ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 ++else ++ # Source the plugin config file ++ . "$CONF_FILE" ++ ++ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || ++ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || ++ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || ++ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then ++ # Show who we are: ++ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" ++ ++ # Increment indention ++ INDENT="$INDENT " ++ ++ # Only proceed if environment ok ++ if ! 
plugin_sanity_check; then ++ PLUGIN_RET_VAL=1 ++ else ++ case $PLUGIN_CMD in ++ start|'') plugin_start; PLUGIN_RET_VAL=$? ;; ++ restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; ++ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; ++ status ) plugin_status; PLUGIN_RET_VAL=$? ;; ++ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; ++ esac ++ fi ++ fi ++fi +diff --git a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG +new file mode 100644 +index 0000000..042b789 +--- /dev/null ++++ b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG +@@ -0,0 +1,4 @@ ++Version 1.00 (January 9, 2016) ++----------------------------------- +++ Initial version ++ + Added: branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch (rev 0) +++ branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -0,0 +1,173 @@ +diff --git a/README b/README +index 093151a..93641a4 100644 +--- a/README ++++ b/README +@@ -480,6 +480,7 @@ INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic + INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic + INT_INPUT_CHAIN - Internal-net INPUT chain + INT_OUTPUT_CHAIN - Internal-net OUTPUT chain ++LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain + LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain + POST_INPUT_CHAIN - This chain is always processed last(post) in the + INPUT chain +diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall +index b02a85f..67d79ec 100755 +--- a/bin/arno-iptables-firewall ++++ b/bin/arno-iptables-firewall +@@ -2263,6 +2263,72 @@ setup_int_input_chain() + } + + ++################################################## ++# Setup chain for the LAN-to-LAN forward traffic # ++################################################## ++setup_lan_lan_forward_chain() ++{ ++ echo " Setting up LAN->LAN policy" ++ ++ # TCP ports to ALLOW for certain Inter-LAN hosts ++ ################################################ ++ unset IFS ++ for rule in $LAN_LAN_HOST_OPEN_TCP; do ++ if parse_rule "$rule" LAN_LAN_HOST_OPEN_TCP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then ++ ++ echo " Allowing $shosts(LAN) to $dhosts(LAN) for TCP port(s): $ports" ++ ++ IFS=',' ++ for shost in `ip_range "$shosts"`; do ++ for dhost in `ip_range "$dhosts"`; do ++ for port in $ports; do ++ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT ++ done ++ done ++ done ++ fi ++ done ++ ++ # UDP ports to ALLOW for certain Inter-LAN hosts ++ ################################################ ++ unset IFS ++ for rule in $LAN_LAN_HOST_OPEN_UDP; do ++ if parse_rule "$rule" LAN_LAN_HOST_OPEN_UDP "shosts:ANYHOST-dhosts-ports:ANYPORT"; then ++ ++ echo " Allowing $shosts(LAN) to $dhosts(LAN) for UDP port(s): $ports" ++ ++ IFS=',' ++ for shost in `ip_range 
"$shosts"`; do ++ for dhost in `ip_range "$dhosts"`; do ++ for port in $ports; do ++ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT ++ done ++ done ++ done ++ fi ++ done ++ ++ # IP protocol(s) to ALLOW for certain Inter-LAN hosts ++ ##################################################### ++ unset IFS ++ for rule in $LAN_LAN_HOST_OPEN_IP; do ++ if parse_rule "$rule" LAN_LAN_HOST_OPEN_IP "shosts:ANYHOST-dhosts-protos"; then ++ ++ echo " Allowing $shosts(LAN) to $dhosts(LAN) for IP protocol(s): $protos" ++ ++ IFS=',' ++ for shost in `ip_range "$shosts"`; do ++ for dhost in `ip_range "$dhosts"`; do ++ for proto in $protos; do ++ iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT ++ done ++ done ++ done ++ fi ++ done ++} ++ ++ + ################################################### + # Setup chain for the LAN-to-INET forward traffic # + ################################################### +@@ -4803,7 +4869,8 @@ setup_firewall_rules() + echo " Logging of denied LAN->INET FORWARD connections disabled" + fi + +- # Setup helper chain for the LAN: ++ # Setup helper chains for the LAN: ++ setup_lan_lan_forward_chain; + setup_lan_inet_forward_chain; + + IFS=' ,' +@@ -4813,6 +4880,12 @@ setup_firewall_rules() + # Always make subnets on the SAME interface trust each other + iptables -A FORWARD -i $iif -o $iif -j ACCEPT + ++ for output_if in $INT_IF; do ++ if [ "$iif" != "$output_if" ]; then ++ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN ++ fi ++ done ++ + for eif in $EXT_IF; do + iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN + done +@@ -5035,6 +5108,7 @@ create_user_chains() + iptables -N DMZ_LAN_FORWARD_CHAIN + iptables -N INET_DMZ_FORWARD_CHAIN + iptables -N DMZ_INET_FORWARD_CHAIN ++ iptables -N LAN_LAN_FORWARD_CHAIN + iptables -N LAN_INET_FORWARD_CHAIN + + # Chains for the external interface +@@ -5091,6 +5165,7 @@ flush_user_chains() + iptables -F DMZ_LAN_FORWARD_CHAIN + iptables -F 
INET_DMZ_FORWARD_CHAIN + iptables -F DMZ_INET_FORWARD_CHAIN ++ iptables -F LAN_LAN_FORWARD_CHAIN + iptables -F LAN_INET_FORWARD_CHAIN + + # Chains for the external interface +diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf +index 2291916..73554d2 100644 +--- a/etc/arno-iptables-firewall/firewall.conf ++++ b/etc/arno-iptables-firewall/firewall.conf +@@ -696,6 +696,40 @@ LAN_HOST_DENY_IP="" + + + ############################################################################### ++# LAN_LAN_xxx = LAN->LAN access rules (forward) # ++############################################################################### ++ ++# Put in the following variables which LAN hosts you want to allow to certain ++# hosts/services on a different LAN (net). ++# ++# TCP/UDP form: ++# "SRCIP1,SRCIP2,...>DESTIP1~port \ ++# SRCIP3,...>DESTIP2~port" ++# ++# IP form: ++# "SRCIP1,SRCIP2,...>DESTIP1~protocol \ ++# SRCIP3,...>DESTIP2~protocol" ++# ++# TCP/UDP examples: ++# Simple (Allow port 80 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): ++# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80" ++# Advanced (Allow port 20 & 21 to LAN host 1.2.3.4 from all other LAN hosts (0/0) and ++# allow port 80 from LAN host 5.6.7.8 (only) to LAN host 1.2.3.4): ++# LAN_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80" ++# ++# IP protocol example: ++# (Allow protocols 47 & 48 to LAN host 1.2.3.4 from all other LAN hosts(0/0)): ++# LAN_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48" ++# ++# NOTE 1: If no SRCIPx is specified, any source host is used ++# NOTE 2: If no port is specified, any port is used ++# ----------------------------------------------------------------------------- ++LAN_LAN_HOST_OPEN_TCP="" ++LAN_LAN_HOST_OPEN_UDP="" ++LAN_LAN_HOST_OPEN_IP="" ++ ++ ++############################################################################### + # LAN_INET_xxx = LAN->internet access rules (forward) # + # # + # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx 
variables are # Deleted: branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw-do-not-reset-accept_ra.patch 2016-06-11 20:31:25 UTC (rev 7716) @@ -1,11 +0,0 @@ ---- arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall.orig 2015-10-30 15:52:23.000000000 -0500 -+++ arno-iptables-firewall_2.0.1f/bin/arno-iptables-firewall 2015-10-30 16:00:37.000000000 -0500 -@@ -495,7 +495,7 @@ - sysctl_set_all "net.ipv6.conf" "forwarding" 1 - echo " Disabling Local IPv6 Auto-Configuration" - sysctl_set_all "net.ipv6.conf" "autoconf" 0 -- sysctl_set_all "net.ipv6.conf" "accept_ra" 0 -+ ## Setting accept_ra=0 is not needed with forwarding=1, don't overwrite any existing accept_ra=2 values - fi - elif [ "$IP_FORWARDING" = "0" ]; then - echo " DISABLING packet forwarding" Deleted: branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw-icmpv6-add-MLD-cleanup-logging.patch 2016-06-11 20:31:25 UTC (rev 7716) 
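Review bot: The new LAN_LAN_HOST_OPEN_* documentation added to firewall.conf does not say that these rules only govern traffic crossing between two different INT_IF interfaces — the existing `iptables -A FORWARD -i $iif -o $iif -j ACCEPT` line ("Always make subnets on the SAME interface trust each other") runs before the new `-j LAN_LAN_FORWARD_CHAIN` jump, so two LAN subnets sharing one interface are never filtered by this chain, which a user reading the `0/0>1.2.3.4~80` example could easily miss. LAN_LAN_FORWARD_CHAIN itself holds only ACCEPT rules and the jump in setup_firewall_rules has no terminal DROP or LOG, so what happens to unmatched inter-LAN traffic depends on the FORWARD rules that follow, which are outside this hunk; the config comment should state the intended default for unmatched traffic explicitly so operators do not assume deny-by-default without checking. I would extend the NOTE list with `# NOTE 3: These rules only apply to traffic forwarded between two different INT_IF interfaces; subnets on the same interface always trust each other.` and, once the fall-through behaviour is confirmed, `# NOTE 4: Inter-LAN traffic not matched by these rules is denied by the FORWARD chain default.` The setup_firewall_rules, create_user_chains and flush_user_chains changes are fragments of functions that start and end outside the hunk.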
@@ -1,75 +0,0 @@ -From 7bd64927a401050769b7da18fd2ae52370cc2390 Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 13 Feb 2016 16:16:16 -0600 -Subject: [PATCH] changed: added support for ICMPv6 Multicast Listener - Discovery, disabled by default with OPEN_ICMPV6_MLD=0. Additionally make sure - all un-needed ICMPv6 packets are dropped so they don't appear as annoying - logs, more common with native IPv6 support by ISP's. Thanks to David Kerr for - pointing out the issue and testing a solution. - ---- - bin/arno-iptables-firewall | 10 ++++++++++ - etc/arno-iptables-firewall/firewall.conf | 6 ++++++ - share/arno-iptables-firewall/environment | 4 ++++ - 3 files changed, 20 insertions(+) - -diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index f5095a5..b02a85f 100755 ---- a/bin/arno-iptables-firewall -+++ b/bin/arno-iptables-firewall -@@ -4574,6 +4574,11 @@ setup_firewall_rules() - for icmpv6_type in $ICMPV6_SPECIAL_TYPES; do - ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -m hl --hl-eq 255 -j ACCEPT - done -+ if [ "$OPEN_ICMPV6_MLD" = "1" ]; then -+ for icmpv6_type in $ICMPV6_MLD_TYPES; do -+ ip6tables -A INPUT -i $interface -p icmpv6 --icmpv6-type $icmpv6_type -s fe80::/10 -m hl --hl-eq 1 -j ACCEPT -+ done -+ fi - fi - - # Apply external (internet) interface policy for the input chain: -@@ -4592,6 +4597,11 @@ setup_firewall_rules() - - # ICMP traffic (flood) - iptables -A INPUT -i $interface -p icmp -m state --state NEW -j EXT_ICMP_FLOOD_CHAIN -+ -+ # Drop any remaining ICMPv6 traffic -+ if [ "$IPV6_SUPPORT" = "1" ]; then -+ ip6tables -A INPUT -i $interface -p icmpv6 -j POST_INPUT_DROP_CHAIN -+ fi - done - - -diff --git a/etc/arno-iptables-firewall/firewall.conf b/etc/arno-iptables-firewall/firewall.conf -index 9e80e20..2291916 100644 ---- a/etc/arno-iptables-firewall/firewall.conf -+++ b/etc/arno-iptables-firewall/firewall.conf -@@ -1158,6 +1158,12 @@ OPEN_ICMP=0 - # 
----------------------------------------------------------------------------- - OPEN_ICMPV6=1 - -+# Enable (1) to make the default policy allow IPv6 ICMPv6 -+# Multicast Listener Discovery (RFC 2710, 3810) for INET access -+# Note: Requires setting OPEN_ICMPV6=1 to apply. -+# ----------------------------------------------------------------------------- -+OPEN_ICMPV6_MLD=0 -+ - # Put in the following variables which ports or IP protocols you want to leave - # open to the whole world. - # ----------------------------------------------------------------------------- -diff --git a/share/arno-iptables-firewall/environment b/share/arno-iptables-firewall/environment -index 5728e4c..616c29c 100644 ---- a/share/arno-iptables-firewall/environment -+++ b/share/arno-iptables-firewall/environment -@@ -1698,6 +1698,10 @@ fi - ###################################################################### - ICMPV6_SPECIAL_TYPES="133 134 135 136" - -+# IPv6 ICMPv6 Multicast Listener Discovery (RFC 2710, 3810) -+###################################################################### -+ICMPV6_MLD_TYPES="130 131 132 143" -+ - # Check plugin bin path and fallback in case it's empty - ####################################################### - if [ -z "$PLUGIN_BIN_PATH" ]; then Deleted: branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw-pptp-vpn-passthrough.patch 2016-06-11 20:31:25 UTC (rev 7716) 
@@ -1,186 +0,0 @@ -From ade2e3fd17771b861f97dd3adb5307e4da16dc4e Mon Sep 17 00:00:00 2001 -From: Lonnie Abelbeck <lo...@ab...> -Date: Sat, 9 Jan 2016 10:04:46 -0600 -Subject: [PATCH] added: PPTP VPN Passthrough plugin, Issue #27 - ---- - .../plugins/pptp-vpn-passthrough.conf | 14 +++ - .../plugins/50pptp-vpn-passthrough.plugin | 135 +++++++++++++++++++++ - .../plugins/pptp-vpn-passthrough.CHANGELOG | 4 + - 3 files changed, 153 insertions(+) - create mode 100644 etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf - create mode 100644 share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin - create mode 100644 share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG - -diff --git a/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -new file mode 100644 -index 0000000..250bc0d ---- /dev/null -+++ b/etc/arno-iptables-firewall/plugins/pptp-vpn-passthrough.conf -@@ -0,0 +1,14 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# ------------------------------------------------------------------------------ -+ -+# To actually enable this plugin make ENABLED=1: -+# ------------------------------------------------------------------------------ -+ENABLED=0 -+ -+# PPTP uses the GRE protocol for transport, as such, when PPTP VPN clients -+# have NAT between them and the PPTP VPN server special packet handling must be performed. -+# This plugin loads the required Linux Kernel modules to handle that situation. 
-+# -+# No configuration options -+# ------------------------------------------------------------------------------ -diff --git a/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -new file mode 100644 -index 0000000..379a1dd ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/50pptp-vpn-passthrough.plugin -@@ -0,0 +1,135 @@ -+# ------------------------------------------------------------------------------ -+# -= Arno's iptables firewall - PPTP VPN Passthrough plugin =- -+# -+PLUGIN_NAME="PPTP VPN Passthrough plugin" -+PLUGIN_VERSION="1.00" -+PLUGIN_CONF_FILE="pptp-vpn-passthrough.conf" -+# -+# Last changed : January 9, 2016 -+# Requirements : AIF 2.0.0+ and ip_nat_pptp -+# Comments : This plugin loads the required kernel modules for PPTP VPN Clients -+# to access remote PPTP VPN Server(s) when NAT is enabled. -+# -+# Author : (C) Copyright 2016 by Lonnie Abelbeck & Arno van Amersfoort -+# Homepage : http://rocky.eld.leidenuniv.nl/ -+# Email : a r n o v a AT r o c k y DOT e l d DOT l e i d e n u n i v DOT n l -+# (note: you must remove all spaces and substitute the @ and the . -+# at the proper locations!) -+# ------------------------------------------------------------------------------ -+# This program is free software; you can redistribute it and/or -+# modify it under the terms of the GNU General Public License -+# version 2 as published by the Free Software Foundation. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. 
-+# ------------------------------------------------------------------------------ -+ -+# Plugin start function -+plugin_start() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ echo "${INDENT}Enable PPTP NAT helper module" -+ modprobe_multi nf_nat_pptp ip_nat_pptp -+ else -+ echo "${INDENT}ERROR: NAT is not enabled, this plugin will be ignored." -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin restart function -+plugin_restart() -+{ -+ -+ # Skip plugin_stop on a restart -+ plugin_start -+ -+ return 0 -+} -+ -+ -+# Plugin stop function -+plugin_stop() -+{ -+ -+ if [ "$NAT" = "1" ]; then -+ if [ -e /proc/modules -a -x "$MODPROBE" ]; then -+ if ! $MODPROBE -r nf_nat_pptp >/dev/null 2>&1; then -+ $MODPROBE -r ip_nat_pptp >/dev/null 2>&1 -+ fi -+ if [ $? -eq 0 ]; then -+ echo "${INDENT}Disabled PPTP NAT helper module" -+ fi -+ fi -+ fi -+ -+ return 0 -+} -+ -+ -+# Plugin status function -+plugin_status() -+{ -+ return 0 -+} -+ -+ -+# Check sanity of eg. environment -+plugin_sanity_check() -+{ -+ return 0 -+} -+ -+ -+############ -+# Mainline # -+############ -+ -+# Check where to find the config file -+CONF_FILE="" -+if [ -n "$PLUGIN_CONF_PATH" ]; then -+ CONF_FILE="$PLUGIN_CONF_PATH/$PLUGIN_CONF_FILE" -+fi -+ -+# Preinit to success: -+PLUGIN_RET_VAL=0 -+ -+# Check if the config file exists -+if [ ! -e "$CONF_FILE" ]; then -+ printf "NOTE: Config file \"$CONF_FILE\" not found!\n Plugin \"$PLUGIN_NAME v$PLUGIN_VERSION\" ignored!\n" >&2 -+else -+ # Source the plugin config file -+ . "$CONF_FILE" -+ -+ if [ "$ENABLED" = "1" -a "$PLUGIN_CMD" != "stop-restart" ] || -+ [ "$ENABLED" = "0" -a "$PLUGIN_CMD" = "stop-restart" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "stop" ] || -+ [ -n "$PLUGIN_LOAD_FILE" -a "$PLUGIN_CMD" = "status" ]; then -+ # Show who we are: -+ echo "${INDENT}$PLUGIN_NAME v$PLUGIN_VERSION" -+ -+ # Increment indention -+ INDENT="$INDENT " -+ -+ # Only proceed if environment ok -+ if ! 
plugin_sanity_check; then -+ PLUGIN_RET_VAL=1 -+ else -+ case $PLUGIN_CMD in -+ start|'') plugin_start; PLUGIN_RET_VAL=$? ;; -+ restart ) plugin_restart; PLUGIN_RET_VAL=$? ;; -+ stop|stop-restart) plugin_stop; PLUGIN_RET_VAL=$? ;; -+ status ) plugin_status; PLUGIN_RET_VAL=$? ;; -+ * ) PLUGIN_RET_VAL=1; printf "\033[40m\033[1;31m${INDENT}ERROR: Invalid plugin option \"$PLUGIN_CMD\"!\033[0m\n" >&2 ;; -+ esac -+ fi -+ fi -+fi -diff --git a/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -new file mode 100644 -index 0000000..042b789 ---- /dev/null -+++ b/share/arno-iptables-firewall/plugins/pptp-vpn-passthrough.CHANGELOG -@@ -0,0 +1,4 @@ -+Version 1.00 (January 9, 2016) -+----------------------------------- -++ Initial version -+ - Modified: branches/1.0/package/arnofw/arnofw.serial =================================================================== --- branches/1.0/package/arnofw/arnofw.serial 2016-06-10 13:54:37 UTC (rev 7715) +++ branches/1.0/package/arnofw/arnofw.serial 2016-06-11 20:31:25 UTC (rev 7716) @@ -1 +1 @@ -0002~0026~0000~0000~0000~ +0002~0027~0000~0000~0000~ This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |