package: fullconenat

Signed-off-by: JiaY-shi <shi05275@163.com>
2025-12-16 06:59:52 +00:00 · 2022-07-20 01:41:31 +03:00 · 2022-07-20 01:41:31 +03:00 · be2f8ddec4
commit be2f8ddec4
parent 4f4cb52e24
6 changed files with 172 additions and 2 deletions
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@ -30,7 +30,9 @@ define Package/firewall
  SECTION:=net
  CATEGORY:=Base system
  TITLE:=OpenWrt C Firewall
-  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libiptext +IPV6:libiptext6 \
+  		+libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat \
+		+iptables-mod-fullconenat
  PROVIDES:=uci-firewall
  CONFLICTS:=firewall4
 endef
@ -61,4 +63,4 @@ define Package/firewall/install
 	$(INSTALL_CONF) $(PKG_BUILD_DIR)/helpers.conf $(1)/usr/share/fw3
 endef

-$(eval $(call BuildPackage,firewall))
+$(eval $(call BuildPackage,firewall))
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@ -3,6 +3,8 @@ config defaults
 	option input		REJECT
 	option output		ACCEPT
 	option forward		REJECT
+	option flow_offloading	1
+	option fullcone		1
 # Uncomment this line to disable ipv6 rules
 #	option disable_ipv6	1

--- a/package/network/config/firewall/patches/fullconenat.patch
+++ b/package/network/config/firewall/patches/fullconenat.patch
@ -0,0 +1,63 @@
+index 85a3750..9fac9b1 100644
+--- a/defaults.c
+++ b/defaults.c
+@@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = {
+ 	FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
+ 	FW3_OPT("synflood_rate",       limit,    defaults, syn_flood_rate),
+ 	FW3_OPT("synflood_burst",      int,      defaults, syn_flood_rate.burst),
+-
+	
+	FW3_OPT("fullcone",           bool,     defaults, fullcone),
+	
+ 	FW3_OPT("tcp_syncookies",      bool,     defaults, tcp_syncookies),
+ 	FW3_OPT("tcp_ecn",             int,      defaults, tcp_ecn),
+ 	FW3_OPT("tcp_window_scaling",  bool,     defaults, tcp_window_scaling),
+diff --git a/options.h b/options.h
+index 6edd174..c02eb97 100644
+--- a/options.h
+++ b/options.h
+@@ -267,6 +267,7 @@ struct fw3_defaults
+ 	bool drop_invalid;
+ 
+ 	bool syn_flood;
+	bool fullcone;
+ 	struct fw3_limit syn_flood_rate;
+ 
+ 	bool tcp_syncookies;
+diff --git a/zones.c b/zones.c
+index 2aa7473..57eead0 100644
+--- a/zones.c
+++ b/zones.c
+@@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 	struct fw3_address *msrc;
+ 	struct fw3_address *mdest;
+ 	struct fw3_ipt_rule *r;
+	struct fw3_defaults *defs = &state->defaults;
+ 
+ 	if (!fw3_is_family(zone, handle->family))
+ 		return;
+@@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h
+ 				{
+ 					r = fw3_ipt_rule_new(handle);
+ 					fw3_ipt_rule_src_dest(r, msrc, mdest);
+-					fw3_ipt_rule_target(r, "MASQUERADE");
+-					fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+					/*FIXME: Workaround for FULLCONE-NAT*/
+					if(defs->fullcone)
+					{
+						warn("%s will enable FULLCONE-NAT", zone->name);
+						fw3_ipt_rule_target(r, "FULLCONENAT");
+						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+						r = fw3_ipt_rule_new(handle);
+						fw3_ipt_rule_src_dest(r, msrc, mdest);
+						fw3_ipt_rule_target(r, "FULLCONENAT");
+						fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
+					}
+					else
+					{
+						fw3_ipt_rule_target(r, "MASQUERADE");
+						fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+					}
+ 				}
+ 			}
+ 		}
--- a/package/network/utils/fullconenat/Makefile
+++ b/package/network/utils/fullconenat/Makefile
@ -0,0 +1,72 @@
+#
+# Copyright (C) 2018 Chion Tang <tech@chionlab.moe>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=fullconenat
+PKG_RELEASE:=1
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/llccd/netfilter-full-cone-nat.git
+PKG_SOURCE_DATE:=2023-01-01
+PKG_SOURCE_VERSION:=74c5e6f3c7faaf33ece451697537c81781781c20
+PKG_MIRROR_HASH:=8bad0cf5d90c52b4cad384e4f1b15ac28312f767fcffe692c606d87d8c3facfc
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=LICENSE
+PKG_MAINTAINER:=Chion Tang <tech@chionlab.moe>
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/iptables-mod-fullconenat
+  SUBMENU:=Firewall
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=FULLCONENAT iptables extension
+  DEPENDS:=+iptables +kmod-ipt-fullconenat
+endef
+
+define Package/ip6tables-mod-fullconenat
+  SUBMENU:=Firewall
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=FULLCONENAT ip6tables extension
+  DEPENDS:=ip6tables +kmod-nf-nat6 +kmod-ipt-fullconenat +ip6tables-mod-nat
+endef
+
+define KernelPackage/ipt-fullconenat
+  SUBMENU:=Netfilter Extensions
+  TITLE:=FULLCONENAT netfilter module
+  DEPENDS:=+kmod-nf-ipt +kmod-nf-nat
+  KCONFIG:= \
+	CONFIG_NF_CONNTRACK_EVENTS=y \
+	CONFIG_NF_CONNTRACK_CHAIN_EVENTS=n
+  FILES:=$(PKG_BUILD_DIR)/xt_FULLCONENAT.ko
+  AUTOLOAD:=$(call AutoLoad,50,xt_FULLCONENAT)
+endef
+
+include $(INCLUDE_DIR)/kernel-defaults.mk
+
+define Build/Compile
+	+$(KERNEL_MAKE) M="$(PKG_BUILD_DIR)" modules
+	$(call Build/Compile/Default)
+endef
+
+define Package/iptables-mod-fullconenat/install
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libipt_FULLCONENAT.so $(1)/usr/lib/iptables
+endef
+
+define Package/ip6tables-mod-fullconenat/install
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libip6t_FULLCONENAT.so $(1)/usr/lib/iptables
+endef
+
+$(eval $(call BuildPackage,iptables-mod-fullconenat))
+$(eval $(call BuildPackage,ip6tables-mod-fullconenat))
+$(eval $(call KernelPackage,ipt-fullconenat))
--- a/package/network/utils/fullconenat/patches/000-printk.patch
+++ b/package/network/utils/fullconenat/patches/000-printk.patch
@ -0,0 +1,19 @@
+diff --git a/xt_FULLCONENAT.c b/xt_FULLCONENAT.c
+index 30e7686..492f638 100644
+--- a/xt_FULLCONENAT.c
+++ b/xt_FULLCONENAT.c
+@@ -1345,9 +1345,13 @@ static struct xt_target tg_reg[] __read_mostly = {
+ static int __init fullconenat_tg_init(void)
+ {
+   int ret;
+
+  printk(KERN_INFO "xt_FULLCONENAT: RFC3489 Full Cone NAT module\n"
+    "xt_FULLCONENAT: Copyright (C) 2018 Chion Tang <tech@chionlab.moe>\n");
+
+   wq = create_singlethread_workqueue("xt_FULLCONENAT");
+   if (wq == NULL) {
+-    printk("xt_FULLCONENAT: warning: failed to create workqueue\n");
+    printk(KERN_WARNING "xt_FULLCONENAT: warning: failed to create workqueue\n");
+   }
+
+ #if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
--- a/package/network/utils/fullconenat/src/Makefile
+++ b/package/network/utils/fullconenat/src/Makefile
@ -0,0 +1,12 @@
+all: libipt_FULLCONENAT.so libip6t_FULLCONENAT.so
+
+libipt_FULLCONENAT.so: libipt_FULLCONENAT.o
+	$(CC) -shared -lxtables -o $@ $^;
+libipt_FULLCONENAT.o: libipt_FULLCONENAT.c
+	$(CC) ${CFLAGS} -fPIC -c -o $@ $<;
+libip6t_FULLCONENAT.so: libip6t_FULLCONENAT.o
+	$(CC) -shared -lxtables -o $@ $^;
+libip6t_FULLCONENAT.o: libip6t_FULLCONENAT.c
+	$(CC) ${CFLAGS} -fPIC -c -o $@ $<;
+
+obj-m += xt_FULLCONENAT.o