firewall4: refresh fullcone patch

[immortalwrt/immortalwrt.git] / package / network / config / firewall4 / patches / 001-firewall4-add-support-for-fullcone-nat.patch

From 980594ee7bcb0bcded95731bb12cf118d7f48951 Mon Sep 17 00:00:00 2001
From: Syrone Wong <wong.syrone@gmail.com>
Date: Sat, 9 Apr 2022 13:24:19 +0800
Subject: [PATCH] firewall4: add fullcone support

fullcone is drop-in replacement of masq for non-udp traffic

add runtime fullcone rule check, disable it globally if fullcone expr is
invalid

Renew: ZiMing Mo <msylgj@immortalwrt.org>
---
 root/etc/config/firewall                      |  1 +
 root/usr/share/firewall4/templates/ruleset.uc | 13 +++++-
 .../firewall4/templates/zone-fullcone.uc      |  4 ++
 root/usr/share/ucode/fw4.uc                   | 38 ++++++++++++++++++-
 4 files changed, 53 insertions(+), 3 deletions(-)
 create mode 100644 root/usr/share/firewall4/templates/zone-fullcone.uc

--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
@@ -5,6 +5,7 @@ config defaults
        option forward          REJECT
 # Uncomment this line to disable ipv6 rules
 #      option disable_ipv6     1
+       option fullcone '1'
 
 config zone
        option name             lan
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -1,3 +1,4 @@
+{# /usr/share/firewall4/templates/ruleset.uc #}
 {% let flowtable_devices = fw4.resolve_offload_devices(); -%}
 
 table inet fw4
@@ -238,6 +239,10 @@ table inet fw4 {
 {%   for (let redirect in fw4.redirects(`dstnat_${zone.name}`)): %}
                {%+ include("redirect.uc", { fw4, redirect }) %}
 {%   endfor %}
+{%   if (fw4.default_option("fullcone")): %}
+               {%+ include("zone-fullcone.uc", { fw4, zone, direction: "dstnat" }) %}
+{%   endif %}
+
        }
 
 {%  endif %}
@@ -246,20 +251,24 @@ table inet fw4 {
 {%   for (let redirect in fw4.redirects(`srcnat_${zone.name}`)): %}
                {%+ include("redirect.uc", { fw4, redirect }) %}
 {%   endfor %}
-{%   if (zone.masq): %}
+{%   if (zone.masq && !fw4.default_option("fullcone")): %}
 {%    for (let saddrs in zone.masq4_src_subnets): %}
 {%     for (let daddrs in zone.masq4_dest_subnets): %}
                {%+ include("zone-masq.uc", { fw4, zone, family: 4, saddrs, daddrs }) %}
 {%     endfor %}
 {%    endfor %}
 {%   endif %}
-{%   if (zone.masq6): %}
+{%   if (zone.masq6 && !fw4.default_option("fullcone")): %}
 {%    for (let saddrs in zone.masq6_src_subnets): %}
 {%     for (let daddrs in zone.masq6_dest_subnets): %}
                {%+ include("zone-masq.uc", { fw4, zone, family: 6, saddrs, daddrs }) %}
 {%     endfor %}
 {%    endfor %}
 {%   endif %}
+{%   if (fw4.default_option("fullcone")): %}
+               {%+ include("zone-fullcone.uc", { fw4, zone, direction: "srcnat" }) %}
+{%   endif %}
+
        }
 
 {%  endif %}
--- /dev/null
+++ b/root/usr/share/firewall4/templates/zone-fullcone.uc
@@ -0,0 +1,4 @@
+{# /usr/share/firewall4/templates/zone-fullcone.uc #}
+               fullcone comment "!fw4: Handle {{
+               zone.name
+}} IPv4/IPv6 fullcone NAT traffic"
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -1,3 +1,5 @@
+// /usr/share/ucode/fw4.uc
+
 const fs = require("fs");
 const uci = require("uci");
 const ubus = require("ubus");
@@ -428,6 +430,25 @@ function nft_try_hw_offload(devices) {
        return (rc == 0);
 }
 
+function nft_try_fullcone() {
+       let nft_test =
+               'add table inet fw4-fullcone-test; ' +
+               'add chain inet fw4-fullcone-test dstnat { ' +
+                       'type nat hook prerouting priority -100; policy accept; ' +
+                       'fullcone; ' +
+               '}; ' +
+               'add chain inet fw4-fullcone-test srcnat { ' +
+                       'type nat hook postrouting priority -100; policy accept; ' +
+                       'fullcone; ' +
+               '}; ';
+       let cmd = sprintf("/usr/sbin/nft -c '%s' 2>/dev/null", replace(nft_test, "'", "'\\''"));
+       let ok = system(cmd) == 0;
+       if (!ok) {
+               warn("nft_try_fullcone: cmd "+ cmd + "\n");
+       }
+       return ok;
+}
+
 
 return {
        read_kernel_version: function() {
@@ -1383,6 +1404,7 @@ return {
                        "dnat",
                        "snat",
                        "masquerade",
+                       "fullcone",
                        "accept",
                        "reject",
                        "drop"
@@ -1802,6 +1824,7 @@ return {
                }
 
                let defs = this.parse_options(data, {
+                       fullcone: [ "bool", "0" ],
                        input: [ "policy", "drop" ],
                        output: [ "policy", "drop" ],
                        forward: [ "policy", "drop" ],
@@ -1834,6 +1857,14 @@ return {
 
                delete defs.syn_flood;
 
+               if (!nft_try_fullcone()) {
+                       delete defs.fullcone;
+                       warn("nft_try_fullcone failed, disable fullcone globally\n");
+               }
+               if (this.state.defaults && !this.state.defaults.fullcone) {
+                       this.warn_section(data, "fullcone enabled");
+               }
+
                this.state.defaults = defs;
        },
 
@@ -2058,10 +2089,15 @@ return {
                zone.related_subnets = related_subnets;
                zone.related_physdevs = related_physdevs;
 
+               if (this.state.defaults.fullcone) {
+                       zone.dflags.snat = true;
+                       zone.dflags.dnat = true;
+               }
+
                if (zone.masq || zone.masq6)
                        zone.dflags.snat = true;
 
-               if ((zone.auto_helper && !(zone.masq || zone.masq6)) || length(zone.helper)) {
+               if ((zone.auto_helper && !(zone.masq || zone.masq6 || this.state.defaults.fullcone)) || length(zone.helper)) {
                        zone.dflags.helper = true;
 
                        for (let helper in (length(zone.helper) ? zone.helper : this.state.helpers)) {