openwrt stealth

1. From 1ab6ef66f52115c028dca1124b494e16a58d3119 Mon Sep 17 00:00:00 2001
2. From: Matteo Croce <matteo@openwrt.org>
3. Date: Mon, 6 Jul 2015 22:03:21 +0200
4. Subject: [PATCH 14/14] add stealth mode for WAN interfaces
5.  
6. ---
7. .../files/etc/hotplug.d/iface/20-stealth           |   3 +
8.  .../linux/generic/patches-3.18/682-stealth.patch   | 204 +++++++++++++++++++++
9.  2 files changed, 207 insertions(+)
10.  create mode 100755 package/base-files/files/etc/hotplug.d/iface/20-stealth
11.  create mode 100644 target/linux/generic/patches-3.18/682-stealth.patch
12.  
13. diff --git a/package/base-files/files/etc/hotplug.d/iface/20-stealth b/package/base-files/files/etc/hotplug.d/iface/20-stealth
14. new file mode 100755
15. index 0000000..2f87a6c
16. --- /dev/null
17. +++ b/package/base-files/files/etc/hotplug.d/iface/20-stealth
18. @@ -0,0 +1,3 @@
19. +#!/bin/sh
20. +
21. +[ "$ACTION" = ifup -a "$INTERFACE" = wan ] && echo 1 >/proc/sys/net/ipv4/conf/$DEVICE/stealth
22. diff --git a/target/linux/generic/patches-3.18/682-stealth.patch b/target/linux/generic/patches-3.18/682-stealth.patch
23. new file mode 100644
24. index 0000000..f398fcf
25. --- /dev/null
26. +++ b/target/linux/generic/patches-3.18/682-stealth.patch
27. @@ -0,0 +1,204 @@
28. +Index: linux-3.18.17/Documentation/networking/ip-sysctl.txt
29. +===================================================================
30. +--- linux-3.18.17.orig/Documentation/networking/ip-sysctl.txt
31. ++++ linux-3.18.17/Documentation/networking/ip-sysctl.txt
32. +@@ -1116,6 +1116,12 @@ tag - INTEGER
33. +   Allows you to write a number, which can be used as required.
34. +   Default value is 0.
35. +
36. ++stealth - BOOLEAN
37. ++  Disable any reply not related to a listening socket,
38. ++  like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
39. ++  Also disables ICMP replies to echo requests and timestamp.
40. ++  Default value is 0.
41. ++
42. + Alexey Kuznetsov.
43. + kuznet@ms2.inr.ac.ru
44. +
45. +@@ -1466,6 +1472,12 @@ suppress_frag_ndisc - INTEGER
46. +   1 - (default) discard fragmented neighbor discovery packets
47. +   0 - allow fragmented neighbor discovery packets
48. +
49. ++stealth - BOOLEAN
50. ++  Disable any reply not related to a listening socket,
51. ++  like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
52. ++  Also disables ICMPv6 replies to echo requests.
53. ++  Default value is 0.
54. ++
55. + icmp/*:
56. + ratelimit - INTEGER
57. +   Limit the maximal rates for sending ICMPv6 packets.
58. +Index: linux-3.18.17/include/linux/inetdevice.h
59. +===================================================================
60. +--- linux-3.18.17.orig/include/linux/inetdevice.h
61. ++++ linux-3.18.17/include/linux/inetdevice.h
62. +@@ -125,6 +125,7 @@ static inline void ipv4_devconf_setall(s
63. + #define IN_DEV_ARP_ANNOUNCE(in_dev)   IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)
64. + #define IN_DEV_ARP_IGNORE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_IGNORE)
65. + #define IN_DEV_ARP_NOTIFY(in_dev) IN_DEV_MAXCONF((in_dev), ARP_NOTIFY)
66. ++#define IN_DEV_STEALTH(in_dev)        IN_DEV_MAXCONF((in_dev), STEALTH)
67. +
68. + struct in_ifaddr {
69. +   struct hlist_node   hash;
70. +Index: linux-3.18.17/include/linux/ipv6.h
71. +===================================================================
72. +--- linux-3.18.17.orig/include/linux/ipv6.h
73. ++++ linux-3.18.17/include/linux/ipv6.h
74. +@@ -51,6 +51,7 @@ struct ipv6_devconf {
75. +   __s32       force_tllao;
76. +   __s32           ndisc_notify;
77. +   __s32       suppress_frag_ndisc;
78. ++  __s32       stealth;
79. +   void        *sysctl;
80. + };
81. +
82. +Index: linux-3.18.17/include/uapi/linux/ip.h
83. +===================================================================
84. +--- linux-3.18.17.orig/include/uapi/linux/ip.h
85. ++++ linux-3.18.17/include/uapi/linux/ip.h
86. +@@ -164,6 +164,7 @@ enum
87. +   IPV4_DEVCONF_ROUTE_LOCALNET,
88. +   IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
89. +   IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
90. ++  IPV4_DEVCONF_STEALTH,
91. +   __IPV4_DEVCONF_MAX
92. + };
93. +
94. +Index: linux-3.18.17/net/ipv4/devinet.c
95. +===================================================================
96. +--- linux-3.18.17.orig/net/ipv4/devinet.c
97. ++++ linux-3.18.17/net/ipv4/devinet.c
98. +@@ -2143,6 +2143,7 @@ static struct devinet_sysctl_table {
99. +                         "promote_secondaries"),
100. +       DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
101. +                         "route_localnet"),
102. ++      DEVINET_SYSCTL_RW_ENTRY(STEALTH, "stealth"),
103. +   },
104. + };
105. +
106. +Index: linux-3.18.17/net/ipv4/icmp.c
107. +===================================================================
108. +--- linux-3.18.17.orig/net/ipv4/icmp.c
109. ++++ linux-3.18.17/net/ipv4/icmp.c
110. +@@ -879,6 +879,9 @@ static void icmp_echo(struct sk_buff *sk
111. + {
112. +   struct net *net;
113. +
114. ++  if (IN_DEV_STEALTH(skb->dev->ip_ptr))
115. ++      return true;
116. ++
117. +   net = dev_net(skb_dst(skb)->dev);
118. +   if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
119. +       struct icmp_bxm icmp_param;
120. +@@ -910,6 +913,9 @@ static void icmp_timestamp(struct sk_buf
121. +   if (skb->len < 4)
122. +       goto out_err;
123. +
124. ++  if (IN_DEV_STEALTH(skb->dev->ip_ptr))
125. ++      return true;
126. ++
127. +   /*
128. +    *  Fill in the current time as ms since midnight UT:
129. +    */
130. +Index: linux-3.18.17/net/ipv4/tcp_ipv4.c
131. +===================================================================
132. +--- linux-3.18.17.orig/net/ipv4/tcp_ipv4.c
133. ++++ linux-3.18.17/net/ipv4/tcp_ipv4.c
134. +@@ -77,6 +77,7 @@
135. + #include <net/busy_poll.h>
136. +
137. + #include <linux/inet.h>
138. ++#include <linux/inetdevice.h>
139. + #include <linux/ipv6.h>
140. + #include <linux/stddef.h>
141. + #include <linux/proc_fs.h>
142. +@@ -1695,7 +1696,7 @@ csum_error:
143. +       TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
144. + bad_packet:
145. +       TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
146. +-  } else {
147. ++  } else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
148. +       tcp_v4_send_reset(NULL, skb);
149. +   }
150. +
151. +Index: linux-3.18.17/net/ipv4/udp.c
152. +===================================================================
153. +--- linux-3.18.17.orig/net/ipv4/udp.c
154. ++++ linux-3.18.17/net/ipv4/udp.c
155. +@@ -96,6 +96,7 @@
156. + #include <linux/timer.h>
157. + #include <linux/mm.h>
158. + #include <linux/inet.h>
159. ++#include <linux/inetdevice.h>
160. + #include <linux/netdevice.h>
161. + #include <linux/slab.h>
162. + #include <net/tcp_states.h>
163. +@@ -1811,7 +1812,8 @@ int __udp4_lib_rcv(struct sk_buff *skb,
164. +       goto csum_error;
165. +
166. +   UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
167. +-  icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
168. ++  if (!IN_DEV_STEALTH(skb->dev->ip_ptr))
169. ++      icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
170. +
171. +   /*
172. +    * Hmm.  We got an UDP packet to a port to which we
173. +Index: linux-3.18.17/net/ipv6/addrconf.c
174. +===================================================================
175. +--- linux-3.18.17.orig/net/ipv6/addrconf.c
176. ++++ linux-3.18.17/net/ipv6/addrconf.c
177. +@@ -5224,6 +5224,13 @@ static struct addrconf_sysctl_table
178. +           .proc_handler   = proc_dointvec,
179. +       },
180. +       {
181. ++          .procname   = "stealth",
182. ++          .data       = &ipv6_devconf.stealth,
183. ++          .maxlen     = sizeof(int),
184. ++          .mode       = 0644,
185. ++          .proc_handler   = proc_dointvec,
186. ++      },
187. ++      {
188. +           /* sentinel */
189. +       }
190. +   },
191. +Index: linux-3.18.17/net/ipv6/icmp.c
192. +===================================================================
193. +--- linux-3.18.17.orig/net/ipv6/icmp.c
194. ++++ linux-3.18.17/net/ipv6/icmp.c
195. +@@ -723,7 +723,8 @@ static int icmpv6_rcv(struct sk_buff *sk
196. +
197. +   switch (type) {
198. +   case ICMPV6_ECHO_REQUEST:
199. +-      icmpv6_echo_reply(skb);
200. ++      if (!idev->cnf.stealth)
201. ++          icmpv6_echo_reply(skb);
202. +       break;
203. +
204. +   case ICMPV6_ECHO_REPLY:
205. +Index: linux-3.18.17/net/ipv6/tcp_ipv6.c
206. +===================================================================
207. +--- linux-3.18.17.orig/net/ipv6/tcp_ipv6.c
208. ++++ linux-3.18.17/net/ipv6/tcp_ipv6.c
209. +@@ -1505,7 +1505,7 @@ csum_error:
210. +       TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
211. + bad_packet:
212. +       TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
213. +-  } else {
214. ++  } else if (!__in6_dev_get(skb->dev)->cnf.stealth) {
215. +       tcp_v6_send_reset(NULL, skb);
216. +   }
217. +
218. +Index: linux-3.18.17/net/ipv6/udp.c
219. +===================================================================
220. +--- linux-3.18.17.orig/net/ipv6/udp.c
221. ++++ linux-3.18.17/net/ipv6/udp.c
222. +@@ -919,7 +919,8 @@ int __udp6_lib_rcv(struct sk_buff *skb,
223. +       goto csum_error;
224. +
225. +   UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
226. +-  icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
227. ++  if (!__in6_dev_get(skb->dev)->cnf.stealth)
228. ++      icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
229. +
230. +   kfree_skb(skb);
231. +   return 0;
232. --
233. 2.1.4