- From 1ab6ef66f52115c028dca1124b494e16a58d3119 Mon Sep 17 00:00:00 2001
- From: Matteo Croce <matteo@openwrt.org>
- Date: Mon, 6 Jul 2015 22:03:21 +0200
- Subject: [PATCH 14/14] add stealth mode for WAN interfaces
- ---
- .../files/etc/hotplug.d/iface/20-stealth | 3 +
- .../linux/generic/patches-3.18/682-stealth.patch | 204 +++++++++++++++++++++
- 2 files changed, 207 insertions(+)
- create mode 100755 package/base-files/files/etc/hotplug.d/iface/20-stealth
- create mode 100644 target/linux/generic/patches-3.18/682-stealth.patch
- diff --git a/package/base-files/files/etc/hotplug.d/iface/20-stealth b/package/base-files/files/etc/hotplug.d/iface/20-stealth
- new file mode 100755
- index 0000000..2f87a6c
- --- /dev/null
- +++ b/package/base-files/files/etc/hotplug.d/iface/20-stealth
- @@ -0,0 +1,3 @@
- +#!/bin/sh
- +
- +[ "$ACTION" = ifup -a "$INTERFACE" = wan ] && echo 1 >/proc/sys/net/ipv4/conf/$DEVICE/stealth
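Review bot: The hotplug script writes only the IPv4 knob, so after `ifup wan` the IPv6 `stealth` sysctl that the same series adds stays at its default of 0 and IPv6 RST, port-unreachable and echo replies still leave the uplink. The `$DEVICE` expansion in the redirection target is also unquoted. I would add a matching line for the v6 path, `[ "$ACTION" = ifup -a "$INTERFACE" = wan ] && echo 1 >"/proc/sys/net/ipv6/conf/$DEVICE/stealth"`, adjusting the interface match if the IPv6 uplink is a separate logical interface. Guarding both writes with `[ -e "/proc/sys/net/ipv4/conf/$DEVICE/stealth" ]` (and the v6 equivalent) avoids an error on every ifup when the running kernel lacks the patch.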
- diff --git a/target/linux/generic/patches-3.18/682-stealth.patch b/target/linux/generic/patches-3.18/682-stealth.patch
- new file mode 100644
- index 0000000..f398fcf
- --- /dev/null
- +++ b/target/linux/generic/patches-3.18/682-stealth.patch
- @@ -0,0 +1,204 @@
- +Index: linux-3.18.17/Documentation/networking/ip-sysctl.txt
- +===================================================================
- +--- linux-3.18.17.orig/Documentation/networking/ip-sysctl.txt
- ++++ linux-3.18.17/Documentation/networking/ip-sysctl.txt
- +@@ -1116,6 +1116,12 @@ tag - INTEGER
- + Allows you to write a number, which can be used as required.
- + Default value is 0.
- +
- ++stealth - BOOLEAN
- ++ Disable any reply not related to a listening socket,
- ++ like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
- ++ Also disables ICMP replies to echo requests and timestamp.
- ++ Default value is 0.
- ++
- + Alexey Kuznetsov.
- + kuznet@ms2.inr.ac.ru
- +
- +@@ -1466,6 +1472,12 @@ suppress_frag_ndisc - INTEGER
- + 1 - (default) discard fragmented neighbor discovery packets
- + 0 - allow fragmented neighbor discovery packets
- +
- ++stealth - BOOLEAN
- ++ Disable any reply not related to a listening socket,
- ++ like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
- ++ Also disables ICMPv6 replies to echo requests.
- ++ Default value is 0.
- ++
- + icmp/*:
- + ratelimit - INTEGER
- + Limit the maximal rates for sending ICMPv6 packets.
- +Index: linux-3.18.17/include/linux/inetdevice.h
- +===================================================================
- +--- linux-3.18.17.orig/include/linux/inetdevice.h
- ++++ linux-3.18.17/include/linux/inetdevice.h
- +@@ -125,6 +125,7 @@ static inline void ipv4_devconf_setall(s
- + #define IN_DEV_ARP_ANNOUNCE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)
- + #define IN_DEV_ARP_IGNORE(in_dev) IN_DEV_MAXCONF((in_dev), ARP_IGNORE)
- + #define IN_DEV_ARP_NOTIFY(in_dev) IN_DEV_MAXCONF((in_dev), ARP_NOTIFY)
- ++#define IN_DEV_STEALTH(in_dev) IN_DEV_MAXCONF((in_dev), STEALTH)
- +
- + struct in_ifaddr {
- + struct hlist_node hash;
- +Index: linux-3.18.17/include/linux/ipv6.h
- +===================================================================
- +--- linux-3.18.17.orig/include/linux/ipv6.h
- ++++ linux-3.18.17/include/linux/ipv6.h
- +@@ -51,6 +51,7 @@ struct ipv6_devconf {
- + __s32 force_tllao;
- + __s32 ndisc_notify;
- + __s32 suppress_frag_ndisc;
- ++ __s32 stealth;
- + void *sysctl;
- + };
- +
- +Index: linux-3.18.17/include/uapi/linux/ip.h
- +===================================================================
- +--- linux-3.18.17.orig/include/uapi/linux/ip.h
- ++++ linux-3.18.17/include/uapi/linux/ip.h
- +@@ -164,6 +164,7 @@ enum
- + IPV4_DEVCONF_ROUTE_LOCALNET,
- + IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
- + IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
- ++ IPV4_DEVCONF_STEALTH,
- + __IPV4_DEVCONF_MAX
- + };
- +
- +Index: linux-3.18.17/net/ipv4/devinet.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv4/devinet.c
- ++++ linux-3.18.17/net/ipv4/devinet.c
- +@@ -2143,6 +2143,7 @@ static struct devinet_sysctl_table {
- + "promote_secondaries"),
- + DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
- + "route_localnet"),
- ++ DEVINET_SYSCTL_RW_ENTRY(STEALTH, "stealth"),
- + },
- + };
- +
- +Index: linux-3.18.17/net/ipv4/icmp.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv4/icmp.c
- ++++ linux-3.18.17/net/ipv4/icmp.c
- +@@ -879,6 +879,9 @@ static void icmp_echo(struct sk_buff *sk
- + {
- + struct net *net;
- +
- ++ if (IN_DEV_STEALTH(skb->dev->ip_ptr))
- ++ return true;
- ++
- + net = dev_net(skb_dst(skb)->dev);
- + if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
- + struct icmp_bxm icmp_param;
- +@@ -910,6 +913,9 @@ static void icmp_timestamp(struct sk_buf
- + if (skb->len < 4)
- + goto out_err;
- +
- ++ if (IN_DEV_STEALTH(skb->dev->ip_ptr))
- ++ return true;
- ++
- + /*
- + * Fill in the current time as ms since midnight UT:
- + */
- +Index: linux-3.18.17/net/ipv4/tcp_ipv4.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv4/tcp_ipv4.c
- ++++ linux-3.18.17/net/ipv4/tcp_ipv4.c
- +@@ -77,6 +77,7 @@
- + #include <net/busy_poll.h>
- +
- + #include <linux/inet.h>
- ++#include <linux/inetdevice.h>
- + #include <linux/ipv6.h>
- + #include <linux/stddef.h>
- + #include <linux/proc_fs.h>
- +@@ -1695,7 +1696,7 @@ csum_error:
- + TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
- + bad_packet:
- + TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
- +- } else {
- ++ } else if (!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
- + tcp_v4_send_reset(NULL, skb);
- + }
- +
- +Index: linux-3.18.17/net/ipv4/udp.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv4/udp.c
- ++++ linux-3.18.17/net/ipv4/udp.c
- +@@ -96,6 +96,7 @@
- + #include <linux/timer.h>
- + #include <linux/mm.h>
- + #include <linux/inet.h>
- ++#include <linux/inetdevice.h>
- + #include <linux/netdevice.h>
- + #include <linux/slab.h>
- + #include <net/tcp_states.h>
- +@@ -1811,7 +1812,8 @@ int __udp4_lib_rcv(struct sk_buff *skb,
- + goto csum_error;
- +
- + UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
- +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
- ++ if (!IN_DEV_STEALTH(skb->dev->ip_ptr))
- ++ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
- +
- + /*
- + * Hmm. We got an UDP packet to a port to which we
- +Index: linux-3.18.17/net/ipv6/addrconf.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv6/addrconf.c
- ++++ linux-3.18.17/net/ipv6/addrconf.c
- +@@ -5224,6 +5224,13 @@ static struct addrconf_sysctl_table
- + .proc_handler = proc_dointvec,
- + },
- + {
- ++ .procname = "stealth",
- ++ .data = &ipv6_devconf.stealth,
- ++ .maxlen = sizeof(int),
- ++ .mode = 0644,
- ++ .proc_handler = proc_dointvec,
- ++ },
- ++ {
- + /* sentinel */
- + }
- + },
- +Index: linux-3.18.17/net/ipv6/icmp.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv6/icmp.c
- ++++ linux-3.18.17/net/ipv6/icmp.c
- +@@ -723,7 +723,8 @@ static int icmpv6_rcv(struct sk_buff *sk
- +
- + switch (type) {
- + case ICMPV6_ECHO_REQUEST:
- +- icmpv6_echo_reply(skb);
- ++ if (!idev->cnf.stealth)
- ++ icmpv6_echo_reply(skb);
- + break;
- +
- + case ICMPV6_ECHO_REPLY:
- +Index: linux-3.18.17/net/ipv6/tcp_ipv6.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv6/tcp_ipv6.c
- ++++ linux-3.18.17/net/ipv6/tcp_ipv6.c
- +@@ -1505,7 +1505,7 @@ csum_error:
- + TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
- + bad_packet:
- + TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
- +- } else {
- ++ } else if (!__in6_dev_get(skb->dev)->cnf.stealth) {
- + tcp_v6_send_reset(NULL, skb);
- + }
- +
- +Index: linux-3.18.17/net/ipv6/udp.c
- +===================================================================
- +--- linux-3.18.17.orig/net/ipv6/udp.c
- ++++ linux-3.18.17/net/ipv6/udp.c
- +@@ -919,7 +919,8 @@ int __udp6_lib_rcv(struct sk_buff *skb,
- + goto csum_error;
- +
- + UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
- +- icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
- ++ if (!__in6_dev_get(skb->dev)->cnf.stealth)
- ++ icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
- +
- + kfree_skb(skb);
- + return 0;
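Review bot: The IPv4 hooks dereference `skb->dev->ip_ptr` directly (icmp.c, tcp_ipv4.c, udp.c); `ip_ptr` is an `__rcu` pointer that is NULL on a device without IPv4 configuration, so the in-tree convention is `struct in_device *in_dev = __in_dev_get_rcu(skb->dev);` followed by `if (in_dev && IN_DEV_STEALTH(in_dev))`, which also keeps sparse quiet. The same unchecked dereference appears as `__in6_dev_get(skb->dev)->cnf.stealth` in tcp_ipv6.c and udp.c; the IPv6 receive path presumably guarantees an idev there, but the expression itself does not check it. In icmp.c the hunk headers show `static void icmp_echo` and `static void icmp_timestamp` while the inserted early-outs are `return true;`, so the return type of both handlers in this tree should be confirmed before relying on the early return. The IPv4 knob is read through IN_DEV_MAXCONF, i.e. the larger of `all` and the per-device value, whereas the IPv6 side reads only `idev->cnf.stealth`, so `net.ipv6.conf.all.stealth` has no effect; either the ip-sysctl.txt entry for IPv6 should state that the knob is per-interface only, or the v6 hooks should consult `all` the way the v4 ones do. Every touched function starts and ends outside its hunk.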
- --
- 2.1.4