firewall: move OpenVPN rules to a separate chain and relocate them wi…

…thin the INPUT/FORWARD chains This ensures that OpenVPN traffic only gets accepted after the various security chains (like access_restriction or NFSW) have been processed, otherwise all OpenVPN traffic would ignore these rules.
RMerl · Dec 20, 2017 · d666f55 · d666f55
1 parent 84a6cf8
commit d666f55
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 6 deletions.
diff --git a/release/src/router/rc/firewall.c b/release/src/router/rc/firewall.c
@@ -2520,6 +2520,9 @@ start_default_filter(int lanunit)
 		":FORWARD DROP [0:0]\n"
 		":OUTPUT ACCEPT [0:0]\n"
 		":ACCESS_RESTRICTION - [0:0]\n"
+#ifdef RTCONFIG_OPENVPN
+		":OVPN - [0:0]\n"
+#endif
 		":logaccept - [0:0]\n"
 		":logdrop - [0:0]\n");
 #ifdef RTCONFIG_PROTECTION_SERVER
@@ -3048,6 +3051,9 @@ filter_setting(char *wan_if, char *wan_ip, char *lan_if, char *lan_ip, char *log
 	    ":FUPNP - [0:0]\n"
 	    ":SECURITY - [0:0]\n"
 	    ":ACCESS_RESTRICTION - [0:0]\n"
+#ifdef RTCONFIG_OPENVPN
+	    ":OVPN - [0:0]\n"
+#endif
 #ifdef RTCONFIG_PARENTALCTRL
 	    ":PControls - [0:0]\n"
 #endif
@@ -3257,6 +3263,9 @@ TRACE_PT("writing Parental Control\n");
 		fprintf(fp, "-A INPUT -i %s -m state --state NEW -j %s\n", lan_if, "ACCEPT");
 #endif
 		fprintf(fp, "-A INPUT -i %s -m state --state NEW -j %s\n", "lo", "ACCEPT");
+#ifdef RTCONFIG_OPENVPN
+		fprintf(fp, "-A INPUT -m state --state NEW -j OVPN\n");
+#endif
 #ifdef RTCONFIG_IPV6
 		if (ipv6_enabled()) {
 			fprintf(fp_ipv6, "-A INPUT -m state --state RELATED,ESTABLISHED -j %s\n", logaccept);
@@ -3932,6 +3941,9 @@ TRACE_PT("write wl filter\n");
 #endif
 	}
 
+#ifdef RTCONFIG_OPENVPN
+	fprintf(fp, "-A FORWARD -m state --state NEW -j OVPN\n");
+#endif
 	/* SECURITY chain */
 	/* Skip DMZ */
 	if ((dstip = nvram_safe_get("dmz_ip")) && *dstip && inet_addr_(dstip))
@@ -4135,6 +4147,9 @@ filter_setting2(char *lan_if, char *lan_ip, char *logaccept, char *logdrop)
 	    ":FUPNP - [0:0]\n"
 	    ":SECURITY - [0:0]\n"
 	    ":ACCESS_RESTRICTION - [0:0]\n"
+#ifdef RTCONFIG_OPENVPN
+	    ":OVPN - [0:0]\n"
+#endif
 #ifdef RTCONFIG_PARENTALCTRL
 	    ":PControls - [0:0]\n"
 #endif
@@ -4355,6 +4370,9 @@ TRACE_PT("writing Parental Control\n");
 #endif
 		fprintf(fp, "-A INPUT -i %s -m state --state NEW -j %s\n", lan_if, "ACCEPT");
 		fprintf(fp, "-A INPUT -i %s -m state --state NEW -j %s\n", "lo", "ACCEPT");
+#ifdef RTCONFIG_OPENVPN
+		fprintf(fp, "-A INPUT -m state --state NEW -j OVPN\n");
+#endif
 #ifdef RTCONFIG_IPV6
 		if (ipv6_enabled()) {
 			fprintf(fp_ipv6, "-A INPUT -m state --state RELATED,ESTABLISHED -j %s\n", logaccept);
@@ -5052,6 +5070,10 @@ TRACE_PT("write wl filter\n");
 #endif
 	}
 
+#ifdef RTCONFIG_OPENVPN
+	fprintf(fp, "-A FORWARD -m state --state NEW -j OVPN\n");
+#endif
+
 	/* SECURITY chain */
 	/* Skip DMZ */
 	if ((dstip = nvram_safe_get("dmz_ip")) && *dstip && inet_addr_(dstip))

diff --git a/release/src/router/rc/openvpn.c b/release/src/router/rc/openvpn.c
@@ -440,8 +440,7 @@ void start_ovpn_client(int clientNum)
 		fp = fopen(buffer, "w");
 		chmod(buffer, S_IRUSR|S_IWUSR|S_IXUSR);
 		fprintf(fp, "#!/bin/sh\n");
-		fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
-		fprintf(fp, "iptables -I FORWARD %d -i %s -j ACCEPT\n", (nvram_match("cstats_enable", "1") ? 4 : 2), iface);
+		fprintf(fp, "iptables -I OVPN -i %s -j ACCEPT\n", iface);
 #ifdef HND_ROUTER
 		if (nvram_match("fc_disable", "0")) {
 #else
@@ -560,7 +559,7 @@ void stop_ovpn_client(int clientNum)
 	sprintf(buffer, "/etc/openvpn/fw/client%d-fw.sh", clientNum);
 	argv[0] = "sed";
 	argv[1] = "-i";
-	argv[2] = "s/-A/-D/g;s/-I/-D/g;s/FORWARD\\ [0-9]\\ /FORWARD\\ /g";
+	argv[2] = "s/-A/-D/g;s/-I/-D/g";
 	argv[3] = buffer;
 	argv[4] = NULL;
 	if (!_eval(argv, NULL, 0, NULL))
@@ -1350,8 +1349,7 @@ void start_ovpn_server(int serverNum)
 		fprintf(fp, "--dport %d -j ACCEPT\n", nvram_pf_get_int(prefix, "port"));
 		if ( !nvram_pf_match(prefix, "firewall", "external") )
 		{
-			fprintf(fp, "iptables -I INPUT -i %s -j ACCEPT\n", iface);
-			fprintf(fp, "iptables -I FORWARD %d -i %s -j ACCEPT\n", (nvram_match("cstats_enable", "1") ? 4 : 2), iface);
+			fprintf(fp, "iptables -I OVPN -i %s -j ACCEPT\n", iface);
 #ifdef HND_ROUTER
 			if (nvram_match("fc_disable", "0")) {
 #else
@@ -1462,7 +1460,7 @@ void stop_ovpn_server(int serverNum)
 	sprintf(buffer, "/etc/openvpn/fw/server%d-fw.sh", serverNum);
 	argv[0] = "sed";
 	argv[1] = "-i";
-	argv[2] = "s/-A/-D/g;s/-I/-D/g;s/FORWARD\\ [0-9]\\ /FORWARD\\ /g";
+	argv[2] = "s/-A/-D/g;s/-I/-D/g";
 	argv[3] = buffer;
 	argv[4] = NULL;
 	if (!_eval(argv, NULL, 0, NULL))