From 3e25a01a87c4a78760dc124fa2e1b89e250054de Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sun, 19 Nov 2006 01:03:47 +0000 Subject: [PATCH] reorganize nat helper packages, move ftp and irc nat to a package that is enabled by default, for security reasons - see #917 for more information git-svn-id: svn://svn.openwrt.org/openwrt/trunk@5581 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- include/netfilter.mk | 8 +++++++- package/kernel/modules/netfilter.mk | 20 ++++++++++++++++++-- target/linux/ar531x-2.4/config | 8 ++++---- target/linux/ar7-2.4/config | 8 ++++---- target/linux/aruba-2.6/config | 4 ++-- target/linux/au1000-2.6/config | 8 ++++---- target/linux/brcm-2.4/config | 8 ++++---- target/linux/brcm-2.6/config | 8 ++++---- target/linux/brcm63xx-2.6/config | 8 ++++---- target/linux/ixp4xx-2.6/config | 8 ++++---- target/linux/magicbox-2.6/config | 4 ++-- target/linux/rb532-2.6/config | 8 ++++---- target/linux/sibyte-2.6/config | 8 ++++---- target/linux/x86-2.6/config | 8 ++++---- 14 files changed, 69 insertions(+), 47 deletions(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index ba1512e14a..1d8f4d880e 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -85,6 +85,13 @@ IPT_NAT-$(CONFIG_IP_NF_TARGET_MIRROR) += $(P_V4)ipt_MIRROR IPT_NAT-$(CONFIG_IP_NF_TARGET_REDIRECT) += $(P_V4)ipt_REDIRECT IPT_NAT-$(CONFIG_IP_NF_TARGET_NETMAP) += $(P_V4)ipt_NETMAP +IPT_NAT_DEFAULT-m := +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_FTP) += $(P_V4)ip_conntrack_ftp +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_NAT_FTP) += $(P_V4)ip_nat_ftp +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_IRC) += $(P_V4)ip_conntrack_irc +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_NAT_IRC) += $(P_V4)ip_nat_irc +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_TFTP) += $(P_V4)ip_conntrack_tftp + IPT_NAT_EXTRA-m := IPT_NAT_EXTRA-$(CONFIG_IP_NF_AMANDA) += $(P_V4)ip_conntrack_amanda IPT_NAT_EXTRA-$(CONFIG_IP_NF_CT_PROTO_GRE) += $(P_V4)ip_conntrack_proto_gre 
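Review bot: `IPT_NAT_DEFAULT` picks up `ip_conntrack_tftp` as well as the FTP and IRC helpers, although the commit subject names only ftp and irc; the next hunk removes that module from `IPT_NAT_EXTRA`, so a helper that was opt-in now ships in the `DEFAULT:=y` package built from this list. Each conntrack helper parses application payload and creates expectations for related connections, so the default set should stay as small as the stated goal needs. Either keep the TFTP line in `IPT_NAT_EXTRA`, or justify it with a comment above the list such as `# helpers shipped by default; keep this list minimal, each one opens related-connection expectations`. The list also has no `ip_nat_tftp` entry for `CONFIG_IP_NF_NAT_TFTP`; whether that module is packaged elsewhere is not visible in this hunk.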
@@ -102,7 +109,6 @@ IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SIP) += $(P_V4)ip_nat_sip IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += $(P_V4)ip_nat_snmp_basic IPT_NAT_EXTRA-$(CONFIG_IP_NF_SIP) += $(P_V4)ip_conntrack_sip IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SIP) += $(P_V4)ip_nat_sip -IPT_NAT_EXTRA-$(CONFIG_IP_NF_TFTP) += $(P_V4)ip_conntrack_tftp IPT_QUEUE-m := IPT_QUEUE-$(CONFIG_IP_NF_QUEUE) += $(P_V4)ip_queue diff --git a/package/kernel/modules/netfilter.mk b/package/kernel/modules/netfilter.mk index 6f3994c121..8a99a27ecf 100644 --- a/package/kernel/modules/netfilter.mk +++ b/package/kernel/modules/netfilter.mk @@ -81,6 +81,23 @@ endef $(eval $(call KernelPackage,ipt-nat)) define KernelPackage/ipt-nathelper + TITLE:=Default Conntrack and NAT helpers + DEFAULT:=y + DESCRIPTION:=\ + Default Netfilter (IPv4) Conntrack and NAT helpers \\\ + \\\ + Includes: \\\ + - ip_conntrack_ftp \\\ + - ip_nat_ftp \\\ + - ip_conntrack_irc \\\ + - ip_nat_irc \\\ + - ip_conntrack_tftp + FILES:=$(foreach mod,$(IPT_NAT_DEFAULT-m),$(MODULES_DIR)/kernel/net/$(mod).$(LINUX_KMOD_SUFFIX)) + SUBMENU:=$(NFMENU) +endef +$(eval $(call KernelPackage,ipt-nathelper)) + +define KernelPackage/ipt-nathelper-extra TITLE:=Extra Conntrack and NAT helpers DESCRIPTION:=\ Extra Netfilter (IPv4) Conntrack and NAT helpers \\\ @@ -93,8 +110,7 @@ define KernelPackage/ipt-nathelper - ip_nat_pptp \\\ - ip_conntrack_sip \\\ - ip_nat_sip \\\ - - ip_nat_snmp_basic \\\ - - ip_conntrack_tftp + - ip_nat_snmp_basic FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(MODULES_DIR)/kernel/net/$(mod).$(LINUX_KMOD_SUFFIX)) SUBMENU:=$(NFMENU) endef diff --git a/target/linux/ar531x-2.4/config b/target/linux/ar531x-2.4/config index b779045163..49b26cdd00 100644 --- a/target/linux/ar531x-2.4/config +++ b/target/linux/ar531x-2.4/config 
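Review bot: In package/kernel/modules/netfilter.mk the name `ipt-nathelper` is reused for a different module set: the existing package becomes `ipt-nathelper-extra`, and the new `DEFAULT:=y` package takes over the old name. A build configuration that already selects ipt-nathelper for the pptp, sip or snmp helpers would presumably get only the FTP, IRC and TFTP helpers under that name afterwards, with no error; a distinct name for the new package, or a line in DESCRIPTION about the split, would make the change visible. The new define sets TITLE, DEFAULT, DESCRIPTION, FILES and SUBMENU, but nothing that states whether the modules are loaded at boot. Since the target configs in this commit turn the FTP and IRC helpers from built-in into modules, that decides whether a default image still tracks FTP and IRC data connections, so a comment should state the intent, e.g. `# packaged by default so it can be removed; loading is left to <mechanism>`. The body of the renamed Extra define continues outside this hunk.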
@@ -357,10 +357,10 @@ CONFIG_NET_IPGRE=m # CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_CONNTRACK_MARK=y -CONFIG_IP_NF_FTP=y +CONFIG_IP_NF_FTP=m CONFIG_IP_NF_AMANDA=m CONFIG_IP_NF_TFTP=m -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_IRC=m CONFIG_IP_NF_CT_ACCT=m CONFIG_IP_NF_MATCH_CONNBYTES=m CONFIG_IP_NF_CT_PROTO_GRE=m @@ -422,8 +422,8 @@ CONFIG_IP_NF_NAT_H323=m CONFIG_IP_NF_NAT_RTSP=m CONFIG_IP_NF_NAT_MMS=m CONFIG_IP_NF_NAT_SNMP_BASIC=m -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_TARGET_TOS=m diff --git a/target/linux/ar7-2.4/config b/target/linux/ar7-2.4/config index 2d3acae5e4..adc39d56e3 100644 --- a/target/linux/ar7-2.4/config +++ b/target/linux/ar7-2.4/config @@ -339,10 +339,10 @@ CONFIG_NET_IPGRE=m # CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_CONNTRACK_MARK=y -CONFIG_IP_NF_FTP=y +CONFIG_IP_NF_FTP=m CONFIG_IP_NF_AMANDA=m CONFIG_IP_NF_TFTP=m -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_IRC=m CONFIG_IP_NF_CT_ACCT=m CONFIG_IP_NF_MATCH_CONNBYTES=m CONFIG_IP_NF_CT_PROTO_GRE=m @@ -405,8 +405,8 @@ CONFIG_IP_NF_NAT_MMS=m CONFIG_IP_NF_NAT_RTSP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_SNMP_BASIC=m -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_TARGET_TOS=m diff --git a/target/linux/aruba-2.6/config b/target/linux/aruba-2.6/config index a0df432a8d..438bb881ac 100644 --- a/target/linux/aruba-2.6/config +++ b/target/linux/aruba-2.6/config @@ -313,7 +313,7 @@ CONFIG_IP_NF_CT_ACCT=y # CONFIG_IP_NF_CONNTRACK_MARK is not set # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y +CONFIG_IP_NF_FTP=m CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=m 
@@ -352,7 +352,7 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set CONFIG_IP_NF_NAT_IRC=m -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m diff --git a/target/linux/au1000-2.6/config b/target/linux/au1000-2.6/config index 7452a4a915..b1b221f40b 100644 --- a/target/linux/au1000-2.6/config +++ b/target/linux/au1000-2.6/config @@ -380,8 +380,8 @@ CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_FTP=m +CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=m CONFIG_IP_NF_AMANDA=m @@ -418,8 +418,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_NETMAP is not set # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m diff --git a/target/linux/brcm-2.4/config b/target/linux/brcm-2.4/config index 68299fbe14..fed5af7a71 100644 --- a/target/linux/brcm-2.4/config +++ b/target/linux/brcm-2.4/config @@ -353,10 +353,10 @@ CONFIG_NET_IPGRE=m # CONFIG_IP_NF_CONNTRACK=y CONFIG_IP_NF_CONNTRACK_MARK=y -CONFIG_IP_NF_FTP=y +CONFIG_IP_NF_FTP=m CONFIG_IP_NF_AMANDA=m CONFIG_IP_NF_TFTP=m -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_IRC=m CONFIG_IP_NF_CT_ACCT=m CONFIG_IP_NF_MATCH_CONNBYTES=m CONFIG_IP_NF_CT_PROTO_GRE=m @@ -418,8 +418,8 @@ CONFIG_IP_NF_NAT_H323=m CONFIG_IP_NF_NAT_RTSP=m CONFIG_IP_NF_NAT_MMS=m CONFIG_IP_NF_NAT_SNMP_BASIC=m -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_TARGET_TOS=m diff --git a/target/linux/brcm-2.6/config b/target/linux/brcm-2.6/config index 65c82729bb..9c3c5f6513 100644 
--- a/target/linux/brcm-2.6/config +++ b/target/linux/brcm-2.6/config @@ -355,8 +355,8 @@ CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_FTP=m +CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=m CONFIG_IP_NF_AMANDA=m @@ -393,8 +393,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_NETMAP is not set # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m diff --git a/target/linux/brcm63xx-2.6/config b/target/linux/brcm63xx-2.6/config index 2146e8309c..ec86fa3b9f 100644 --- a/target/linux/brcm63xx-2.6/config +++ b/target/linux/brcm63xx-2.6/config @@ -381,8 +381,8 @@ CONFIG_IP_NF_CT_ACCT=y # CONFIG_IP_NF_CONNTRACK_MARK is not set # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_FTP=m +CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=y CONFIG_IP_NF_AMANDA=m @@ -419,8 +419,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_NETMAP is not set # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=y CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m diff --git a/target/linux/ixp4xx-2.6/config b/target/linux/ixp4xx-2.6/config index 90292ec9f8..a9b2418fcf 100644 --- a/target/linux/ixp4xx-2.6/config +++ b/target/linux/ixp4xx-2.6/config 
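Review bot: In target/linux/brcm63xx-2.6/config the context lines keep `CONFIG_IP_NF_TFTP=y` and, in the file's second hunk, `CONFIG_IP_NF_NAT_TFTP=y`, so the TFTP helper stays compiled into the kernel while FTP and IRC become modules. include/netfilter.mk in this commit adds `ip_conntrack_tftp` through `IPT_NAT_DEFAULT-$(CONFIG_IP_NF_TFTP)`, which with `=y` lands in `IPT_NAT_DEFAULT-y` rather than the `-m` list the package packs. On this target the helper is therefore always present and cannot be removed with the package. The other targets touched here use `=m` for both options (ixp4xx leaves TFTP unset); `CONFIG_IP_NF_TFTP=m` and `CONFIG_IP_NF_NAT_TFTP=m` would bring this target in line.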
@@ -317,8 +317,8 @@ CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_FTP=m +CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set # CONFIG_IP_NF_TFTP is not set # CONFIG_IP_NF_AMANDA is not set @@ -355,8 +355,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_NETMAP is not set # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_H323=m CONFIG_IP_NF_NAT_SIP=m CONFIG_IP_NF_MANGLE=y diff --git a/target/linux/magicbox-2.6/config b/target/linux/magicbox-2.6/config index c96576d1c8..ab75eab923 100644 --- a/target/linux/magicbox-2.6/config +++ b/target/linux/magicbox-2.6/config @@ -264,7 +264,7 @@ CONFIG_IP_NF_CT_ACCT=y # CONFIG_IP_NF_CONNTRACK_MARK is not set # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y +CONFIG_IP_NF_FTP=m CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=m @@ -303,7 +303,7 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set CONFIG_IP_NF_NAT_IRC=m -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m diff --git a/target/linux/rb532-2.6/config b/target/linux/rb532-2.6/config index 0e04b1fa33..2d2138261a 100644 --- a/target/linux/rb532-2.6/config +++ b/target/linux/rb532-2.6/config @@ -340,8 +340,8 @@ CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_FTP=m +CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=m CONFIG_IP_NF_AMANDA=m 
@@ -378,8 +378,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_NETMAP is not set # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m diff --git a/target/linux/sibyte-2.6/config b/target/linux/sibyte-2.6/config index ebb32c48ad..aa0991c94d 100644 --- a/target/linux/sibyte-2.6/config +++ b/target/linux/sibyte-2.6/config @@ -362,8 +362,8 @@ CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y # CONFIG_IP_NF_CONNTRACK_EVENTS is not set # CONFIG_IP_NF_CT_PROTO_SCTP is not set -CONFIG_IP_NF_FTP=y -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_FTP=m +CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=m CONFIG_IP_NF_AMANDA=m @@ -401,8 +401,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m # CONFIG_IP_NF_TARGET_NETMAP is not set # CONFIG_IP_NF_TARGET_SAME is not set # CONFIG_IP_NF_NAT_SNMP_BASIC is not set -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m diff --git a/target/linux/x86-2.6/config b/target/linux/x86-2.6/config index 708f4c0804..cd1893ec74 100644 --- a/target/linux/x86-2.6/config +++ b/target/linux/x86-2.6/config @@ -392,8 +392,8 @@ CONFIG_IP_NF_CT_ACCT=y CONFIG_IP_NF_CONNTRACK_MARK=y # CONFIG_IP_NF_CONNTRACK_EVENTS is not set CONFIG_IP_NF_CT_PROTO_SCTP=m -CONFIG_IP_NF_FTP=y -CONFIG_IP_NF_IRC=y +CONFIG_IP_NF_FTP=m +CONFIG_IP_NF_IRC=m # CONFIG_IP_NF_NETBIOS_NS is not set CONFIG_IP_NF_TFTP=m CONFIG_IP_NF_AMANDA=m @@ -430,8 +430,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m CONFIG_IP_NF_TARGET_NETMAP=m CONFIG_IP_NF_TARGET_SAME=m # CONFIG_IP_NF_NAT_SNMP_BASIC is not set -CONFIG_IP_NF_NAT_IRC=y -CONFIG_IP_NF_NAT_FTP=y +CONFIG_IP_NF_NAT_IRC=m +CONFIG_IP_NF_NAT_FTP=m CONFIG_IP_NF_NAT_TFTP=m CONFIG_IP_NF_NAT_AMANDA=m CONFIG_IP_NF_NAT_PPTP=m