From 0a2540a31397f19c54cf197dabc9beca8dfdfd87 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Sun, 19 Nov 2006 01:03:47 +0000 Subject: [PATCH] reorganize nat helper packages, move ftp and irc nat to a package that is enabled by default, for security reasons - see #917 for more information SVN-Revision: 5581 --- include/netfilter.mk | 8 +++++++- package/kernel/modules/netfilter.mk | 20 ++++++++++++++++++-- target/linux/ar531x-2.4/config | 8 ++++---- target/linux/ar7-2.4/config | 8 ++++---- target/linux/aruba-2.6/config | 4 ++-- target/linux/au1000-2.6/config | 8 ++++---- target/linux/brcm-2.4/config | 8 ++++---- target/linux/brcm-2.6/config | 8 ++++---- target/linux/brcm63xx-2.6/config | 8 ++++---- target/linux/ixp4xx-2.6/config | 8 ++++---- target/linux/magicbox-2.6/config | 4 ++-- target/linux/rb532-2.6/config | 8 ++++---- target/linux/sibyte-2.6/config | 8 ++++---- target/linux/x86-2.6/config | 8 ++++---- 14 files changed, 69 insertions(+), 47 deletions(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index ba1512e14ab..1d8f4d880e0 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -85,6 +85,13 @@ IPT_NAT-$(CONFIG_IP_NF_TARGET_MIRROR) += $(P_V4)ipt_MIRROR IPT_NAT-$(CONFIG_IP_NF_TARGET_REDIRECT) += $(P_V4)ipt_REDIRECT IPT_NAT-$(CONFIG_IP_NF_TARGET_NETMAP) += $(P_V4)ipt_NETMAP +IPT_NAT_DEFAULT-m := +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_FTP) += $(P_V4)ip_conntrack_ftp +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_NAT_FTP) += $(P_V4)ip_nat_ftp +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_IRC) += $(P_V4)ip_conntrack_irc +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_NAT_IRC) += $(P_V4)ip_nat_irc +IPT_NAT_DEFAULT-$(CONFIG_IP_NF_TFTP) += $(P_V4)ip_conntrack_tftp + IPT_NAT_EXTRA-m := IPT_NAT_EXTRA-$(CONFIG_IP_NF_AMANDA) += $(P_V4)ip_conntrack_amanda IPT_NAT_EXTRA-$(CONFIG_IP_NF_CT_PROTO_GRE) += $(P_V4)ip_conntrack_proto_gre 
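Review bot: `IPT_NAT_DEFAULT-$(CONFIG_IP_NF_TFTP) += $(P_V4)ip_conntrack_tftp` puts the TFTP conntrack helper into the default-on set although the commit message only names ftp and irc; the next hunk of this file removes the same line from `IPT_NAT_EXTRA`, so the helper goes from opt-in to installed by default. Each helper in this list parses application payload and opens expected connections through the firewall, so the default set should stay as small as the use case allows; unless #917 asks for TFTP, I would leave that line under `IPT_NAT_EXTRA`. The new list also carries no comment saying why it is separate from the extra one; a line such as `# Helpers shipped by default as removable modules (see #917); keep this list minimal` above `IPT_NAT_DEFAULT-m :=` would record it. No `ip_nat_tftp` entry is visible in either list in these hunks, which may be intentional but is worth confirming against the rest of the file.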
@@ -102,7 +109,6 @@ IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SIP) += $(P_V4)ip_nat_sip IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += $(P_V4)ip_nat_snmp_basic IPT_NAT_EXTRA-$(CONFIG_IP_NF_SIP) += $(P_V4)ip_conntrack_sip IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SIP) += $(P_V4)ip_nat_sip -IPT_NAT_EXTRA-$(CONFIG_IP_NF_TFTP) += $(P_V4)ip_conntrack_tftp IPT_QUEUE-m := IPT_QUEUE-$(CONFIG_IP_NF_QUEUE) += $(P_V4)ip_queue diff --git a/package/kernel/modules/netfilter.mk b/package/kernel/modules/netfilter.mk index 6f3994c1217..8a99a27ecf9 100644 --- a/package/kernel/modules/netfilter.mk +++ b/package/kernel/modules/netfilter.mk @@ -81,6 +81,23 @@ endef $(eval $(call KernelPackage,ipt-nat)) define KernelPackage/ipt-nathelper + TITLE:=Default Conntrack and NAT helpers + DEFAULT:=y + DESCRIPTION:=\ + Default Netfilter (IPv4) Conntrack and NAT helpers \\\ + \\\ + Includes: \\\ + - ip_conntrack_ftp \\\ + - ip_nat_ftp \\\ + - ip_conntrack_irc \\\ + - ip_nat_irc \\\ + - ip_conntrack_tftp + FILES:=$(foreach mod,$(IPT_NAT_DEFAULT-m),$(MODULES_DIR)/kernel/net/$(mod).$(LINUX_KMOD_SUFFIX)) + SUBMENU:=$(NFMENU) +endef +$(eval $(call KernelPackage,ipt-nathelper)) + +define KernelPackage/ipt-nathelper-extra TITLE:=Extra Conntrack and NAT helpers DESCRIPTION:=\ Extra Netfilter (IPv4) Conntrack and NAT helpers \\\ @@ -93,8 +110,7 @@ define KernelPackage/ipt-nathelper - ip_nat_pptp \\\ - ip_conntrack_sip \\\ - ip_nat_sip \\\ - - ip_nat_snmp_basic \\\ - - ip_conntrack_tftp + - ip_nat_snmp_basic FILES:=$(foreach mod,$(IPT_NAT_EXTRA-m),$(MODULES_DIR)/kernel/net/$(mod).$(LINUX_KMOD_SUFFIX)) SUBMENU:=$(NFMENU) endef diff --git a/target/linux/ar531x-2.4/config b/target/linux/ar531x-2.4/config index b7790451634..49b26cdd002 100644 --- a/target/linux/ar531x-2.4/config +++ b/target/linux/ar531x-2.4/config 
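Review bot: The new default package takes over the existing name `ipt-nathelper`, and the package that used to carry that name becomes `ipt-nathelper-extra`, so a saved configuration or dependency that selected `ipt-nathelper` to get the PPTP, SIP or other extra helpers would now silently receive only the ftp/irc/tftp set. Giving the new default package a distinct name and leaving the old name on the old contents would avoid that change of meaning. `DEFAULT:=y` together with a DESCRIPTION that only lists module names also leaves the reason for the split undocumented; one more DESCRIPTION line saying that these helpers are built as modules so they can be deselected (see #917) would help whoever decides whether to keep them.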
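Review bot: The renamed `define KernelPackage/ipt-nathelper-extra` block needs a matching registration, and the `$(eval $(call KernelPackage,...))` line that follows this `endef` lies outside the hunk. The diffstat counts only two removed lines for this file and both are the description lines in this hunk, so that eval line is unchanged and presumably still reads `$(eval $(call KernelPackage,ipt-nathelper))`. If so, the default package is evaluated twice and the extra package is never registered; the line should become `$(eval $(call KernelPackage,ipt-nathelper-extra))`.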
@@ -357,10 +357,10 @@ CONFIG_NET_IPGRE=m
 #
 CONFIG_IP_NF_CONNTRACK=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
-CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_FTP=m
 CONFIG_IP_NF_AMANDA=m
 CONFIG_IP_NF_TFTP=m
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_IRC=m
 CONFIG_IP_NF_CT_ACCT=m
 CONFIG_IP_NF_MATCH_CONNBYTES=m
 CONFIG_IP_NF_CT_PROTO_GRE=m
@@ -422,8 +422,8 @@ CONFIG_IP_NF_NAT_H323=m
 CONFIG_IP_NF_NAT_RTSP=m
 CONFIG_IP_NF_NAT_MMS=m
 CONFIG_IP_NF_NAT_SNMP_BASIC=m
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_TARGET_TOS=m
diff --git a/target/linux/ar7-2.4/config b/target/linux/ar7-2.4/config
index 2d3acae5e43..adc39d56e30 100644
--- a/target/linux/ar7-2.4/config
+++ b/target/linux/ar7-2.4/config
@@ -339,10 +339,10 @@ CONFIG_NET_IPGRE=m
 #
 CONFIG_IP_NF_CONNTRACK=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
-CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_FTP=m
 CONFIG_IP_NF_AMANDA=m
 CONFIG_IP_NF_TFTP=m
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_IRC=m
 CONFIG_IP_NF_CT_ACCT=m
 CONFIG_IP_NF_MATCH_CONNBYTES=m
 CONFIG_IP_NF_CT_PROTO_GRE=m
@@ -405,8 +405,8 @@ CONFIG_IP_NF_NAT_MMS=m
 CONFIG_IP_NF_NAT_RTSP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_SNMP_BASIC=m
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_TARGET_TOS=m
diff --git a/target/linux/aruba-2.6/config b/target/linux/aruba-2.6/config
index a0df432a8df..438bb881acd 100644
--- a/target/linux/aruba-2.6/config
+++ b/target/linux/aruba-2.6/config
@@ -313,7 +313,7 @@ CONFIG_IP_NF_CT_ACCT=y
 # CONFIG_IP_NF_CONNTRACK_MARK is not set
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_FTP=m
 CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=m
@@ -352,7 +352,7 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
 CONFIG_IP_NF_NAT_IRC=m
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m
diff --git a/target/linux/au1000-2.6/config b/target/linux/au1000-2.6/config
index 7452a4a9155..b1b221f40b9 100644
--- a/target/linux/au1000-2.6/config
+++ b/target/linux/au1000-2.6/config
@@ -380,8 +380,8 @@ CONFIG_IP_NF_CT_ACCT=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_FTP=m
+CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=m
 CONFIG_IP_NF_AMANDA=m
@@ -418,8 +418,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_NETMAP is not set
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m
diff --git a/target/linux/brcm-2.4/config b/target/linux/brcm-2.4/config
index 68299fbe14a..fed5af7a717 100644
--- a/target/linux/brcm-2.4/config
+++ b/target/linux/brcm-2.4/config
@@ -353,10 +353,10 @@ CONFIG_NET_IPGRE=m
 #
 CONFIG_IP_NF_CONNTRACK=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
-CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_FTP=m
 CONFIG_IP_NF_AMANDA=m
 CONFIG_IP_NF_TFTP=m
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_IRC=m
 CONFIG_IP_NF_CT_ACCT=m
 CONFIG_IP_NF_MATCH_CONNBYTES=m
 CONFIG_IP_NF_CT_PROTO_GRE=m
@@ -418,8 +418,8 @@ CONFIG_IP_NF_NAT_H323=m
 CONFIG_IP_NF_NAT_RTSP=m
 CONFIG_IP_NF_NAT_MMS=m
 CONFIG_IP_NF_NAT_SNMP_BASIC=m
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_TARGET_TOS=m
diff --git a/target/linux/brcm-2.6/config b/target/linux/brcm-2.6/config
index 65c82729bb4..9c3c5f6513f 100644
--- a/target/linux/brcm-2.6/config
+++ b/target/linux/brcm-2.6/config
@@ -355,8 +355,8 @@ CONFIG_IP_NF_CT_ACCT=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_FTP=m
+CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=m
 CONFIG_IP_NF_AMANDA=m
@@ -393,8 +393,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_NETMAP is not set
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m
diff --git a/target/linux/brcm63xx-2.6/config b/target/linux/brcm63xx-2.6/config
index 2146e8309c2..ec86fa3b9fc 100644
--- a/target/linux/brcm63xx-2.6/config
+++ b/target/linux/brcm63xx-2.6/config
@@ -381,8 +381,8 @@ CONFIG_IP_NF_CT_ACCT=y
 # CONFIG_IP_NF_CONNTRACK_MARK is not set
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_FTP=m
+CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=y
 CONFIG_IP_NF_AMANDA=m
@@ -419,8 +419,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_NETMAP is not set
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=y
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m
diff --git a/target/linux/ixp4xx-2.6/config b/target/linux/ixp4xx-2.6/config
index 90292ec9f89..a9b2418fcff 100644
--- a/target/linux/ixp4xx-2.6/config
+++ b/target/linux/ixp4xx-2.6/config
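Review bot: In target/linux/brcm63xx-2.6/config the context lines keep `CONFIG_IP_NF_TFTP=y` and `CONFIG_IP_NF_NAT_TFTP=y` while FTP and IRC move to `=m`, so on this target the TFTP helper stays compiled into the kernel and cannot be removed by deselecting the helper package. With `=y` the entry in include/netfilter.mk expands to `IPT_NAT_DEFAULT-y`, so the package's `FILES` list, which is built from `IPT_NAT_DEFAULT-m`, would not contain ip_conntrack_tftp here even though the DESCRIPTION lists it. Both lines should probably become `CONFIG_IP_NF_TFTP=m` and `CONFIG_IP_NF_NAT_TFTP=m` to match the other targets. target/linux/ixp4xx-2.6/config has `# CONFIG_IP_NF_TFTP is not set`, so there too the package contents differ from its description.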
@@ -317,8 +317,8 @@ CONFIG_IP_NF_CT_ACCT=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_FTP=m
+CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 # CONFIG_IP_NF_TFTP is not set
 # CONFIG_IP_NF_AMANDA is not set
@@ -355,8 +355,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_NETMAP is not set
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_H323=m
 CONFIG_IP_NF_NAT_SIP=m
 CONFIG_IP_NF_MANGLE=y
diff --git a/target/linux/magicbox-2.6/config b/target/linux/magicbox-2.6/config
index c96576d1c89..ab75eab923f 100644
--- a/target/linux/magicbox-2.6/config
+++ b/target/linux/magicbox-2.6/config
@@ -264,7 +264,7 @@ CONFIG_IP_NF_CT_ACCT=y
 # CONFIG_IP_NF_CONNTRACK_MARK is not set
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_FTP=m
 CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=m
@@ -303,7 +303,7 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
 CONFIG_IP_NF_NAT_IRC=m
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m
diff --git a/target/linux/rb532-2.6/config b/target/linux/rb532-2.6/config
index 0e04b1fa337..2d2138261a0 100644
--- a/target/linux/rb532-2.6/config
+++ b/target/linux/rb532-2.6/config
@@ -340,8 +340,8 @@ CONFIG_IP_NF_CT_ACCT=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_FTP=m
+CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=m
 CONFIG_IP_NF_AMANDA=m
@@ -378,8 +378,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_NETMAP is not set
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m
diff --git a/target/linux/sibyte-2.6/config b/target/linux/sibyte-2.6/config
index ebb32c48ad3..aa0991c94d6 100644
--- a/target/linux/sibyte-2.6/config
+++ b/target/linux/sibyte-2.6/config
@@ -362,8 +362,8 @@ CONFIG_IP_NF_CT_ACCT=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 # CONFIG_IP_NF_CT_PROTO_SCTP is not set
-CONFIG_IP_NF_FTP=y
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_FTP=m
+CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=m
 CONFIG_IP_NF_AMANDA=m
@@ -401,8 +401,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 # CONFIG_IP_NF_TARGET_NETMAP is not set
 # CONFIG_IP_NF_TARGET_SAME is not set
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m
diff --git a/target/linux/x86-2.6/config b/target/linux/x86-2.6/config
index 708f4c08047..cd1893ec74e 100644
--- a/target/linux/x86-2.6/config
+++ b/target/linux/x86-2.6/config
@@ -392,8 +392,8 @@ CONFIG_IP_NF_CT_ACCT=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
 # CONFIG_IP_NF_CONNTRACK_EVENTS is not set
 CONFIG_IP_NF_CT_PROTO_SCTP=m
-CONFIG_IP_NF_FTP=y
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_FTP=m
+CONFIG_IP_NF_IRC=m
 # CONFIG_IP_NF_NETBIOS_NS is not set
 CONFIG_IP_NF_TFTP=m
 CONFIG_IP_NF_AMANDA=m
@@ -430,8 +430,8 @@ CONFIG_IP_NF_TARGET_ROUTE=m
 CONFIG_IP_NF_TARGET_NETMAP=m
 CONFIG_IP_NF_TARGET_SAME=m
 # CONFIG_IP_NF_NAT_SNMP_BASIC is not set
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_PPTP=m