firewall3: add udp/icmp flood protection

Maksym Kovalchuck monkeyukraine at gmail.com
Wed Nov 4 09:40:04 EST 2020 

Signed-off-by: Maksym Kovalchuck <maksym.kovalchuck-ext at sagemcom.com>
---
 defaults.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 options.h  | 14 +++++++++++---
 2 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/defaults.c b/defaults.c
index f03765c..a8c9d4d 100644
--- a/defaults.c
+++ b/defaults.c
@@ -28,6 +28,8 @@ static const struct fw3_chain_spec default_chains[] = {
 	C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"),
 	C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
 	C(ANY, FILTER, SYN_FLOOD,     "syn_flood"),
+	C(ANY, FILTER, UDP_FLOOD,     "udp_flood"),
+	C(ANY, FILTER, ICMP_FLOOD,    "icmp_flood"),
 
 	C(V4,  NAT,    CUSTOM_CHAINS, "prerouting_rule"),
 	C(V4,  NAT,    CUSTOM_CHAINS, "postrouting_rule"),
@@ -49,6 +51,14 @@ const struct fw3_option fw3_flag_opts[] = {
 	FW3_OPT("synflood_rate",       limit,    defaults, syn_flood_rate),
 	FW3_OPT("synflood_burst",      int,      defaults, syn_flood_rate.burst),
 
+	FW3_OPT("udpflood_protect",    bool,     defaults, udp_flood),
+	FW3_OPT("udpflood_rate",       limit,    defaults, udp_flood_rate),
+	FW3_OPT("udpflood_burst",      int,      defaults, udp_flood_rate.burst),
+
+	FW3_OPT("icmpflood_protect",   bool,     defaults, icmp_flood),
+	FW3_OPT("icmpflood_rate",      limit,    defaults, icmp_flood_rate),
+	FW3_OPT("icmpflood_burst",     int,      defaults, icmp_flood_rate.burst),
+
 	FW3_OPT("tcp_syncookies",      bool,     defaults, tcp_syncookies),
 	FW3_OPT("tcp_ecn",             int,      defaults, tcp_ecn),
 	FW3_OPT("tcp_window_scaling",  bool,     defaults, tcp_window_scaling),
@@ -144,6 +154,10 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 	defs->any_reject_code      = FW3_REJECT_CODE_PORT_UNREACH;
 	defs->syn_flood_rate.rate  = 25;
 	defs->syn_flood_rate.burst = 50;
+	defs->udp_flood_rate.rate  = 50;
+	defs->udp_flood_rate.burst = 50;
+	defs->icmp_flood_rate.rate  = 10;
+	defs->icmp_flood_rate.burst = 1;
 	defs->tcp_syncookies       = true;
 	defs->tcp_window_scaling   = true;
 	defs->custom_chains        = true;
@@ -201,6 +215,12 @@ fw3_print_default_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
 	if (defs->syn_flood)
 		set(defs->flags, handle->family, FW3_FLAG_SYN_FLOOD);
 
+	if (defs->udp_flood)
+	        set(defs->flags, handle->family, FW3_FLAG_UDP_FLOOD);
+
+	if (defs->icmp_flood)
+	        set(defs->flags, handle->family, FW3_FLAG_ICMP_FLOOD);
+
 	for (c = default_chains; c->format; c++)
 	{
 		/* don't touch user chains on selective stop */
@@ -231,6 +251,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 	struct fw3_defaults *defs = &state->defaults;
 	struct fw3_device lodev = { .set = true };
 	struct fw3_protocol tcp = { .protocol = 6 };
+	struct fw3_protocol udp = { .protocol = 17 };
+	struct fw3_protocol icmp = { .protocol = 1 };
 	struct fw3_ipt_rule *r;
 
 	const char *chains[] = {
@@ -309,6 +331,38 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 			fw3_ipt_rule_append(r, "INPUT");
 		}
 
+		if (defs->udp_flood)
+		{
+			r = fw3_ipt_rule_create(handle, &udp, NULL, NULL, NULL, NULL);
+			fw3_ipt_rule_limit(r, &defs->udp_flood_rate);
+			fw3_ipt_rule_target(r, "RETURN");
+			fw3_ipt_rule_append(r, "udp_flood");
+
+			r = fw3_ipt_rule_new(handle);
+			fw3_ipt_rule_target(r, "DROP");
+			fw3_ipt_rule_append(r, "udp_flood");
+
+			r = fw3_ipt_rule_create(handle, &udp, NULL, NULL, NULL, NULL);
+			fw3_ipt_rule_target(r, "udp_flood");
+			fw3_ipt_rule_append(r, "INPUT");
+		}
+
+		if (defs->icmp_flood)
+		{
+			r = fw3_ipt_rule_create(handle, &icmp, NULL, NULL, NULL, NULL);
+			fw3_ipt_rule_limit(r, &defs->icmp_flood_rate);
+			fw3_ipt_rule_target(r, "RETURN");
+			fw3_ipt_rule_append(r, "icmp_flood");
+
+			r = fw3_ipt_rule_new(handle);
+			fw3_ipt_rule_target(r, "DROP");
+			fw3_ipt_rule_append(r, "icmp_flood");
+
+			r = fw3_ipt_rule_create(handle, &icmp, NULL, NULL, NULL, NULL);
+			fw3_ipt_rule_target(r, "icmp_flood");
+			fw3_ipt_rule_append(r, "INPUT");
+		}
+
 		r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
 		fw3_ipt_rule_target(r, "REJECT");
 		fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->tcp_reject_code));
diff --git a/options.h b/options.h
index cffc01c..7679d0e 100644
--- a/options.h
+++ b/options.h
@@ -82,9 +82,11 @@ enum fw3_flag
 	FW3_FLAG_SRC_DROP      = 18,
 	FW3_FLAG_CUSTOM_CHAINS = 19,
 	FW3_FLAG_SYN_FLOOD     = 20,
-	FW3_FLAG_MTU_FIX       = 21,
-	FW3_FLAG_DROP_INVALID  = 22,
-	FW3_FLAG_HOTPLUG       = 23,
+	FW3_FLAG_UDP_FLOOD     = 21,
+	FW3_FLAG_ICMP_FLOOD    = 22,
+	FW3_FLAG_MTU_FIX       = 23,
+	FW3_FLAG_DROP_INVALID  = 24,
+	FW3_FLAG_HOTPLUG       = 25,
 
 	__FW3_FLAG_MAX
 };
@@ -299,6 +301,12 @@ struct fw3_defaults
 	bool syn_flood;
 	struct fw3_limit syn_flood_rate;
 
+	bool udp_flood;
+	struct fw3_limit udp_flood_rate;
+
+	bool icmp_flood;
+	struct fw3_limit icmp_flood_rate;
+
 	bool tcp_syncookies;
 	int tcp_ecn;
 	bool tcp_window_scaling;
-- 
2.7.4

More information about the openwrt-devel mailing list