modify Makefile.linux

@@ -20,6 +21,7 @@
 # installed, you need to get iptables sources from http://netfilter.org/
 # ./configure them and build them then miniupnpd will build using :
 # $ IPTABLESPATH=/path/to/iptables-1.4.1 make -f Makefile.linux
+IPTABLESPATH=$(ROOTDIR)/user/iptables-1.4.21
 #
 #CFLAGS = -O -g -DDEBUG
 CFLAGS ?= -Os
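Review bot: The added `IPTABLESPATH=$(ROOTDIR)/user/iptables-1.4.21` uses a plain `=`, which takes precedence over a value supplied in the environment, so the invocation documented three lines above (`IPTABLESPATH=/path/to/iptables-1.4.1 make -f Makefile.linux`) no longer has any effect unless `make -e` is used. Write it as `IPTABLESPATH ?= $(ROOTDIR)/user/iptables-1.4.21` so the build-tree default applies only when nothing was passed in. `ROOTDIR` is not defined anywhere in this hunk; if it is expected from the parent build system, an `ifndef ROOTDIR` / `$(error ROOTDIR is not set)` / `endif` next to the assignment turns a silent `/user/iptables-1.4.21` path into a clear failure instead of the "xtables.h: No such file" error further down this page.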

enable IPv6

@@ -7,6 +7,7 @@
 #
 # options can be passed to genconfig.sh through CONFIG_OPTIONS :
 # $ CONFIG_OPTIONS="--ipv6 --igd2" make -f Makefile.linux
+CONFIG_OPTIONS=--ipv6
 #
 # To install use :
 # $ DESTDIR=/dummyinstalldir make -f Makefile.linux install
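Review bot: `CONFIG_OPTIONS=--ipv6` hard-codes the option with `=`, which discards any `CONFIG_OPTIONS` passed in from the environment — the mechanism the comment directly above documents. The same problem appears in the `CONFIG_OPTIONS=--vendorcfg` hunk further down this page, and if both edits are kept only the last assignment survives, so the `--ipv6` build silently loses IPv6. Use `CONFIG_OPTIONS += --ipv6` here and `CONFIG_OPTIONS += --vendorcfg` there so the options accumulate and an environment value is extended rather than replaced; a short comment such as `# default genconfig options; extend, do not override, what the caller passes in` records the intent.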
@@ -107,6 +109,7 @@
 CPPFLAGS := $(CPPFLAGS) -DIPTABLES_143
 # the following sucks, but works
 LDLIBS = $(IPTABLESPATH)/libiptc/.libs/libip4tc.o
+LDLIBS += $(IPTABLESPATH)/libiptc/.libs/libip6tc.o
 #LDLIBS = $(IPTABLESPATH)/libiptc/.libs/libiptc.a
 else # ifeq ($(TEST), 1)
 LDLIBS = $(IPTABLESPATH)/libiptc/libiptc.a
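Review bot: The added `LDLIBS += $(IPTABLESPATH)/libiptc/.libs/libip6tc.o` links the IPv6 libiptc object unconditionally, while IPv6 support itself is opt-in through `CONFIG_OPTIONS=--ipv6`, so a build without `--ipv6` still pulls in libip6tc.o and a build with `--ipv6` that takes the `else` branch on the last line (`LDLIBS = $(IPTABLESPATH)/libiptc/libiptc.a`) gets no IPv6 object at all, which would presumably show up as unresolved ip6tc symbols at link time. The enclosing `ifeq` starts and ends outside this hunk, so I cannot see which iptables versions reach the `else` branch. At minimum add `# libip6tc is required by the ip6tables code enabled with --ipv6` above the new line; guarding it with `ifneq (,$(findstring --ipv6,$(CONFIG_OPTIONS)))` / `endif` keeps non-IPv6 builds unchanged.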

修改 genconfig.sh,開啟 IPv6 時會需要 getifaddrs(),所以 USE_GETIFADDRS 同時也要開啟。

@@ -502,6 +502,7 @@
 echo "/* Enable IP v6 support */" >> ${CONFIGFILE}
 if [ -n "$IPV6" ]; then
        echo "#define ENABLE_IPV6" >> ${CONFIGFILE}
+       echo "#define USE_GETIFADDRS" >> ${CONFIGFILE}
 else
        echo "/*#define ENABLE_IPV6*/" >> ${CONFIGFILE}
 fi
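Review bot: The added line emits `#define USE_GETIFADDRS` directly from the `IPV6` branch instead of going through whatever switch genconfig.sh already uses for getifaddrs; if the script also emits `USE_GETIFADDRS` (or its commented-out form) from its own option further down, config.h ends up with the macro defined twice or defined and then "commented out" depending on order. I cannot see the rest of the script from this hunk, so confirm whether such an emitter exists; if it does, set its controlling variable inside the `IPV6` branch before it runs rather than echoing the define here. Either way, a comment such as `# IPv6 interface enumeration needs getifaddrs(), so enable it together with ENABLE_IPV6` next to the echo records why the two options are coupled.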

modify upnpdescstrings.h

/*
 * Root-device description strings (upnpdescstrings.h).
 *
 * Every value is derived from OS_NAME / OS_URL, which must be defined
 * before this header is consumed.  These strings presumably end up
 * verbatim in the UPnP device description XML, so keep them free of
 * characters that need XML escaping (&, <, >, ") unless the emitter
 * escapes them itself — TODO confirm against the description generator.
 */

/* Manufacturer / model identity: taken straight from the OS identity. */
#define ROOTDEV_MANUFACTURER     OS_NAME
#define ROOTDEV_MANUFACTURERURL  OS_URL
#define ROOTDEV_MODELURL         OS_URL

/* Human-readable names: all three share the "<OS_NAME> router" form. */
#define ROOTDEV_FRIENDLYNAME     OS_NAME " router"
#define ROOTDEV_MODELNAME        OS_NAME " router"
#define ROOTDEV_MODELDESCRIPTION OS_NAME " router"

enable configuration of manufacturer info

@@ -7,6 +7,7 @@
 #
 # options can be passed to genconfig.sh through CONFIG_OPTIONS :
 # $ CONFIG_OPTIONS="--ipv6 --igd2" make -f Makefile.linux
+CONFIG_OPTIONS=--vendorcfg
 #
 # To install use :
 # $ DESTDIR=/dummyinstalldir make -f Makefile.linux install

/etc/miniupnpd.conf

  • 等號後面不可以加雙引號。
  • serial: 沒有則後面空白。
  • uuid: 讀取 /proc/sys/kernel/random/uuid。
  • ext_ifname: WAN_IF
  • listening_ip: LAN_IF
  • enable_upnp: 開啟 upnp
# Vendor / device description keys for /etc/miniupnpd.conf.
# Values are taken literally: do not wrap them in double quotes
# (see the notes above this listing).
friendly_name=
manufacturer_name=
manufacturer_url=
model_name=
model_description=
model_url=
# The notes above fill uuid from /proc/sys/kernel/random/uuid.
# NOTE(review): each read of that file returns a new random UUID, so
# generate the value once and persist it; a uuid that changes every
# boot makes the device look like a new one to control points — confirm
# how the startup script populates it.
uuid=
# Leave empty when the device has no serial number.
serial=
model_number=

Debug

  • miniupnpd -d & 可以顯示更多訊息
  • miniupnpd 直接跑 daemon,訊息比較少。

bugs

/opt/buildroot-gcc483_arm/usr/bin/arm-linux-gcc -mcpu=cortex-a7 -O2 -fomit-frame-pointer -pipe  -Dlinux -D__linux__ -Dunix -DEMBED -I/home/enos/workspace/fgn1300/source/uClibc-0.9.33.2/app_headers/include -I/home/enos/workspace/fgn1300/source/lib/include -DCONFIG_UCLIBC_0_9_33_2 -mcpu=cortex-a7 -I/home/enos/workspace/fgn1300/source  -fno-strict-aliasing -fno-common -Wall -Wextra -Wstrict-prototypes -Wdeclaration-after-statement -D_GNU_SOURCE  -c -o netfilter/iptcrdr.o netfilter/iptcrdr.c
Package libssl was not found in the pkg-config search path.
Perhaps you should add the directory containing `libssl.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libssl' found
netfilter/iptcrdr.c:16:21: fatal error: xtables.h: No such file or directory
 #include <xtables.h>
                     ^
compilation terminated.
make[3]: *** [netfilter/iptcrdr.o] Error 1
make[3]: Leaving directory `/home/enos/workspace/fgn1300/source/user/miniupnpd-2.0.20180412'
make[2]: *** [miniupnpd-2.0.20180412] Error 2
make[2]: Leaving directory `/home/enos/workspace/fgn1300/source/user'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/enos/workspace/fgn1300/source/user'
make: *** [user_only] Error 2

modify Makefile.linux, add IPTABLESPATH.


  • ifconfig -a | sed 's/[ \t].*//;/^$/d'
    列出所有 interface
  • ifconfig -a | sed 's/[ \t].*//;/^\(lo\|\)$/d'


# Wildcard IPv6 bind (presumably a lighttpd server.bind setting).
# NOTE(review): one line serves both families only while the kernel
# allows dual-stack sockets (net.ipv6.bindv6only = 0, the usual default);
# it also listens on every interface, so confirm the host's firewall
# covers the WAN side if there is one.
server.bind = "[::]"

只要新增這一行就可以同時使用 IPv6 及 IPv4。

Reference



# Show the upper bound on tracked connections; once the table is full the
# kernel typically drops new flows (logged as "nf_conntrack: table full").
cat /proc/sys/net/nf_conntrack_max

Reference



  • stateful packet inspection,SPI
  • Stateful firewall,狀態防火牆

IPv4

  • iptables -A INPUT -i lo -j ACCEPT
  • iptables -A INPUT -i br0 -j ACCEPT
  • iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • iptables -A FORWARD -i br0 -j ACCEPT
  • iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  • iptables -P INPUT DROP
  • iptables -P OUTPUT ACCEPT
  • iptables -P FORWARD DROP

IPv6

  • ip6tables -A INPUT -i lo -j ACCEPT
  • ip6tables -A INPUT -i br0 -j ACCEPT
  • ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
  • ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
  • ip6tables -A FORWARD -i br0 -j ACCEPT
  • ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  • ip6tables -P INPUT DROP
  • ip6tables -P OUTPUT ACCEPT
  • ip6tables -P FORWARD DROP

封包狀態

  • NEW:一個新的連線封包 (建立新連線後的第一個封包)
  • ESTABLISHED:成功建立的連線,即建立追蹤連線後所有封包狀態 (跟在 NEW 封包後面的所有封包)
  • RELATED:新建連線,由 ESTABLISHED session 所建立的新獨立連線 (ex. ftp-data 連線)
  • INVALID:非法連線狀態的封包 (DROP 封包)
  • UNKOWN:不明連線狀態的封包

Reference

