From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: Re: Forcing all DNS traffic from the LAN to the firewall Date: Mon, 23 Nov 2020 10:08:14 +0100 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5107245272089449805==" List-Id: --===============5107245272089449805== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, to keep this discussion going, I'd like to publish some code that is already running here and ask for some hints. As Jon used to say: "Please don't hurt me". ;-) I'm *not* sending this through patchwork - I strongly think this is not ready yet. Opinions? The following seems to work as I want, but I'm at a point where I know what I want the code to do - but he/it has other thoughts. The last step is not working yet. As in my previous post I "Slightly shortened, kept the relevant parts", current patches are based on 'next'. On 15.11.2020 15:50, Michael Tremer wrote: >>>> .... >>>> This would probably go into /etc/init.d/firewall. Done. Done right? >> Sorry, but *which* line? I'm really not sure. I suppose somewhere after >> line 179f which read: >> ... >> iptables -t nat -N CUSTOMPREROUTING >> iptables -t nat -A PREROUTING -j CUSTOMPREROUTING >> ... >>=20 >> I don't want to mess things up - especially in *this* script! >> We need an "if"-query to check for ON/OFF there, ok. >> But the more often I read this script the less sure I am where this code >> can be inserted best. Where? Hints? >=20 > If we do not go with the generic redirection option, I would suggest to put= this before the CAPTIVE_PORTAL chain and create another chain with the redir= ection rules. I used REDIRECT, see below. Is it ok this way? To get a start I first altered 'optionsfw.cgi', so that I got '[DNS/NTP]_FORCED_ON_[INTERFACE] options in ''/var/ipfire/optionsfw/settings' (see: 01_force_dns_in_optionsfw.patch). Here, it was important to me that the corresponding options are only visible if the respective interface is actually available. So if there is no BLUE interface, you don't see any ON/OFF switches for 'DNS/NTP on BLUE' or BLUE logging options. Language strings were altered accordingly. Screenshot examples: =3D> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-fi= rewall/3512/91 ['Masquerading on BLUE' is not shown because screenshots were made on a testmachine.] Then I went to the next problem: how and where to activate? I used '/etc/rc.d/init.d/firewall' with REDIRECT rules and placed them just behind the CAPITVE_PORTAL_CHAIN, as Michael mentions. I hope, I got the right place (see: 02_force_dns_firewall_init.patch). To avoid creating duplicate rule entries, I used code like 'if ! iptables -t nat -C..." or 'if iptables -t nat -C..." ("Check for the existence of a rule"). I wanted to be sure that a specific rule would only be created if it doesn't exist. To reduce output noise I added '>/dev/null 2>&1', where necessary. Opinions? All this seemed to work. Manually testing was ok. If I delete just one rule manually, only the missing rule will be created, I experienced no duplicates. ON/OFF switches worked as expected. But still I have to do the necessary firewall restart in a console session. Hm. Ok, up to next problem. Restarting the firewall after making changes: How can I initiate *restarting* the firewall through 'optionsfw.cgi'!? This implements initiating '/etc/rc.d/init.d/firewall restart' and starting 'iptables' and this seems to be a point where I'm stuck. Or do I miss something!? Like in 'squid', I wanted two buttons: 'Save' and 'Save and restart'. I found a solution how to code this - perhaps not very professional - really simple, but works. Nearly. (see: 03_firewall_restart_in_optionsfw_cgi.patch In this patch I'm trying to restart the firewall by adding: ... system("/etc/rc.d/init.d/firewall restart >/dev/null 2>&1 "); ... Doesn't work. I tried adding a new prog 'optionsfwctrl' (see: 04_optionsfwctrl.c). Doesn't work either. I checked rights ("set user id on execution") and played with 'C' (try and error), but no chance. I think, I'm missing something important. Current situation: If I run 'optionsfwctrl on a root console, it works. Settings are saved. But the firewall restart does not work. I'm not able to initiate '/etc/rc.d/init.d/firewall restart' through the web GUI. DNS/NTP rules won't be applied. So I got my two buttons, but only ONE is working. The other is only saving, but doesn't restart. >> Besides, deactivating these rules would need a complete reboot!? Or do I >> overlook something? >=20 > Yes, this would be true. >=20 > We could otherwise create a extra script that is only executed when this is= enabled like we do with the captive portal. Tried this(?), but haven't found the right way yet. How to do? >> Because if this should be the case then on the firewall options page the >> entries that require a restart should be *marked* to make things easier >> and more clearly. Otherwise you switch ON <-> OFF or vice versa without >> *really* realising that your changes "need a reboot". The notice "Some >> options need a reboot to take effect" is not sufficiently meaningful. >> "Some options..."!? Which? >=20 > Yes, I find this quite annoying=E2=80=A6 >=20 > Maybe we should in general move these things to not require a reboot? >=20 > I believe reloading the whole firewall is something we can support right no= w. I think, I need a 'restart'. Right? How can this be done? Please correct me if I'm totally wrong with these patches (but it was fun coding this...). Best, Matthias --===============5107245272089449805== Content-Type: text/plain Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="01_force_dns_in_optionsfw_cgi.patch" MIME-Version: 1.0 ZGlmZiAtVSAzIEM6L0NvbXBhcmUvZm9yY2UgZG5zL25leHQvaHRtbF9jZ2ktYmluX29wdGlvbnNm dy5jZ2kgQzovQ29tcGFyZS9mb3JjZSBkbnMvdHVuZWQgMDEvb3B0aW9uc2Z3LmNnaQ0KLS0tIEM6 L0NvbXBhcmUvZm9yY2UgZG5zL25leHQvaHRtbF9jZ2ktYmluX29wdGlvbnNmdy5jZ2kJTW9uIE5v diAyMyAwODo1MjoxMiAyMDIwDQorKysgQzovQ29tcGFyZS9mb3JjZSBkbnMvdHVuZWQgMDEvb3B0 aW9uc2Z3LmNnaQlTdW4gTm92ICA4IDIwOjE3OjU0IDIwMjANCkBAIC0xNTgsNiArMTU4LDE4IEBA DQogJHNlbGVjdGVkeydNQVNRVUVSQURFX0JMVUUnfXsnb2ZmJ30gPSAnJzsNCiAkc2VsZWN0ZWR7 J01BU1FVRVJBREVfQkxVRSd9eydvbid9ID0gJyc7DQogJHNlbGVjdGVkeydNQVNRVUVSQURFX0JM VUUnfXskc2V0dGluZ3N7J01BU1FVRVJBREVfQkxVRSd9fSA9ICdzZWxlY3RlZD0ic2VsZWN0ZWQi JzsNCiskY2hlY2tlZHsnRE5TX0ZPUkNFX09OX0dSRUVOJ317J29mZid9ID0gJyc7DQorJGNoZWNr ZWR7J0ROU19GT1JDRV9PTl9HUkVFTid9eydvbid9ID0gJyc7DQorJGNoZWNrZWR7J0ROU19GT1JD RV9PTl9HUkVFTid9eyRzZXR0aW5nc3snRE5TX0ZPUkNFX09OX0dSRUVOJ319ID0gImNoZWNrZWQ9 J2NoZWNrZWQnIjsNCiskY2hlY2tlZHsnRE5TX0ZPUkNFX09OX0JMVUUnfXsnb2ZmJ30gPSAnJzsN CiskY2hlY2tlZHsnRE5TX0ZPUkNFX09OX0JMVUUnfXsnb24nfSA9ICcnOw0KKyRjaGVja2VkeydE TlNfRk9SQ0VfT05fQkxVRSd9eyRzZXR0aW5nc3snRE5TX0ZPUkNFX09OX0JMVUUnfX0gPSAiY2hl Y2tlZD0nY2hlY2tlZCciOw0KKyRjaGVja2VkeydOVFBfRk9SQ0VfT05fR1JFRU4nfXsnb2ZmJ30g PSAnJzsNCiskY2hlY2tlZHsnTlRQX0ZPUkNFX09OX0dSRUVOJ317J29uJ30gPSAnJzsNCiskY2hl Y2tlZHsnTlRQX0ZPUkNFX09OX0dSRUVOJ317JHNldHRpbmdzeydOVFBfRk9SQ0VfT05fR1JFRU4n fX0gPSAiY2hlY2tlZD0nY2hlY2tlZCciOw0KKyRjaGVja2VkeydOVFBfRk9SQ0VfT05fQkxVRSd9 eydvZmYnfSA9ICcnOw0KKyRjaGVja2VkeydOVFBfRk9SQ0VfT05fQkxVRSd9eydvbid9ID0gJyc7 DQorJGNoZWNrZWR7J05UUF9GT1JDRV9PTl9CTFVFJ317JHNldHRpbmdzeydOVFBfRk9SQ0VfT05f QkxVRSd9fSA9ICJjaGVja2VkPSdjaGVja2VkJyI7DQogDQogJkhlYWRlcjo6b3BlbmJveCgnMTAw JScsICdjZW50ZXInLCk7DQogcHJpbnQgIjxmb3JtIG1ldGhvZD0ncG9zdCcgYWN0aW9uPSckRU5W eydTQ1JJUFRfTkFNRSd9Jz4iOw0KQEAgLTIwNyw3ICsyMTksMzggQEANCiBFTkQNCiAJfQ0KIA0K LQlwcmludCA8PEVORA0KK3ByaW50IDw8RU5EOw0KKwk8dGFibGUgd2lkdGg9Jzk1JScgY2VsbHNw YWNpbmc9JzAnPg0KKwkJPHRyIGJnY29sb3I9JyRjb2xvcnsnY29sb3IyMCd9Jz48L3RyPg0KKwkJ PHRyPiZuYnNwOzwvdHI+DQorCQkJPHRkIGNvbHNwYW49JzInIGFsaWduPSdsZWZ0Jz48Yj4kTGFu Zzo6dHJ7J2Z3IGdyZWVuJ308L2I+PC90ZD4NCisJCTwvdHI+DQorCQk8dHI+PHRkIGFsaWduPSds ZWZ0JyB3aWR0aD0nNjAlJz4kTGFuZzo6dHJ7J2RucyBmb3JjZSBvbiBncmVlbid9PC90ZD48dGQg YWxpZ249J2xlZnQnPiRMYW5nOjp0cnsnb24nfSA8aW5wdXQgdHlwZT0ncmFkaW8nIG5hbWU9J0RO U19GT1JDRV9PTl9HUkVFTicgdmFsdWU9J29uJyAkY2hlY2tlZHsnRE5TX0ZPUkNFX09OX0dSRUVO J317J29uJ30gLz4vDQorCQkJCQkJCQkJCQkJCQkJCQkJCQkJCTxpbnB1dCB0eXBlPSdyYWRpbycg bmFtZT0nRE5TX0ZPUkNFX09OX0dSRUVOJyB2YWx1ZT0nb2ZmJyAkY2hlY2tlZHsnRE5TX0ZPUkNF X09OX0dSRUVOJ317J29mZid9IC8+ICRMYW5nOjp0cnsnb2ZmJ308L3RkPjwvdHI+DQorCQk8dHI+ PHRkIGFsaWduPSdsZWZ0JyB3aWR0aD0nNjAlJz4kTGFuZzo6dHJ7J250cCBmb3JjZSBvbiBncmVl bid9PC90ZD48dGQgYWxpZ249J2xlZnQnPiRMYW5nOjp0cnsnb24nfSA8aW5wdXQgdHlwZT0ncmFk aW8nIG5hbWU9J05UUF9GT1JDRV9PTl9HUkVFTicgdmFsdWU9J29uJyAkY2hlY2tlZHsnTlRQX0ZP UkNFX09OX0dSRUVOJ317J29uJ30gLz4vDQorCQkJCQkJCQkJCQkJCQkJCQkJCQkJCTxpbnB1dCB0 eXBlPSdyYWRpbycgbmFtZT0nTlRQX0ZPUkNFX09OX0dSRUVOJyB2YWx1ZT0nb2ZmJyAkY2hlY2tl ZHsnTlRQX0ZPUkNFX09OX0dSRUVOJ317J29mZid9IC8+ICRMYW5nOjp0cnsnb2ZmJ308L3RkPjwv dHI+DQorRU5EDQorDQorCWlmICgmSGVhZGVyOjpibHVlX3VzZWQoKSkgew0KKwkJcHJpbnQgPDxF TkQ7DQorCQk8dGFibGUgd2lkdGg9Jzk1JScgY2VsbHNwYWNpbmc9JzAnPg0KKwkJPHRyIGJnY29s b3I9JyRjb2xvcnsnY29sb3IyMCd9Jz48dGQgY29sc3Bhbj0nMicgYWxpZ249J2xlZnQnPjxiPiRM YW5nOjp0cnsnZncgYmx1ZSd9PC9iPjwvdGQ+PC90cj4NCisJCTx0cj4mbmJzcDs8L3RyPg0KKwkJ CTx0cj4NCisJCQk8dHI+PHRkIGFsaWduPSdsZWZ0JyB3aWR0aD0nNjAlJz4kTGFuZzo6dHJ7J2Ru cyBmb3JjZSBvbiBibHVlJ308L3RkPjx0ZCBhbGlnbj0nbGVmdCc+JExhbmc6OnRyeydvbid9IDxp bnB1dCB0eXBlPSdyYWRpbycgbmFtZT0nRE5TX0ZPUkNFX09OX0JMVUUnIHZhbHVlPSdvbicgJGNo ZWNrZWR7J0ROU19GT1JDRV9PTl9CTFVFJ317J29uJ30gLz4vDQorCQkJCQkJCQkJCQkJCQkJCQkJ CQkJCTxpbnB1dCB0eXBlPSdyYWRpbycgbmFtZT0nRE5TX0ZPUkNFX09OX0JMVUUnIHZhbHVlPSdv ZmYnICRjaGVja2VkeydETlNfRk9SQ0VfT05fQkxVRSd9eydvZmYnfSAvPiAkTGFuZzo6dHJ7J29m Zid9PC90ZD48L3RyPg0KKwkJCTx0cj48dGQgYWxpZ249J2xlZnQnIHdpZHRoPSc2MCUnPiRMYW5n Ojp0cnsnbnRwIGZvcmNlIG9uIGJsdWUnfTwvdGQ+PHRkIGFsaWduPSdsZWZ0Jz4kTGFuZzo6dHJ7 J29uJ30gPGlucHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdOVFBfRk9SQ0VfT05fQkxVRScgdmFsdWU9 J29uJyAkY2hlY2tlZHsnTlRQX0ZPUkNFX09OX0JMVUUnfXsnb24nfSAvPi8NCisJCQkJCQkJCQkJ CQkJCQkJCQkJCQkJPGlucHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdOVFBfRk9SQ0VfT05fQkxVRScg dmFsdWU9J29mZicgJGNoZWNrZWR7J05UUF9GT1JDRV9PTl9CTFVFJ317J29mZid9IC8+ICRMYW5n Ojp0cnsnb2ZmJ308L3RkPjwvdHI+DQorCQkJPHRyPjx0ZCBhbGlnbj0nbGVmdCcgd2lkdGg9JzYw JSc+JExhbmc6OnRyeydkcm9wIHByb3h5J308L3RkPjx0ZCBhbGlnbj0nbGVmdCc+JExhbmc6OnRy eydvbid9IDxpbnB1dCB0eXBlPSdyYWRpbycgbmFtZT0nRFJPUFBST1hZJyB2YWx1ZT0nb24nICRj aGVja2VkeydEUk9QUFJPWFknfXsnb24nfSAvPi8NCisJCQkJCQkJCQkJCQkJCQkJCQkJCQkJPGlu cHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdEUk9QUFJPWFknIHZhbHVlPSdvZmYnICRjaGVja2VkeydE Uk9QUFJPWFknfXsnb2ZmJ30gLz4gJExhbmc6OnRyeydvZmYnfTwvdGQ+PC90cj4NCisJCQk8dHI+ PHRkIGFsaWduPSdsZWZ0JyB3aWR0aD0nNjAlJz4kTGFuZzo6dHJ7J2Ryb3Agc2FtYmEnfTwvdGQ+ PHRkIGFsaWduPSdsZWZ0Jz4kTGFuZzo6dHJ7J29uJ30gPGlucHV0IHR5cGU9J3JhZGlvJyBuYW1l PSdEUk9QU0FNQkEnIHZhbHVlPSdvbicgJGNoZWNrZWR7J0RST1BTQU1CQSd9eydvbid9IC8+Lw0K KwkJCQkJCQkJCQkJCQkJCQkJCQkJCQk8aW5wdXQgdHlwZT0ncmFkaW8nIG5hbWU9J0RST1BTQU1C QScgdmFsdWU9J29mZicgJGNoZWNrZWR7J0RST1BTQU1CQSd9eydvZmYnfSAvPiAkTGFuZzo6dHJ7 J29mZid9PC90ZD48L3RyPg0KKwkJCTwvdGQ+DQorCQkJPC90cj4NCitFTkQNCisJfQ0KKw0KKwlw cmludCA8PEVORDsNCiAJPC90YWJsZT4NCiANCiAJPGJyPg0KQEAgLTIyNCwyMSArMjY3LDI1IEBA DQogCQkJCQkJCQkJCQkJCQkJCQkJCQkJCTxpbnB1dCB0eXBlPSdyYWRpbycgbmFtZT0nRFJPUE9V VEdPSU5HJyB2YWx1ZT0nb2ZmJyAkY2hlY2tlZHsnRFJPUE9VVEdPSU5HJ317J29mZid9IC8+ICRM YW5nOjp0cnsnb2ZmJ308L3RkPjwvdHI+DQogPHRyPjx0ZCBhbGlnbj0nbGVmdCcgd2lkdGg9JzYw JSc+JExhbmc6OnRyeydkcm9wIHBvcnRzY2FuJ308L3RkPjx0ZCBhbGlnbj0nbGVmdCc+JExhbmc6 OnRyeydvbid9IDxpbnB1dCB0eXBlPSdyYWRpbycgbmFtZT0nRFJPUFBPUlRTQ0FOJyB2YWx1ZT0n b24nICRjaGVja2VkeydEUk9QUE9SVFNDQU4nfXsnb24nfSAvPi8NCiAJCQkJCQkJCQkJCQkJCQkJ CQkJCQkJPGlucHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdEUk9QUE9SVFNDQU4nIHZhbHVlPSdvZmYn ICRjaGVja2VkeydEUk9QUE9SVFNDQU4nfXsnb2ZmJ30gLz4gJExhbmc6OnRyeydvZmYnfTwvdGQ+ PC90cj4NCi08dHI+PHRkIGFsaWduPSdsZWZ0JyB3aWR0aD0nNjAlJz4kTGFuZzo6dHJ7J2Ryb3Ag d2lyZWxlc3NpbnB1dCd9PC90ZD48dGQgYWxpZ249J2xlZnQnPiRMYW5nOjp0cnsnb24nfSA8aW5w dXQgdHlwZT0ncmFkaW8nIG5hbWU9J0RST1BXSVJFTEVTU0lOUFVUJyB2YWx1ZT0nb24nICRjaGVj a2VkeydEUk9QV0lSRUxFU1NJTlBVVCd9eydvbid9IC8+Lw0KK0VORA0KKw0KKwlpZiAoJkhlYWRl cjo6Ymx1ZV91c2VkKCkpIHsNCisJCXByaW50IDw8RU5EOw0KKwkJPHRhYmxlIHdpZHRoPSc5NSUn IGNlbGxzcGFjaW5nPScwJz4NCisJCQk8dHI+DQorCQkJPHRyPjx0ZCBhbGlnbj0nbGVmdCcgd2lk dGg9JzYwJSc+JExhbmc6OnRyeydkcm9wIHdpcmVsZXNzaW5wdXQnfTwvdGQ+PHRkIGFsaWduPSds ZWZ0Jz4kTGFuZzo6dHJ7J29uJ30gPGlucHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdEUk9QV0lSRUxF U1NJTlBVVCcgdmFsdWU9J29uJyAkY2hlY2tlZHsnRFJPUFdJUkVMRVNTSU5QVVQnfXsnb24nfSAv Pi8NCiAJCQkJCQkJCQkJCQkJCQkJCQkJCQkJPGlucHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdEUk9Q V0lSRUxFU1NJTlBVVCcgdmFsdWU9J29mZicgJGNoZWNrZWR7J0RST1BXSVJFTEVTU0lOUFVUJ317 J29mZid9IC8+ICRMYW5nOjp0cnsnb2ZmJ308L3RkPjwvdHI+DQotPHRyPjx0ZCBhbGlnbj0nbGVm dCcgd2lkdGg9JzYwJSc+JExhbmc6OnRyeydkcm9wIHdpcmVsZXNzZm9yd2FyZCd9PC90ZD48dGQg YWxpZ249J2xlZnQnPiRMYW5nOjp0cnsnb24nfSA8aW5wdXQgdHlwZT0ncmFkaW8nIG5hbWU9J0RS T1BXSVJFTEVTU0ZPUldBUkQnIHZhbHVlPSdvbicgJGNoZWNrZWR7J0RST1BXSVJFTEVTU0ZPUldB UkQnfXsnb24nfSAvPi8NCisJCQk8dHI+PHRkIGFsaWduPSdsZWZ0JyB3aWR0aD0nNjAlJz4kTGFu Zzo6dHJ7J2Ryb3Agd2lyZWxlc3Nmb3J3YXJkJ308L3RkPjx0ZCBhbGlnbj0nbGVmdCc+JExhbmc6 OnRyeydvbid9IDxpbnB1dCB0eXBlPSdyYWRpbycgbmFtZT0nRFJPUFdJUkVMRVNTRk9SV0FSRCcg dmFsdWU9J29uJyAkY2hlY2tlZHsnRFJPUFdJUkVMRVNTRk9SV0FSRCd9eydvbid9IC8+Lw0KIAkJ CQkJCQkJCQkJCQkJCQkJCQkJCQk8aW5wdXQgdHlwZT0ncmFkaW8nIG5hbWU9J0RST1BXSVJFTEVT U0ZPUldBUkQnIHZhbHVlPSdvZmYnICRjaGVja2VkeydEUk9QV0lSRUxFU1NGT1JXQVJEJ317J29m Zid9IC8+ICRMYW5nOjp0cnsnb2ZmJ308L3RkPjwvdHI+DQotPC90YWJsZT4NCi08YnIvPg0KKwkJ CTwvdHI+DQorRU5EDQorCX0NCisNCisJcHJpbnQgPDxFTkQ7DQorCTwvdGFibGU+DQorDQorCTxi ci8+DQogDQotPHRhYmxlIHdpZHRoPSc5NSUnIGNlbGxzcGFjaW5nPScwJz4NCi08dHIgYmdjb2xv cj0nJGNvbG9yeydjb2xvcjIwJ30nPjx0ZCBjb2xzcGFuPScyJyBhbGlnbj0nbGVmdCc+PGI+JExh bmc6OnRyeydmdyBibHVlJ308L2I+PC90ZD48L3RyPg0KLTx0cj48dGQgYWxpZ249J2xlZnQnIHdp ZHRoPSc2MCUnPiRMYW5nOjp0cnsnZHJvcCBwcm94eSd9PC90ZD48dGQgYWxpZ249J2xlZnQnPiRM YW5nOjp0cnsnb24nfSA8aW5wdXQgdHlwZT0ncmFkaW8nIG5hbWU9J0RST1BQUk9YWScgdmFsdWU9 J29uJyAkY2hlY2tlZHsnRFJPUFBST1hZJ317J29uJ30gLz4vDQotCQkJCQkJCQkJCQkJCQkJCQkJ CQkJCTxpbnB1dCB0eXBlPSdyYWRpbycgbmFtZT0nRFJPUFBST1hZJyB2YWx1ZT0nb2ZmJyAkY2hl Y2tlZHsnRFJPUFBST1hZJ317J29mZid9IC8+ICRMYW5nOjp0cnsnb2ZmJ308L3RkPjwvdHI+DQot PHRyPjx0ZCBhbGlnbj0nbGVmdCcgd2lkdGg9JzYwJSc+JExhbmc6OnRyeydkcm9wIHNhbWJhJ308 L3RkPjx0ZCBhbGlnbj0nbGVmdCc+JExhbmc6OnRyeydvbid9IDxpbnB1dCB0eXBlPSdyYWRpbycg bmFtZT0nRFJPUFNBTUJBJyB2YWx1ZT0nb24nICRjaGVja2VkeydEUk9QU0FNQkEnfXsnb24nfSAv Pi8NCi0JCQkJCQkJCQkJCQkJCQkJCQkJCQkJPGlucHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdEUk9Q U0FNQkEnIHZhbHVlPSdvZmYnICRjaGVja2VkeydEUk9QU0FNQkEnfXsnb2ZmJ30gLz4gJExhbmc6 OnRyeydvZmYnfTwvdGQ+PC90cj4NCi08L3RhYmxlPg0KLTxicj4NCiA8dGFibGUgd2lkdGg9Jzk1 JScgY2VsbHNwYWNpbmc9JzAnPg0KIDx0ciBiZ2NvbG9yPSckY29sb3J7J2NvbG9yMjAnfSc+PHRk IGNvbHNwYW49JzInIGFsaWduPSdsZWZ0Jz48Yj4kTGFuZzo6dHJ7J2Z3IHNldHRpbmdzJ308L2I+ PC90ZD48L3RyPg0KIDx0cj48dGQgYWxpZ249J2xlZnQnIHdpZHRoPSc2MCUnPiRMYW5nOjp0cnsn Zncgc2V0dGluZ3MgY29sb3InfTwvdGQ+PHRkIGFsaWduPSdsZWZ0Jz4kTGFuZzo6dHJ7J29uJ30g PGlucHV0IHR5cGU9J3JhZGlvJyBuYW1lPSdTSE9XQ09MT1JTJyB2YWx1ZT0nb24nICRjaGVja2Vk eydTSE9XQ09MT1JTJ317J29uJ30gLz4vDQo= --===============5107245272089449805== Content-Type: text/plain Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="02_force_dns_firewall_init.patch" MIME-Version: 1.0 ZGlmZiAtVSAzIEM6L0NvbXBhcmUvZm9yY2UgZG5zL25leHQvc3JjX2luaXRzY3JpcHRzX3N5c3Rl bV9maXJld2FsbCBDOi9Db21wYXJlL2ZvcmNlIGRucy90dW5lZCAwMS9maXJld2FsbF9pbml0DQot LS0gQzovQ29tcGFyZS9mb3JjZSBkbnMvbmV4dC9zcmNfaW5pdHNjcmlwdHNfc3lzdGVtX2ZpcmV3 YWxsCU1vbiBOb3YgMjMgMDk6MDk6MjQgMjAyMA0KKysrIEM6L0NvbXBhcmUvZm9yY2UgZG5zL3R1 bmVkIDAxL2ZpcmV3YWxsX2luaXQJU2F0IE5vdiAyMSAwMTozNzo1NCAyMDIwDQpAQCAtMjQ2LDYg KzI0Niw3NyBAQA0KIAkJaXB0YWJsZXMgLUEgJHtpfSAtaiBDQVBUSVZFX1BPUlRBTA0KIAlkb25l DQogDQorIyBGb3JjZSBETlMgUkVESVJFQ1Qgb24gR1JFRU4gKHVkcCwgdGNwLCA1MykNCitpZiBb ICIkRE5TX0ZPUkNFX09OX0dSRUVOIiA9PSAib24iIF07IHRoZW4NCisJaWYgISBpcHRhYmxlcyAt dCBuYXQgLUMgQ1VTVE9NUFJFUk9VVElORyAtaSBncmVlbjAgLXAgdWRwIC1tIHVkcCAtLWRwb3J0 IDUzIC1qIFJFRElSRUNUID4vZGV2L251bGwgMj4mMTsgdGhlbg0KKwkJaXB0YWJsZXMgLXQgbmF0 IC1BIENVU1RPTVBSRVJPVVRJTkcgLWkgZ3JlZW4wIC1wIHVkcCAtbSB1ZHAgLS1kcG9ydCA1MyAt aiBSRURJUkVDVA0KKwlmaQ0KKw0KKwlpZiAhIGlwdGFibGVzIC10IG5hdCAtQyBDVVNUT01QUkVS T1VUSU5HIC1pIGdyZWVuMCAtcCB0Y3AgLW0gdGNwIC0tZHBvcnQgNTMgLWogUkVESVJFQ1QgPi9k ZXYvbnVsbCAyPiYxOyB0aGVuDQorCQlpcHRhYmxlcyAtdCBuYXQgLUEgQ1VTVE9NUFJFUk9VVElO RyAtaSBncmVlbjAgLXAgdGNwIC1tIHRjcCAtLWRwb3J0IDUzIC1qIFJFRElSRUNUDQorCWZpDQor DQorZWxzZQ0KKw0KKwlpZiBpcHRhYmxlcyAtdCBuYXQgLUMgQ1VTVE9NUFJFUk9VVElORyAtaSBn cmVlbjAgLXAgdWRwIC1tIHVkcCAtLWRwb3J0IDUzIC1qIFJFRElSRUNUID4vZGV2L251bGwgMj4m MTsgdGhlbg0KKwkJaXB0YWJsZXMgLXQgbmF0IC1EIENVU1RPTVBSRVJPVVRJTkcgLWkgZ3JlZW4w IC1wIHVkcCAtbSB1ZHAgLS1kcG9ydCA1MyAtaiBSRURJUkVDVCA+L2Rldi9udWxsIDI+JjENCisJ ZmkNCisNCisJaWYgaXB0YWJsZXMgLXQgbmF0IC1DIENVU1RPTVBSRVJPVVRJTkcgLWkgZ3JlZW4w IC1wIHRjcCAtbSB0Y3AgLS1kcG9ydCA1MyAtaiBSRURJUkVDVCA+L2Rldi9udWxsIDI+JjE7IHRo ZW4NCisJCWlwdGFibGVzIC10IG5hdCAtRCBDVVNUT01QUkVST1VUSU5HIC1pIGdyZWVuMCAtcCB0 Y3AgLW0gdGNwIC0tZHBvcnQgNTMgLWogUkVESVJFQ1QgPi9kZXYvbnVsbCAyPiYxDQorCWZpDQor ZmkNCisNCisjIEZvcmNlIEROUyBSRURJUkVDVCBvbiBCTFVFICh1ZHAsIHRjcCwgNTMpDQoraWYg WyAiJEROU19GT1JDRV9PTl9CTFVFIiA9PSAib24iIF07IHRoZW4NCisJaWYgISBpcHRhYmxlcyAt dCBuYXQgLUMgQ1VTVE9NUFJFUk9VVElORyAtaSBibHVlMCAtcCB1ZHAgLW0gdWRwIC0tZHBvcnQg NTMgLWogUkVESVJFQ1QgPi9kZXYvbnVsbCAyPiYxOyB0aGVuDQorCQlpcHRhYmxlcyAtdCBuYXQg LUEgQ1VTVE9NUFJFUk9VVElORyAtaSBibHVlMCAtcCB1ZHAgLW0gdWRwIC0tZHBvcnQgNTMgLWog UkVESVJFQ1QNCisJZmkNCisNCisJaWYgISBpcHRhYmxlcyAtdCBuYXQgLUMgQ1VTVE9NUFJFUk9V VElORyAtaSBibHVlMCAtcCB0Y3AgLW0gdGNwIC0tZHBvcnQgNTMgLWogUkVESVJFQ1QgPi9kZXYv bnVsbCAyPiYxOyB0aGVuDQorCQlpcHRhYmxlcyAtdCBuYXQgLUEgQ1VTVE9NUFJFUk9VVElORyAt aSBibHVlMCAtcCB0Y3AgLW0gdGNwIC0tZHBvcnQgNTMgLWogUkVESVJFQ1QNCisJZmkNCisNCitl bHNlDQorDQorCWlmIGlwdGFibGVzIC10IG5hdCAtQyBDVVNUT01QUkVST1VUSU5HIC1pIGJsdWUw IC1wIHVkcCAtbSB1ZHAgLS1kcG9ydCA1MyAtaiBSRURJUkVDVCA+L2Rldi9udWxsIDI+JjE7IHRo ZW4NCisJCWlwdGFibGVzIC10IG5hdCAtRCBDVVNUT01QUkVST1VUSU5HIC1pIGJsdWUwIC1wIHVk cCAtbSB1ZHAgLS1kcG9ydCA1MyAtaiBSRURJUkVDVCA+L2Rldi9udWxsIDI+JjENCisJZmkNCisN CisJaWYgaXB0YWJsZXMgLXQgbmF0IC1DIENVU1RPTVBSRVJPVVRJTkcgLWkgYmx1ZTAgLXAgdGNw IC1tIHRjcCAtLWRwb3J0IDUzIC1qIFJFRElSRUNUID4vZGV2L251bGwgMj4mMTsgdGhlbg0KKwkJ aXB0YWJsZXMgLXQgbmF0IC1EIENVU1RPTVBSRVJPVVRJTkcgLWkgYmx1ZTAgLXAgdGNwIC1tIHRj cCAtLWRwb3J0IDUzIC1qIFJFRElSRUNUID4vZGV2L251bGwgMj4mMQ0KKwlmaQ0KKw0KK2ZpDQor DQorIyBGb3JjZSBOVFAgUkVESVJFQ1Qgb24gR1JFRU4gKHVkcCwgMTIzKQ0KK2lmIFsgIiROVFBf Rk9SQ0VfT05fR1JFRU4iID09ICJvbiIgXTsgdGhlbg0KKwlpZiAhIGlwdGFibGVzIC10IG5hdCAt QyBDVVNUT01QUkVST1VUSU5HIC1pIGdyZWVuMCAtcCB1ZHAgLW0gdWRwIC0tZHBvcnQgMTIzIC1q IFJFRElSRUNUID4vZGV2L251bGwgMj4mMTsgdGhlbg0KKwkJaXB0YWJsZXMgLXQgbmF0IC1BIENV U1RPTVBSRVJPVVRJTkcgLWkgZ3JlZW4wIC1wIHVkcCAtbSB1ZHAgLS1kcG9ydCAxMjMgLWogUkVE SVJFQ1QNCisJZmkNCisNCitlbHNlDQorDQorCWlmIGlwdGFibGVzIC10IG5hdCAtQyBDVVNUT01Q UkVST1VUSU5HIC1pIGdyZWVuMCAtcCB1ZHAgLW0gdWRwIC0tZHBvcnQgMTIzIC1qIFJFRElSRUNU ID4vZGV2L251bGwgMj4mMTsgdGhlbg0KKwkJaXB0YWJsZXMgLXQgbmF0IC1EIENVU1RPTVBSRVJP VVRJTkcgLWkgZ3JlZW4wIC1wIHVkcCAtbSB1ZHAgLS1kcG9ydCAxMjMgLWogUkVESVJFQ1QgPi9k ZXYvbnVsbCAyPiYxDQorCWZpDQorDQorZmkNCisNCisjIEZvcmNlIEROUyBSRURJUkVDVCBvbiBC TFVFICh1ZHAsIDEyMykNCitpZiBbICIkTlRQX0ZPUkNFX09OX0JMVUUiID09ICJvbiIgXTsgdGhl bg0KKwlpZiAhIGlwdGFibGVzIC10IG5hdCAtQyBDVVNUT01QUkVST1VUSU5HIC1pIGJsdWUwIC1w IHVkcCAtbSB1ZHAgLS1kcG9ydCAxMjMgLWogUkVESVJFQ1QgPi9kZXYvbnVsbCAyPiYxOyB0aGVu DQorCQlpcHRhYmxlcyAtdCBuYXQgLUEgQ1VTVE9NUFJFUk9VVElORyAtaSBibHVlMCAtcCB1ZHAg LW0gdWRwIC0tZHBvcnQgMTIzIC1qIFJFRElSRUNUDQorCWZpDQorDQorZWxzZQ0KKw0KKwlpZiBp cHRhYmxlcyAtdCBuYXQgLUMgQ1VTVE9NUFJFUk9VVElORyAtaSBibHVlMCAtcCB1ZHAgLW0gdWRw IC0tZHBvcnQgMTIzIC1qIFJFRElSRUNUID4vZGV2L251bGwgMj4mMTsgdGhlbg0KKwkJaXB0YWJs ZXMgLXQgbmF0IC1EIENVU1RPTVBSRVJPVVRJTkcgLWkgYmx1ZTAgLXAgdWRwIC1tIHVkcCAtLWRw b3J0IDEyMyAtaiBSRURJUkVDVCA+L2Rldi9udWxsIDI+JjENCisJZmkNCisNCitmaQ0KKw0KIAkj IEFjY2VwdCBldmVyeXRoaW5nIGNvbm5lY3RlZA0KIAlmb3IgaSBpbiBJTlBVVCBGT1JXQVJEIE9V VFBVVDsgZG8NCiAJCWlwdGFibGVzIC1BICR7aX0gLWogQ09OTlRSQUNLDQo= --===============5107245272089449805== Content-Type: text/plain Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="03_firewall_restart_in_optionsfw_cgi.patch" MIME-Version: 1.0 ZGlmZiAtVSAzIEM6L0NvbXBhcmUvZm9yY2UgZG5zL3R1bmVkIDAxL29wdGlvbnNmdy5jZ2kgQzov Q29tcGFyZS9mb3JjZSBkbnMvdHVuZWQgMDIvb3B0aW9uc2Z3LmNnaQ0KLS0tIEM6L0NvbXBhcmUv Zm9yY2UgZG5zL3R1bmVkIDAxL29wdGlvbnNmdy5jZ2kJU3VuIE5vdiAgOCAyMDoxNzo1NCAyMDIw DQorKysgQzovQ29tcGFyZS9mb3JjZSBkbnMvdHVuZWQgMDIvb3B0aW9uc2Z3LmNnaQlTdW4gTm92 IDIyIDIwOjA2OjU2IDIwMjANCkBAIC02OSw2ICs2OSwzMSBAQA0KIAkmR2VuZXJhbDo6cmVhZGhh c2goJGZpbGVuYW1lLCBcJXNldHRpbmdzKTsgICAgICAgICAgICAgIyBMb2FkIGdvb2Qgc2V0dGlu Z3MNCiB9DQogDQoraWYgKCRzZXR0aW5nc3snQUNUSU9OJ30gZXEgJExhbmc6OnRyeydmdyBzZXR0 aW5ncyBzYXZlIGFuZCByZXN0YXJ0J30pIHsNCisJaWYgKCRzZXR0aW5nc3snZGVmcG9sJ30gbmUg JzEnKXsNCisJCSRlcnJvcm1lc3NhZ2UgLj0gJExhbmc6OnRyeyduZXcgb3B0aW9uc2Z3IGxhdGVy J307DQorCQkmR2VuZXJhbDo6d3JpdGVoYXNoKCRmaWxlbmFtZSwgXCVzZXR0aW5ncyk7ICAgICAg ICAgICAgICMgU2F2ZSBnb29kIHNldHRpbmdzDQorCQlzeXN0ZW0oIi91c3IvbG9jYWwvYmluL2Zp cmV3YWxsY3RybCIpOw0KKwl9ZWxzZXsNCisJCWlmICgkc2V0dGluZ3N7J1BPTElDWSd9IG5lICcn KXsNCisJCQkkZndkZndzZXR0aW5nc3snUE9MSUNZJ30gPSAkc2V0dGluZ3N7J1BPTElDWSd9Ow0K KwkJfQ0KKwkJaWYgKCRzZXR0aW5nc3snUE9MSUNZMSd9IG5lICcnKXsNCisJCQkkZndkZndzZXR0 aW5nc3snUE9MSUNZMSd9ID0gJHNldHRpbmdzeydQT0xJQ1kxJ307DQorCQl9DQorCQlteSAkTU9E RSA9ICRmd2Rmd3NldHRpbmdzeydQT0xJQ1knfTsNCisJCW15ICRNT0RFMSA9ICRmd2Rmd3NldHRp bmdzeydQT0xJQ1kxJ307DQorCQklZndkZndzZXR0aW5ncyA9ICgpOw0KKwkJJGZ3ZGZ3c2V0dGlu Z3N7J1BPTElDWSd9ID0gIiRNT0RFIjsNCisJCSRmd2Rmd3NldHRpbmdzeydQT0xJQ1kxJ30gPSAi JE1PREUxIjsNCisJCSZHZW5lcmFsOjp3cml0ZWhhc2goIiR7R2VuZXJhbDo6c3dyb290fS9maXJl d2FsbC9zZXR0aW5ncyIsIFwlZndkZndzZXR0aW5ncyk7DQorCQkmR2VuZXJhbDo6cmVhZGhhc2go IiR7R2VuZXJhbDo6c3dyb290fS9maXJld2FsbC9zZXR0aW5ncyIsIFwlZndkZndzZXR0aW5ncyk7 DQorCQlzeXN0ZW0oIi91c3IvbG9jYWwvYmluL2ZpcmV3YWxsY3RybCIpOw0KKwkJc3lzdGVtKCIv ZXRjL3JjLmQvaW5pdC5kL2ZpcmV3YWxsIHJlc3RhcnQgPi9kZXYvbnVsbCAyPiYxICIpOw0KKwl9 DQorCSZHZW5lcmFsOjpyZWFkaGFzaCgkZmlsZW5hbWUsIFwlc2V0dGluZ3MpOyAgICAgICAgICAg ICAjIExvYWQgZ29vZCBzZXR0aW5ncw0KK30NCisNCiAmSGVhZGVyOjpvcGVucGFnZSgkTGFuZzo6 dHJ7J29wdGlvbnMgZncnfSwgMSwgJycpOw0KICZIZWFkZXI6Om9wZW5iaWdib3goJzEwMCUnLCAn bGVmdCcsICcnLCAkZXJyb3JtZXNzYWdlKTsNCiAmR2VuZXJhbDo6cmVhZGhhc2goJGZpbGVuYW1l LCBcJXNldHRpbmdzKTsNCkBAIC0zNzAsNyArMzk1LDggQEANCiA8YnIgLz4NCiA8dGFibGUgd2lk dGg9JzEwMCUnIGNlbGxzcGFjaW5nPScwJz4NCiA8dHI+PHRkIGFsaWduPSdyaWdodCc+PGZvcm0g bWV0aG9kPSdwb3N0JyBhY3Rpb249JyRFTlZ7J1NDUklQVF9OQU1FJ30nPg0KLTxpbnB1dCB0eXBl PSdzdWJtaXQnIG5hbWU9J0FDVElPTicgdmFsdWU9JExhbmc6OnRyeydzYXZlJ30gLz4NCis8aW5w dXQgdHlwZT0nc3VibWl0JyBuYW1lPSdBQ1RJT04nIHZhbHVlPSckTGFuZzo6dHJ7J3NhdmUnfScg Lz4NCis8aW5wdXQgdHlwZT0nc3VibWl0JyBuYW1lPSdBQ1RJT04nIHZhbHVlPSckTGFuZzo6dHJ7 J2Z3IHNldHRpbmdzIHNhdmUgYW5kIHJlc3RhcnQnfScgLz4NCiA8L2Zvcm0+PC90ZD48L3RyPg0K IDwvdGFibGU+DQogPC9mb3JtPg0K --===============5107245272089449805== Content-Type: text/plain Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="04_optionsfwctrl.c" MIME-Version: 1.0 LyogVGhpcyBmaWxlIGlzIHBhcnQgb2YgdGhlIElQRmlyZSBGaXJld2FsbC4KICoKICogVGhpcyBw cm9ncmFtIGlzIGRpc3RyaWJ1dGVkIHVuZGVyIHRoZSB0ZXJtcyBvZiB0aGUgR05VIEdlbmVyYWwg UHVibGljCiAqIExpY2VuY2UuICBTZWUgdGhlIGZpbGUgQ09QWUlORyBmb3IgZGV0YWlscy4KICoK ICovCgojaW5jbHVkZSA8c3RkbGliLmg+CiNpbmNsdWRlICJzZXR1aWQuaCIKCmludCBtYWluKHZv aWQpCnsKCWlmICghKGluaXRzZXR1aWQoKSkpCgkJZXhpdCgxKTsKCglzYWZlX3N5c3RlbSgiL2V0 Yy9yYy5kL2luaXQuZC9maXJld2FsbCByZXN0YXJ0ID4vZGV2L251bGwgMj4mMSIpOwoKCXJldHVy biAwOwp9Cg== --===============5107245272089449805==--