From cf30dc0e7a0aee4a86efdd2007bdd0f8440c7dd4 Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Sun, 19 Nov 2006 01:03:47 +0000
Subject: [PATCH] reorganize nat helper packages, move ftp and irc nat to a package that is enabled by default, for security reasons - see #917 for more information
SVN-Revision: 5581
---
 openwrt/target/linux/Config.in | 30 ++++++++++++++-----
 .../control/kmod-ipt-nat-default.control | 4 +++
 .../linux/control/kmod-ipt-nat-pptp.control | 2 +-
 openwrt/target/linux/linux-2.4/Makefile | 3 ++
 openwrt/target/linux/linux-2.4/config/brcm | 8 ++---
 openwrt/target/linux/netfilter.mk | 13 +++++---
 6 files changed, 43 insertions(+), 17 deletions(-)
 create mode 100644 openwrt/target/linux/control/kmod-ipt-nat-default.control
diff --git a/openwrt/target/linux/Config.in b/openwrt/target/linux/Config.in
index 79ad1c1f13..865ec284f4 100644
--- a/openwrt/target/linux/Config.in
+++ b/openwrt/target/linux/Config.in
@@ -49,6 +49,9 @@ config BR2_PACKAGE_KMOD_IPTABLES_EXTRA
  select BR2_PACKAGE_KMOD_IPT_IPOPT
  select BR2_PACKAGE_KMOD_IPT_IPSEC
  select BR2_PACKAGE_KMOD_IPT_NAT
+ select BR2_PACKAGE_KMOD_IPT_NAT_PPTP
+ select BR2_PACKAGE_KMOD_IPT_NAT_H323
+ select BR2_PACKAGE_KMOD_IPT_NAT_RTSP
  select BR2_PACKAGE_KMOD_IPT_NAT_EXTRA
  select BR2_PACKAGE_KMOD_IPT_QUEUE
  select BR2_PACKAGE_KMOD_IPT_ULOG
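Review bot: The three new `select` lines pull the PPTP, H.323 and RTSP NAT packages into BR2_PACKAGE_KMOD_IPTABLES_EXTRA, but the new BR2_PACKAGE_KMOD_IPT_NAT_DEFAULT that now carries the ftp/irc/tftp helpers is not selected, so a build that switches that package off loses those helpers even with kmod-iptables-extra enabled. Given the commit's stated intent (make the ftp/irc helpers removable for security reasons) that is presumably deliberate, but nothing in the file says so, and a later contributor is likely to "complete" the list. A one-line Kconfig comment above the selects would settle it, e.g. `# ftp/irc/tftp NAT helpers live in KMOD_IPT_NAT_DEFAULT (default y) and are intentionally not selected here`. The enclosing `config BR2_PACKAGE_KMOD_IPTABLES_EXTRA` entry starts outside the hunk.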
@@ -114,17 +117,30 @@ config BR2_PACKAGE_KMOD_IPT_NAT
  Includes:
  * ipt_REDIRECT
 
-config BR2_PACKAGE_KMOD_IPT_NAT_H323
- tristate "Netfilter NAT modules for H.323"
- default m
+config BR2_PACKAGE_KMOD_IPT_NAT_DEFAULT
+ tristate "Netfilter NAT modules for special protocols"
+ default y
  help
- Netfilter (IPv4) NAT kernel modules for H.323
+ Default Netfilter (IPv4) NAT kernel modules for special protocols
+
+ Includes:
+ * ip_conntrack_ftp
+ * ip_nat_ftp
+ * ip_conntrack_irc
+ * ip_nat_irc
+ * ip_conntrack_tftp
 
 config BR2_PACKAGE_KMOD_IPT_NAT_PPTP
- tristate "Netfilter NAT modules for PPTP"
+ tristate "Netfilter NAT modules for GRE and PPTP"
  default m
  help
- Netfilter (IPv4) NAT kernel modules for PPTP
+ Netfilter (IPv4) NAT kernel modules for GRE and PPTP
+
+config BR2_PACKAGE_KMOD_IPT_NAT_H323
+ tristate "Netfilter NAT modules for H.323"
+ default m
+ help
+ Netfilter (IPv4) NAT kernel modules for H.323
 
 config BR2_PACKAGE_KMOD_IPT_NAT_RTSP
  tristate "Netfilter NAT modules for RTSP"
@@ -140,8 +156,6 @@ config BR2_PACKAGE_KMOD_IPT_NAT_EXTRA
 
  Includes:
  * ip_conntrack_amanda
- * ip_conntrack_proto_gre
- * ip_nat_proto_gre
  * ip_nat_snmp_basic
  * ip_conntrack_tftp
 
diff --git a/openwrt/target/linux/control/kmod-ipt-nat-default.control b/openwrt/target/linux/control/kmod-ipt-nat-default.control
new file mode 100644
index 0000000000..c443b1b81d
--- /dev/null
+++ b/openwrt/target/linux/control/kmod-ipt-nat-default.control
@@ -0,0 +1,4 @@
+Package: kmod-ipt-nat-default
+Priority: optional
+Section: net
+Description: Default Netfilter (IPv4) NAT kernel modules for special protocols
diff --git a/openwrt/target/linux/control/kmod-ipt-nat-pptp.control b/openwrt/target/linux/control/kmod-ipt-nat-pptp.control
index b4ae5eaed8..377315cbf9 100644
--- a/openwrt/target/linux/control/kmod-ipt-nat-pptp.control
+++ b/openwrt/target/linux/control/kmod-ipt-nat-pptp.control
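Review bot: The `Includes:` list of the new BR2_PACKAGE_KMOD_IPT_NAT_DEFAULT entry is out of step with netfilter.mk in this same patch: it names `* ip_conntrack_tftp` but not ip_nat_tftp, which netfilter.mk also assigns to IPT_NAT_DEFAULT, so `* ip_nat_tftp` should be added after it. The following hunk (@@ -140,8 +156,6 @@) has the mirror problem: it drops the two gre entries from BR2_PACKAGE_KMOD_IPT_NAT_EXTRA's list but keeps `* ip_conntrack_tftp`, although netfilter.mk removes both tftp modules from IPT_NAT_EXTRA, so that line should go as well. Because the commit message gives security as the reason for the split, the new entry's help text is the place to say what turning it off means; something like `Deselecting this package leaves the image without the ftp, irc and tftp conntrack/NAT helpers` would make the choice visible in menuconfig (the claim that nothing else provides them holds only where the kernel config sets them to m, as config/brcm now does). The reworded PPTP entry now ships the gre modules too but has no `Includes:` list for them.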
@@ -1,4 +1,4 @@
 Package: kmod-ipt-nat-pptp
 Priority: optional
 Section: net
-Description: Netfilter (IPv4) NAT kernel modules for PPTP
+Description: Netfilter (IPv4) NAT kernel modules for GRE and PPTP
diff --git a/openwrt/target/linux/linux-2.4/Makefile b/openwrt/target/linux/linux-2.4/Makefile
index ee465b54f1..1fffa68095 100644
--- a/openwrt/target/linux/linux-2.4/Makefile
+++ b/openwrt/target/linux/linux-2.4/Makefile
@@ -76,6 +76,9 @@ $(eval $(call KMOD_template,IPT_IPOPT,ipt-ipopt,\
 $(eval $(call KMOD_template,IPT_IPSEC,ipt-ipsec,\
  $(foreach mod,$(IPT_IPSEC-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \
 ))
+$(eval $(call KMOD_template,IPT_NAT_DEFAULT,ipt-nat-default,\
+ $(foreach mod,$(IPT_NAT_DEFAULT-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \
+))
 $(eval $(call KMOD_template,IPT_NAT,ipt-nat,\
  $(foreach mod,$(IPT_NAT-m),$(MODULES_DIR)/kernel/net/ipv4/netfilter/$(mod).o) \
 ))
diff --git a/openwrt/target/linux/linux-2.4/config/brcm b/openwrt/target/linux/linux-2.4/config/brcm
index a2fa435a5f..f2feb79520 100644
--- a/openwrt/target/linux/linux-2.4/config/brcm
+++ b/openwrt/target/linux/linux-2.4/config/brcm
@@ -353,10 +353,10 @@ CONFIG_SYN_COOKIES=y
 #
 CONFIG_IP_NF_CONNTRACK=y
 CONFIG_IP_NF_CONNTRACK_MARK=y
-CONFIG_IP_NF_FTP=y
+CONFIG_IP_NF_FTP=m
 CONFIG_IP_NF_AMANDA=m
 CONFIG_IP_NF_TFTP=m
-CONFIG_IP_NF_IRC=y
+CONFIG_IP_NF_IRC=m
 CONFIG_IP_NF_CT_PROTO_GRE=m
 CONFIG_IP_NF_PPTP=m
 CONFIG_IP_NF_H323=m
@@ -402,8 +402,8 @@ CONFIG_IP_NF_NAT_AMANDA=m
 CONFIG_IP_NF_NAT_H323=m
 CONFIG_IP_NF_NAT_RTSP=m
 CONFIG_IP_NF_NAT_SNMP_BASIC=m
-CONFIG_IP_NF_NAT_IRC=y
-CONFIG_IP_NF_NAT_FTP=y
+CONFIG_IP_NF_NAT_IRC=m
+CONFIG_IP_NF_NAT_FTP=m
 CONFIG_IP_NF_NAT_TFTP=m
 CONFIG_IP_NF_MANGLE=y
 CONFIG_IP_NF_TARGET_TOS=m
diff --git a/openwrt/target/linux/netfilter.mk b/openwrt/target/linux/netfilter.mk
index 94f9a6c1b9..36820f561c 100644
--- a/openwrt/target/linux/netfilter.mk
+++ b/openwrt/target/linux/netfilter.mk
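Review bot: Only `linux-2.4/config/brcm` flips CONFIG_IP_NF_FTP, CONFIG_IP_NF_IRC and their CONFIG_IP_NF_NAT_* counterparts from `y` to `m`, and netfilter.mk collects the helper modules through `IPT_NAT_DEFAULT-$(CONFIG_IP_NF_FTP)` and friends, so the new package only receives content where the kernel config says `m`. Any other target config in the tree that still sets these symbols to `y` (none is visible in this diff, so this is an inference) would keep the ftp/irc helpers built into the kernel with an empty kmod-ipt-nat-default, and the ability to leave those helpers out — the reason the commit gives for the split — would not exist on that target. Checking the sibling `config/*` files in the same commit, or adding a line such as `# ftp/irc/tftp helpers must stay =m: they are packaged by kmod-ipt-nat-default` above the conntrack block, would pin the invariant. The second brcm hunk (@@ -402,8 +402,8 @@) carries the same point for the CONFIG_IP_NF_NAT_* symbols.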
@@ -53,11 +53,20 @@ IPT_NAT-$(CONFIG_IP_NF_TARGET_MASQUERADE) += ipt_MASQUERADE
 IPT_NAT-$(CONFIG_IP_NF_TARGET_MIRROR) += ipt_MIRROR
 IPT_NAT-$(CONFIG_IP_NF_TARGET_REDIRECT) += ipt_REDIRECT
 
+IPT_NAT_DEFAULT-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp
+IPT_NAT_DEFAULT-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp
+IPT_NAT_DEFAULT-$(CONFIG_IP_NF_FTP) += ip_conntrack_ftp
+IPT_NAT_DEFAULT-$(CONFIG_IP_NF_NAT_FTP) += ip_nat_ftp
+IPT_NAT_DEFAULT-$(CONFIG_IP_NF_IRC) += ip_conntrack_irc
+IPT_NAT_DEFAULT-$(CONFIG_IP_NF_NAT_IRC) += ip_nat_irc
+
 IPT_NAT_H323-m :=
 IPT_NAT_H323-$(CONFIG_IP_NF_H323) += ip_conntrack_h323
 IPT_NAT_H323-$(CONFIG_IP_NF_NAT_H323) += ip_nat_h323
 
 IPT_NAT_PPTP-m +=
+IPT_NAT_PPTP-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre
+IPT_NAT_PPTP-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre
 IPT_NAT_PPTP-$(CONFIG_IP_NF_PPTP) += ip_conntrack_pptp
 IPT_NAT_PPTP-$(CONFIG_IP_NF_NAT_PPTP) += ip_nat_pptp
 
@@ -67,11 +76,7 @@ IPT_NAT_RTSP-$(CONFIG_IP_NF_NAT_RTSP) += ip_nat_rtsp
 
 IPT_NAT_EXTRA-m :=
 IPT_NAT_EXTRA-$(CONFIG_IP_NF_AMANDA) += ip_conntrack_amanda
-IPT_NAT_EXTRA-$(CONFIG_IP_NF_CT_PROTO_GRE) += ip_conntrack_proto_gre
-IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_PROTO_GRE) += ip_nat_proto_gre
 IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic
-IPT_NAT_EXTRA-$(CONFIG_IP_NF_TFTP) += ip_conntrack_tftp
-IPT_NAT_EXTRA-$(CONFIG_IP_NF_NAT_TFTP) += ip_nat_tftp
 
 IPT_QUEUE-m :=
 IPT_QUEUE-$(CONFIG_IP_NF_QUEUE) += ip_queue
-- 
2.30.2
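Review bot: The new `IPT_NAT_DEFAULT-$(...)` block never initialises its module list, whereas the neighbouring groups in the same hunk open with `IPT_NAT_H323-m :=` and `IPT_NAT_PPTP-m +=`; on a target where all six CONFIG_IP_NF_* symbols are `y` or unset, every `+=` lands on `IPT_NAT_DEFAULT-y` or `IPT_NAT_DEFAULT-`, and the `$(IPT_NAT_DEFAULT-m)` reference in the linux-2.4 Makefile expands an undefined variable (silently empty, a warning only under `--warn-undefined-variables`). Add `IPT_NAT_DEFAULT-m :=` as the first line of the block to keep the file's convention and make an empty package an explicit state rather than an accident. The `+=` on the pre-existing `IPT_NAT_PPTP-m` line is the same inconsistency, but it is context rather than part of this patch. The deletion hunk (@@ -67,11 +76,7 @@) is the counterpart move out of IPT_NAT_EXTRA and raises nothing on its own.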