An extra option (AllowedClientIPs:list) is available to allow
specific clients to use this service.

Testing done:
root@OpenWrt:~# uci show dropbear
dropbear.lan=dropbear
dropbear.lan.enable='1'
dropbear.lan.Interface='lan'
dropbear.lan.PasswordAuth='on'
dropbear.lan.RootPasswordAuth='on'
dropbear.lan.Port='22'
dropbear.lan.IdleTimeout='600'
dropbear.wan=dropbear
dropbear.wan.Interface='wan'
dropbear.wan.PasswordAuth='on'
dropbear.wan.RootPasswordAuth='on'
dropbear.wan.Port='2223'
dropbear.wan.IdleTimeout='600'
dropbear.wan.enable='1'
dropbear.wan.AllowedClientIPs='1.2.3.4'
dropbear.wan.RootLogin='0'

root@OpenWrt:~# fw3 print | grep dropbear
iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment 
--comment "!fw3: ubus:dropbear[lan] rule 0" -j ACCEPT
iptables -t filter -A zone_wan_input -p tcp -s 1.2.3.4/255.255.255.255 -m tcp 
--dport 2223 -m comment --comment "!fw3: ubus:dropbear[wan] rule 0" -j ACCEPT

Signed-off-by: Pierre Lebleu <pme.leb...@gmail.com>
---
 package/network/services/dropbear/files/dropbear.init  | 47 
++++++++++++++++++++--
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/package/network/services/dropbear/files/dropbear.init 
b/package/network/services/dropbear/files/dropbear.init
index 2225113..2704554 100755
--- a/package/network/services/dropbear/files/dropbear.init
+++ b/package/network/services/dropbear/files/dropbear.init
@@ -43,15 +43,37 @@ validate_section_dropbear()
                'IdleTimeout:uinteger:0' \
                'MaxAuthTries:uinteger:3' \
                'RecvWindowSize:uinteger:0' \
+               'AllowedClientIPs:list(ipaddr)' \
                'mdns:bool:1'
 }
 
+add_fw_rules()
+{
+       local intf="$1"
+       local port="$2"
+       local client="$3"
+
+       [ -z "${intf}" ] && return
+       local zone=$(fw3 -q network "${intf}")
+       [ -z "${zone}" ] && return
+
+       json_add_object ""
+       json_add_string type rule
+       json_add_string src "${zone}"
+       json_add_string proto tcp
+       json_add_string dest_port "${port}"
+       [ -n "${client}" ] && json_add_string src_ip "${client}"
+       json_add_string target ACCEPT
+       json_close_object
+}
+
 dropbear_instance()
 {
        local PasswordAuth enable Interface GatewayPorts \
                RootPasswordAuth RootLogin rsakeyfile \
                BannerFile Port SSHKeepAlive IdleTimeout \
-               MaxAuthTries RecvWindowSize mdns ipaddrs
+               MaxAuthTries RecvWindowSize AllowedClientIPs \
+               mdns ipaddrs
 
        validate_section_dropbear "${1}" || {
                echo "validation failed"
@@ -69,7 +91,8 @@ dropbear_instance()
        PIDCOUNT="$(( ${PIDCOUNT} + 1))"
        local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
 
-       procd_open_instance
+       procd_open_instance "${1}"
+
        procd_set_param command "$PROG" -F -P "$pid_file"
        [ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
        [ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
@@ -83,8 +106,22 @@ dropbear_instance()
        [ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T 
"${MaxAuthTries}"
        [ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \
                procd_append_param command -W "${RecvWindowSize}"
-       [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" 
"daemon=dropbear"
        procd_set_param respawn
+
+       procd_open_data
+
+       [ "${mdns}" -ne 0 ] && {
+               json_add_object "mdns"
+               procd_add_mdns_service "ssh" "tcp" "$Port" "daemon=dropbear"
+               json_close_object
+       }
+
+       json_add_array firewall
+       add_fw_rules "${Interface}" "${Port}" "${AllowedClientIPs}"
+       json_close_array
+
+       procd_close_data
+
        procd_close_instance
 }
 
@@ -130,6 +167,10 @@ start_service()
        config_foreach dropbear_instance dropbear
 }
 
+service_started() {
+       procd_set_config_changed firewall
+}
+
 service_triggers()
 {
        local interfaces
-- 
1.9.1


_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev

Reply via email to