From 25f0fbb3370352bbccdac2902186732673b9b173 Mon Sep 17 00:00:00 2001
From: Tommaso Bailetti
Date: Thu, 24 Jul 2025 10:08:06 +0200
Subject: [PATCH 1/3] fix(firewall): disabling synflood check from fw4
---
 files/etc/config/firewall | 1 -
 1 file changed, 1 deletion(-)
diff --git a/files/etc/config/firewall b/files/etc/config/firewall
index 4033cf6d3..2f1f93313 100644
--- a/files/etc/config/firewall
+++ b/files/etc/config/firewall
@@ -1,5 +1,4 @@
 config defaults 'ns_defaults'
- option syn_flood 1
 option input REJECT
 option output ACCEPT
 option forward REJECT
From 4eb0652c648bea6afc284fa29f6f8606c0483e59 Mon Sep 17 00:00:00 2001
From: Tommaso Bailetti
Date: Thu, 24 Jul 2025 12:13:26 +0200
Subject: [PATCH 2/3] feat(threat shield ip): add custom management of DoS limits
---
 packages/ns-api/files/ns.threatshield | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)
diff --git a/packages/ns-api/files/ns.threatshield b/packages/ns-api/files/ns.threatshield
index 1cb010452..ccad0ffbb 100644
--- a/packages/ns-api/files/ns.threatshield
+++ b/packages/ns-api/files/ns.threatshield
@@ -177,9 +177,9 @@ def list_settings(e_uci):
 'ban_loglimit': True if int(e_uci.get('banip', 'global', 'ban_loglimit', default=100)) > 0 else False,
 'ban_logcount': e_uci.get('banip', 'global', 'ban_logcount', default=1),
 'ban_logterm': e_uci.get('banip', 'global', 'ban_logterm', list=True, default=[]),
- 'ban_icmplimit': True if int(e_uci.get('banip', 'global', 'ban_icmplimit', default=10)) > 0 else False,
- 'ban_synlimit': True if int(e_uci.get('banip', 'global', 'ban_synlimit', default=10)) > 0 else False,
- 'ban_udplimit': True if int(e_uci.get('banip', 'global', 'ban_udplimit', default=100)) > 0 else False,
+ 'ban_icmplimit': e_uci.get('banip', 'global', 'ban_icmplimit', default=10, dtype=int),
+ 'ban_synlimit': e_uci.get('banip', 'global', 'ban_synlimit', default=10, dtype=int),
+ 'ban_udplimit': e_uci.get('banip', 'global', 'ban_udplimit', default=100, dtype=int),
 'ban_nftexpiry': e_uci.get('banip', 'global', 'ban_nftexpiry', default='30m')
 }
 }
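Review bot: The three limit fields returned by `list_settings` change type from boolean to integer here, and nothing in the hunk records that contract for API consumers. A comment above the entries such as `# DoS limits are integer thresholds; 0 means the limit is disabled` would make it explicit, because a client that compared the old value with `True` will now misread any threshold other than 1. It is also worth confirming how `e_uci.get(..., dtype=int)` behaves when the stored option is not numeric; that helper is not visible in this patch.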
@@ -232,15 +232,15 @@ def edit_settings(e_uci, payload):
 raise ValidationError('ban_logforwardlan', 'invalid', payload['ban_logforwardlan'])
 if 'ban_icmplimit' not in payload:
 raise ValidationError('ban_icmplimit', 'required')
- if not isinstance(payload['ban_icmplimit'], bool):
+ if not (isinstance(payload['ban_icmplimit'], bool) or isinstance(payload['ban_icmplimit'], int)):
 raise ValidationError('ban_icmplimit', 'invalid', payload['ban_icmplimit'])
 if 'ban_synlimit' not in payload:
 raise ValidationError('ban_synlimit', 'required')
- if not isinstance(payload['ban_synlimit'], bool):
+ if not (isinstance(payload['ban_synlimit'], bool) or isinstance(payload['ban_synlimit'], int)):
 raise ValidationError('ban_synlimit', 'invalid', payload['ban_synlimit'])
 if 'ban_udplimit' not in payload:
 raise ValidationError('ban_udplimit', 'required')
- if not isinstance(payload['ban_udplimit'], bool):
+ if not (isinstance(payload['ban_udplimit'], bool) or isinstance(payload['ban_udplimit'], int)):
 raise ValidationError('ban_udplimit', 'invalid', payload['ban_udplimit'])
 if 'ban_loglimit' not in payload:
 raise ValidationError('ban_loglimit', 'required')
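Review bot: The widened type check on `ban_icmplimit`, `ban_synlimit` and `ban_udplimit` accepts any integer, so a negative or arbitrarily large threshold passes validation and is only clamped at zero later in `edit_settings`. Because `bool` is a subclass of `int`, the `isinstance(..., bool) or isinstance(..., int)` pair is equivalent to the single `int` test. Rejecting out-of-range input here keeps a typo from silently weakening the DoS limits, for example `if not isinstance(payload['ban_icmplimit'], int) or payload['ban_icmplimit'] < 0:`, together with an upper bound the project considers sane (none is given on this page). The body of `edit_settings` begins before and continues after this hunk.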
@@ -273,9 +273,18 @@ def edit_settings(e_uci, payload): e_uci.set('banip', 'global', 'ban_logforwardlan', payload['ban_logforwardlan']) e_uci.set('banip', 'global', 'ban_loglimit', 100 if payload['ban_loglimit'] else 0) - e_uci.set('banip', 'global', 'ban_icmplimit', 10 if payload['ban_icmplimit'] else 0) - e_uci.set('banip', 'global', 'ban_synlimit', 10 if payload['ban_synlimit'] else 0) - e_uci.set('banip', 'global', 'ban_udplimit', 100 if payload['ban_udplimit'] else 0) + if isinstance(payload['ban_icmplimit'], int): + e_uci.set('banip', 'global', 'ban_icmplimit', max(0, payload['ban_icmplimit'])) + else: + e_uci.set('banip', 'global', 'ban_icmplimit', 10 if payload['ban_icmplimit'] else 0) + if isinstance(payload['ban_synlimit'], int): + e_uci.set('banip', 'global', 'ban_synlimit', max(0, payload['ban_synlimit'])) + else: + e_uci.set('banip', 'global', 'ban_synlimit', 10 if payload['ban_synlimit'] else 0) + if isinstance(payload['ban_udplimit'], int): + e_uci.set('banip', 'global', 'ban_udplimit', max(0, payload['ban_udplimit'])) + else: + e_uci.set('banip', 'global', 'ban_udplimit', 100 if payload['ban_udplimit'] else 0) if payload['ban_loglimit']: e_uci.set('banip', 'global', 'ban_logcount', payload['ban_logcount']) From 3a530c2a8f74639969d4e32bde66a235a2e1c366 Mon Sep 17 00:00:00 2001 From: Tommaso Bailetti Date: Fri, 25 Jul 2025 11:45:01 +0200 Subject: [PATCH 3/3] fix: added defaults --- packages/ns-api/files/ns.threatshield | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/packages/ns-api/files/ns.threatshield b/packages/ns-api/files/ns.threatshield index ccad0ffbb..45fc5b391 100644 --- a/packages/ns-api/files/ns.threatshield +++ b/packages/ns-api/files/ns.threatshield 
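Review bot: A legacy boolean payload never reaches the `else` branches added in this hunk, because `isinstance(True, int)` is true in Python. `True` therefore goes through `max(0, True)` and is handed to `e_uci.set` as `True` instead of the previous default of 10 or 100; depending on how `e_uci.set` serialises booleans (not visible here) that may be stored as a threshold of 1, which would rate-limit ordinary traffic. Test for the boolean case first, e.g. `if isinstance(payload['ban_icmplimit'], bool):` with the two branches swapped, and do the same for `ban_synlimit` and `ban_udplimit`. `edit_settings` starts and ends outside the hunk.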
@@ -167,6 +167,9 @@ def list_blocklist(e_uci): return { "data": ret } def list_settings(e_uci): + ban_icmplimit_default = 25 + ban_synlimit_default = 10 + ban_udplimit_default = 100 return { 'data': { 'enabled': e_uci.get('banip', 'global', 'ban_enabled') == '1', @@ -177,10 +180,13 @@ def list_settings(e_uci): 'ban_loglimit': True if int(e_uci.get('banip', 'global', 'ban_loglimit', default=100)) > 0 else False, 'ban_logcount': e_uci.get('banip', 'global', 'ban_logcount', default=1), 'ban_logterm': e_uci.get('banip', 'global', 'ban_logterm', list=True, default=[]), - 'ban_icmplimit': e_uci.get('banip', 'global', 'ban_icmplimit', default=10, dtype=int), - 'ban_synlimit': e_uci.get('banip', 'global', 'ban_synlimit', default=10, dtype=int), - 'ban_udplimit': e_uci.get('banip', 'global', 'ban_udplimit', default=100, dtype=int), - 'ban_nftexpiry': e_uci.get('banip', 'global', 'ban_nftexpiry', default='30m') + 'ban_icmplimit': e_uci.get('banip', 'global', 'ban_icmplimit', default=ban_icmplimit_default, dtype=int), + 'ban_synlimit': e_uci.get('banip', 'global', 'ban_synlimit', default=ban_synlimit_default, dtype=int), + 'ban_udplimit': e_uci.get('banip', 'global', 'ban_udplimit', default=ban_udplimit_default, dtype=int), + 'ban_nftexpiry': e_uci.get('banip', 'global', 'ban_nftexpiry', default='30m'), + 'ban_icmplimit_default': ban_icmplimit_default, + 'ban_synlimit_default': ban_synlimit_default, + 'ban_udplimit_default': ban_udplimit_default, } }
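Review bot: The defaults added as locals at the top of `list_settings` are not shared with `edit_settings`, which in patch 2/3 (untouched by this patch) still hard-codes `10 if payload['ban_icmplimit'] else 0`, so the ICMP fallback is 25 on read and 10 on write. Hoisting them to module-level constants, for example `BAN_ICMPLIMIT_DEFAULT = 25`, and using those in both functions keeps the advertised default and the stored one from drifting apart. The move of the ICMP default from 10 to 25 also deserves a short comment or a line in the commit message explaining the choice, since the subject only says "added defaults".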