From 6ada49b194c90eee550313bbf866b71023e24add Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Wed, 24 Apr 2013 14:17:24 +0000 Subject: [PATCH] firewall3: Make IPv6 ULA-Border generation dynamic This fixes working behind another router which gives out ULAs. git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36416 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- package/network/config/firewall3/Makefile | 4 ++- .../config/firewall3/files/firewall.config | 26 +++++-------------- .../config/firewall3/files/ipv6-ula-border.sh | 6 +++++ 3 files changed, 16 insertions(+), 20 deletions(-) create mode 100644 package/network/config/firewall3/files/ipv6-ula-border.sh diff --git a/package/network/config/firewall3/Makefile b/package/network/config/firewall3/Makefile index 5455f8f08d..0e9053f1e4 100644 --- a/package/network/config/firewall3/Makefile +++ b/package/network/config/firewall3/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=firewall3 -PKG_VERSION:=2013-03-22 +PKG_VERSION:=2013-04-24 PKG_RELEASE:=$(PKG_SOURCE_VERSION) PKG_SOURCE_PROTO:=git @@ -49,6 +49,8 @@ define Package/firewall3/install $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall $(INSTALL_DIR) $(1)/etc/ $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user + $(INSTALL_DIR) $(1)/usr/share/firewall/ + $(INSTALL_BIN) ./files/ipv6-ula-border.sh $(1)/usr/share/firewall/ipv6-ula-border.sh endef $(eval $(call BuildPackage,firewall3)) diff --git a/package/network/config/firewall3/files/firewall.config b/package/network/config/firewall3/files/firewall.config index 6acfe1e86a..fa09b6819e 100644 --- a/package/network/config/firewall3/files/firewall.config +++ b/package/network/config/firewall3/files/firewall.config 
@@ -95,29 +95,17 @@ config rule option family ipv6 option target ACCEPT -# Block ULA-traffic from leaking out -config rule - option name Enforce-ULA-Border-Src - option src * - option dest wan - option proto all - option src_ip fc00::/7 - option family ipv6 - option target REJECT - -config rule - option name Enforce-ULA-Border-Dest - option src * - option dest wan - option proto all - option dest_ip fc00::/7 - option family ipv6 - option target REJECT - # include a file with users custom iptables rules config include option path /etc/firewall.user +# include IPv6 ULA-border +config include + option type script + option path /usr/share/firewall/ipv6-ula-border.sh + option family IPv6 + option reload 1 + ### EXAMPLE CONFIG SECTIONS # do not allow a specific ip to access wan diff --git a/package/network/config/firewall3/files/ipv6-ula-border.sh b/package/network/config/firewall3/files/ipv6-ula-border.sh new file mode 100644 index 0000000000..ebd23a9851 --- /dev/null +++ b/package/network/config/firewall3/files/ipv6-ula-border.sh @@ -0,0 +1,6 @@ +#!/bin/sh +ULA_PREFIX=$(uci -q get network.globals.ula_prefix) +[ -n "$ULA_PREFIX" ] || exit 0 + +ip6tables -I delegate_forward -s $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT +ip6tables -I delegate_forward -d $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
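Review bot: The new comment `# include IPv6 ULA-border` says less than the removed `# Block ULA-traffic from leaking out` did, and it hides a real change in scope: the deleted rules rejected all of fc00::/7 to and from wan, whereas the included script only rejects the prefix stored in network.globals.ula_prefix, so ULA traffic with any other prefix is now forwarded like ordinary IPv6. That is the intended effect per the commit message, but an admin reading /etc/config/firewall cannot see it, so I would write `# enforce the IPv6 ULA border: reject forwarded traffic to/from the local ula_prefix (network.globals.ula_prefix) on wan; other fc00::/7 prefixes are not blocked` in place of the one-liner. It would also help to note next to `option reload 1` that the script is re-run on every firewall reload so a changed ula_prefix takes effect; I am inferring that from the option name rather than from anything visible here.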
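Review bot: `$ULA_PREFIX` is expanded unquoted into both ip6tables commands and nothing checks that the value read from uci is shaped like an IPv6 prefix, so a malformed or whitespace-containing value becomes extra ip6tables arguments instead of a single address match. Since the script runs as root from the firewall reload path and the only guard is the emptiness test, I would add `case "$ULA_PREFIX" in f[cd]*:*/*) ;; *) exit 1 ;; esac` after the emptiness check and write the matches as `-s "$ULA_PREFIX"` and `-d "$ULA_PREFIX"`. There is also no `set -e` and the two inserts are not chained, so if the first ip6tables call fails the script still exits 0 and the border is silently only half enforced; joining them with `&&` or ending with `exit $?` would surface that to firewall3.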