firewall3: Make IPv6 ULA-Border generation dynamic
This fixes operation behind another router that hands out ULAs.

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36416 3c298f89-4303-0410-b956-a3cf2f4a3e73
parent
c8635ed842
commit
6ada49b194
|
@ -8,7 +8,7 @@
|
||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=firewall3
|
PKG_NAME:=firewall3
|
||||||
PKG_VERSION:=2013-03-22
|
PKG_VERSION:=2013-04-24
|
||||||
PKG_RELEASE:=$(PKG_SOURCE_VERSION)
|
PKG_RELEASE:=$(PKG_SOURCE_VERSION)
|
||||||
|
|
||||||
PKG_SOURCE_PROTO:=git
|
PKG_SOURCE_PROTO:=git
|
||||||
|
@ -49,6 +49,8 @@ define Package/firewall3/install
|
||||||
$(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
|
$(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
|
||||||
$(INSTALL_DIR) $(1)/etc/
|
$(INSTALL_DIR) $(1)/etc/
|
||||||
$(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
|
$(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
|
||||||
|
$(INSTALL_DIR) $(1)/usr/share/firewall/
|
||||||
|
$(INSTALL_BIN) ./files/ipv6-ula-border.sh $(1)/usr/share/firewall/ipv6-ula-border.sh
|
||||||
endef
|
endef
|
||||||
|
|
||||||
$(eval $(call BuildPackage,firewall3))
|
$(eval $(call BuildPackage,firewall3))
|
||||||
|
|
|
@ -95,29 +95,17 @@ config rule
|
||||||
option family ipv6
|
option family ipv6
|
||||||
option target ACCEPT
|
option target ACCEPT
|
||||||
|
|
||||||
# Block ULA-traffic from leaking out
|
|
||||||
config rule
|
|
||||||
option name Enforce-ULA-Border-Src
|
|
||||||
option src *
|
|
||||||
option dest wan
|
|
||||||
option proto all
|
|
||||||
option src_ip fc00::/7
|
|
||||||
option family ipv6
|
|
||||||
option target REJECT
|
|
||||||
|
|
||||||
config rule
|
|
||||||
option name Enforce-ULA-Border-Dest
|
|
||||||
option src *
|
|
||||||
option dest wan
|
|
||||||
option proto all
|
|
||||||
option dest_ip fc00::/7
|
|
||||||
option family ipv6
|
|
||||||
option target REJECT
|
|
||||||
|
|
||||||
# include a file with users custom iptables rules
|
# include a file with users custom iptables rules
|
||||||
config include
|
config include
|
||||||
option path /etc/firewall.user
|
option path /etc/firewall.user
|
||||||
|
|
||||||
|
# include IPv6 ULA-border
|
||||||
|
config include
|
||||||
|
option type script
|
||||||
|
option path /usr/share/firewall/ipv6-ula-border.sh
|
||||||
|
option family IPv6
|
||||||
|
option reload 1
|
||||||
|
|
||||||
|
|
||||||
### EXAMPLE CONFIG SECTIONS
|
### EXAMPLE CONFIG SECTIONS
|
||||||
# do not allow a specific ip to access wan
|
# do not allow a specific ip to access wan
|
||||||
|
|
|
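Review bot: The new `# include IPv6 ULA-border` comment does not say that the border is now narrower than the two rules removed above it. Those rejected all of fc00::/7 with `dest wan`, whereas the script this include points to (added in the same commit) matches only the prefix stored in `network.globals.ula_prefix` and adds no rule when that option is unset. I would state that in the comment, e.g. `# include IPv6 ULA-border: rejects forwarding of the local ula_prefix via the wan zone; adds no rules if network.globals.ula_prefix is unset`. The include also spells `option family IPv6` while the rule sections in this file use `option family ipv6`; using one spelling avoids relying on how the parser treats case. The surrounding config continues outside the hunk.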
@ -0,0 +1,6 @@
|
||||||
|
#!/bin/sh
|
||||||
|
ULA_PREFIX=$(uci -q get network.globals.ula_prefix)
|
||||||
|
[ -n "$ULA_PREFIX" ] || exit 0
|
||||||
|
|
||||||
|
ip6tables -I delegate_forward -s $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
|
||||||
|
ip6tables -I delegate_forward -d $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
|
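Review bot: `$ULA_PREFIX` is expanded unquoted in both `ip6tables` calls, so a value from UCI that contains whitespace is split into extra `ip6tables` arguments; quote it as `-s "$ULA_PREFIX"` and `-d "$ULA_PREFIX"`. The script also does not check the result of the first call, so a malformed prefix or a missing `zone_wan_dest_REJECT` chain (which presumably exists only when a zone named wan is defined) leaves the border partly or wholly unenforced with no message; logging a failure, e.g. `|| logger -t firewall "ULA border rule not installed"`, would make that visible. Because the include is registered with `option reload 1` and the rules are added with `-I`, it is worth confirming that `delegate_forward` is rebuilt on reload, otherwise duplicate rules would accumulate.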