firewall3: Make IPv6 ULA-Border generation dynamic

This fixes operation behind another router that hands out ULAs.

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36416 3c298f89-4303-0410-b956-a3cf2f4a3e73
master
Steven Barth 2013-04-24 14:17:24 +00:00
parent c8635ed842
commit 6ada49b194
3 changed files with 16 additions and 20 deletions


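--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall3
-PKG_VERSION:=2013-03-22
+PKG_VERSION:=2013-04-24
 PKG_RELEASE:=$(PKG_SOURCE_VERSION)
 PKG_SOURCE_PROTO:=git
@@ -49,6 +49,8 @@ define Package/firewall3/install
 $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
 $(INSTALL_DIR) $(1)/etc/
 $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
+$(INSTALL_DIR) $(1)/usr/share/firewall/
+$(INSTALL_BIN) ./files/ipv6-ula-border.sh $(1)/usr/share/firewall/ipv6-ula-border.sh
 endef
 $(eval $(call BuildPackage,firewall3))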


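--- a/files/firewall.config
+++ b/files/firewall.config
@@ -95,29 +95,17 @@ config rule
 option family ipv6
 option target ACCEPT
-# Block ULA-traffic from leaking out
-config rule
-option name Enforce-ULA-Border-Src
-option src *
-option dest wan
-option proto all
-option src_ip fc00::/7
-option family ipv6
-option target REJECT
-config rule
-option name Enforce-ULA-Border-Dest
-option src *
-option dest wan
-option proto all
-option dest_ip fc00::/7
-option family ipv6
-option target REJECT
 # include a file with users custom iptables rules
 config include
 option path /etc/firewall.user
+# include IPv6 ULA-border
+config include
+option type script
+option path /usr/share/firewall/ipv6-ula-border.sh
+option family IPv6
+option reload 1
 ### EXAMPLE CONFIG SECTIONS
 # do not allow a specific ip to access wan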
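Review bot: The new `# include IPv6 ULA-border` comment does not say that enforcement is now limited to this router's own prefix read from network.globals.ula_prefix, whereas the removed rules rejected all of fc00::/7 towards wan; a reader of this config will not see that other ULA space is no longer filtered at the wan border. Suggest `# Block this router's own ULA prefix (network.globals.ula_prefix) from leaking to/from wan; see /usr/share/firewall/ipv6-ula-border.sh`. The `option reload 1` line presumably re-runs the script on every firewall reload so the rules track prefix changes; the comment could state that too.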


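--- /dev/null
+++ b/files/ipv6-ula-border.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+ULA_PREFIX=$(uci -q get network.globals.ula_prefix)
+[ -n "$ULA_PREFIX" ] || exit 0
+ip6tables -I delegate_forward -s $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
+ip6tables -I delegate_forward -d $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT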
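Review bot: `$ULA_PREFIX` is expanded unquoted on both ip6tables lines, so a uci value containing whitespace would be split into separate arguments; quote it as `-s "$ULA_PREFIX"` and `-d "$ULA_PREFIX"`. The ip6tables exit codes are not checked either, so if the delegate_forward chain or the zone_wan_dest_REJECT target is missing the first failure is only printed and the script's status is whatever the last command returns. A header comment stating that only the locally configured ULA prefix is filtered (not all of fc00::/7, which the previous static rules covered) and that the script exits silently when no prefix is configured would help the next maintainer.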