authorSteven Barth <steven@midlink.org>2013-01-04 15:59:28 +0000
committerSteven Barth <steven@midlink.org>2013-01-04 15:59:28 +0000
commitd2072402f76d5c2c93e2981b0fd6d954cdce5136 (patch)
treee3b81c8f25b49464cef98cd021d2ddb55400be63
parentf537f292a3161a296f8d5166671e158cd09a9c14 (diff)
firewall: Add ULA site border for IPv6 traffic
This prevents private traffic from leaking out to the internet.

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@35012 3c298f89-4303-0410-b956-a3cf2f4a3e73
-rw-r--r--package/network/config/firewall/Makefile2
-rw-r--r--package/network/config/firewall/files/firewall.config19
2 files changed, 20 insertions, 1 deletions
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
index 4d7970a502..1cfc734a32 100644
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
PKG_VERSION:=2
-PKG_RELEASE:=55
+PKG_RELEASE:=56
include $(INCLUDE_DIR)/package.mk
diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config
index a87413904d..6acfe1e86a 100644
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -95,6 +95,25 @@ config rule
option family ipv6
option target ACCEPT
+# Block ULA-traffic from leaking out
+config rule
+ option name Enforce-ULA-Border-Src
+ option src *
+ option dest wan
+ option proto all
+ option src_ip fc00::/7
+ option family ipv6
+ option target REJECT
+
+config rule
+ option name Enforce-ULA-Border-Dest
+ option src *
+ option dest wan
+ option proto all
+ option dest_ip fc00::/7
+ option family ipv6
+ option target REJECT
+
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
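Review bot: Both new rules combine `option src *` with `option dest wan`, which as far as I can tell makes them forward-only rules, so packets the router itself sends with a ULA source or destination, and ULA-sourced packets arriving on wan, are not covered by this border. If that scope is intended, the comment should state it, e.g. `# ULA site border (fc00::/7): reject forwarded IPv6 towards wan; router-originated and inbound traffic are not filtered here`. The rules are also placed after the rule ending in `option target ACCEPT` just above, whose match criteria are outside the hunk, so it is worth confirming that no earlier ACCEPT can match ULA traffic towards wan before these REJECTs are evaluated. Setups where the upstream link legitimately uses ULA addressing will lose that connectivity by default, which deserves a line in the comment on how to disable the two rules.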