authorSteven Barth <cyrus@openwrt.org>2013-04-24 14:17:24 +0000
committerSteven Barth <cyrus@openwrt.org>2013-04-24 14:17:24 +0000
commit2c78c1457b2a0f44dd295bbf5fc7c6e6465409a5 (patch)
tree132dfc7d1dee8c95a3069eea91249467594d0bc9
parentaf30e5e6bb5dcf1b615ea862fd8bb7b902c7a852 (diff)
downloadupstream-2c78c1457b2a0f44dd295bbf5fc7c6e6465409a5.tar.gz
upstream-2c78c1457b2a0f44dd295bbf5fc7c6e6465409a5.tar.bz2
upstream-2c78c1457b2a0f44dd295bbf5fc7c6e6465409a5.zip
firewall3: Make IPv6 ULA-Border generation dynamic
This fixes operation behind another router that gives out ULAs. SVN-Revision: 36416
-rw-r--r--package/network/config/firewall3/Makefile4
-rw-r--r--package/network/config/firewall3/files/firewall.config26
-rw-r--r--package/network/config/firewall3/files/ipv6-ula-border.sh6
3 files changed, 16 insertions, 20 deletions
diff --git a/package/network/config/firewall3/Makefile b/package/network/config/firewall3/Makefile
index 5455f8f08d..0e9053f1e4 100644
--- a/package/network/config/firewall3/Makefile
+++ b/package/network/config/firewall3/Makefile
@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=firewall3
-PKG_VERSION:=2013-03-22
+PKG_VERSION:=2013-04-24
PKG_RELEASE:=$(PKG_SOURCE_VERSION)
PKG_SOURCE_PROTO:=git
@@ -49,6 +49,8 @@ define Package/firewall3/install
$(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
$(INSTALL_DIR) $(1)/etc/
$(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
+ $(INSTALL_DIR) $(1)/usr/share/firewall/
+ $(INSTALL_BIN) ./files/ipv6-ula-border.sh $(1)/usr/share/firewall/ipv6-ula-border.sh
endef
$(eval $(call BuildPackage,firewall3))
diff --git a/package/network/config/firewall3/files/firewall.config b/package/network/config/firewall3/files/firewall.config
index 6acfe1e86a..fa09b6819e 100644
--- a/package/network/config/firewall3/files/firewall.config
+++ b/package/network/config/firewall3/files/firewall.config
@@ -95,29 +95,17 @@ config rule
option family ipv6
option target ACCEPT
-# Block ULA-traffic from leaking out
-config rule
- option name Enforce-ULA-Border-Src
- option src *
- option dest wan
- option proto all
- option src_ip fc00::/7
- option family ipv6
- option target REJECT
-
-config rule
- option name Enforce-ULA-Border-Dest
- option src *
- option dest wan
- option proto all
- option dest_ip fc00::/7
- option family ipv6
- option target REJECT
-
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
+# include IPv6 ULA-border
+config include
+ option type script
+ option path /usr/share/firewall/ipv6-ula-border.sh
+ option family IPv6
+ option reload 1
+
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
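Review bot: The comment `# include IPv6 ULA-border` on the new include does not say that the border is now narrower than the two removed rules. Those rejected all of fc00::/7 towards wan, while the script added in this commit filters only the prefix stored in `network.globals.ula_prefix` and installs nothing when that option is empty. I would spell that out, e.g. `# Reject forwarding of the local ULA prefix (network.globals.ula_prefix) to wan; other fc00::/7 ranges are no longer filtered`. Separately, `option family IPv6` differs from the lowercase `option family ipv6` used by the rule just above; unless the parser is known to accept both spellings, the lowercase form is the safer and more consistent choice.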
diff --git a/package/network/config/firewall3/files/ipv6-ula-border.sh b/package/network/config/firewall3/files/ipv6-ula-border.sh
new file mode 100644
index 0000000000..ebd23a9851
--- /dev/null
+++ b/package/network/config/firewall3/files/ipv6-ula-border.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+ULA_PREFIX=$(uci -q get network.globals.ula_prefix)
+[ -n "$ULA_PREFIX" ] || exit 0
+
+ip6tables -I delegate_forward -s $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
+ip6tables -I delegate_forward -d $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
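Review bot: `$ULA_PREFIX` is expanded unquoted in both `ip6tables` calls, so a value of `network.globals.ula_prefix` containing whitespace would be split into extra ip6tables arguments in a script that presumably runs as root; write `-s "$ULA_PREFIX"` and `-d "$ULA_PREFIX"`. The target `zone_wan_dest_REJECT` hard-codes a zone named wan, so on a configuration without that zone the insert presumably fails and no border is enforced, and the script neither checks nor reports this; a comment stating the dependency would help. Because the include sets `option reload 1` and the rules are added with `-I`, it is also worth confirming that `delegate_forward` is flushed on reload so the two rules do not accumulate.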