Adds basic package skeleton for the ffpb-ebtables-net-rules into a feature branch.

This is NOT a complete package NOR has the current implementation been tested. It just reflects the state of the work as it exists on my harddrive, hence it is committed into a feature-branch such that someone else can continue the work ...

Adds basic package skeleton for the ffpb-ebtables-net-rules into a feature branch.
This is NOT a complete package NOR has the current implementation been tested. It just reflects the state of the work as it exists on my harddrive, hence it is committed into a feature-branch such that someone else can continue the work ...
90e82ca4 · Stefan Laudemann · d849dd8d · 90e82ca4 · 90e82ca4 · 90e82ca4
Commit 90e82ca4 authored 10 years ago by Stefan Laudemann
--- a/ffpb/ffpb-ebtables-net-rules/Makefile
+++ b/ffpb/ffpb-ebtables-net-rules/Makefile
+include $(TOPDIR)/rules.mk
+PKG_NAME:=ffpb-ebtables-net-rules
+PKG_VERSION:=1
+PKG_RELEASE:=$(GLUON_VERSION).$(GLUON_SITE_CODE)-$(GLUON_RELEASE).$(GLUON_CONFIG_VERSION)
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+include $(INCLUDE_DIR)/package.mk
+define Package/ffpb-ebtables-net-rules
+  SECTION:=ffpb
+  CATEGORY:=Gluon
+  TITLE:=FFPB net-specific ebtables rules to filter unreasonable L2 traffic.
+  DEPENDS:=+gluon-core +gluon-ebtables
+  MAINTAINER:=Freifunk Paderborn <maschinenraum@paderborn.freifunk.net>
+  URL:=https://git.c3pb.de/freifunk-pb/ffpb-packages
+  SOURCE:=git@git.c3pb.de:freifunk-pb/ffpb-packages.git
+endef
+define Package/ffpb-ebtables-net-rules/description
+	This package adds an additional layer-2 filter-ruleset to prevent traffic,
+	which is not destined for any Freifunk Paderborn layer-3 specific target,
+	from entering the network via the nodes.
+endef
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+define Build/Configure
+endef
+define Build/Compile
+endef
+define Package/ffpb-ebtables-net-rules/install
+	$(INSTALL_DIR) $(1)/lib/gluon/ebtables/
+	$(CP) ./files/lib/gluon/ebtables/100-ffpb-net-chain $(1)/lib/gluon/ebtables/
+	$(CP) ./files/lib/gluon/ebtables/110-ffpb-net-allow-ipv4-space $(1)/lib/gluon/ebtables/
+	$(CP) ./files/lib/gluon/ebtables/110-ffpb-net-allow-ipv6-spaces $(1)/lib/gluon/ebtables/
+	$(CP) ./files/lib/gluon/ebtables/400-add-ffpb-net-chain $(1)/lib/gluon/ebtables/
+endef
+$(eval $(call BuildPackage,ffpb-ebtables-net-rules))
--- a/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/100-ffpb-net-chain
+++ b/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/100-ffpb-net-chain
+chain('FFPB_NET_ONLY', 'DROP') 
--- a/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/110-ffpb-net-allow-ipv4-space
+++ b/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/110-ffpb-net-allow-ipv4-space
+rule 'FFPB_NET_ONLY -p IPv4 --ip-src 10.132.0.0/17 -j RETURN'
+rule 'FFPB_NET_ONLY -p ARP --arp-ip-src 10.132.0.0/17 -j RETURN'
--- a/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/110-ffpb-net-allow-ipv6-spaces
+++ b/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/110-ffpb-net-allow-ipv6-spaces
+rule 'FFPB_NET_ONLY -p IPv6 --ip6-src fe80::/10 -j RETURN'
+rule 'FFPB_NET_ONLY -p IPv6 --ip6-dst ff00::/8 -j RETURN'
+rule 'FFPB_NET_ONLY -p IPv6 --ip6-src fdca:ffee:ff12:132::/64 -j RETURN'
+rule 'FFPB_NET_ONLY -p IPv6 --ip6-src 2001:470:6d:860::/64 -j RETURN'
+rule 'FFPB_NET_ONLY -p IPv6 --ip6-src 2a03:2260:113::/48 -j RETURN'
--- a/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffpb-net-chain
+++ b/ffpb/ffpb-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffpb-net-chain
+rule 'FORWARD --logical-in br-client -i ! bat0 -j FFPB_NET_ONLY'