Commit 90e82ca4 authored by Stefan Laudemann's avatar Stefan Laudemann

Adds basic package skeleton for the ffpb-ebtables-net-rules into a feature branch.

This is NOT a complete package, NOR has the current implementation been tested.
It just reflects the state of the work as it exists on my hard drive, hence it
is committed into a feature branch such that someone else can continue the
work ...
parent d849dd8d
include $(TOPDIR)/rules.mk
PKG_NAME:=ffpb-ebtables-net-rules
PKG_VERSION:=1
PKG_RELEASE:=$(GLUON_VERSION).$(GLUON_SITE_CODE)-$(GLUON_RELEASE).$(GLUON_CONFIG_VERSION)
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
include $(INCLUDE_DIR)/package.mk
define Package/ffpb-ebtables-net-rules
SECTION:=ffpb
CATEGORY:=Gluon
TITLE:=FFPB net-specific ebtables rules to filter unreasonable L2 traffic.
DEPENDS:=+gluon-core +gluon-ebtables
MAINTAINER:=Freifunk Paderborn <maschinenraum@paderborn.freifunk.net>
URL:=https://git.c3pb.de/freifunk-pb/ffpb-packages
SOURCE:=git@git.c3pb.de:freifunk-pb/ffpb-packages.git
endef
define Package/ffpb-ebtables-net-rules/description
This package adds an additional layer-2 filter-ruleset to prevent traffic,
which is not destined for any Freifunk Paderborn layer-3 specific target,
from entering the network via the nodes.
endef
define Build/Prepare
mkdir -p $(PKG_BUILD_DIR)
endef
define Build/Configure
endef
define Build/Compile
endef
define Package/ffpb-ebtables-net-rules/install
$(INSTALL_DIR) $(1)/lib/gluon/ebtables/
$(CP) ./files/lib/gluon/ebtables/100-ffpb-net-chain $(1)/lib/gluon/ebtables/
$(CP) ./files/lib/gluon/ebtables/110-ffpb-net-allow-ipv4-space $(1)/lib/gluon/ebtables/
$(CP) ./files/lib/gluon/ebtables/110-ffpb-net-allow-ipv6-spaces $(1)/lib/gluon/ebtables/
$(CP) ./files/lib/gluon/ebtables/400-add-ffpb-net-chain $(1)/lib/gluon/ebtables/
endef
$(eval $(call BuildPackage,ffpb-ebtables-net-rules))
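Review bot: The package description says the ruleset stops traffic "not destined for" a Freifunk Paderborn target, but every prefix rule in the installed files matches on the source address (`--ip-src`, `--arp-ip-src`, `--ip6-src`); only the multicast rule looks at a destination. Anyone deciding from the description whether this package gives egress filtering or anti-spoofing will get the wrong idea. Wording along the lines of `This package adds a layer-2 filter ruleset that drops client traffic whose source address is outside the Freifunk Paderborn address ranges before it is bridged into the mesh.` would match what the rules do.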
chain('FFPB_NET_ONLY', 'DROP')
rule 'FFPB_NET_ONLY -p IPv4 --ip-src 10.132.0.0/17 -j RETURN'
rule 'FFPB_NET_ONLY -p ARP --arp-ip-src 10.132.0.0/17 -j RETURN'
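Review bot: Frames whose IPv4 source is 0.0.0.0 never match `--ip-src 10.132.0.0/17`, so a client's initial DHCP DISCOVER/REQUEST, and ARP probes sent with a zero sender address, fall through to the chain's DROP policy when they are bridged from br-client towards the mesh. Unless an earlier FORWARD rule outside this commit already accepts them, clients would not obtain a lease through a node carrying this package. Explicit exceptions such as `rule 'FFPB_NET_ONLY -p IPv4 --ip-src 0.0.0.0 --ip-proto udp --ip-dport 67 -j RETURN'` and `rule 'FFPB_NET_ONLY -p ARP --arp-ip-src 0.0.0.0 -j RETURN'` would keep address acquisition working while the source filter stays in place.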
rule 'FFPB_NET_ONLY -p IPv6 --ip6-src fe80::/10 -j RETURN'
rule 'FFPB_NET_ONLY -p IPv6 --ip6-dst ff00::/8 -j RETURN'
rule 'FFPB_NET_ONLY -p IPv6 --ip6-src fdca:ffee:ff12:132::/64 -j RETURN'
rule 'FFPB_NET_ONLY -p IPv6 --ip6-src 2001:470:6d:860::/64 -j RETURN'
rule 'FFPB_NET_ONLY -p IPv6 --ip6-src 2a03:2260:113::/48 -j RETURN'
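Review bot: The `--ip6-dst ff00::/8 -j RETURN` rule matches on destination only, so an IPv6 frame with any source address passes the filter as long as it is addressed to multicast, which leaves the surrounding source-prefix rules without effect for that traffic. It is presumably there so that duplicate address detection from the unspecified source keeps working; if so, say that in a comment and narrow the match, for example `rule 'FFPB_NET_ONLY -p IPv6 --ip6-src ::/128 --ip6-dst ff02::/16 -j RETURN'`, so that multicast from other sources still has to match one of the allowed prefixes. The three ULA/global prefixes would also benefit from a one-line comment each naming the allocation they belong to, since a stale prefix here silently widens or breaks the filter.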
rule 'FORWARD --logical-in br-client -i ! bat0 -j FFPB_NET_ONLY'