[v2,5/5] fff-network: enable forwarding; filter forwarding

Submitted by Tim Niemeyer on March 3, 2018, 5:11 p.m.


Message ID 20180303171136.9423-5-tim@tn-x.org
State Superseded

Commit Message

Tim Niemeyer March 3, 2018, 5:11 p.m.
Fixes #83
Signed-off-by: Tim Niemeyer <tim@tn-x.org>

---

Changes in v2:
- remove max_addresses (defaults now to 16)
- swap forwarding on default/all
- Add $iface to the filename

 src/packages/fff/fff-network/Makefile                              | 2 +-
 .../fff/fff-network/files/etc/sysctl.d/50-fff-network.conf         | 7 +++----
 .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding | 2 ++
 src/packages/fff/fff-network/files/usr/sbin/configurenetwork       | 1 +
 4 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding


diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
index 348897d..980800a 100644
--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@@ -13,7 +13,7 @@  define Package/$(PKG_NAME)
     CATEGORY:=Freifunk
     TITLE:= Freifunk-Franken network configuration
     URL:=http://www.freifunk-franken.de
-    DEPENDS:=+fff-uradvd +fff-boardname
+    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
index 7fe4725..c4b4396 100644
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -26,7 +26,6 @@  net.ipv4.conf.default.accept_redirects=0
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
-# net.ipv6.conf.all.forwarding=1
 
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
@@ -65,6 +64,6 @@  net.ipv6.conf.all.autoconf = 0
 net.ipv6.conf.default.dad_transmits = 3
 net.ipv6.conf.all.dad_transmits = 3
 
-# How many global unicast IPv6 addresses can be assigned to each interface?
-net.ipv6.conf.default.max_addresses = 0
-net.ipv6.conf.all.max_addresses = 0
+# Enable forwarding, otherwise not all local route are examined
+net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.default.forwarding=0
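Review bot: `net.ipv6.conf.all.forwarding=1` on the second-to-last line is not only a global switch: the kernel also copies that value into the `forwarding` setting of every interface that exists when the file is applied, so the per-interface `forwarding = 0` that configurenetwork writes later only holds as long as this file is not re-applied afterwards (a plain `sysctl -p` over all of sysctl.d would re-enable forwarding on every interface), and interfaces created before the 51-… file runs forward in the meantime. Because forwarding is now on, the FORWARD policy in firewall.d becomes the only thing that stops transit traffic, and the comment should say so; suggest replacing the ungrammatical line with `# Enable IPv6 forwarding globally so the kernel consults all local routes; transit traffic is still blocked by the FORWARD DROP policy in firewall.d and by the per-interface forwarding=0 written by configurenetwork. Keep it off for newly created interfaces.` The boot-time ordering between this sysctl file and the firewall script is not visible here; if the sysctl is applied first there is a window in which IPv6 is forwarded with the default ACCEPT policy.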
diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
new file mode 100644
index 0000000..793b0d8
--- /dev/null
+++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
@@ -0,0 +1,2 @@ 
+/sbin/iptables -P FORWARD DROP
+/sbin/ip6tables -P FORWARD DROP
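Review bot: The new drop-in has no comment explaining why it exists, and the reason is non-obvious: 50-fff-network.conf now turns IPv6 forwarding on, so this DROP policy is what actually prevents the node from routing between its interfaces. Suggest opening the file with `# IPv6 forwarding is enabled globally in sysctl.d/50-fff-network.conf (needed so all local routes are used); this FORWARD policy is what keeps the node from acting as a transit router.` The file is created non-executable (mode 100644) and has no shebang, which is fine only if fff-firewall sources its firewall.d snippets rather than executing them — fff-firewall is not visible here, so please confirm. Note also that `-P FORWARD DROP` only changes the chain policy and does not flush existing FORWARD rules, so an ACCEPT rule installed by a lower-numbered snippet would still win over it; if that is intended the comment should say so.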
diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
index b5cd6c7..9239a0f 100755
--- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
+++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
@@ -40,6 +40,7 @@  setAutoConf() {
     echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> "/etc/sysctl.d/51-fff-network-$iface.conf"
     echo "net.ipv6.conf.$iface.autoconf = $on" >> "/etc/sysctl.d/51-fff-network-$iface.conf"
     echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> "/etc/sysctl.d/51-fff-network-$iface.conf"
+    echo "net.ipv6.conf.$iface.forwarding = 0" >> "w/etc/sysctl.d/51-fff-network-$iface.conf"
 
     /sbin/sysctl -p "/etc/sysctl.d/51-fff-network-$iface.conf"
 }
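Review bot: The new line forces `forwarding = 0` on `$iface` unconditionally — unlike the neighbouring lines it does not follow `$on` — and nothing says why it must be off per interface while 50-fff-network.conf enables it globally, so the two files read as contradicting each other. Presumably the motivation is that the kernel only honours `accept_ra=1` on interfaces whose own `forwarding` is 0; if so, suggest a comment above the echo: `# always off here (independent of $on): RAs are only accepted on non-forwarding interfaces, and this interface must not route transit traffic` — please confirm that is the intent. setAutoConf begins before this hunk, so whether `accept_ra` itself is written earlier in the function is not visible here.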

Comments

Tim Niemeyer March 3, 2018, 7:49 p.m.
Hi

Am 3. März 2018 18:11:36 MEZ schrieb Tim Niemeyer <tim@tn-x.org>:
>Fixes #83
>Signed-off-by: Tim Niemeyer <tim@tn-x.org>
>
>---
>
>Changes in v2:
>- remove max_addresses (defaults now to 16)
>- swap forwarding on default/all
>- Add $iface to the filename
>
>src/packages/fff/fff-network/Makefile                              | 2
>+-
>.../fff/fff-network/files/etc/sysctl.d/50-fff-network.conf         | 7
>+++----
>.../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding | 2
>++
>src/packages/fff/fff-network/files/usr/sbin/configurenetwork       | 1
>+
> 4 files changed, 7 insertions(+), 5 deletions(-)
>create mode 100644
>src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>
>diff --git a/src/packages/fff/fff-network/Makefile
>b/src/packages/fff/fff-network/Makefile
>index 348897d..980800a 100644
>--- a/src/packages/fff/fff-network/Makefile
>+++ b/src/packages/fff/fff-network/Makefile
>@@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
>     CATEGORY:=Freifunk
>     TITLE:= Freifunk-Franken network configuration
>     URL:=http://www.freifunk-franken.de
>-    DEPENDS:=+fff-uradvd +fff-boardname
>+    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
> endef
> 
> define Package/$(PKG_NAME)/description
>diff --git
>a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>index 7fe4725..c4b4396 100644
>---
>a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>+++
>b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
>@@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
> net.ipv4.icmp_echo_ignore_broadcasts=1
> net.ipv4.icmp_ignore_bogus_error_responses=1
> net.ipv4.ip_forward=0
>-# net.ipv6.conf.all.forwarding=1
> 
> # disable bridge firewalling by default
> net.bridge.bridge-nf-call-arptables=0
>@@ -65,6 +64,6 @@ net.ipv6.conf.all.autoconf = 0
> net.ipv6.conf.default.dad_transmits = 3
> net.ipv6.conf.all.dad_transmits = 3
> 
>-# How many global unicast IPv6 addresses can be assigned to each
>interface?
>-net.ipv6.conf.default.max_addresses = 0
>-net.ipv6.conf.all.max_addresses = 0
>+# Enable forwarding, otherwise not all local route are examined
>+net.ipv6.conf.all.forwarding=1
>+net.ipv6.conf.default.forwarding=0
>diff --git
>a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>new file mode 100644
>index 0000000..793b0d8
>--- /dev/null
>+++
>b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>@@ -0,0 +1,2 @@
>+/sbin/iptables -P FORWARD DROP
>+/sbin/ip6tables -P FORWARD DROP
>diff --git
>a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>index b5cd6c7..9239a0f 100755
>--- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>+++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
>@@ -40,6 +40,7 @@ setAutoConf() {
>echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >>
>"/etc/sysctl.d/51-fff-network-$iface.conf"
>echo "net.ipv6.conf.$iface.autoconf = $on" >>
>"/etc/sysctl.d/51-fff-network-$iface.conf"
>echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >>
>"/etc/sysctl.d/51-fff-network-$iface.conf"
>+    echo "net.ipv6.conf.$iface.forwarding = 0" >>
>"w/etc/sysctl.d/51-fff-network-$iface.conf"

Da ist ein w zu viel. :(

Tim

> 
>     /sbin/sysctl -p "/etc/sysctl.d/51-fff-network-$iface.conf"
> }