From patchwork Sat Mar 3 17:11:36 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [v2,5/5] fff-network: enable forwarding; filter forwarding
From: Tim Niemeyer
X-Patchwork-Id: 797
Message-Id: <20180303171136.9423-5-tim@tn-x.org>
To: franken-dev@freifunk.net
Date: Sat, 3 Mar 2018 18:11:36 +0100

Fixes #83

Signed-off-by: Tim Niemeyer
---
Changes in v2:
- remove max_addresses (defaults now to 16)
- swap forwarding on default/all
- Add $iface to the filename

 src/packages/fff/fff-network/Makefile | 2 +-
 .../fff/fff-network/files/etc/sysctl.d/50-fff-network.conf | 7 +++----
 .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding | 2 ++
 src/packages/fff/fff-network/files/usr/sbin/configurenetwork | 1 +
 4 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding

diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
index 348897d..980800a 100644
--- a/src/packages/fff/fff-network/Makefile
+++ b/src/packages/fff/fff-network/Makefile
@@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
 CATEGORY:=Freifunk
 TITLE:= Freifunk-Franken network configuration
 URL:=http://www.freifunk-franken.de
- DEPENDS:=+fff-uradvd +fff-boardname
+ DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
index 7fe4725..c4b4396 100644
--- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
+++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
@@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
 net.ipv4.icmp_echo_ignore_broadcasts=1
 net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.ip_forward=0
-# net.ipv6.conf.all.forwarding=1
 
 # disable bridge firewalling by default
 net.bridge.bridge-nf-call-arptables=0
@@ -65,6 +64,6 @@ net.ipv6.conf.all.autoconf = 0
 net.ipv6.conf.default.dad_transmits = 3
 net.ipv6.conf.all.dad_transmits = 3
 
-# How many global unicast IPv6 addresses can be assigned to each interface?
-net.ipv6.conf.default.max_addresses = 0
-net.ipv6.conf.all.max_addresses = 0
+# Enable forwarding, otherwise not all local route are examined
+net.ipv6.conf.all.forwarding=1
+net.ipv6.conf.default.forwarding=0
diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
new file mode 100644
index 0000000..793b0d8
--- /dev/null
+++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
@@ -0,0 +1,2 @@
+/sbin/iptables -P FORWARD DROP
+/sbin/ip6tables -P FORWARD DROP
diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
index b5cd6c7..9239a0f 100755
--- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
+++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
@@ -40,6 +40,7 @@ setAutoConf() {
 echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> "/etc/sysctl.d/51-fff-network-$iface.conf"
 echo "net.ipv6.conf.$iface.autoconf = $on" >> "/etc/sysctl.d/51-fff-network-$iface.conf"
 echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> "/etc/sysctl.d/51-fff-network-$iface.conf"
+ echo "net.ipv6.conf.$iface.forwarding = 0" >> "w/etc/sysctl.d/51-fff-network-$iface.conf"
 /sbin/sysctl -p "/etc/sysctl.d/51-fff-network-$iface.conf"
 }
 
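Review bot: The new comment in the second hunk of 50-fff-network.conf explains only why net.ipv6.conf.all.forwarding is set to 1; it says nothing about why default.forwarding stays 0, nor that the per-interface 51-fff-network-$iface.conf written by configurenetwork is what is expected to turn forwarding off again, so the end result depends on 50- being applied before the 51- files. Writing the all.forwarding sysctl also pushes the value onto every interface that exists at that moment (kernel behaviour, not shown in the patch), so an interface that never passes through setAutoConf is left in forwarding mode. Suggest replacing the comment with `# Enable forwarding globally, otherwise not all local routes are examined; interfaces created later default to 0 and 51-fff-network-*.conf turns it off per interface`.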
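Review bot: 06-disable-forwarding sets the FORWARD policy to DROP in both tables without a comment saying that this policy, not the sysctl, is now the control that keeps the node from passing traffic between interfaces, since 50-fff-network.conf in the same patch turns net.ipv6.conf.all.forwarding on. Suggest opening the file with `# default-deny forwarding: IPv6 forwarding is enabled for route lookup, so this policy is what blocks transit traffic; any forwarding path must be allowed by an explicit rule`. The file is created with mode 100644; if fff-firewall executes the fragments in firewall.d rather than sourcing them, the executable bit is needed (how fff-firewall runs them is not visible here).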
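Review bot: The added echo in setAutoConf redirects to `"w/etc/sysctl.d/51-fff-network-$iface.conf"`, a relative path with a stray `w`, while the `sysctl -p` on the next line loads `/etc/sysctl.d/51-fff-network-$iface.conf`; the forwarding = 0 line therefore never reaches the file that is applied (the redirect fails, or creates a stray file under the current directory), and the interface keeps the forwarding=1 it inherited from net.ipv6.conf.all.forwarding=1 in 50-fff-network.conf. Change the line to `echo "net.ipv6.conf.$iface.forwarding = 0" >> "/etc/sysctl.d/51-fff-network-$iface.conf"`. setAutoConf begins before the hunk, so whether the script aborts on a failed redirect cannot be seen here.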