From patchwork Thu Dec  6 13:47:01 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: fff-hoods: firewall fe80::1 from Client to Batman and Node
From: Christian Dresel <fff@chrisi01.de>
X-Patchwork-Id: 968
Message-Id: <20181206134701.19543-1-fff@chrisi01.de>
To: franken-dev@freifunk.net
Date: Thu,  6 Dec 2018 14:47:01 +0100

This firewall block all communication with fe80::1 from a
Client to Batman and to the Node.

We need this because some crap devices (e.g. some wrong
connectet router on a clientport) have the fe80::1 as address
and break our setup.

This is an alternative Patch to
https://pw.freifunk-franken.de/patch/967/

Signed-off-by: Christian Dresel <fff@chrisi01.de>
Tested-by: Robert Langhammer <rlanghammer@web.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>
Tested-by: Robert Langhammer <rlanghammer@web.de <mailto:rlanghammer@web.de> > 
Reviewed-by: Robert Langhammer <rlanghammer@web.de <mailto:rlanghammer@web.de> > 
---
 src/packages/fff/fff-hoods/Makefile                                 | 2 +-
 .../fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801         | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
 create mode 100644 src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801

diff --git a/src/packages/fff/fff-hoods/Makefile b/src/packages/fff/fff-hoods/Makefile
index 264d28a..fb1ae18 100644
--- a/src/packages/fff/fff-hoods/Makefile
+++ b/src/packages/fff/fff-hoods/Makefile
@@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
     CATEGORY:=Freifunk
     TITLE:= Freifunk-Franken hoods
     URL:=http://www.freifunk-franken.de
-    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select
+    DEPENDS:=+fff-hoodutils +fff-macnock +fff-vpn-select +fff-firewall
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801 b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801
new file mode 100644
index 0000000..754e070
--- /dev/null
+++ b/src/packages/fff/fff-hoods/files/usr/lib/firewall.d/30-gateway-fe801
@@ -0,0 +1,6 @@
+# Erlaube nur fe80::1 von BATMAN -> CLIENT
+ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+
+# Erlaube nur fe80::1 von KNOTEN -> CLIENT
+ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY
+