From 16060d25d51017a8694edeba93281ca2653e9d3b Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Mon, 14 Jul 2014 17:53:41 +0200
Subject: [PATCH] Move essential firewall rules from gluon-firewall to
 gluon-core and gluon-mesh-batman-adv

The now empty gluon-firewall is removed.
---
 package/gluon-core/Makefile                   |  2 +-
 .../core/invariant/014-firewall-rules}        | 11 ------
 package/gluon-firewall/Makefile               | 37 -------------------
 .../mesh-batman-adv/invariant/011-mesh        | 12 ++++++
 4 files changed, 13 insertions(+), 49 deletions(-)
 rename package/{gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules => gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules} (79%)
 delete mode 100644 package/gluon-firewall/Makefile

diff --git a/package/gluon-core/Makefile b/package/gluon-core/Makefile
index 27babd758..17cde4d4f 100644
--- a/package/gluon-core/Makefile
+++ b/package/gluon-core/Makefile
@@ -12,7 +12,7 @@ define Package/gluon-core
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Base files of Gluon
-  DEPENDS:=+gluon-config +lua-platform-info +luci-lib-core +odhcp6c
+  DEPENDS:=+gluon-config +lua-platform-info +luci-lib-core +odhcp6c +firewall
 endef
 
 define Package/gluon-core/description
diff --git a/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules b/package/gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules
similarity index 79%
rename from package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules
rename to package/gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules
index 1a422ca37..792e06a2c 100755
--- a/package/gluon-firewall/files/lib/gluon/upgrade/firewall/invariant/011-firewall-rules
+++ b/package/gluon-core/files/lib/gluon/upgrade/core/invariant/014-firewall-rules
@@ -26,16 +26,5 @@ c:section('firewall', 'rule', 'wan_ssh',
 	  }
 )
 
-
-c:section('firewall', 'rule', 'client_dns',
-	  {
-		  name = 'client_dns',
-		  src = 'client',
-		  dest_port = '53',
-		  target = 'REJECT',
-	  }
-)
-
-
 c:save('firewall')
 c:commit('firewall')
diff --git a/package/gluon-firewall/Makefile b/package/gluon-firewall/Makefile
deleted file mode 100644
index ceb4820ce..000000000
--- a/package/gluon-firewall/Makefile
+++ /dev/null
@@ -1,37 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-firewall
-PKG_VERSION:=1
-
-PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/gluon-firewall
-  SECTION:=gluon
-  CATEGORY:=Gluon
-  TITLE:=Restrictive firewall rules
-  DEPENDS:=+gluon-core +firewall
-endef
-
-define Package/gluon-firewall/description
-	Gluon community wifi mesh firmware framework:
-	Firewall rules which try to ensure a node can't be abused
-	(e.g. for DNS amplification attacks)
-endef
-
-define Build/Prepare
-	mkdir -p $(PKG_BUILD_DIR)
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/gluon-firewall/install
-	$(CP) ./files/* $(1)/
-endef
-
-$(eval $(call BuildPackage,gluon-firewall))
diff --git a/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh b/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh
index 565505d20..ab80bd3d2 100755
--- a/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh
+++ b/package/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/invariant/011-mesh
@@ -31,6 +31,7 @@ uci:section('network', 'interface', 'bat0',
 uci:save('network')
 uci:commit('network')
 
+
 uci:delete('firewall', 'client')
 uci:section('firewall', 'zone', 'client',
 	    {
@@ -41,9 +42,20 @@ uci:section('firewall', 'zone', 'client',
 		    forward = 'REJECT',
 	    }
 )
+
+c:section('firewall', 'rule', 'client_dns',
+	  {
+		  name = 'client_dns',
+		  src = 'client',
+		  dest_port = '53',
+		  target = 'REJECT',
+	  }
+)
+
 uci:save('firewall')
 uci:commit('firewall')
 
+
 local dnsmasq = uci:get_first('dhcp', 'dnsmasq')
 uci:set('dhcp', dnsmasq, 'boguspriv', 0)
 uci:set('dhcp', dnsmasq, 'localise_queries', 0)
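Review bot: The added `c:section('firewall', 'rule', 'client_dns',` call goes through a cursor named `c`, while every other call visible in 011-mesh uses `uci`. The rule appears to have been copied unchanged from the former firewall script, where the cursor was called `c`. Unless `c` is also defined above this hunk (the top of the script is not visible here), the call fails on a nil value and the script aborts before `uci:save('firewall')` and `uci:commit('firewall')`. In that case neither the client zone nor the port-53 REJECT rule is persisted, and the dnsmasq settings that follow are never applied. The line should read `uci:section('firewall', 'rule', 'client_dns',` to match the surrounding code.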
-- 
GitLab