OpenWrt: bump to v23.05 #289
|
@ -6,10 +6,10 @@ This disables all OpenWrt config migration mechanisms except for
|
|||
files listed in /etc/sysupgrade.conf
|
||||
|
||||
diff --git a/package/base-files/files/sbin/sysupgrade b/package/base-files/files/sbin/sysupgrade
|
||||
index 7e0a00e13b8ee4be7163936fd01a7beff0ce5c99..97f50dc83088e29fba651741fff28c70f7585b3f 100755
|
||||
index 9315091302..be8325463e 100755
|
||||
--- a/package/base-files/files/sbin/sysupgrade
|
||||
+++ b/package/base-files/files/sbin/sysupgrade
|
||||
@@ -135,14 +135,14 @@ list_static_conffiles() {
|
||||
@@ -139,14 +139,14 @@ list_static_conffiles() {
|
||||
local filter=$1
|
||||
|
||||
find $(sed -ne '/^[[:space:]]*$/d; /^#/d; p' \
|
||||
|
|
|
@ -3,7 +3,7 @@ Date: Sat, 8 Jul 2017 10:47:28 +0200
|
|||
Subject: set root password
|
||||
|
||||
diff --git a/package/base-files/files/etc/shadow b/package/base-files/files/etc/shadow
|
||||
index 4b4154f21f478cc025a350363b3e34319c6afacc..b8d180a95691ab09f9c4d759ffd97da34a022623 100644
|
||||
index 39bdb9c90a..b8d180a956 100644
|
||||
--- a/package/base-files/files/etc/shadow
|
||||
+++ b/package/base-files/files/etc/shadow
|
||||
@@ -1,4 +1,4 @@
|
||||
|
|
|
@ -5,13 +5,12 @@ Subject: build: remove libustream and certs from default packages
|
|||
This effectively reverts upstream commit e79df3516d3e ("build: add
|
||||
libustream and certs to default pkgs").
|
||||
|
||||
The libustream-wolfssl library conflicts with the libustream-mbedtls
|
||||
we are selecting in fff-web-ui and is probably much bigger.
|
||||
|
||||
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
||||
[fabian@blaese.de: Rebase onto OpenWrt 23.05]
|
||||
Signed-off-by: Fabian Bläse <fabian@blaese.de>
|
||||
|
||||
diff --git a/include/target.mk b/include/target.mk
|
||||
index 7526224972e18148fec8a12318ca7f90a382475f..338e97f836759fc454986210e5818ad390ba6efb 100644
|
||||
index b5e3e7ff6f..2324b6cc11 100644
|
||||
--- a/include/target.mk
|
||||
+++ b/include/target.mk
|
||||
@@ -12,12 +12,10 @@ DEVICE_TYPE?=router
|
||||
|
@ -23,7 +22,7 @@ index 7526224972e18148fec8a12318ca7f90a382475f..338e97f836759fc454986210e5818ad3
|
|||
fstools \
|
||||
libc \
|
||||
libgcc \
|
||||
- libustream-wolfssl \
|
||||
- libustream-mbedtls \
|
||||
logd \
|
||||
mtd \
|
||||
netifd \
|
||||
|
|
|
@ -1,132 +0,0 @@
|
|||
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
|
||||
Date: Sat, 7 Aug 2021 00:40:34 +0200
|
||||
Subject: [PATCH] Disable ipq40xx lan/wan separation
|
||||
|
||||
While the ipq40xx only has a single MDIO connection to the switch chip,
|
||||
the ipq40xx essedma ethernet driver configures two gmac interfaces,
|
||||
which are seperated into WAN and LAN ports using vlan cid at driver
|
||||
level. Linux is not aware of these vlan tags.
|
||||
|
||||
However, this configuration does interfere with the vlan ids we use in
|
||||
our firmware. Therefore, this feature is disabled by setting the default
|
||||
vlan id for all gmacs to 0, changing the port mask so all physical ports
|
||||
are connected to the first gmac, and reducing the amount of configured
|
||||
gmacs to one. The definition of the second gmac is kept, because it is
|
||||
referenced by some devices. The default configuration of the switch chip
|
||||
is removed accordingly.
|
||||
|
||||
These changes are currently only done with the FritzBox 4040 in mind.
|
||||
---
|
||||
.../linux/ipq40xx/base-files/etc/board.d/01_leds | 2 +-
|
||||
.../ipq40xx/base-files/etc/board.d/02_network | 3 +--
|
||||
.../ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c | 2 ++
|
||||
.../drivers/net/ethernet/qualcomm/essedma/edma.h | 16 ++++++++--------
|
||||
...1-dts-ipq4019-add-ethernet-essedma-node.patch | 6 +++---
|
||||
5 files changed, 15 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/target/linux/ipq40xx/base-files/etc/board.d/01_leds b/target/linux/ipq40xx/base-files/etc/board.d/01_leds
|
||||
index 884b265dcb..77b0754635 100644
|
||||
--- a/target/linux/ipq40xx/base-files/etc/board.d/01_leds
|
||||
+++ b/target/linux/ipq40xx/base-files/etc/board.d/01_leds
|
||||
@@ -24,7 +24,7 @@ asus,rt-ac58u)
|
||||
;;
|
||||
avm,fritzbox-4040)
|
||||
ucidef_set_led_wlan "wlan" "WLAN" "green:wlan" "phy0tpt" "phy1tpt"
|
||||
- ucidef_set_led_netdev "wan" "WAN" "green:wan" "eth1"
|
||||
+ ucidef_set_led_switch "wan" "WAN" "green:wan" "switch0" "0x20"
|
||||
ucidef_set_led_switch "lan" "LAN" "green:lan" "switch0" "0x1e"
|
||||
;;
|
||||
avm,fritzbox-7530 |\
|
||||
diff --git a/target/linux/ipq40xx/base-files/etc/board.d/02_network b/target/linux/ipq40xx/base-files/etc/board.d/02_network
|
||||
index 2aa4886e6a..7390769661 100644
|
||||
--- a/target/linux/ipq40xx/base-files/etc/board.d/02_network
|
||||
+++ b/target/linux/ipq40xx/base-files/etc/board.d/02_network
|
||||
@@ -68,9 +68,8 @@ ipq40xx_setup_interfaces()
|
||||
avm,fritzbox-4040|\
|
||||
linksys,ea6350v3|\
|
||||
linksys,ea8300)
|
||||
- ucidef_set_interfaces_lan_wan "eth0" "eth1"
|
||||
ucidef_add_switch "switch0" \
|
||||
- "0u@eth0" "1:lan" "2:lan" "3:lan" "4:lan"
|
||||
+ "0@eth0" "1:lan" "2:lan" "3:lan" "4:lan" "5:wan"
|
||||
;;
|
||||
linksys,mr8300)
|
||||
ucidef_set_interfaces_lan_wan "eth0" "eth1"
|
||||
diff --git a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
|
||||
index f7ce42b9ff..a8da7ac653 100644
|
||||
--- a/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
|
||||
+++ b/target/linux/ipq40xx/files-5.10/drivers/net/mdio/ar40xx.c
|
||||
@@ -1481,6 +1481,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
|
||||
unsigned long bmp;
|
||||
|
||||
/* By default Enable VLAN */
|
||||
+ /*
|
||||
priv->vlan = 1;
|
||||
priv->vlan_table[AR40XX_LAN_VLAN] = priv->cpu_bmp | priv->lan_bmp;
|
||||
priv->vlan_table[AR40XX_WAN_VLAN] = priv->cpu_bmp | priv->wan_bmp;
|
||||
@@ -1492,6 +1493,7 @@ ar40xx_vlan_init(struct ar40xx_priv *priv)
|
||||
bmp = priv->wan_bmp;
|
||||
for_each_set_bit(port, &bmp, AR40XX_NUM_PORTS)
|
||||
priv->pvid[port] = AR40XX_WAN_VLAN;
|
||||
+ */
|
||||
|
||||
return 0;
|
||||
}
|
||||
diff --git a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h b/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
|
||||
index 015e5f5026..daa60639d1 100644
|
||||
--- a/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
|
||||
+++ b/target/linux/ipq40xx/files/drivers/net/ethernet/qualcomm/essedma/edma.h
|
||||
@@ -57,14 +57,14 @@
|
||||
#define EDMA_LAN 1
|
||||
|
||||
/* VLAN tag */
|
||||
-#define EDMA_LAN_DEFAULT_VLAN 1
|
||||
-#define EDMA_WAN_DEFAULT_VLAN 2
|
||||
-
|
||||
-#define EDMA_DEFAULT_GROUP1_VLAN 1
|
||||
-#define EDMA_DEFAULT_GROUP2_VLAN 2
|
||||
-#define EDMA_DEFAULT_GROUP3_VLAN 3
|
||||
-#define EDMA_DEFAULT_GROUP4_VLAN 4
|
||||
-#define EDMA_DEFAULT_GROUP5_VLAN 5
|
||||
+#define EDMA_LAN_DEFAULT_VLAN 0
|
||||
+#define EDMA_WAN_DEFAULT_VLAN 0
|
||||
+
|
||||
+#define EDMA_DEFAULT_GROUP1_VLAN 0
|
||||
+#define EDMA_DEFAULT_GROUP2_VLAN 0
|
||||
+#define EDMA_DEFAULT_GROUP3_VLAN 0
|
||||
+#define EDMA_DEFAULT_GROUP4_VLAN 0
|
||||
+#define EDMA_DEFAULT_GROUP5_VLAN 0
|
||||
|
||||
/* Queues exposed to linux kernel */
|
||||
#define EDMA_NETDEV_TX_QUEUE 4
|
||||
diff --git a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
|
||||
index 3567eb7810..b13b312a91 100644
|
||||
--- a/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
|
||||
+++ b/target/linux/ipq40xx/patches-5.10/711-dts-ipq4019-add-ethernet-essedma-node.patch
|
||||
@@ -36,7 +36,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
||||
+ qcom,rx_head_buf_size = <1540>;
|
||||
+ qcom,mdio_supported;
|
||||
+ qcom,poll_required = <1>;
|
||||
-+ qcom,num_gmac = <2>;
|
||||
++ qcom,num_gmac = <1>;
|
||||
+ interrupts = <0 65 IRQ_TYPE_EDGE_RISING
|
||||
+ 0 66 IRQ_TYPE_EDGE_RISING
|
||||
+ 0 67 IRQ_TYPE_EDGE_RISING
|
||||
@@ -74,7 +74,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
||||
+
|
||||
+ gmac0: gmac0 {
|
||||
+ local-mac-address = [00 00 00 00 00 00];
|
||||
-+ vlan_tag = <1 0x1f>;
|
||||
++ vlan_tag = <0 0x3f>;
|
||||
+ };
|
||||
+
|
||||
+ gmac1: gmac1 {
|
||||
@@ -83,7 +83,7 @@ Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|
||||
+ qcom,poll_required = <1>;
|
||||
+ qcom,forced_speed = <1000>;
|
||||
+ qcom,forced_duplex = <1>;
|
||||
-+ vlan_tag = <2 0x20>;
|
||||
++ vlan_tag = <0 0x00>;
|
||||
+ };
|
||||
+ };
|
||||
+
|
|
@ -0,0 +1,27 @@
|
|||
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
|
||||
Date: Sun, 6 Aug 2023 19:57:16 +0200
|
||||
Subject: [PATCH 1/2] ipq40xx: re-add label MAC address for FritzBox 4040
|
||||
|
||||
The MAC address of the GMAC is contained inside the CWMP-Account
|
||||
number on the label.
|
||||
|
||||
The label MAC address alias was defined previously, but it has been
|
||||
removed with the switch to IPQESS / DSA.
|
||||
|
||||
Restore the label MAC address alias.
|
||||
|
||||
Fixes: 27b441cbaf42 ("ipq40xx: drop ESSEDMA + AR40xx DTS nodes")
|
||||
Signed-off-by: Fabian Bläse <fabian@blaese.de>
|
||||
|
||||
diff --git a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts
|
||||
index e448206c36..ec1112ee2b 100644
|
||||
--- a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts
|
||||
+++ b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-fritzbox-4040.dts
|
||||
@@ -14,6 +14,7 @@
|
||||
led-failsafe = &flash;
|
||||
led-running = &power;
|
||||
led-upgrade = &flash;
|
||||
+ label-mac-device = &gmac;
|
||||
};
|
||||
|
||||
soc {
|
|
@ -0,0 +1,17 @@
|
|||
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?= <fabian@blaese.de>
|
||||
Date: Tue, 8 Aug 2023 20:59:16 +0200
|
||||
Subject: [PATCH] ipq40xx: retain old compat_version
|
||||
|
||||
diff --git a/target/linux/ipq40xx/image/Makefile b/target/linux/ipq40xx/image/Makefile
|
||||
index 2ba4c779a0..5851b29875 100644
|
||||
--- a/target/linux/ipq40xx/image/Makefile
|
||||
+++ b/target/linux/ipq40xx/image/Makefile
|
||||
@@ -10,8 +10,6 @@ define Device/Default
|
||||
IMAGES := sysupgrade.bin
|
||||
IMAGE/sysupgrade.bin = sysupgrade-tar | append-metadata
|
||||
IMAGE/sysupgrade.bin/squashfs :=
|
||||
- DEVICE_COMPAT_VERSION := 1.1
|
||||
- DEVICE_COMPAT_MESSAGE := Config cannot be migrated from swconfig to DSA
|
||||
endef
|
||||
|
||||
include $(SUBTARGET).mk
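Review bot: Dropping `DEVICE_COMPAT_VERSION := 1.1` and its message removes the upstream guard that makes sysupgrade refuse (without `-F`) an image whose switch configuration cannot be migrated from swconfig to DSA, and the patch carries no description explaining why that is safe for this firmware. If the reason is that the node configuration is regenerated on upgrade anyway (the sysupgrade patch at the top of this change disables OpenWrt config migration except for files listed in /etc/sysupgrade.conf), say so in the commit body, e.g. `Network config is regenerated by fff on every upgrade, so the swconfig->DSA compat bump is not needed; keeping compat_version 1.0 lets existing nodes upgrade without -F.` Otherwise a swconfig-era node would accept this image silently and could come up with stale switch settings. The `define Device/Default` block begins before the hunk and ends at the `endef` shown.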
|
|
@ -6,13 +6,13 @@ Subject: [PATCH] Add hack which fixes forwarding on a stacked bridge
|
|||
---
|
||||
.../999-fix-stacked-bridge-forwarding.patch | 12 ++++++++++++
|
||||
1 file changed, 12 insertions(+)
|
||||
create mode 100644 target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
|
||||
create mode 100644 target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch
|
||||
|
||||
diff --git a/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
|
||||
diff --git a/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch b/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch
|
||||
new file mode 100644
|
||||
index 0000000000..e1d4cb9cd5
|
||||
--- /dev/null
|
||||
+++ b/target/linux/generic/hack-5.10/999-fix-stacked-bridge-forwarding.patch
|
||||
+++ b/target/linux/generic/hack-5.15/999-fix-stacked-bridge-forwarding.patch
|
||||
@@ -0,0 +1,12 @@
|
||||
+--- a/net/bridge/br_input.c
|
||||
++++ b/net/bridge/br_input.c
|
||||
|
|
|
@ -7,9 +7,9 @@ set -o pipefail
|
|||
builddir=./build
|
||||
|
||||
# OpenWrt: package hashes correspond to core repo version
|
||||
OPENWRTREV="v22.03.3"
|
||||
PACKAGEREV="2048c5bbf6c482e45b080eef4c1c531936f7f41b"
|
||||
ROUTINGREV="1a87333f268bcf0a11e3a665a357cb0d4ec2d680"
|
||||
OPENWRTREV="v23.05.0"
|
||||
PACKAGEREV="0da9f622975aa1e4efe452da4acbae15479bee63"
|
||||
ROUTINGREV="2272106e0839ee06957e88e3596489e1b510d3c2"
|
||||
|
||||
# Gluon packages: master from 2020-02-04
|
||||
GLUONREV="12e41d0ff07ec54bbd67a31ab50d12ca04f2238c"
|
||||
|
|
|
@ -12,8 +12,6 @@ define Package/fff-base
|
|||
URL:=https://www.freifunk-franken.de
|
||||
DEFAULT:=y
|
||||
DEPENDS:= \
|
||||
+iptables-legacy \
|
||||
+ip6tables-legacy \
|
||||
+micrond \
|
||||
+odhcp6c \
|
||||
+fff-config \
|
||||
|
|
|
@ -10,11 +10,7 @@ define Package/$(PKG_NAME)
|
|||
CATEGORY:=Freifunk
|
||||
TITLE:=Freifunk-Franken firewall
|
||||
URL:=https://www.freifunk-franken.de
|
||||
DEPENDS:=+arptables-legacy \
|
||||
+ebtables-legacy +ebtables-legacy-utils \
|
||||
+kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
|
||||
+iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra \
|
||||
+kmod-nf-conntrack6
|
||||
DEPENDS:=+nftables
|
||||
endef
|
||||
|
||||
define Package/$(PKG_NAME)/description
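Review bot: `DEPENDS:=+nftables` alone probably does not pull in the kernel support the new rules need: the ruleset fragments in this change all load `table bridge filter`, which needs the bridge family module (kmod-nft-bridge), while the removed list explicitly carried the ebtables kmods (`+kmod-ebtables-ipv4 +kmod-ebtables-ipv6`). The sibling fff-layer3-snat package lists `+kmod-nft-nat` next to its nat table, which suggests family modules are not implied by `nftables` in this tree. Unless the nftables package on this target already depends on it, write `DEPENDS:=+nftables +kmod-nft-bridge` so the bridge hooks exist at boot instead of every `nft -f` failing with a missing-family error and the node running with no bridge filtering at all.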
|
||||
|
|
|
@ -1,6 +1,3 @@
|
|||
######## CLEAN UP ############
|
||||
ebtables -F
|
||||
ebtables -X
|
||||
|
||||
iptables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | iptables-restore
|
||||
ip6tables-save | awk '/^[*]/ { print $1 } /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; } /COMMIT/ { print $0; }' | ip6tables-restore
|
||||
nft -f - <<__EOF
|
||||
flush ruleset
|
||||
__EOF
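Review bot: `flush ruleset` followed by separate per-fragment `nft -f` loads leaves a window with no bridge filtering and no FORWARD drop policy between this flush and the last fragment, and a syntax error in any one fragment leaves a partially loaded ruleset without the protection of the fragments that came before it. nftables can do the whole reload atomically: concatenate the fragments into one script that begins with `flush ruleset` and feed it to a single `nft -f -`, so the kernel swaps old for new in one transaction and a bad fragment leaves the previous ruleset untouched. Note also that `flush ruleset` removes every table in every family, including any created by other components on the node; the old awk pipeline reset all iptables chains too, so this is not new, but a comment such as `# drops ALL nftables tables on the node, not only ours` would make the scope explicit.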
|
||||
|
|
|
@ -1,5 +1,15 @@
|
|||
# Erlaube nur fe80::1 von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv6 --ip6-source fe80::1 -j IN_ONLY
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain INPUT {
|
||||
# Erlaube nur fe80::1 von BATMAN -> CLIENT
|
||||
# -p IPv6 --ip6-src fe80::1 -j IN_ONLY
|
||||
ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY
|
||||
}
|
||||
|
||||
# Erlaube nur fe80::1 von KNOTEN -> CLIENT
|
||||
ebtables -A INPUT -p IPv6 --ip6-source fe80::1 -j IN_ONLY
|
||||
chain FORWARD {
|
||||
# Erlaube nur fe80::1 von KNOTEN -> CLIENT
|
||||
# -p IPv6 --ip6-src fe80::1 -j IN_ONLY
|
||||
ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY
|
||||
}
|
||||
}
|
||||
__EOF
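Review bot: The chain comments appear swapped relative to the ebtables version: the original `-A FORWARD` rule was annotated `BATMAN -> CLIENT` and the `-A INPUT` rule `KNOTEN -> CLIENT`, but in the nft text the INPUT chain carries the `BATMAN -> CLIENT` line and the FORWARD chain the `KNOTEN -> CLIENT` line. Both rules are identical (`ether type ip6 ip6 saddr fe80::1 counter jump IN_ONLY`), so behaviour is unaffected, but unless the relabelling was deliberate the two comment lines should be moved back to the chains they describe.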
|
||||
|
|
|
@ -13,7 +13,7 @@ define Package/fff-layer3-snat
|
|||
DEPENDS:= \
|
||||
+fff-firewall \
|
||||
+fff-layer3-config \
|
||||
+kmod-ipt-nat
|
||||
+kmod-nft-nat
|
||||
endef
|
||||
|
||||
define Package/fff-layer3-snat/description
|
||||
|
|
|
@ -1,4 +1,10 @@
|
|||
if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
|
||||
iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174
|
||||
iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
|
||||
nft add table ip mangle
|
||||
nft add chain ip mangle PREROUTING '{ type filter hook prerouting priority mangle; policy accept; }'
|
||||
|
||||
nft add table ip nat
|
||||
nft add chain ip nat POSTROUTING '{ type nat hook postrouting priority srcnat; policy accept; }'
|
||||
|
||||
nft add rule ip mangle PREROUTING iifname "br-client" counter mark set 0x736e6174
|
||||
nft add rule ip nat POSTROUTING meta mark 0x736e6174 counter snat ip to $(uci -q get network.client.fff_snat_sourceip)
|
||||
fi
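Review bot: The snat rule is built from `$(uci -q get network.client.fff_snat_sourceip)` without checking that the value is non-empty; if it is unset the `nft add rule ip nat POSTROUTING ... snat ip to` line fails with a syntax error after the mangle rule that marks all br-client traffic has already been installed, so marked packets leave un-NATed (the old iptables version had the same gap). Read the address once and guard both rules: `src="$(uci -q get network.client.fff_snat_sourceip)"`, `if [ "$(uci -q get network.client.fff_snat)" = '1' ] && [ -n "$src" ]; then`, and use `"$src"` in the rule. Also be aware that `nft add chain ... '{ ... policy accept; }'` on a chain that already exists rewrites its policy, so if another fragment ever owns `ip nat POSTROUTING` or `ip mangle PREROUTING` with a different policy these lines change it.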
|
||||
|
|
|
@ -23,21 +23,13 @@ define Package/fff-layer3
|
|||
+fff-ra \
|
||||
+fff-web-mqtt \
|
||||
+fff-wireguard \
|
||||
+arptables-legacy \
|
||||
+bmon \
|
||||
+ebtables-legacy \
|
||||
+ebtables-legacy-utils \
|
||||
+kmod-ebtables-ipv4 \
|
||||
+kmod-ebtables-ipv6 \
|
||||
+kmod-sched-cake \
|
||||
+gre \
|
||||
+@PACKAGE_grev4 \
|
||||
+@PACKAGE_grev6 \
|
||||
+iperf3 \
|
||||
+ip-full \
|
||||
+iptables-mod-filter \
|
||||
+iptables-mod-ipopt \
|
||||
+iptables-mod-conntrack-extra \
|
||||
+mtr \
|
||||
+nftables \
|
||||
+snmp-utils \
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
# Ensure nothing is forwarded onto WAN interface
|
||||
if [ -n "$IF_WAN" ]; then
|
||||
iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
|
||||
ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
|
||||
nft add table ip filter
|
||||
nft add chain ip filter FORWARD '{ type filter hook forward priority filter; policy accept; }'
|
||||
nft add table ip6 filter
|
||||
nft add chain ip6 filter FORWARD '{ type filter hook forward priority filter; policy accept; }'
|
||||
|
||||
nft add rule ip filter FORWARD oifname "$IF_WAN" counter reject with icmp net-unreachable
|
||||
nft add rule ip6 filter FORWARD oifname "$IF_WAN" counter reject with icmpv6 no-route
|
||||
fi
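Review bot: `nft add chain ip filter FORWARD '{ type filter hook forward priority filter; policy accept; }'` is not a no-op on an existing base chain: nft applies the given policy to it, so this fragment flips a FORWARD chain that was installed with `policy drop` — which the other fragment in this change does for both the ip and ip6 filter tables — back to accept, if the two ever run on the same node. Create the chain without a policy clause so an existing chain keeps whatever policy it has: `nft add chain ip filter FORWARD '{ type filter hook forward priority filter; }'` and likewise for `ip6`; a freshly created chain still defaults to accept, so the new-install behaviour is unchanged. The reject rules themselves translate the old `icmp-net-unreachable` and `no-route` targets correctly.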
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
WANDEV=eth0
|
||||
SWITCHDEV=eth0
|
||||
CLIENT_PORTS="0t 3 4"
|
||||
WAN_PORTS="0t 5"
|
||||
BATMAN_PORTS="0t 1 2"
|
||||
WANDEV=switch0
|
||||
SWITCHDEV=switch0
|
||||
CLIENT_PORTS="lan3 lan4"
|
||||
WAN_PORTS="wan"
|
||||
BATMAN_PORTS="lan1 lan2"
|
||||
DSA=1
|
||||
|
|
|
@ -7,9 +7,6 @@ get_port_order() {
|
|||
local PORTORDER
|
||||
|
||||
case "$BOARD" in
|
||||
avm,fritzbox-4040)
|
||||
PORTORDER="5 1 2 3 4"
|
||||
;;
|
||||
glinet,gl-ar150)
|
||||
PORTORDER="1"
|
||||
;;
|
||||
|
|
|
@ -1,34 +1,44 @@
|
|||
######## IN_ONLY ############
|
||||
ebtables -N IN_ONLY -P RETURN
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
# IN_ONLY wird angesprungen, wenn dieses Paket nur
|
||||
# vom Gateway (also vom BATMAN) kommen darf.
|
||||
chain IN_ONLY {
|
||||
# -i ! bat0 --logical-in br-client -j DROP
|
||||
iifname != "bat0" counter drop
|
||||
counter
|
||||
}
|
||||
|
||||
# Daten aus dem BATMAN werden erlaubt
|
||||
# Alles ausser Daten von BATMAN werden DROP'ed
|
||||
ebtables -A IN_ONLY -i ! bat0 --logical-in br-client -j DROP
|
||||
# OUT_ONLY wird angesprungen, wenn dieses Paket nur
|
||||
# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
|
||||
chain OUT_ONLY {
|
||||
# --logical-out br-client -o ! bat0 -j DROP
|
||||
oifname != "bat0" counter drop
|
||||
counter
|
||||
}
|
||||
|
||||
######## OUT_ONLY ############
|
||||
ebtables -N OUT_ONLY -P RETURN
|
||||
# MULTICAST_OUT filtert/reduziert Multicast-Frames, die ins BATMAN gesendet werden.
|
||||
chain MULTICAST_OUT {
|
||||
}
|
||||
|
||||
# Daten ins BATMAN werden erlaubt
|
||||
# Alles ausser Daten ins BATMAN werden DROP'ed
|
||||
ebtables -A OUT_ONLY --logical-out br-client -o ! bat0 -j DROP
|
||||
chain INPUT {
|
||||
type filter hook input priority filter; policy accept;
|
||||
|
||||
######## MULTICAST_OUT ############
|
||||
ebtables -N MULTICAST_OUT -P DROP
|
||||
# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
|
||||
iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
|
||||
}
|
||||
|
||||
######## INPUT ############
|
||||
ebtables -P INPUT ACCEPT
|
||||
chain FORWARD {
|
||||
type filter hook forward priority filter; policy accept;
|
||||
|
||||
# Regelt alles was an Multicast/Broadcast von CLIENT -> KNOTEN geht bei MULTICAST_OUT
|
||||
ebtables -A INPUT -d Multicast --logical-in br-client -i ! bat0 -j ACCEPT
|
||||
# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
||||
oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
|
||||
}
|
||||
|
||||
######## FORWARD ############
|
||||
ebtables -P FORWARD ACCEPT
|
||||
chain OUTPUT {
|
||||
type filter hook output priority filter; policy accept;
|
||||
|
||||
# Regelt alles was an Multicast/Broadcast von CLIENT -> BATMAN geht bei MULTICAST_OUT
|
||||
ebtables -A FORWARD -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
||||
|
||||
######## OUTPUT ############
|
||||
ebtables -P OUTPUT ACCEPT
|
||||
|
||||
# Regelt alles was an Multicast/Broadcast von KNOTEN -> BATMAN geht bei MULTICAST_OUT
|
||||
ebtables -A OUTPUT -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
||||
# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
|
||||
oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
|
||||
}
|
||||
}
|
||||
__EOF
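Review bot: The `--logical-in br-client` / `--logical-out br-client` qualifiers of the original IN_ONLY and OUT_ONLY rules were dropped, so `iifname != "bat0" counter drop` and `oifname != "bat0" counter drop` now fire on every bridge the node has, not only on br-client, and the INPUT multicast accept lost the same scope. If a node can carry another bridge (the layer3 variants may), keep the scope with the bridge meta keys: `meta ibrname "br-client" iifname != "bat0" counter drop` and `meta obrname "br-client" oifname != "bat0" counter drop`. If br-client is the only bridge a node ever has, say so in a comment, because the equivalence depends on it. Separately, the INPUT and FORWARD multicast rules spell `counter packets 0 bytes 0 accept` / `jump` while every other rule uses bare `counter`; the explicit zero counters are redundant on load and should be trimmed for consistency.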
|
||||
|
|
|
@ -1,2 +1,12 @@
|
|||
/usr/sbin/iptables -P FORWARD DROP
|
||||
/usr/sbin/ip6tables -P FORWARD DROP
|
||||
nft -f - <<__EOF
|
||||
table ip filter {
|
||||
chain FORWARD {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
}
|
||||
}
|
||||
table ip6 filter {
|
||||
chain FORWARD {
|
||||
type filter hook forward priority filter; policy drop;
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -1,8 +1,19 @@
|
|||
# Erlaube DHCP Requests
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain MULTICAST_OUT {
|
||||
# Erlaube DHCP Requests
|
||||
# -p IPv4 --ip-proto udp --ip-dport 67 -j RETURN
|
||||
ether type ip udp dport 67 counter return
|
||||
}
|
||||
|
||||
# Erlaube nur DHCP Request von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||
chain FORWARD {
|
||||
# Erlaube nur DHCP Request von CLIENT -> BATMAN
|
||||
# -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||
ether type ip udp dport 67 counter jump OUT_ONLY
|
||||
|
||||
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
|
||||
# -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||
ether type ip udp dport 68 counter jump IN_ONLY
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -1,8 +1,19 @@
|
|||
# Erlaube DHCPv6 Requests
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain MULTICAST_OUT {
|
||||
# Erlaube DHCPv6 Requests
|
||||
# -p IPv6 --ip6-proto udp --ip6-dport 547 -j RETURN
|
||||
ether type ip6 udp dport 547 counter return
|
||||
}
|
||||
|
||||
# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||
chain FORWARD {
|
||||
# Erlaube nur DHCPv6 Request von CLIENT -> BATMAN
|
||||
# -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||
ether type ip6 udp dport 547 counter jump OUT_ONLY
|
||||
|
||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> CLIENT
|
||||
# -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||
ether type ip6 udp dport 546 counter jump IN_ONLY
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -1,5 +1,13 @@
|
|||
# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain FORWARD {
|
||||
# Erlaube nur Router-Solicitation von CLIENT -> BATMAN
|
||||
# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY
|
||||
|
||||
# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
|
||||
ebtables -A FORWARD -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||
# Erlaube nur Router-Advertisment von BATMAN -> CLIENT
|
||||
# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||
ether type ip6 icmpv6 type nd-router-advert counter jump IN_ONLY
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -1,5 +1,15 @@
|
|||
# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain INPUT {
|
||||
# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
|
||||
# -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
|
||||
ether type ip udp dport 68 counter jump IN_ONLY
|
||||
}
|
||||
|
||||
# Erlaube nur DHCP Request von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||
chain OUTPUT {
|
||||
# Erlaube nur DHCP Request von KNOTEN -> BATMAN
|
||||
# -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
|
||||
ether type ip udp dport 67 counter jump OUT_ONLY
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -1,5 +1,15 @@
|
|||
# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain INPUT {
|
||||
# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
|
||||
# -p IPv6 --ip6-proto udp --ip6-dport 546 -j IN_ONLY
|
||||
ether type ip6 udp dport 546 counter jump IN_ONLY
|
||||
}
|
||||
|
||||
# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||
chain OUTPUT {
|
||||
# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
|
||||
# -p IPv6 --ip6-proto udp --ip6-dport 547 -j OUT_ONLY
|
||||
ether type ip6 udp dport 547 counter jump OUT_ONLY
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -1,11 +1,23 @@
|
|||
# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain INPUT {
|
||||
# Erlaube nur Router-Advertisment von BATMAN -> KNOTEN
|
||||
# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||
ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter jump IN_ONLY
|
||||
|
||||
# Verbiete Router-Solicitation von BATMAN -> KNOTEN
|
||||
ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
|
||||
# Verbiete Router-Solicitation von BATMAN -> KNOTEN
|
||||
# -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j DROP
|
||||
iifname "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter drop
|
||||
}
|
||||
|
||||
# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
chain OUTPUT {
|
||||
# Erlaube nur Router-Solicitation von KNOTEN -> BATMAN
|
||||
# -p IPv6 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||
ether type ip6 icmpv6 type nd-router-solicit counter jump OUT_ONLY
|
||||
|
||||
# Verbiete Router-Advertisment von KNOTEN -> BATMAN
|
||||
ebtables -A OUTPUT -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
|
||||
# Verbiete Router-Advertisment von KNOTEN -> BATMAN
|
||||
# -p IPv6 -o bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j DROP
|
||||
oifname "bat0" ether type ip6 icmpv6 type nd-router-advert counter drop
|
||||
}
|
||||
}
|
||||
__EOF
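Review bot: The four ICMPv6 matches in this fragment use two different forms: the INPUT rules use `ether type ip6 ip6 nexthdr icmpv6 icmpv6 type ...` while the OUTPUT rules and the client-side router-solicitation fragment use `ether type ip6 icmpv6 type ...`. They are not equivalent — `ip6 nexthdr icmpv6` only matches when ICMPv6 directly follows the base header, whereas bare `icmpv6 type` matches through `meta l4proto` after extension headers are skipped — so pick one form deliberately, e.g. `ether type ip6 icmpv6 type nd-router-advert counter jump IN_ONLY` for the INPUT rules. The short form is presumably the closer translation of ebtables' `--ip6-proto`, which also walks extension headers; worth confirming against the ebt_ip6 match before relying on it.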
|
||||
|
|
|
@ -1,6 +1,13 @@
|
|||
# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto 0 -j RETURN
|
||||
|
||||
# Erlaube Organisation der Multicast Gruppen
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain MULTICAST_OUT {
|
||||
# Erlaube alles was nicht IP ?? ist " hop-by-hop " ??
|
||||
# -p IPv6 --ip6-proto ip -j RETURN
|
||||
ether type ip6 ip6 nexthdr 0 counter return
|
||||
|
||||
# Erlaube Organisation der Multicast Gruppen
|
||||
# -p IPv4 --ip-proto igmp -j RETURN
|
||||
ether type ip meta l4proto igmp counter return
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -1,8 +1,17 @@
|
|||
# Verbiete ARP Antworten an alle
|
||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain MULTICAST_OUT {
|
||||
# Verbiete ARP Antworten an alle
|
||||
# -p ARP --arp-op Reply --arp-ip-src 0.0.0.0 -j DROP
|
||||
ether type arp arp operation reply arp daddr ip 0.0.0.0 counter drop
|
||||
|
||||
# Verbiete ARP Requests an alle
|
||||
ebtables -A MULTICAST_OUT -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
|
||||
# Verbiete ARP Requests an alle
|
||||
# -p ARP --arp-op Request --arp-ip-dst 0.0.0.0 -j DROP
|
||||
ether type arp arp operation request arp daddr ip 0.0.0.0 counter drop
|
||||
|
||||
# Erlaube alle anderen ARP's
|
||||
ebtables -A MULTICAST_OUT -p ARP -j RETURN
|
||||
# Erlaube alle anderen ARP's
|
||||
# -p ARP -j RETURN
|
||||
ether type arp counter return
|
||||
}
|
||||
}
|
||||
__EOF
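Review bot: The first rule does not translate its ebtables counterpart: the original (and the comment kept above it) matches `--arp-ip-src 0.0.0.0` on replies, but the nft rule uses `arp daddr ip 0.0.0.0`, i.e. the target address. ARP replies with a zero sender address — the bogus replies the rule was meant to keep out of the mesh — now fall through to the final `ether type arp counter return`, while replies whose target is 0.0.0.0 are dropped instead. Change the line to `ether type arp arp operation reply arp saddr ip 0.0.0.0 counter drop`; the request rule correctly uses `arp daddr ip` for `--arp-ip-dst`.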
|
||||
|
|
|
@ -1,6 +1,13 @@
|
|||
# Erlaube PING
|
||||
ebtables -A MULTICAST_OUT -p IPv4 --ip-proto icmp -j RETURN
|
||||
|
||||
# Erlaube PINGv6
|
||||
ebtables -A MULTICAST_OUT -p IPv6 --ip6-proto ipv6-icmp -j RETURN
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain MULTICAST_OUT {
|
||||
# Erlaube PING
|
||||
# -p IPv4 --ip-proto icmp -j RETURN
|
||||
ether type ip meta l4proto icmp counter return
|
||||
|
||||
# Erlaube PINGv6
|
||||
# -p IPv6 --ip6-proto ipv6-icmp -j RETURN
|
||||
ether type ip6 meta l4proto icmpv6 counter return
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain MULTICAST_OUT {
|
||||
# policy: DROP
|
||||
counter drop
|
||||
}
|
||||
}
|
||||
__EOF
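Review bot: The ebtables `-P DROP` policy of MULTICAST_OUT becomes an ordinary trailing `counter drop` rule, so correctness now depends on this fragment being loaded after every other fragment that appends to MULTICAST_OUT; any fragment sorted after it would place its `return` rules behind the drop, where they are unreachable, silently dropping e.g. DHCP or ARP into the mesh. At minimum document the constraint here: `# must be the last fragment that appends to MULTICAST_OUT: rules added after this drop are unreachable`. An order-independent alternative is to remove this file and drop on fall-through at the two jump sites, i.e. follow each `... counter jump MULTICAST_OUT` with `oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter drop`, which ties the drop to the same fragment as the jump.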
|
|
@ -1,11 +1,30 @@
|
|||
# No input from/to local node ip from batman
|
||||
ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
ebtables -A INPUT --logical-in br-client -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain INPUT {
|
||||
# No input from/to local node ip from batman
|
||||
|
||||
# Do not forward local node ip
|
||||
ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
ebtables -A FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
# -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
|
||||
iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
|
||||
# -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
|
||||
iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
|
||||
}
|
||||
|
||||
# Do not output local node ip to batman
|
||||
ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
|
||||
ebtables -A OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
|
||||
chain FORWARD {
|
||||
# Do not forward local node ip
|
||||
|
||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
|
||||
oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
|
||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
|
||||
oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
|
||||
}
|
||||
|
||||
chain OUTPUT {
|
||||
# Do not output local node ip to batman
|
||||
|
||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
|
||||
oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
|
||||
# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
|
||||
oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain INPUT {
|
||||
counter
|
||||
}
|
||||
|
||||
chain FORWARD {
|
||||
counter
|
||||
}
|
||||
|
||||
chain OUTPUT {
|
||||
counter
|
||||
}
|
||||
}
|
||||
__EOF
|
|
@ -1,5 +1,15 @@
|
|||
# Erlaube router solicitation von client zu knoten
|
||||
ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
|
||||
nft -f - <<__EOF
|
||||
table bridge filter {
|
||||
chain INPUT {
|
||||
# Erlaube router solicitation von client zu knoten
|
||||
# -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
|
||||
iifname != "bat0" ether type ip6 ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
|
||||
}
|
||||
|
||||
# Erlaube router advertisment von knoten zu client
|
||||
ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
|
||||
chain OUTPUT {
|
||||
# Erlaube router advertisment von knoten zu client
|
||||
# -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
|
||||
oifname != "bat0" ether type ip6 icmpv6 type nd-router-advert counter accept
|
||||
}
|
||||
}
|
||||
__EOF
|
||||
|
|