From 1309eaaf11a8621837da4ad7c9fa5400c3731345 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Mon, 11 Mar 2024 21:51:02 +0100
Subject: [PATCH 1/2] fff-firewall: add user-customizable nftables hook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently there is no way to persistently configure firewall rules on a router. This might be desirable as home-use of the Freifunk network is quite common these days. To allow for the most flexibility while keeping maintenance efforts low, add a persistent, user-customizable nftables hook. It is evaluated after all firewall rules have already been configured, so it is possible to override them. Users of this hook are responsible for keeping up with changes to the firmware and modify it appropriately, before updating the system.

Fixes: #314
Signed-off-by: Fabian Bläse
---
 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user | 1 +
 .../fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user

diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user
new file mode 100644
index 00000000..856459e8
--- /dev/null
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/90-user
@@ -0,0 +1 @@
+nft -f /etc/nftables-fff.conf
diff --git a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
index d0f3d36a..3de48e05 100644
--- a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
+++ b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
@@ -12,6 +12,7 @@ cat > /etc/sysupgrade.conf <<-__EOF__
 /etc/config/fff
 /etc/config/gateway
 /etc/hoodfile
+/etc/nftables-fff.conf
 __EOF__
 
 exit 0
-- 
2.39.2
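Review bot: The new `90-user` fragment calls `nft -f /etc/nftables-fff.conf` unconditionally, yet nothing in this series creates that file, so every router without a user ruleset ends its firewall run with an nft error for a missing file and, since it is the fragment's last command, a non-zero exit status from the fragment. Guarding it keeps the default case clean: `if [ -r /etc/nftables-fff.conf ]; then` / `nft -f /etc/nftables-fff.conf || logger -t fff-firewall "user nftables hook failed"` / `fi`, which also leaves a log trace when a user file that the second hunk now preserves across sysupgrade no longer loads against the new firmware's rules, instead of failing silently after the last rule has been applied. Whether the firewall.d fragments are sourced or executed is not visible here; if they are executed, the new file would also need a shebang and the exec bit, which `new file mode 100644` does not set.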
From 871e80eb35959e0e6ff2ccba758ff9f14a7979ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Mon, 11 Mar 2024 21:52:39 +0100
Subject: [PATCH 2/2] Consolidate sysupgrade.conf entries
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Most of the entries in /etc/sysupgrade.conf are generated by a uci-defaults script in the fff-sysupgrade package. The only entry added in a different place is rc.local.fff_userconfig. Consolidate all entries to be added by the uci-defaults script in fff-sysupgrade.

Signed-off-by: Fabian Bläse
---
 src/packages/fff/fff-support/files/etc/init.d/fff-userconfig | 2 --
 .../fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/packages/fff/fff-support/files/etc/init.d/fff-userconfig b/src/packages/fff/fff-support/files/etc/init.d/fff-userconfig
index 3c3de120..89a857d5 100755
--- a/src/packages/fff/fff-support/files/etc/init.d/fff-userconfig
+++ b/src/packages/fff/fff-support/files/etc/init.d/fff-userconfig
@@ -4,8 +4,6 @@ START=96
 boot() {
 LOCALCONFIGSCRIPT="/etc/rc.local.fff_userconfig"
 
- #add LOCALCONFIGSCRIPT to sysupgrade regardless if it already exists or not to prevent data loss
- grep -q ^"${LOCALCONFIGSCRIPT}"$ /etc/sysupgrade.conf || echo "$LOCALCONFIGSCRIPT" >> /etc/sysupgrade.conf
 
 # process user commands
 [ -f "${LOCALCONFIGSCRIPT}" ] && {
diff --git a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
index 3de48e05..02215ac5 100644
--- a/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
+++ b/src/packages/fff/fff-sysupgrade/files/etc/uci-defaults/99-fff-sysupgrade
@@ -13,6 +13,7 @@ cat > /etc/sysupgrade.conf <<-__EOF__
 /etc/config/gateway
 /etc/hoodfile
 /etc/nftables-fff.conf
+/etc/rc.local.fff_userconfig
 __EOF__
 
 exit 0
-- 
2.39.2
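Review bot: After this series the `/etc/rc.local.fff_userconfig` entry exists only in the heredoc that `cat >` rewrites in 99-fff-sysupgrade, because the boot-time `grep … || echo …` fallback is deleted from fff-userconfig in the first hunk, so preserving the user script across sysupgrade now rests entirely on this uci-defaults script being re-run after each upgrade; that appears to be the intended flow but is worth stating in the script, whose heredoc starts above this hunk. A one-line comment above the heredoc, outside the hunk, would do: `# Sole source of /etc/sysupgrade.conf entries; the boot-time fallback in fff-userconfig was removed, so every user-preserved file must be listed here.` The removed comment's rationale ("to prevent data loss") is lost with it and could be carried over into the commit message. If fff-sysupgrade can be installed without fff-support, the entry names a file that never exists, which sysupgrade should tolerate, though that is inferred rather than visible here.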