Add firewall rules

gluon-mesh-batman-adv should not be used without firewall to prevent forwarding
of packets from the mesh to the wan interface.

For some reason, the firewall package won't work at all without
kmod-ipt-nathelper.

gluon/gluon-mesh-batman-adv/Makefile

@@ -12,7 +12,7 @@ define Package/gluon-mesh-batman-adv
   SECTION:=gluon
   CATEGORY:=Gluon
   TITLE:=Support for batman-adv meshing
-  DEPENDS:=+gluon-core +kmod-batman-adv
+  DEPENDS:=+gluon-core +kmod-batman-adv +firewall +kmod-ipt-nathelper
 endef
 
 define Package/gluon-mesh-batman-adv/description

gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh

@@ -18,6 +18,14 @@ uci_set network client peerdns '0'
 uci_set network client macaddr "$(sysconfig primary_mac)"
 uci_commit network
 
+uci_add firewall zone client
+uci_set firewall client name 'client'
+uci add_list firewall.client.network='client'
+uci_set firewall client input 'ACCEPT'
+uci_set firewall client output 'ACCEPT'
+uci_set firewall client forward 'REJECT'
+uci_commit firewall
+
 uci_add dhcp dhcp client
 uci_set dhcp client interface 'client'
 uci_set dhcp client ignore '1'

gluon/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node

@@ -34,3 +34,12 @@ uci_set network local_node_route6 target '@prefix6@'
 uci_set network local_node_route6 gateway '::'
 
 uci_commit network
+
+uci_remove firewall local_node
+uci_add firewall zone local_node
+uci_set firewall local_node name 'local_node'
+uci add_list firewall.local_node.network='local_node'
+uci_set firewall local_node input 'ACCEPT'
+uci_set firewall local_node output 'ACCEPT'
+uci_set firewall local_node forward 'REJECT'
+uci_commit firewall