From f7cb80e7f8fbb49f9719aaa09ed69c45259fec4c Mon Sep 17 00:00:00 2001
From: Matthias Schiffer
Date: Tue, 14 Jan 2014 01:50:59 +0100
Subject: [PATCH] Add firewall rules

gluon-mesh-batman-adv should not be used without firewall to prevent forwarding of packets from the mesh to the wan interface. For some reason, the firewall package won't work at all without kmod-ipt-nathelper.
---
 gluon/gluon-mesh-batman-adv/Makefile | 2 +-
 .../lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh | 8 ++++++++
 .../lib/gluon/upgrade/next-node/invariant/010-next-node | 9 +++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/gluon/gluon-mesh-batman-adv/Makefile b/gluon/gluon-mesh-batman-adv/Makefile
index 2e99dfa..a800f97 100644
--- a/gluon/gluon-mesh-batman-adv/Makefile
+++ b/gluon/gluon-mesh-batman-adv/Makefile
@@ -12,7 +12,7 @@ define Package/gluon-mesh-batman-adv
 SECTION:=gluon
 CATEGORY:=Gluon
 TITLE:=Support for batman-adv meshing
- DEPENDS:=+gluon-core +kmod-batman-adv
+ DEPENDS:=+gluon-core +kmod-batman-adv +firewall +kmod-ipt-nathelper
 endef
 
 define Package/gluon-mesh-batman-adv/description
diff --git a/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh b/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh
index d721264..3e3da51 100755
--- a/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh
+++ b/gluon/gluon-mesh-batman-adv/files/lib/gluon/upgrade/mesh-batman-adv/initial/010-mesh
@@ -18,6 +18,14 @@ uci_set network client peerdns '0'
 uci_set network client macaddr "$(sysconfig primary_mac)"
 uci_commit network
 
+uci_add firewall zone client
+uci_set firewall client name 'client'
+uci add_list firewall.client.network='client'
+uci_set firewall client input 'ACCEPT'
+uci_set firewall client output 'ACCEPT'
+uci_set firewall client forward 'REJECT'
+uci_commit firewall
+
 uci_add dhcp dhcp client
 uci_set dhcp client interface 'client'
 uci_set dhcp client ignore '1'
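Review bot: The `+kmod-ipt-nathelper` dependency on the DEPENDS line is a workaround whose cause the commit message admits is unknown, and nothing in the Makefile records that; add a comment above the line such as `# kmod-ipt-nathelper: the firewall package does not start without it (cause unknown, see commit f7cb80e); drop once understood`. As far as I recall that package pulls the conntrack/NAT ALG helper modules (ftp, irc, ...) into the kernel, which widens the attack surface of a node that only needs packet filtering here, so the dependency deserves to stay visible as temporary rather than silently becoming permanent.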
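Review bot: The new zone covers only the `client` network, so any interface the mesh scripts bring up that is not assigned to a zone falls back to the firewall's `config defaults` section, which this hunk leaves untouched; the commit's goal of rejecting mesh-to-wan forwarding therefore rests on the stock OpenWrt defaults (forward REJECT) rather than on anything this script sets. Making that intent explicit costs one line next to the other raw uci call, `uci set firewall.@defaults[0].forward='REJECT'`, assuming the shipped defaults section is present on the target image. `input 'ACCEPT'` also exposes every local service (e.g. dropbear) to anyone on the client bridge; if that is intended, say so above the block with `# client zone: node services reachable from the mesh, no forwarding to other zones`. Mixing the `uci_set` helpers with a raw `uci add_list` is a style wart; `uci_add_list firewall client network 'client'` would match the surrounding lines if the helper library provides it.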
diff --git a/gluon/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node b/gluon/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node
index 445b6d4..bec0e1c 100755
--- a/gluon/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node
+++ b/gluon/gluon-next-node/generate/lib/gluon/upgrade/next-node/invariant/010-next-node
@@ -34,3 +34,12 @@ uci_set network local_node_route6 target '@prefix6@'
 uci_set network local_node_route6 gateway '::'
 uci_commit network
+ uci_remove firewall local_node
+uci_add firewall zone local_node
+uci_set firewall local_node name 'local_node'
+uci add_list firewall.local_node.network='local_node'
+uci_set firewall local_node input 'ACCEPT'
+uci_set firewall local_node output 'ACCEPT'
+uci_set firewall local_node forward 'REJECT'
+uci_commit firewall
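Review bot: `uci_remove firewall local_node` runs before the section exists on a node's first pass through this invariant script, and as far as I recall the OpenWrt helper then exits non-zero ("Entry not found"); if the script runs under `set -e` — its head is outside the hunk — that aborts it before the zone is created, so guard the call with `uci_remove firewall local_node 2>/dev/null || true` or test for the section first. This file belongs to gluon-next-node, whose Makefile is not in the diff, while only gluon-mesh-batman-adv gains the `+firewall` dependency; if next-node can be installed without that package, the zone written here has no consumer, so the dependency is worth adding there too. The remove-then-add pattern is the right shape for an invariant script, but a one-line comment would save the next reader a puzzle: `# invariant script: recreate the zone from scratch on every upgrade`.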