[RFC PATCH 5/5] fff-network: enable forwarding; filter forwarding
robert
rlanghammer at web.de
Mi Feb 14 11:31:01 CET 2018
Hallo Tim, s.u.
Am 13.02.2018 um 21:40 schrieb Tim Niemeyer:
> Fixes #83
> Signed-off-by: Tim Niemeyer <tim at tn-x.org>
> ---
>
> src/packages/fff/fff-network/Makefile | 2 +-
> src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf | 5 ++++-
> .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding | 2 ++
> src/packages/fff/fff-network/files/usr/sbin/configurenetwork | 1 +
> 4 files changed, 8 insertions(+), 2 deletions(-)
> create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>
> diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
> index 348897d..980800a 100644
> --- a/src/packages/fff/fff-network/Makefile
> +++ b/src/packages/fff/fff-network/Makefile
> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
> CATEGORY:=Freifunk
> TITLE:= Freifunk-Franken network configuration
> URL:=http://www.freifunk-franken.de
> - DEPENDS:=+fff-uradvd +fff-boardname
> + DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
> endef
>
> define Package/$(PKG_NAME)/description
> diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> index 7fe4725..4f1c24f 100644
> --- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
> net.ipv4.icmp_echo_ignore_broadcasts=1
> net.ipv4.icmp_ignore_bogus_error_responses=1
> net.ipv4.ip_forward=0
> -# net.ipv6.conf.all.forwarding=1
>
> # disable bridge firewalling by default
> net.bridge.bridge-nf-call-arptables=0
> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
> # How many global unicast IPv6 addresses can be assigned to each interface?
> net.ipv6.conf.default.max_addresses = 0
> net.ipv6.conf.all.max_addresses = 0
Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0 ist
ja unbegrenzt.
> +
> +# Enable forwarding, otherwise not all local route are examined
> +net.ipv6.conf.default.forwarding=0
> +net.ipv6.conf.all.forwarding=1
Das muss man umdrehen. conf.all ueberschreibt auch conf.default und dann
ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein.
Damitdas IsRouter Flag nicht gesetzt wird.
Robert
> diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> new file mode 100644
> index 0000000..793b0d8
> --- /dev/null
> +++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> @@ -0,0 +1,2 @@
> +/sbin/iptables -P FORWARD DROP
> +/sbin/ip6tables -P FORWARD DROP
> diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> index 38d7413..e0f2ba4 100755
> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> @@ -40,6 +40,7 @@ setAutoConf() {
> echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
> echo "net.ipv6.conf.$iface.autoconf = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
> echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
> + echo "net.ipv6.conf.$iface.forwarding = 0" >> /etc/sysctl.d/51-fff-network-wan.conf
>
> /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
> }
Mehr Informationen über die Mailingliste franken-dev