[RFC PATCH 5/5] fff-network: enable forwarding; filter forwarding

robert rlanghammer at web.de
Mi Feb 14 11:31:01 CET 2018


Hallo Tim, s.u.


Am 13.02.2018 um 21:40 schrieb Tim Niemeyer:
> Fixes #83
> Signed-off-by: Tim Niemeyer <tim at tn-x.org>
> ---
>
>  src/packages/fff/fff-network/Makefile                                | 2 +-
>  src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf  | 5 ++++-
>  .../fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding   | 2 ++
>  src/packages/fff/fff-network/files/usr/sbin/configurenetwork         | 1 +
>  4 files changed, 8 insertions(+), 2 deletions(-)
>  create mode 100644 src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
>
> diff --git a/src/packages/fff/fff-network/Makefile b/src/packages/fff/fff-network/Makefile
> index 348897d..980800a 100644
> --- a/src/packages/fff/fff-network/Makefile
> +++ b/src/packages/fff/fff-network/Makefile
> @@ -13,7 +13,7 @@ define Package/$(PKG_NAME)
>      CATEGORY:=Freifunk
>      TITLE:= Freifunk-Franken network configuration
>      URL:=http://www.freifunk-franken.de
> -    DEPENDS:=+fff-uradvd +fff-boardname
> +    DEPENDS:=+fff-uradvd +fff-boardname +fff-firewall
>  endef
>  
>  define Package/$(PKG_NAME)/description
> diff --git a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> index 7fe4725..4f1c24f 100644
> --- a/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> +++ b/src/packages/fff/fff-network/files/etc/sysctl.d/50-fff-network.conf
> @@ -26,7 +26,6 @@ net.ipv4.conf.default.accept_redirects=0
>  net.ipv4.icmp_echo_ignore_broadcasts=1
>  net.ipv4.icmp_ignore_bogus_error_responses=1
>  net.ipv4.ip_forward=0
> -# net.ipv6.conf.all.forwarding=1
>  
>  # disable bridge firewalling by default
>  net.bridge.bridge-nf-call-arptables=0
> @@ -68,3 +67,7 @@ net.ipv6.conf.all.dad_transmits = 3
>  # How many global unicast IPv6 addresses can be assigned to each interface?
>  net.ipv6.conf.default.max_addresses = 0
>  net.ipv6.conf.all.max_addresses = 0
Hier koennte man der Empfehlung folgen und den Wert auf 16 setzen. 0 ist
ja unbegrenzt.
> +
> +# Enable forwarding, otherwise not all local route are examined
> +net.ipv6.conf.default.forwarding=0
> +net.ipv6.conf.all.forwarding=1
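Review bot: The comment on the new `forwarding` lines does not say why forwarding is being switched on or what now prevents the node from routing between its interfaces, and "not all local route are examined" is too vague for a setting that turns the box into an IPv6 router. The same patch relies on `ip6tables -P FORWARD DROP` in firewall.d/06-disable-forwarding to block that traffic, and that coupling should be visible here; IPv4 stays non-forwarding via `net.ipv4.ip_forward=0` a few lines up, so only the IPv6 side changes. I would replace the comment with `# Enable IPv6 forwarding so the kernel considers all local routes when routing.`, `# Forwarding between interfaces is then blocked by the ip6tables FORWARD DROP`, `# policy in firewall.d/06-disable-forwarding; IPv4 forwarding stays off above.` It would also help to state which interfaces are expected to end up with forwarding=0 (the WAN interface via 51-fff-network-wan.conf, presumably also br-mesh) so the intended per-interface result can be checked against `sysctl net.ipv6.conf`.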
Das muss man umdrehen. conf.all ueberschreibt auch conf.default und dann
ist es wieder ueberall an. Und auf br-mesh sollte es ja aus sein.
Damit das IsRouter Flag nicht gesetzt wird.

Robert
> diff --git a/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> new file mode 100644
> index 0000000..793b0d8
> --- /dev/null
> +++ b/src/packages/fff/fff-network/files/usr/lib/firewall.d/06-disable-forwarding
> @@ -0,0 +1,2 @@
> +/sbin/iptables -P FORWARD DROP
> +/sbin/ip6tables -P FORWARD DROP
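Review bot: With `net.ipv6.conf.all.forwarding=1` set in the same patch, the `ip6tables -P FORWARD DROP` line is now the only thing that stops the router from forwarding IPv6 between its interfaces, but the file does not say so and does not guard against the ways a chain policy can be bypassed. A chain policy applies only to packets that match no rule, so any ACCEPT rule in FORWARD added by another firewall.d script (before or after `06-`, depending on how these scripts are run) silently re-enables forwarding; and if the ip6tables binary is not present the command fails without the script noticing, which is presumably what the new `+fff-firewall` dependency is meant to cover. I would add a header comment, `# IPv6 forwarding is enabled in sysctl.d/50-fff-network.conf; these DROP policies are what actually prevent routing between interfaces. Any ACCEPT rule in FORWARD added elsewhere bypasses them.`, and at minimum log a failure, `/sbin/ip6tables -P FORWARD DROP || logger -t firewall "could not set ip6tables FORWARD policy"`. Whether firewall.d scripts are sourced or executed (and so whether a shebang is needed) is not visible from this hunk.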
> diff --git a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> index 38d7413..e0f2ba4 100755
> --- a/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> +++ b/src/packages/fff/fff-network/files/usr/sbin/configurenetwork
> @@ -40,6 +40,7 @@ setAutoConf() {
>      echo "net.ipv6.conf.$iface.accept_ra_pinfo = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
>      echo "net.ipv6.conf.$iface.autoconf = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
>      echo "net.ipv6.conf.$iface.accept_ra_rtr_pref = $on" >> /etc/sysctl.d/51-fff-network-wan.conf
> +    echo "net.ipv6.conf.$iface.forwarding = 0" >> /etc/sysctl.d/51-fff-network-wan.conf
>  
>      /sbin/sysctl -p /etc/sysctl.d/51-fff-network-wan.conf
>  }
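Review bot: The added `forwarding = 0` line is written unconditionally while every neighbouring line in setAutoConf is driven by `$on`, so a later reader will take it for a copy-paste mistake unless the reason is stated. If the intent is that the WAN interface must never forward regardless of autoconf, say so where the line is: `# forwarding stays off on the WAN interface regardless of $on: with forwarding=1 the kernel ignores RAs unless accept_ra=2`. Note that this per-interface 0 is written into 51-fff-network-wan.conf and applied by the `sysctl -p` below, i.e. after 50-fff-network.conf has already set `all.forwarding=1`, so the value depends on this function having run; whether 50-fff-network.conf can be re-applied afterwards (which would flip the interface back to 1) is not visible here. setAutoConf begins before this hunk.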


