AA: firewall3: rename to firewall, move into base system menu, update to git head...
authorJo-Philipp Wich <jow@openwrt.org>
Tue, 4 Jun 2013 12:32:24 +0000 (12:32 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Tue, 4 Jun 2013 12:32:24 +0000 (12:32 +0000)
SVN-Revision: 36842

package/firewall/Makefile [new file with mode: 0644]
package/firewall/files/firewall.config [new file with mode: 0644]
package/firewall/files/firewall.hotplug [new file with mode: 0644]
package/firewall/files/firewall.init [new file with mode: 0755]
package/firewall/files/firewall.user [new file with mode: 0644]
package/firewall3/Makefile [deleted file]
package/firewall3/files/firewall.config [deleted file]
package/firewall3/files/firewall.hotplug [deleted file]
package/firewall3/files/firewall.init [deleted file]
package/firewall3/files/firewall.user [deleted file]

diff --git a/package/firewall/Makefile b/package/firewall/Makefile
new file mode 100644 (file)
index 0000000..18a8601
--- /dev/null
@@ -0,0 +1,66 @@
+#
+# Copyright (C) 2013 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewall
+PKG_VERSION:=2013-06-04
+PKG_RELEASE:=$(PKG_SOURCE_VERSION)
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=git://nbd.name/firewall3.git
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=5ee2129eaa23a28bfef6d20c273cafc0be559b3d
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org>
+
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/kernel.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/firewall
+  SECTION:=net
+  CATEGORY:=Base system
+  TITLE:=OpenWrt C Firewall
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables
+endef
+
+define Package/firewall/description
+ This package provides a config-compatible C implementation of the UCI firewall.
+endef
+
+define Package/firewall/conffiles
+/etc/config/firewall
+/etc/firewall.user
+endef
+
+define Build/Configure
+       $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext.a)
+       $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext4.a)
+       $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext6.a)
+       $(call Build/Configure/Default)
+endef
+
+TARGET_CFLAGS += -ffunction-sections -fdata-sections
+TARGET_LDFLAGS += -Wl,--gc-sections
+CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1)
+
+define Package/firewall/install
+       $(INSTALL_DIR) $(1)/sbin
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3
+       $(INSTALL_DIR) $(1)/etc/init.d
+       $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
+       $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+       $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
+       $(INSTALL_DIR) $(1)/etc/config/
+       $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
+       $(INSTALL_DIR) $(1)/etc/
+       $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
+endef
+
+$(eval $(call BuildPackage,firewall))
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
new file mode 100644 (file)
index 0000000..acfb5e5
--- /dev/null
@@ -0,0 +1,177 @@
+config defaults
+       option syn_flood        1
+       option input            ACCEPT
+       option output           ACCEPT
+       option forward          REJECT
+# Uncomment this line to disable ipv6 rules
+#      option disable_ipv6     1
+
+config zone
+       option name             lan
+       list   network          'lan'
+       option input            ACCEPT
+       option output           ACCEPT
+       option forward          REJECT
+
+config zone
+       option name             wan
+       list   network          'wan'
+       list   network          'wan6'
+       option input            REJECT
+       option output           ACCEPT
+       option forward          REJECT
+       option masq             1
+       option mtu_fix          1
+
+config forwarding
+       option src              lan
+       option dest             wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+       option name             Allow-DHCP-Renew
+       option src              wan
+       option proto            udp
+       option dest_port        68
+       option target           ACCEPT
+       option family           ipv4
+
+# Allow IPv4 ping
+config rule
+       option name             Allow-Ping
+       option src              wan
+       option proto            icmp
+       option icmp_type        echo-request
+       option family           ipv4
+       option target           ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+       option name             Allow-DHCPv6
+       option src              wan
+       option proto            udp
+       option src_ip           fe80::/10
+       option src_port         547
+       option dest_ip          fe80::/10
+       option dest_port        546
+       option family           ipv6
+       option target           ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+       option name             Allow-ICMPv6-Input
+       option src              wan
+       option proto    icmp
+       list icmp_type          echo-request
+       list icmp_type          echo-reply
+       list icmp_type          destination-unreachable
+       list icmp_type          packet-too-big
+       list icmp_type          time-exceeded
+       list icmp_type          bad-header
+       list icmp_type          unknown-header-type
+       list icmp_type          router-solicitation
+       list icmp_type          neighbour-solicitation
+       list icmp_type          router-advertisement
+       list icmp_type          neighbour-advertisement
+       option limit            1000/sec
+       option family           ipv6
+       option target           ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+       option name             Allow-ICMPv6-Forward
+       option src              wan
+       option dest             *
+       option proto            icmp
+       list icmp_type          echo-request
+       list icmp_type          echo-reply
+       list icmp_type          destination-unreachable
+       list icmp_type          packet-too-big
+       list icmp_type          time-exceeded
+       list icmp_type          bad-header
+       list icmp_type          unknown-header-type
+       option limit            1000/sec
+       option family           ipv6
+       option target           ACCEPT
+
+# include a file with users custom iptables rules
+config include
+       option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#      option src              lan
+#      option src_ip   192.168.45.2
+#      option dest             wan
+#      option proto    tcp
+#      option target   REJECT
+
+# block a specific mac on wan
+#config rule
+#      option dest             wan
+#      option src_mac  00:11:22:33:44:66
+#      option target   REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#      option src              lan
+#      option proto    ICMP
+#      option target   DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#      option src                      wan
+#      option src_dport        80
+#      option dest                     lan
+#      option dest_ip          192.168.16.235
+#      option dest_port        80
+#      option proto            tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#      option src              wan
+#      option src_dport        22001
+#      option dest             lan
+#      option dest_port        22
+#      option proto            tcp
+
+# allow IPsec/ESP and ISAKMP passthrough
+#config rule
+#      option src              wan
+#      option dest             lan
+#      option protocol         esp
+#      option target           ACCEPT
+
+#config rule
+#      option src              wan
+#      option dest             lan
+#      option src_port         500
+#      option dest_port        500
+#      option proto            udp
+#      option target           ACCEPT
+
+### FULL CONFIG SECTIONS
+#config rule
+#      option src              lan
+#      option src_ip   192.168.45.2
+#      option src_mac  00:11:22:33:44:55
+#      option src_port 80
+#      option dest             wan
+#      option dest_ip  194.25.2.129
+#      option dest_port        120
+#      option proto    tcp
+#      option target   REJECT
+
+#config redirect
+#      option src              lan
+#      option src_ip   192.168.45.2
+#      option src_mac  00:11:22:33:44:55
+#      option src_port         1024
+#      option src_dport        80
+#      option dest_ip  194.25.2.129
+#      option dest_port        120
+#      option proto    tcp
diff --git a/package/firewall/files/firewall.hotplug b/package/firewall/files/firewall.hotplug
new file mode 100644 (file)
index 0000000..34f3afe
--- /dev/null
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup ] || exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+fw3 -q network "$INTERFACE" >/dev/null || exit 0
+
+logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)"
+fw3 -q reload
diff --git a/package/firewall/files/firewall.init b/package/firewall/files/firewall.init
new file mode 100755 (executable)
index 0000000..64e3a8c
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+
+boot() {
+       # Be silent on boot, firewall might be started by hotplug already,
+       # so don't complain in syslog.
+       fw3 -q start
+}
+
+start() {
+       fw3 start
+}
+
+stop() {
+       fw3 flush
+}
+
+restart() {
+       fw3 restart
+}
+
+reload() {
+       fw3 reload
+}
diff --git a/package/firewall/files/firewall.user b/package/firewall/files/firewall.user
new file mode 100644 (file)
index 0000000..6f79906
--- /dev/null
@@ -0,0 +1,7 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
diff --git a/package/firewall3/Makefile b/package/firewall3/Makefile
deleted file mode 100644 (file)
index 76d756e..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-#
-# Copyright (C) 2013 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-#
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=firewall3
-PKG_VERSION:=2013-06-04
-PKG_RELEASE:=$(PKG_SOURCE_VERSION)
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=git://nbd.name/firewall3.git
-PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=182abe47ae4686944482580b42a972827a0e4b51
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
-PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org>
-
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/kernel.mk
-include $(INCLUDE_DIR)/cmake.mk
-
-define Package/firewall3
-  SECTION:=net
-  CATEGORY:=Network
-  TITLE:=UCI C Firewall
-  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables
-endef
-
-define Package/firewall3/description
- This package provides a config-compatible C implementation of the UCI firewall.
-endef
-
-define Package/firewall3/conffiles
-/etc/config/firewall
-/etc/firewall.user
-endef
-
-define Build/Configure
-       $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext.a)
-       $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext4.a)
-       $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext6.a)
-       $(call Build/Configure/Default)
-endef
-
-TARGET_CFLAGS += -ffunction-sections -fdata-sections
-TARGET_LDFLAGS += -Wl,--gc-sections
-CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1)
-
-define Package/firewall3/install
-       $(INSTALL_DIR) $(1)/sbin
-       $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3
-       $(INSTALL_DIR) $(1)/etc/init.d
-       $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
-       $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
-       $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
-       $(INSTALL_DIR) $(1)/etc/config/
-       $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
-       $(INSTALL_DIR) $(1)/etc/
-       $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
-endef
-
-$(eval $(call BuildPackage,firewall3))
diff --git a/package/firewall3/files/firewall.config b/package/firewall3/files/firewall.config
deleted file mode 100644 (file)
index acfb5e5..0000000
+++ /dev/null
@@ -1,177 +0,0 @@
-config defaults
-       option syn_flood        1
-       option input            ACCEPT
-       option output           ACCEPT
-       option forward          REJECT
-# Uncomment this line to disable ipv6 rules
-#      option disable_ipv6     1
-
-config zone
-       option name             lan
-       list   network          'lan'
-       option input            ACCEPT
-       option output           ACCEPT
-       option forward          REJECT
-
-config zone
-       option name             wan
-       list   network          'wan'
-       list   network          'wan6'
-       option input            REJECT
-       option output           ACCEPT
-       option forward          REJECT
-       option masq             1
-       option mtu_fix          1
-
-config forwarding
-       option src              lan
-       option dest             wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
-       option name             Allow-DHCP-Renew
-       option src              wan
-       option proto            udp
-       option dest_port        68
-       option target           ACCEPT
-       option family           ipv4
-
-# Allow IPv4 ping
-config rule
-       option name             Allow-Ping
-       option src              wan
-       option proto            icmp
-       option icmp_type        echo-request
-       option family           ipv4
-       option target           ACCEPT
-
-# Allow DHCPv6 replies
-# see https://dev.openwrt.org/ticket/10381
-config rule
-       option name             Allow-DHCPv6
-       option src              wan
-       option proto            udp
-       option src_ip           fe80::/10
-       option src_port         547
-       option dest_ip          fe80::/10
-       option dest_port        546
-       option family           ipv6
-       option target           ACCEPT
-
-# Allow essential incoming IPv6 ICMP traffic
-config rule
-       option name             Allow-ICMPv6-Input
-       option src              wan
-       option proto    icmp
-       list icmp_type          echo-request
-       list icmp_type          echo-reply
-       list icmp_type          destination-unreachable
-       list icmp_type          packet-too-big
-       list icmp_type          time-exceeded
-       list icmp_type          bad-header
-       list icmp_type          unknown-header-type
-       list icmp_type          router-solicitation
-       list icmp_type          neighbour-solicitation
-       list icmp_type          router-advertisement
-       list icmp_type          neighbour-advertisement
-       option limit            1000/sec
-       option family           ipv6
-       option target           ACCEPT
-
-# Allow essential forwarded IPv6 ICMP traffic
-config rule
-       option name             Allow-ICMPv6-Forward
-       option src              wan
-       option dest             *
-       option proto            icmp
-       list icmp_type          echo-request
-       list icmp_type          echo-reply
-       list icmp_type          destination-unreachable
-       list icmp_type          packet-too-big
-       list icmp_type          time-exceeded
-       list icmp_type          bad-header
-       list icmp_type          unknown-header-type
-       option limit            1000/sec
-       option family           ipv6
-       option target           ACCEPT
-
-# include a file with users custom iptables rules
-config include
-       option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-#      option src              lan
-#      option src_ip   192.168.45.2
-#      option dest             wan
-#      option proto    tcp
-#      option target   REJECT
-
-# block a specific mac on wan
-#config rule
-#      option dest             wan
-#      option src_mac  00:11:22:33:44:66
-#      option target   REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-#      option src              lan
-#      option proto    ICMP
-#      option target   DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-#      option src                      wan
-#      option src_dport        80
-#      option dest                     lan
-#      option dest_ip          192.168.16.235
-#      option dest_port        80
-#      option proto            tcp
-
-# port redirect of remapped ssh port (22001) on wan
-#config redirect
-#      option src              wan
-#      option src_dport        22001
-#      option dest             lan
-#      option dest_port        22
-#      option proto            tcp
-
-# allow IPsec/ESP and ISAKMP passthrough
-#config rule
-#      option src              wan
-#      option dest             lan
-#      option protocol         esp
-#      option target           ACCEPT
-
-#config rule
-#      option src              wan
-#      option dest             lan
-#      option src_port         500
-#      option dest_port        500
-#      option proto            udp
-#      option target           ACCEPT
-
-### FULL CONFIG SECTIONS
-#config rule
-#      option src              lan
-#      option src_ip   192.168.45.2
-#      option src_mac  00:11:22:33:44:55
-#      option src_port 80
-#      option dest             wan
-#      option dest_ip  194.25.2.129
-#      option dest_port        120
-#      option proto    tcp
-#      option target   REJECT
-
-#config redirect
-#      option src              lan
-#      option src_ip   192.168.45.2
-#      option src_mac  00:11:22:33:44:55
-#      option src_port         1024
-#      option src_dport        80
-#      option dest_ip  194.25.2.129
-#      option dest_port        120
-#      option proto    tcp
diff --git a/package/firewall3/files/firewall.hotplug b/package/firewall3/files/firewall.hotplug
deleted file mode 100644 (file)
index 34f3afe..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/sh
-
-[ "$ACTION" = ifup ] || exit 0
-
-/etc/init.d/firewall enabled || exit 0
-
-fw3 -q network "$INTERFACE" >/dev/null || exit 0
-
-logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)"
-fw3 -q reload
diff --git a/package/firewall3/files/firewall.init b/package/firewall3/files/firewall.init
deleted file mode 100755 (executable)
index 64e3a8c..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh /etc/rc.common
-
-START=19
-
-boot() {
-       # Be silent on boot, firewall might be started by hotplug already,
-       # so don't complain in syslog.
-       fw3 -q start
-}
-
-start() {
-       fw3 start
-}
-
-stop() {
-       fw3 flush
-}
-
-restart() {
-       fw3 restart
-}
-
-reload() {
-       fw3 reload
-}
diff --git a/package/firewall3/files/firewall.user b/package/firewall3/files/firewall.user
deleted file mode 100644 (file)
index 6f79906..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file is interpreted as shell script.
-# Put your custom iptables rules here, they will
-# be executed with each firewall (re-)start.
-
-# Internal uci firewall chains are flushed and recreated on reload, so
-# put custom rules into the root chains e.g. INPUT or FORWARD or into the
-# special user chains, e.g. input_wan_rule or postrouting_lan_rule.