
gluon-core, gluon-client-bridge: create local_client zone in core

As core defines basic rules for this zone, it makes sense to create it
there.
Matthias Schiffer 6 years ago
parent
commit
2b1ffb3034

+ 3 - 8
package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network

@@ -51,14 +51,9 @@ uci:section('firewall', 'zone', 'drop', {
 	forward = 'DROP',
 })
 
-uci:section('firewall', 'zone', 'local_client', {
-	name = 'local_client',
-	network = {'local_node'},
-	input = 'REJECT',
-	output = 'ACCEPT',
-	forward = 'REJECT',
-})
-
+local networks = uci:get_list('firewall', 'local_client', 'network')
+util.add_to_set(networks, 'local_node')
+uci:set_list('firewall', 'local_client', 'network', networks)
 
 
 local dnsmasq = uci:get_first('dhcp', 'dnsmasq')
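Review bot: The three added lines starting at `local networks = uci:get_list('firewall', 'local_client', 'network')` assume the `local_client` zone section already exists when this script runs; if it does not, `get_list` presumably yields an empty list and `set_list` writes to a section nothing created, and the only thing guaranteeing the order is the upgrade-script numbering (gluon-core's 140 before this 300), which the hunk does not record anywhere. I would state that contract above the first added line, e.g. `-- the local_client zone itself is created by gluon-core (140-firewall-rules); here we only attach our interface to it`. Whether `util` is in scope at this point cannot be seen from the hunk, as the file's head lies outside it.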

+ 31 - 32
package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules

@@ -14,40 +14,16 @@ end
 
 uci:foreach('firewall', 'zone', reject_input_on_wan)
 
--- the client zone is set up by gluon-client-bridge
---
-uci:section('firewall', 'zone', 'mesh', {
-	name = 'mesh',
-	network = {},
-	input = 'REJECT',
-	output = 'ACCEPT',
-	forward = 'REJECT',
-})
-
--- allow inbound ssh from anywhere
-for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
-	uci:section('firewall', 'rule', zone .. '_ssh', {
-		name =  zone .. '_ssh',
-		src = zone,
-		dest_port = '22',
-		proto = 'tcp',
-		target = 'ACCEPT',
+for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
+	-- Other packages assign interfaces to these zones
+	uci:section('firewall', 'zone', zone, {
+		name = zone,
+		network = {},
+		input = 'REJECT',
+		output = 'ACCEPT',
+		forward = 'REJECT',
 	})
-end
-
 
--- allow icmp in/out on all relevant zones
-uci:section('firewall', 'rule',  'local_client_ICMPv4_in', {
-	src = 'local_client',
-	proto = 'icmp',
-	icmp_type = {
-		'echo-request',
-	},
-	family = 'ipv4',
-	target = 'ACCEPT',
-})
-
-for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
 	uci:section('firewall', 'rule',  zone .. '_ICMPv6_in', {
 		src = zone,
 		proto = 'icmp',
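Review bot: The merged loop at `for _, zone in ipairs ({ 'mesh', 'local_client' } ) do` now does two things, creating the zone and adding its ICMPv6 rules, but the removed header `-- allow icmp in/out on all relevant zones` is not carried over, so the `uci:section('firewall', 'rule',  zone .. '_ICMPv6_in', {` call and those after it are left unexplained; I would put `-- allow ICMPv6 in/out on this zone` directly above that call. The comment `-- Other packages assign interfaces to these zones` should also say that `network = {}` is written on every run, so if `uci:section` replaces the section wholesale, as it appears to, each consuming package must re-add its interface in a later upgrade script on every upgrade, e.g. `-- Other packages assign interfaces to these zones in later upgrade scripts; the list is reset to empty here on every run`. The loop body continues past the end of this hunk.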
@@ -77,4 +53,27 @@ for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
 	uci:delete('firewall', zone .. '_ICMPv6_out')
 end
 
+uci:section('firewall', 'rule',  'local_client_ICMPv4_in', {
+	src = 'local_client',
+	proto = 'icmp',
+	icmp_type = {
+		'echo-request',
+	},
+	family = 'ipv4',
+	target = 'ACCEPT',
+})
+
+
+-- allow inbound SSH from anywhere
+for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
+	uci:section('firewall', 'rule', zone .. '_ssh', {
+		name =  zone .. '_ssh',
+		src = zone,
+		dest_port = '22',
+		proto = 'tcp',
+		target = 'ACCEPT',
+	})
+end
+
+
 uci:save('firewall')