nils/gluon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gluon-core, gluon-client-bridge: create local_client zone in core

Browse Source 
As core defines basic rules for this zone, it makes sense to create it
there.
This commit is contained in:
Matthias Schiffer 2017-12-26 23:15:57 +01:00
parent 8ea5810bda
commit 2b1ffb3034
No known key found for this signature in database
GPG Key ID: 16EF3F64CB201D9C
2 changed files with 35 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network
View File

@ -51,14 +51,9 @@ uci:section('firewall', 'zone', 'drop', {
forward = 'DROP', forward = 'DROP',
}) })
uci:section('firewall', 'zone', 'local_client', { local networks = uci:get_list('firewall', 'local_client', 'network')
name = 'local_client', util.add_to_set(networks, 'local_node')
network = {'local_node'}, uci:set_list('firewall', 'local_client', 'network', networks)
input = 'REJECT',
output = 'ACCEPT',
forward = 'REJECT',
})
local dnsmasq = uci:get_first('dhcp', 'dnsmasq') local dnsmasq = uci:get_first('dhcp', 'dnsmasq')

55
package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules
View File

@ -14,40 +14,16 @@ end
uci:foreach('firewall', 'zone', reject_input_on_wan) uci:foreach('firewall', 'zone', reject_input_on_wan)
-- the client zone is set up by gluon-client-bridge for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
-- -- Other packages assign interfaces to these zones
uci:section('firewall', 'zone', 'mesh', { uci:section('firewall', 'zone', zone, {
name = 'mesh', name = zone,
network = {}, network = {},
input = 'REJECT', input = 'REJECT',
output = 'ACCEPT', output = 'ACCEPT',
forward = 'REJECT', forward = 'REJECT',
}) })
-- allow inbound ssh from anywhere
for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
uci:section('firewall', 'rule', zone .. '_ssh', {
name = zone .. '_ssh',
src = zone,
dest_port = '22',
proto = 'tcp',
target = 'ACCEPT',
})
end
-- allow icmp in/out on all relevant zones
uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {
src = 'local_client',
proto = 'icmp',
icmp_type = {
'echo-request',
},
family = 'ipv4',
target = 'ACCEPT',
})
for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
uci:section('firewall', 'rule', zone .. '_ICMPv6_in', { uci:section('firewall', 'rule', zone .. '_ICMPv6_in', {
src = zone, src = zone,
proto = 'icmp', proto = 'icmp',
@ -77,4 +53,27 @@ for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
uci:delete('firewall', zone .. '_ICMPv6_out') uci:delete('firewall', zone .. '_ICMPv6_out')
end end
uci:section('firewall', 'rule', 'local_client_ICMPv4_in', {
src = 'local_client',
proto = 'icmp',
icmp_type = {
'echo-request',
},
family = 'ipv4',
target = 'ACCEPT',
})
-- allow inbound SSH from anywhere
for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
uci:section('firewall', 'rule', zone .. '_ssh', {
name = zone .. '_ssh',
src = zone,
dest_port = '22',
proto = 'tcp',
target = 'ACCEPT',
})
end
uci:save('firewall') uci:save('firewall')