
Add BCP38 implementation package (from CeroWrt).

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
lilik-openwrt-22.03
Toke Høiland-Jørgensen 10 years ago
parent
commit
0a38785592
4 changed files with 201 additions and 0 deletions
  1. +62
    -0
      net/bcp38/Makefile
  2. +22
    -0
      net/bcp38/files/bcp38.config
  3. +13
    -0
      net/bcp38/files/bcp38.defaults
  4. +104
    -0
      net/bcp38/files/run.sh

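--- /dev/null
+++ b/net/bcp38/Makefile
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2014 Openwrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+include $(TOPDIR)/rules.mk
+PKG_NAME:=bcp38
+PKG_VERSION:=4
+PKG_RELEASE:=1
+PKG_LICENCE:=GPLv3
+include $(INCLUDE_DIR)/package.mk
+define Package/bcp38
+SECTION:=net
+CATEGORY:=Network
+SUBMENU:=Routing and Redirection
+TITLE:=BCP38 compliance
+URL:=https://github.com/dtaht/ceropackages-3.10
+MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
+DEPENDS:=+ipset
+endef
+define Package/bcp38/description
+bcp38 implements IETF BCP38 for home routers. See https://tools.ietf.org/html/bcp38.
+endef
+define Package/bcp38/conffiles
+/etc/config/bcp38
+endef
+define Build/Prepare
+endef
+define Build/Configure
+endef
+define Build/Compile
+endef
+define Package/bcp38/install
+$(INSTALL_DIR) $(1)/etc/config
+$(INSTALL_CONF) ./files/bcp38.config $(1)/etc/config/bcp38
+$(INSTALL_DIR) $(1)/usr/lib/bcp38
+$(INSTALL_BIN) ./files/run.sh $(1)/usr/lib/bcp38/run.sh
+$(INSTALL_DIR) $(1)/etc/uci-defaults
+$(INSTALL_BIN) ./files/bcp38.defaults $(1)/etc/uci-defaults/bcp38
+endef
+define Package/bcp38/postinst
+#!/bin/sh
+[ -x /etc/uci-defaults/bcp38 ] && /etc/uci-defaults/bcp38 || exit 0
+endef
+define Package/bcp38/postrm
+#!/bin/sh
+uci delete firewall.bcp38
+uci commit
+endef
+$(eval $(call BuildPackage,bcp38))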
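Review bot: The postrm (`uci delete firewall.bcp38` / `uci commit`) removes the firewall include but leaves the BCP38 chain, its three jump rules and the bcp38-ipv4 ipset loaded in the kernel until the next firewall reload, and the bare `uci commit` also commits any unrelated pending changes in every other config. run.sh already tears everything down when given any argument (`STOP=$1` skips setup while the destroy_* calls still run), so a `prerm` hook — by postrm time the file is presumably already gone — can call `[ -n "${IPKG_INSTROOT}" ] || /usr/lib/bcp38/run.sh stop`, and the commit should be narrowed to `uci commit firewall`. The postinst runs `/etc/uci-defaults/bcp38` without the same `IPKG_INSTROOT` guard, so at image-build time it would execute on the build host instead of being left for first boot. Separately, `PKG_LICENCE:=GPLv3` is misspelled (the buildroot variable is `PKG_LICENSE`, so this one is ignored) and disagrees with the "GPL v2" header comment three lines above it.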
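--- /dev/null
+++ b/net/bcp38/files/bcp38.config
@@ -0,0 +1,22 @@
+config bcp38
+option enabled 1
+option interface 'ge00'
+option detect_upstream 1
+list match '127.0.0.0/8'
+list match '0.0.0.0/8' # RFC 1700
+list match '240.0.0.0/4' # RFC 5745
+list match '192.0.2.0/24' # RFC 5737
+list match '198.51.100.0/24' # RFC 5737
+list match '203.0.113.0/24' # RFC 5737
+list match '192.168.0.0/16' # RFC 1918
+list match '10.0.0.0/8' # RFC 1918
+list match '172.16.0.0/12' # RFC 1918
+list match '169.254.0.0/16' # RFC 3927
+# list nomatch '172.26.0.0/21' # Example of something not to match
+# There is a dhcp trigger to do this for the netmask of a
+# double natted connection needed
+# I will argue that this level of indirection doesn't scale
+# very well - see how to block china as an example
+# http://www.okean.com/china.txt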
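Review bot: The default `option interface 'ge00'` is a CeroWrt device name; run.sh feeds it straight into `ip route show dev` and the iptables `-i`/`-o` matches, so on any other OpenWrt build the rules are installed but never match anything until the user edits it — a comment such as `# Set to the WAN *device* name (e.g. eth0.2), not the UCI interface name` next to the option would avoid a silently ineffective filter. The match list also omits 100.64.0.0/10 (RFC 6598 shared address space), which is a bogon as a public-Internet source just like the RFC 1918 blocks; with detect_upstream enabled the local upstream prefix should still be added as a nomatch exception, so a CGNAT-attached router ought to keep working. Two of the RFC citations look off: 0.0.0.0/8 is from RFC 1122 and 240.0.0.0/4 is reserved by RFC 1112 (listed in RFC 5735), whereas RFC 5745 is unrelated.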
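--- /dev/null
+++ b/net/bcp38/files/bcp38.defaults
@@ -0,0 +1,13 @@
+#!/bin/sh
+uci -q batch <<-EOT
+delete firewall.bcp38
+set firewall.bcp38=include
+set firewall.bcp38.type=script
+set firewall.bcp38.path=/usr/lib/bcp38/run.sh
+set firewall.bcp38.family=IPv4
+set firewall.bcp38.reload=1
+commit firewall
+EOT
+exit 0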
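--- /dev/null
+++ b/net/bcp38/files/run.sh
@@ -0,0 +1,104 @@
+#!/bin/sh
+# BCP38 filtering implementation for CeroWrt.
+#
+# This program is free software; you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free Software
+# Foundation; either version 3 of the License, or (at your option) any later
+# version.
+#
+# Author: Toke Høiland-Jørgensen <toke@toke.dk>
+STOP=$1
+IPSET_NAME=bcp38-ipv4
+IPTABLES_CHAIN=BCP38
+. /lib/functions.sh
+config_load bcp38
+add_bcp38_rule()
+{
+local subnet="$1"
+local action="$2"
+if [ "$action" == "nomatch" ]; then
+ipset add "$IPSET_NAME" "$subnet" nomatch
+else
+ipset add "$IPSET_NAME" "$subnet"
+fi
+}
+detect_upstream()
+{
+local interface="$1"
+subnets=$(ip route show dev "$interface" | grep 'scope link' | awk '{print $1}')
+for subnet in $subnets; do
+# ipset test doesn't work for subnets, so strip out the subnet part
+# and test for that; add as exception if there's a match
+addr=$(echo $subnet | sed 's|/[0-9]\+$||')
+ipset test "$IPSET_NAME" $addr 2>/dev/null && add_bcp38_rule $subnet nomatch
+done
+}
+run() {
+local section="$1"
+local enabled
+local interface
+local detect_upstream
+config_get_bool enabled "$section" enabled 0
+config_get interface "$section" interface
+config_get detect_upstream "$section" detect_upstream
+if [ "$enabled" -eq "1" -a -n "$interface" -a -z "$STOP" ] ; then
+setup_ipset
+setup_iptables "$interface"
+config_list_foreach "$section" match add_bcp38_rule match
+config_list_foreach "$section" nomatch add_bcp38_rule nomatch
+[ "$detect_upstream" -eq "1" ] && detect_upstream "$interface"
+fi
+exit 0
+}
+setup_ipset()
+{
+ipset create "$IPSET_NAME" hash:net family ipv4
+ipset flush "$IPSET_NAME"
+}
+setup_iptables()
+{
+local interface="$1"
+iptables -N "$IPTABLES_CHAIN" 2>/dev/null
+iptables -F "$IPTABLES_CHAIN" 2>/dev/null
+iptables -I output_rule -j "$IPTABLES_CHAIN"
+iptables -I input_rule -j "$IPTABLES_CHAIN"
+iptables -I forwarding_rule -j "$IPTABLES_CHAIN"
+# always accept DHCP traffic
+iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN
+iptables -A "$IPTABLES_CHAIN" -o "$interface" -m set --match-set "$IPSET_NAME" dst -j REJECT --reject-with icmp-net-unreachable
+iptables -A "$IPTABLES_CHAIN" -i "$interface" -m set --match-set "$IPSET_NAME" src -j DROP
+}
+destroy_ipset()
+{
+ipset flush "$IPSET_NAME" 2>/dev/null
+ipset destroy "$IPSET_NAME" 2>/dev/null
+}
+destroy_iptables()
+{
+iptables -D output_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+iptables -D input_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+iptables -D forwarding_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+iptables -F "$IPTABLES_CHAIN" 2>/dev/null
+iptables -X "$IPTABLES_CHAIN" 2>/dev/null
+}
+destroy_iptables
+destroy_ipset
+config_foreach run bcp38
+exit 0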
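Review bot: The `exit 0` at the end of run() terminates the whole script after the first `bcp38` section, so `config_foreach run bcp38` can never process a second section and the exit fires even when that first section is disabled; it should be `return 0`. `config_get detect_upstream "$section" detect_upstream` has no default, so when the option is absent the test `[ "$detect_upstream" -eq "1" ]` evaluates `"" -eq 1` and the shell prints a bad-number error to stderr on every firewall reload — `config_get_bool detect_upstream "$section" detect_upstream 0` is the idiomatic form and matches how `enabled` is read two lines above. Also worth noting that detect_upstream calls `ipset add ... nomatch` without `-exist`, so an upstream prefix that exactly equals a listed block (e.g. a provider handing out all of 10.0.0.0/8) fails to add and the exception is silently lost. Minor: `==` inside `[ ]` is a bashism under `#!/bin/sh`; busybox ash tolerates it, but `=` is the portable spelling.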