+++ /dev/null
-#
-# Copyright (C) 2014 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-# Please note this is not an officially released version of bcp38
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=bcp38
-PKG_VERSION:=4
-PKG_RELEASE:=1
-PKG_LICENSE:=GPL-2.0
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/bcp38
- SECTION:=net
- CATEGORY:=Network
- SUBMENU:=Routing and Redirection
- TITLE:=BCP38 compliance
- URL:=http://www.github.com/dtaht/bcp38
- MAINTAINER:=Dave Taht <d+bcp38@taht.net>
- DEPENDS:=+ipset
-endef
-
-define Package/bcp38/description
- bcp38 implements rfc bcp 38 for home routers.
-endef
-
-define Package/bcp38/conffiles
-/etc/config/bcp38
-endef
-
-define Build/Prepare
-endef
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
-
-define Package/bcp38/install
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_CONF) ./files/bcp38.config $(1)/etc/config/bcp38
- $(INSTALL_DIR) $(1)/usr/lib/bcp38
- $(INSTALL_BIN) ./files/run.sh $(1)/usr/lib/bcp38/run.sh
- $(INSTALL_DIR) $(1)/etc/uci-defaults
- $(INSTALL_BIN) ./files/bcp38.defaults $(1)/etc/uci-defaults/bcp38
-endef
-
-define Package/bcp38/postinst
-#!/bin/sh
-[ -x /etc/uci-defaults/bcp38 ] && /etc/uci-defaults/bcp38 || exit 0
-endef
-
-define Package/bcp38/postrm
-#!/bin/sh
-uci delete firewall.bcp38
-uci commit
-endef
-
-$(eval $(call BuildPackage,bcp38))
+++ /dev/null
-config bcp38
- option enabled 1
- option interface 'ge00'
- option detect_upstream 1
- list match '127.0.0.0/8'
- list match '0.0.0.0/8' # RFC 1700
- list match '240.0.0.0/4' # RFC 5745
- list match '192.0.2.0/24' # RFC 5737
- list match '198.51.100.0/24' # RFC 5737
- list match '203.0.113.0/24' # RFC 5737
- list match '192.168.0.0/16' # RFC 1918
- list match '10.0.0.0/8' # RFC 1918
- list match '172.16.0.0/12' # RFC 1918
- list match '169.254.0.0/16' # RFC 3927
-
-# list nomatch '172.26.0.0/21' # Example of something not to match
-# There is a dhcp trigger to do this for the netmask of a
-# double natted connection needed
-
-# I will argue that this level of indirection doesn't scale
-# very well - see how to block china as an example
-# http://www.okean.com/china.txt
+++ /dev/null
-#!/bin/sh
-
-uci -q batch <<-EOT
- delete firewall.bcp38
- set firewall.bcp38=include
- set firewall.bcp38.type=script
- set firewall.bcp38.path=/usr/lib/bcp38/run.sh
- set firewall.bcp38.family=IPv4
- set firewall.bcp38.reload=1
- commit firewall
-EOT
-
-exit 0
+++ /dev/null
-#!/bin/sh
-
-STOP=$1
-IPSET_NAME=bcp38-ipv4
-IPTABLES_CHAIN=BCP38
-
-. /lib/functions.sh
-
-config_load bcp38
-
-add_bcp38_rule()
-{
- local subnet="$1"
- local action="$2"
-
- if [ "$action" == "nomatch" ]; then
- ipset add "$IPSET_NAME" "$subnet" nomatch
- else
- ipset add "$IPSET_NAME" "$subnet"
- fi
-}
-
-detect_upstream()
-{
- local interface="$1"
-
- subnets=$(ip route show dev "$interface" | grep 'scope link' | awk '{print $1}')
- for subnet in $subnets; do
- # ipset test doesn't work for subnets, so strip out the subnet part
- # and test for that; add as exception if there's a match
- addr=$(echo $subnet | sed 's|/[0-9]\+$||')
- ipset test "$IPSET_NAME" $addr 2>/dev/null && add_bcp38_rule $subnet nomatch
- done
-}
-
-run() {
- local section="$1"
- local enabled
- local interface
- local detect_upstream
- config_get_bool enabled "$section" enabled 0
- config_get interface "$section" interface
- config_get detect_upstream "$section" detect_upstream
-
- if [ "$enabled" -eq "1" -a -n "$interface" -a -z "$STOP" ] ; then
- setup_ipset
- setup_iptables "$interface"
- config_list_foreach "$section" match add_bcp38_rule match
- config_list_foreach "$section" nomatch add_bcp38_rule nomatch
- [ "$detect_upstream" -eq "1" ] && detect_upstream "$interface"
- fi
- exit 0
-}
-
-setup_ipset()
-{
- ipset create "$IPSET_NAME" hash:net family ipv4
- ipset flush "$IPSET_NAME"
-}
-
-setup_iptables()
-{
- local interface="$1"
- iptables -N "$IPTABLES_CHAIN" 2>/dev/null
- iptables -F "$IPTABLES_CHAIN" 2>/dev/null
-
- iptables -I output_rule -j "$IPTABLES_CHAIN"
- iptables -I input_rule -j "$IPTABLES_CHAIN"
- iptables -I forwarding_rule -j "$IPTABLES_CHAIN"
-
- # always accept DHCP traffic
- iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN
- iptables -A "$IPTABLES_CHAIN" -o "$interface" -m set --match-set "$IPSET_NAME" dst -j REJECT --reject-with icmp-net-unreachable
- iptables -A "$IPTABLES_CHAIN" -i "$interface" -m set --match-set "$IPSET_NAME" src -j DROP
-}
-
-destroy_ipset()
-{
- ipset flush "$IPSET_NAME" 2>/dev/null
- ipset destroy "$IPSET_NAME" 2>/dev/null
-}
-
-destroy_iptables()
-{
- iptables -D output_rule -j "$IPTABLES_CHAIN" 2>/dev/null
- iptables -D input_rule -j "$IPTABLES_CHAIN" 2>/dev/null
- iptables -D forwarding_rule -j "$IPTABLES_CHAIN" 2>/dev/null
- iptables -F "$IPTABLES_CHAIN" 2>/dev/null
- iptables -X "$IPTABLES_CHAIN" 2>/dev/null
-}
-
-destroy_iptables
-destroy_ipset
-config_foreach run bcp38
-
-exit 0