path: root/net/cni-protocol/Makefile
blob: 3711452b761a60607a1915f6e538fe2123a345d8 (plain)
include $(TOPDIR)/rules.mk

# Package identity consumed by package.mk (included below).
# PKG_VERSION looks like a date stamp (YYYYMMDD) -- presumably the date of the
# bundled ./files/cni.sh; confirm it is bumped whenever that script changes.
# No PKG_SOURCE/PKG_HASH is set: the only payload visible in this Makefile is
# the in-tree ./files/cni.sh, so its integrity rests on the repository history.
# NOTE(review): no PKG_LICENSE is declared here -- confirm the intended license.
PKG_NAME:=cni-protocol
PKG_VERSION:=20231008
PKG_RELEASE:=1

PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>

include $(INCLUDE_DIR)/package.mk

# Package metadata: menu placement (Network), title and architecture.
# PKGARCH:=all marks the package as architecture-independent, which matches
# the install step below (a single shell script is shipped).
# NOTE(review): no DEPENDS line is declared. The script is installed under
# /lib/netifd/proto, so it presumably relies on netifd being present --
# confirm whether a runtime dependency should be stated explicitly.
define Package/cni-protocol
  SECTION:=net
  CATEGORY:=Network
  TITLE:=cni netifd protocol
  PKGARCH:=all
endef

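# Long description shown to users of the package. It is documentation only:
# nothing in this Makefile creates the zones, rules or redirects it describes;
# they have to be set up in the firewall configuration by the administrator.
# Comments are kept outside the define so they do not end up in the
# description text.
# NOTE(review): the text asks for a rule accepting connections from the cni
# network to port 53 and for forwarding from/to wan. Readers should keep the
# DNS rule limited to port 53 and keep the "not the other way around"
# isolation between the cni network and local networks intact.
define Package/cni-protocol/description
  protocol support for netavark/cni networks for netifd
  makes defining networks for podman and other similar
  systems easier and simple.

  with protocol, a network where firewall and portmapper
  management is disabled, control of firewalling, whether
  it was exposing ports, and forwarding to them from wan,
  or limiting/accepting access to other networks such
  as lan can be made through openwrt's own firewalling
  configuration.

  example configuration could be as follows:
    - lan network: 10.0.0.0/16 (255.255.0.0)
    - container network: 10.129.0.1/24 (255.255.255.0)

  Add a network configuration for your container network
  using cni protocol. Then create firewall zone for it.

  You could create a new container/pod with static ip
  address 10.129.0.2 (with 10.129.0.1 as container network's
  gateway).

  Easily define permissions so that local networks can
  connect to cni network, but not the other way around.
  Also you want to allow forwarding from/to wan.

  Now, as cni cannot access local dns, make a rule for
  your firewall to accept connections from cni network
  to port 53 (dns).

  Now all you have to do, is make redirects to your firewall
  and point them to 10.129.0.2 and connections from wan are
  redirected to containers/pods.

  Protocol has 2 settings: device and delay. Sometimes polling
  interfaces takes some time, and in that case you might want
  to add a few seconds to delay. Otherwise, it can be excluded
  from configuration.
endef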

# Intentionally empty: overrides the default configure step. The package
# ships only the pre-written ./files/cni.sh, so there is nothing to configure.
define Build/Configure
endef

# Intentionally empty: overrides the default compile step. No sources are
# built; the install step below copies the shell script as-is.
define Build/Compile
endef

# Install step: $(1) is the package's staging root. Creates lib/netifd/proto
# and copies ./files/cni.sh there using $(INSTALL_BIN), i.e. as an executable.
# NOTE(review): files in this directory are presumably loaded by netifd as
# protocol handlers with its privileges -- review ./files/cni.sh with that in
# mind, especially how it handles the "device" and "delay" settings.
define Package/cni-protocol/install
	$(INSTALL_DIR) $(1)/lib/netifd/proto
	$(INSTALL_BIN) ./files/cni.sh $(1)/lib/netifd/proto/cni.sh
endef

# Instantiate the build and packaging rules for cni-protocol from the
# Package/cni-protocol* definitions above (BuildPackage comes from package.mk).
$(eval $(call BuildPackage,cni-protocol))