Changeset 914

Timestamp:

Jan 18, 2017, 8:30:28 PM (6 years ago)

Author:

amain

Message:

debwrt-net: various changes and new example configuration files

Location:

trunk/debian/packages/debwrt-net/trunk

Files:

• debian/changelog (modified) (1 diff)
• etc/dnsmasq-lan1.conf (added)
• etc/firewall/firewall.sh (modified) (6 diffs)
• etc/network/interfaces.ar71xx.rs (added)
• etc/network/interfaces.ar71xx.wr1043nd (added)
• etc/network/interfaces.octeon-native.erlite (added)
• etc/network/interfaces.octeon.erlite (added)
• etc/network/interfaces.wr1043nd (deleted)

trunk/debian/packages/debwrt-net/trunk/debian/changelog

@@ +1 @@
+debwrt-net (0.8~debwrtSTRETCH+3) stretch-debwrt-unstable; urgency=medium
+
+  * Add multi bss/vap example configuration to hostapd-wpa.conf
+  * Update ar71xx/wr1043nd interfaces example
+  * Add netfilter schema to firewall.sh
+  * Add list option to firewall.sh
+  * Add octeon/erlite interfaces example
+  * Add octeon/erlite-native interfaces example
+  * Add octeon/erlite-native lan1 dnsmasq example
+  * Add logging/traceing example to firewall.sh
+
+ -- Johan van Zoomeren <amain@debwrt.net>  Tue, 17 Jan 2017 22:03:46 +0100
+
 debwrt-net (0.8~debwrtSTRETCH+2) stretch-debwrt-unstable; urgency=medium
 

trunk/debian/packages/debwrt-net/trunk/etc/firewall/firewall.sh

@@ -1 +1 @@
 #!/bin/sh
 #
-# Minimal firewal script 
+# Minimal firewall script 
 #
 # Johan van Zoomeren <amain@debwrt.net>
+
+# PACKET IN
+#     |
+# PREROUTING--[routing]-->--FORWARD-->--POSTROUTING-->--OUT
+#  - nat (dst)   |           - filter      - nat (src)
+#                |                            |
+#                |                            |
+#               INPUT                       OUTPUT
+#               - filter                    - nat (dst)
+#                |                          - filter
+#                |                            |
+#                `----->-----[app]----->------'
+
 
 astop=
@@ -16 +29 @@
 IPT=/sbin/iptables
 
-modules() {
-    log_warning_msg 'Loading iptables/netfilter kernel modules manually. Auto loading is broken...'
-
-    modprobe -a nf_conntrack_ipv4 \
-                xt_state \
-                xt_multiport \
-                xt_mark
-}
-
 flush() {
     $IPT -t filter -F
@@ -30 +34 @@
     $IPT -t nat    -F
     $IPT -t nat    -X
+    #$IPT -t raw    -F
+    #$IPT -t raw    -X
 
     for flush in ${aflush}
@@ -51 +57 @@
     $IPT -t nat    -A POSTROUTING -o wan -j MASQUERADE
 
+    # Example debug settings
+    #modprobe xt_LOG
+    #modprobe nf_conntrack
+    #echo "ipt_LOG" >/proc/sys/net/netfilter/nf_log/2
+    #echo 255 >/proc/sys/net/netfilter/nf_conntrack_log_invalid
+    #$IPT -t raw    -A PREROUTING  -p tcp --dport nnnn -j TRACE
+    #$IPT -t raw    -A OUTPUT      -p tcp --dport nnnn -j TRACE
+    #$IPT -t raw    -A PREROUTING  -p tcp --sport nnnn -j TRACE
+    #$IPT -t raw    -A OUTPUT      -p tcp --sport nnnn -j TRACE
+
     for start in ${astart}
     do
@@ -66 +82 @@
 case $1 in
         start)
-                modules
                 log_action_begin_msg 'Loading firewall - starting'
                 start
@@ -74 +89 @@
                 stop
         ;;
+        list)
+                echo "====================== Filter ======================"
+                $IPT -L -v -n -t filter
+                echo
+                echo "======================= Nat ========================"
+                $IPT -L -v -n -t nat
+        ;;
         *)
-                echo "usage: `basename $0` start|stop"
+                echo "usage: `basename $0` start|stop|list"
         ;;
 esac