Development issues regarding the cerowrt test router project
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: cerowrt-devel@lists.bufferbloat.net
Subject: [Cerowrt-devel] BCP38 implementation
Date: Wed, 19 Mar 2014 21:59:18 +0100
Message-ID: <87txataord.fsf@toke.dk>


So I've hacked a bit on a BCP38 implementation for IPv4, and I think I
sorta have a working prototype. I ran out of steam trying to package
everything up properly, so thought I'd distribute it so that those
adventurous enough to do a manual install could give some feedback.

Install instructions (for 3.10.32-9 -- dunno if it will work in earlier versions):
1. Get and install the bcp38 package from
http://archive.tohojo.dk/cerowrt/wndr/3.10.32-9-tohojo/packages/bcp38_2-1_ar71xx.ipk
-- this will get you the script and it should be run from the firewall.

2. Add the following to your /etc/config/firewall, after the last
'forwarding' section:

config ipset
	option name 'bcp38-ipv4'
	option family 'ipv4'
	option match 'dest_net'
	option storage 'hash'

config ipset
	option name 'bcp38-ipv4-ingress'
	option external 'bcp38-ipv4'
	option family 'ipv4'
	option match 'src_net'
	option storage 'hash'

config rule
	option src 'wan'
	option ipset 'bcp38-ipv4-ingress'
	option family 'ipv4'
	option name 'drop-bcp38-ipv4 input'
	option target 'DROP'
	option proto 'all'

config rule
	option src 'wan'
	option dest '*'
	option ipset 'bcp38-ipv4-ingress'
	option family 'ipv4'
	option name 'drop-bcp38-ipv4'
	option target 'DROP'
	option proto 'all'

config rule
	option dest 'wan'
	option ipset 'bcp38-ipv4'
	option name 'reject-bcp38-ipv4 output'
	option family 'ipv4'
	option target 'REJECT'
	option proto 'all'

config rule
	option dest 'wan'
	option src '*'
	option ipset 'bcp38-ipv4'
	option name 'reject-bcp38-ipv4'
	option family 'ipv4'
	option target 'REJECT'
	option proto 'all'


Those two steps should be enough to enable the basic mechanism. It is
controlled by adding a new option to the firewall config file, in the
defaults section. The option is called 'enable_bcp38'. So adding a line
like:

	option enable_bcp38 '1'

to the end of the 'defaults' at the top of /etc/config/firewall should
enable the mechanism on firewall reload.

Additionally, an option called bcp38_whitelist can be set to one or more
CIDR style net addresses (space separated) which will be excluded from
the matching. This can be used to account for double nat'ing, so if your
WAN interface gets an address that would be blocked by the bcp38 rules,
add it here and it should go through.
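To make the mechanism above concrete, here is an added example (not the bcp38 package's script and not CeroWrt code) that models the four UCI rules and the enable_bcp38 / bcp38_whitelist options in Python, so the verdict for a given packet can be checked offline. The bogon prefix list, the sample packets and the use of ipset's `nomatch` flag to implement the whitelist are assumptions of this example; the package may populate and exclude entries differently.

```python
"""Model of the BCP38 ipset/firewall rules described above.

Added example, not the bcp38 package's own script. The prefix list and
the 'nomatch' whitelist mechanism are assumptions of this example.
"""
import ipaddress
from typing import List

# Assumed contents of the 'bcp38-ipv4' set: RFC 1918 and other
# non-globally-routable IPv4 ranges. The real package's list may differ.
BCP38_PREFIXES = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/3",
]


class Bcp38Filter:
    """enabled   -> UCI 'option enable_bcp38'
       whitelist -> UCI 'option bcp38_whitelist' (space-separated CIDRs)"""

    def __init__(self, enabled: bool, whitelist: str = "") -> None:
        self.enabled = enabled
        self.nets = [ipaddress.ip_network(p) for p in BCP38_PREFIXES]
        self.whitelist = [ipaddress.ip_network(p, strict=False)
                          for p in whitelist.split()]

    def in_set(self, addr: str) -> bool:
        """True if addr would match the bcp38-ipv4 ipset.
        Whitelisted prefixes (e.g. an upstream double-NAT range) are
        excluded before the bogon prefixes are consulted."""
        a = ipaddress.ip_address(addr)
        if any(a in w for w in self.whitelist):
            return False
        return any(a in n for n in self.nets)

    def verdict(self, direction: str, src: str, dst: str) -> str:
        """direction 'in'  = packet arriving on wan: src_net match -> DROP
           direction 'out' = packet leaving via wan: dest_net match -> REJECT
        Mirrors the 'src wan' / 'dest wan' rule pairs in the UCI config."""
        if not self.enabled:
            return "ACCEPT"
        if direction == "in" and self.in_set(src):
            return "DROP"
        if direction == "out" and self.in_set(dst):
            return "REJECT"
        return "ACCEPT"

    def ipset_commands(self) -> List[str]:
        """ipset(8) commands that would build an equivalent set. Whitelist
        entries are added with 'nomatch' (assumed exclusion mechanism)."""
        cmds = ["ipset create bcp38-ipv4 hash:net family inet -exist"]
        cmds += [f"ipset add bcp38-ipv4 {n} -exist" for n in self.nets]
        cmds += [f"ipset add bcp38-ipv4 {w} nomatch -exist"
                 for w in self.whitelist]
        return cmds


if __name__ == "__main__":
    # Constructed sample traffic (direction, src, dst); 8.8.8.8 stands in
    # for an arbitrary public address.
    f = Bcp38Filter(enabled=True, whitelist="10.0.0.0/24")
    samples = [
        ("in", "10.1.2.3", "8.8.8.8"),        # spoofed private source
        ("out", "192.168.1.10", "10.0.0.1"),  # whitelisted upstream NAT
        ("out", "192.168.1.10", "10.5.0.1"),  # leaks to private space
        ("out", "192.168.1.10", "8.8.8.8"),   # normal egress
    ]
    for d, s, t in samples:
        print(d, s, "->", t, f.verdict(d, s, t))
    print("\n".join(f.ipset_commands()))
```

The egress rule deliberately matches only the destination: by the time a LAN packet reaches the wan output chain it has been source-NATed, so a src_net check there would never fire. The whitelist is consulted before the bogon prefixes so that an upstream double-NAT address such as a 10.0.0.0/24 gateway keeps working while the rest of 10/8 stays blocked.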

To get a checkbox and a field in the firewall GUI to control this, apply
the following patch to /usr/lib/lua/luci/model/cbi/firewall/zones.lua
(with patch -p1; not sure if that is included in cerowrt, otherwise,
just paste in the added lines manually):

--- a/zones.lua
+++ b/zones.lua
@@ -32,6 +32,12 @@
 o = s:option(Flag, "drop_invalid", translate("Drop invalid packets"))
 o.default = o.disabled
 
+b = s:option(Flag, "enable_bcp38", translate("Enable BCP38 filtering"))
+b.default = b.disabled
+
+bip = s:option(Value, "bcp38_whitelist", translate("BCP38 whitelist subnet"))
+bip:depends("enable_bcp38", "1")
+
 p = {
 	s:option(ListValue, "input", translate("Input")),
 	s:option(ListValue, "output", translate("Output")),
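Review bot: `bcp38_whitelist` is declared as a plain `Value` with no `datatype`, so whatever is typed into the field is written to /etc/config/firewall and handed to the firewall script unvalidated; since the option is documented above as taking one or more space separated CIDR prefixes, consider `bip.datatype = "list(cidr4)"` (or `cidr4` if a single prefix is meant) so LuCI rejects malformed input before it reaches the shell script, and make the label match ("subnets" rather than "subnet"). Minor: the new globals `b` and `bip` break the surrounding file's `o = s:option(...)` pattern; reusing `o` would keep the file consistent.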



As I said, the basic functionality should be there, but there's some
outstanding issues. Including, but not necessarily limited to:

- Should there be a separate configuration page where the included
  subnets can be specified? Or is the checkbox on the firewall page
  sufficient? I think it logically belongs with the firewall, and indeed
  it needs the firewall config rules to function, but maybe more
  configurability is a good thing?

- Managing the different parts of the configuration can be brittle. I.e.
  if the mechanism is disabled but the firewall rules are missing, or
  vice versa, it's not going to work.

- Some sort of auto-detection of upstream private subnets would probably
  be good, unless we risk people having no access before they change the
  config manually.

- Right now blocked outgoing packets get a 'destination port
  unreachable' -- this seems to be a hard-coded feature of the firewall
  script setup. Should probably be a 'destination net unreachable'
  instead.


Anyway, comments welcome. :)

-Toke

Thread overview: 9+ messages
2014-03-19 20:59 Toke Høiland-Jørgensen [this message]
2014-03-19 21:44 ` Dave Taht
2014-03-19 22:31   ` Toke Høiland-Jørgensen
2014-03-20  9:29     ` Toke Høiland-Jørgensen
2014-03-20 13:07       ` Toke Høiland-Jørgensen
2014-03-20 17:38         ` Dave Taht
2014-03-20 18:14           ` Toke Høiland-Jørgensen
2014-03-22 20:04           ` Norman Yarvin
     [not found]   ` <532AB801.6050702@openwrt.org>
2014-03-20 10:28     ` Toke Høiland-Jørgensen
