
add bridging firewall stuff

- tested with a transparent squid proxy
- fix some minor other stuff
- not completely ready
Waldemar Brodkorb há 14 anos atrás
commit
b3a54c5201

+ 39 - 0
mk/modules.mk

@@ -268,6 +268,45 @@ $(eval $(call KMOD_template,INET_XFRM_MODE_BEET,net-ipsec-beet,\
 ##
 ## Filtering / Firewalling
 ##
+#
+# Ethernet Bridging firewall
+#
+$(eval $(call KMOD_template,BRIDGE_NF_EBTABLES,nf-ebtables,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebtables \
+,55))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_BROUTE,nf-ebtables-broute,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebtable_broute \
+,60))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_T_FILTER,nf-ebtables-filter,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebtable_filter \
+,60))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_T_NAT,nf-ebtables-nat,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebtable_nat \
+,60))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_802_3,nf-ebtables-802-3,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebt_802_3 \
+,65))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_AMONG,nf-ebtables-among,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebt_among \
+,65))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_ARP,nf-ebtables-arp,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebt_arpreply \
+,65))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_IP,nf-ebtables-ip,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebt_ip \
+,65))
+
+$(eval $(call KMOD_template,BRIDGE_EBT_REDIRECT,nf-ebtables-redirect,\
+	$(MODULES_DIR)/kernel/net/bridge/netfilter/ebt_redirect \
+,65))
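Review bot: The `BRIDGE_EBT_ARP` entry packages `ebt_arpreply`, but in the Config.in.netfilter hunk of this same commit that symbol is the ARP match ("ebt: ARP filter support", kernel module `ebt_arp`) and the arpreply target has its own symbol `ADK_KPACKAGE_KMOD_BRIDGE_EBT_ARPREPLY`, so selecting the ARP match ships the wrong module and selecting the arpreply target ships nothing. Change the path to `$(MODULES_DIR)/kernel/net/bridge/netfilter/ebt_arp \` and add a separate `BRIDGE_EBT_ARPREPLY,nf-ebtables-arpreply` template for `ebt_arpreply`. The other symbols added to Config.in (IP6, LIMIT, MARK, PKTTYPE, STP, VLAN, DNAT, SNAT, MARK_T, LOG, ULOG, NFLOG) have no KMOD_template here yet, so they can be enabled in menuconfig but produce no package; that matches the "not completely ready" note, but a `# TODO: remaining ebt_* matches/targets/watchers` comment at the end of this group would stop the gap being mistaken for a finished list.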
+
 #
 # Netfilter Core
 #

+ 1 - 2
package/base-files/extra/init

@@ -1,5 +1,5 @@
 #!/bin/sh
-echo "Pre-boot initializing"
+echo "Starting system ..."
 export PATH=/bin:/sbin:/usr/bin:/usr/sbin
 mount -nt proc proc /proc
 mount -o nosuid,nodev,noexec -t sysfs sysfs /sys
@@ -19,5 +19,4 @@ mount -o remount,rw /
 cat /etc/.rnd >/dev/urandom 2>&1
 [ -f /etc/fstab ] && mount -a
 [ -x /sbin/cfgfs ] && { cfgfs setup; mount -o remount,ro /;}
-echo "Starting system"
 exec /sbin/init

+ 4 - 5
package/base-files/extra/sbin/update

@@ -18,17 +18,17 @@ check_exit() {
 }
 
 extract_from_file() {
-        cat $1 | gunzip -c | tar -xvf -
+        cat $1 | gunzip -c | tar -xf -
 	check_exit
 }
 
 extract_from_ssh() {
-        ssh $1 "cat $2" | gunzip -c | tar -xvf -
+        ssh $1 "cat $2" | gunzip -c | tar -xf -
 	check_exit
 }
 
 extract_from_http() {
-        wget -O - $1 | gunzip -c | tar -xvf -
+        wget -O - $1 | gunzip -c | tar -xf -
 	check_exit
 }
                 
@@ -61,5 +61,4 @@ esac
 sync
 mount -o bind /etc /tmp/.cfgfs/root
 
-echo "Check with cfgfs status if you need to merge and save any changes in /etc."
-echo "You should reboot now."
+echo "Update sucessful. You should reboot now."

+ 1 - 1
package/busybox/config/procps/Config.in

@@ -64,7 +64,7 @@ config BUSYBOX_PIDOF
 
 config BUSYBOX_FEATURE_PIDOF_SINGLE
 	bool "Enable argument for single shot (-s)"
-	default n
+	default y
 	depends on BUSYBOX_PIDOF
 	help
 	  Support argument '-s' for returning only the first pid found.

+ 1 - 1
package/cfinstall/src/cfinstall

@@ -35,7 +35,7 @@ chroot /mnt mount -t proc /proc /proc
 chroot /mnt mount -t sysfs /sys /sys
 cat << EOF > /mnt/boot/grub/grub.cfg
 set default=0
-set timeout=5
+set timeout=1
 serial --unit=0 --speed=$speed
 terminal_output serial 
 terminal_input serial 

+ 2 - 0
package/ebtables/Makefile

@@ -23,7 +23,9 @@ BUILD_STYLE:=		auto
 INSTALL_STYLE:=		auto
 
 post-install:
+	${INSTALL_DIR} ${IDIR_EBTABLES}/etc
 	${INSTALL_DIR} ${IDIR_EBTABLES}/usr/sbin ${IDIR_EBTABLES}/usr/lib
+	${INSTALL_DATA} ${WRKINST}/etc/ethertypes ${IDIR_EBTABLES}/etc
 	${INSTALL_BIN} ${WRKINST}/usr/sbin/ebtables ${IDIR_EBTABLES}/usr/sbin
 	${CP} ${WRKINST}/usr/lib/*.so ${IDIR_EBTABLES}/usr/lib
 

+ 22 - 4
package/ebtables/patches/patch-Makefile

@@ -1,6 +1,6 @@
 --- ebtables-v2.0.9-1.orig/Makefile	2009-06-21 15:13:25.000000000 +0200
-+++ ebtables-v2.0.9-1/Makefile	2009-11-29 12:54:31.000000000 +0100
-@@ -8,10 +8,10 @@ PROGDATE:=June\ 2009
++++ ebtables-v2.0.9-1/Makefile	2009-11-29 15:39:30.000000000 +0100
+@@ -8,17 +8,16 @@ PROGDATE:=June\ 2009
  
  # default paths
  LIBDIR:=/usr/lib
@@ -14,7 +14,25 @@
  SYSCONFIGDIR:=/etc/sysconfig
  DESTDIR:=
  
-@@ -154,28 +154,29 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
+-CFLAGS:=-Wall -Wunused
++CFLAGS?=-Wall -Wunused
+ CFLAGS_SH_LIB:=-fPIC
+-CC:=gcc
+-LD:=ld
++CC?=gcc
+ 
+ ifeq ($(shell uname -m),sparc64)
+ CFLAGS+=-DEBT_MIN_ALIGN=8 -DKERNEL_64_USERSPACE_32
+@@ -85,7 +84,7 @@ ebtables-standalone.o: ebtables-standalo
+ 
+ .PHONY: libebtc
+ libebtc: $(OBJECTS2)
+-	$(LD) -shared -soname libebtc.so -o libebtc.so -lc $(OBJECTS2)
++	$(CC) -shared -o libebtc.so -lc $(OBJECTS2)
+ 
+ ebtables: $(OBJECTS) ebtables-standalone.o libebtc
+ 	$(CC) $(CFLAGS) $(CFLAGS_SH_LIB) -o $@ ebtables-standalone.o -I$(KERNEL_INCLUDES) -L. -Lextensions -lebtc $(EXT_LIBSI) \
+@@ -154,28 +153,29 @@ tmp3:=$(shell printf $(PIPE) | sed 's/\/
  .PHONY: scripts
  scripts: ebtables-save ebtables.sysv ebtables-config
  	cat ebtables-save | sed 's/__EXEC_PATH__/$(tmp1)/g' > ebtables-save_
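Review bot: The replacement libebtc link line drops the `-soname libebtc.so` that the original `$(LD)` invocation set, so the library is now built without a DT_SONAME; with the `ebtables` rule's `-L. -lebtc` the binary may then record the path the linker resolved (e.g. `./libebtc.so`) instead of `libebtc.so` and fail to find the library in /usr/lib at runtime. Keep the soname when linking through the compiler: `$(CC) -shared -Wl,-soname,libebtc.so -o libebtc.so -lc $(OBJECTS2)`. Switching from `$(LD)` to `$(CC)` and making `CC`/`CFLAGS` overridable is the right move for cross builds; passing `$(LDFLAGS)` on that line too would let the build system inject its own linker flags.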
@@ -51,7 +69,7 @@
  
  .PHONY: install
  install: $(MANDIR)/man8/ebtables.8 $(ETHERTYPESFILE) exec scripts
-@@ -199,18 +200,18 @@ release:
+@@ -199,18 +199,18 @@ release:
  	rm -f extensions/ebt_inat.c
  	rm -rf $(CVSDIRS)
  	mkdir -p include/linux/netfilter_bridge

+ 1 - 1
package/grub-bin/Makefile

@@ -8,7 +8,7 @@ include ${TOPDIR}/rules.mk
 PKG_NAME:=		grub-bin
 PKG_VERSION:=		1.97.1
 PKG_RELEASE:=		1
-PKG_MD5SUM:=		99ddead9dcb689a7ec2431c1e6b3cf0d
+PKG_MD5SUM:=		24961a39e63d8ec16d765aad3a301cda
 PKG_DESCR:=		GRUB bootloader
 PKG_SECTION:=		sys
 PKG_SITES:=		http://openadk.org/distfiles/
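Review bot: PKG_MD5SUM changes while PKG_VERSION and PKG_RELEASE stay at 1.97.1-1, so the tarball served from the PKG_SITES mirror was replaced under the same file name and nothing in the commit says why; a hash change without a version bump is exactly the signal a supply-chain review looks for. A comment above the line such as `# distfile re-rolled on openadk.org: <reason>` or a PKG_RELEASE bump would make the change auditable. MD5 only guards against corruption, so if the build system supports a stronger digest that would be a better pin for a bootloader image.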

+ 3 - 0
package/squid/Makefile

@@ -146,6 +146,9 @@ post-configure:
 	${SED} 's#postdeps="-lstdc.*#postdeps="-lm"#' \
 	    ${WRKBUILD}/libtool
 endif
+post-configure:
+	${SED} 's#\(hardcode_into_libs=\).*$$#\1no#' \
+		${WRKBUILD}/libtool
 
 post-install: ${INSTALL_MODS_y} ${INSTALL_MODS_m}
 	${INSTALL_DIR} ${IDIR_SQUID}/etc/squid
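Review bot: This adds a second `post-configure:` rule to a Makefile that already has one (the hunk header shows `post-configure:` as context and the `postdeps` sed sits inside a conditional that closes with `endif` just above); GNU make keeps only the last recipe for a single-colon target and warns "overriding recipe for target", so whenever that conditional is true the postdeps fix no longer runs. Move the new `${SED} 's#\(hardcode_into_libs=\).*$$#\1no#' ${WRKBUILD}/libtool` line into the existing recipe (guarding the old line with the `ifeq` inside a single recipe) instead of declaring the target twice.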

+ 14 - 25
package/squid/files/squid.conf

@@ -1,27 +1,16 @@
 visible_hostname linux
+# for transparent proxy use following
+# http_port 3128 transparent
 http_port 3128
-# acl
-acl manager proto cache_object
-acl localhost src 127.0.0.1/32
-acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
-acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
-acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
-acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
-acl SSL_ports port 443
-acl Safe_ports port 80		# http
-acl Safe_ports port 21		# ftp
-acl Safe_ports port 443		# https
-acl Safe_ports port 70		# gopher
-acl Safe_ports port 210		# wais
-acl Safe_ports port 1025-65535	# unregistered ports
-acl Safe_ports port 280		# http-mgmt
-acl Safe_ports port 488		# gss-http
-acl Safe_ports port 591		# filemaker
-acl Safe_ports port 777		# multiling http
-acl CONNECT method CONNECT
-http_access allow manager localhost
-http_access deny manager
-http_access deny !Safe_ports
-http_access deny CONNECT !SSL_ports
-http_access allow localnet
-http_access deny all
+pid_filename /var/run/squid.pid
+# logging
+access_log syslog
+cache_store_log none
+cache_log /var/log/squid-cache.log
+# security
+cache_effective_user squid
+cache_effective_group squid
+# cache dir
+cache_dir ufs /var/squid/cache 10M 16 256
+# allow all
+http_access allow all
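Review bot: `http_access allow all` with no `acl ... src` rule, combined with `http_port 3128` bound to every address, makes the device an open proxy for anyone who can reach port 3128, and without the Safe_ports/CONNECT rules any client can also tunnel to arbitrary ports (CONNECT to port 25 for mail relaying, for example). Even for the transparent case the proxy should only answer for the LAN, so keep a source ACL and the port restrictions; the block below restores a minimum set, with the localnet range to be adjusted to the box's LAN (or `http_port` bound to the LAN address). `cache_effective_user`/`cache_effective_group squid` is the right choice; `access_log syslog` means every request line goes to whatever syslog target the box forwards to, which deserves a comment next to it.
```conf
visible_hostname linux
# … unchanged: http_port, pid_filename, logging, cache_effective_*, cache_dir …
# only the local network may use the proxy, and only to sane ports
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 21 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```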

+ 37 - 0
package/squid/files/squid.init

@@ -0,0 +1,37 @@
+#!/bin/sh
+#PKG squid
+#INIT 70
+
+. /etc/rc.conf
+
+case $1 in
+autostop) ;;
+autostart)
+	test x"${squid:-NO}" = x"NO" && exit 0
+	exec sh $0 start
+	;;
+start)
+	if [ ! -f /var/log/squid-cache.log ];then
+		touch /var/log/squid-cache.log
+		chown squid:squid /var/log/squid-cache.log
+	fi
+	if [ ! -d /var/squid/cache ];then
+		mkdir -p /var/squid/cache
+		chown squid:squid /var/squid/cache
+		squid -z 
+	fi
+	squid
+	;;
+stop)
+	squid -k kill
+	;;
+restart)
+	sh $0 stop
+	sh $0 start
+	;;
+
+*)
+	echo "usage: $0 {start | stop | restart}"
+	exit 1
+esac
+exit $?
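Review bot: The `stop` branch uses `squid -k kill`, which sends SIGKILL and skips Squid's orderly shutdown (the swap.state index is not flushed, so the next start may have to rebuild the cache); `squid -k shutdown` is the normal stop, with `-k kill` only as a fallback when that does not finish. The `start` branch runs `squid -z` only when /var/squid/cache does not exist, so a directory that exists but was never initialised (the postinst in this commit makes it the squid user's home, and whether `add_user` creates it is not visible here) never gets its swap directories created; testing for an initialised marker such as `/var/squid/cache/00`, or always running `squid -z` before the first start, is safer. The script also returns 0 from `start` as soon as `squid` forks, without confirming it is running.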

+ 6 - 0
package/squid/files/squid.postinst

@@ -0,0 +1,6 @@
+#!/bin/sh
+. $IPKG_INSTROOT/etc/functions.sh
+gid=$(get_next_gid)
+add_user squid $(get_next_uid) $gid /var/squid/cache
+add_group squid $gid
+add_rcconf squid squid NO
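Review bot: `add_user` is called with `$gid` before `add_group` has created that group, so this only works if `add_user` in functions.sh does not validate the group; creating the group first (`add_group squid $gid` above the `add_user squid ...` line) removes the dependency on that detail. The home directory is the cache_dir /var/squid/cache; if `add_user` creates it, the init script's `[ ! -d /var/squid/cache ]` test will skip `squid -z` on first start. No shell is passed, so whether this service account gets a login shell depends on functions.sh, which is outside this change and worth confirming.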

+ 243 - 4
target/linux/config/Config.in.netfilter

@@ -8,6 +8,10 @@ config ADK_KERNEL_NETFILTER_ADVANCED
 	bool
 	default n
 
+config ADK_KERNEL_BRIDGE_NETFILTER
+	bool
+	default n
+
 config ADK_KERNEL_NETFILTER_XTABLES
 	bool
 	select ADK_KERNEL_NETFILTER
@@ -397,7 +401,7 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG
 
 config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
 	tristate 'REDIRECT target support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
 	help
 	  REDIRECT is a special case of NAT: all incoming connections are
 	  mapped onto the incoming interface's address, causing the packets to
@@ -406,7 +410,7 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
 
 config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
 	tristate 'NETMAP target support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
 	help
 	  NETMAP is an implementation of static 1:1 NAT mapping of network
 	  addresses. It maps the network address part, while keeping the host
@@ -415,14 +419,14 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
 
 config ADK_KPACKAGE_KMOD_IP_NF_TARGET_SAME
 	tristate 'SAME target support'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
 	help
 	  This option adds a `SAME' target, which works like the standard SNAT
 	  target, but attempts to give clients the same IP for all connections.
 
 config ADK_KPACKAGE_KMOD_IP_NF_MANGLE
 	tristate 'Packet mangling'
-	depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
+	depends on ADK_KPACKAGE_KMOD_NF_NAT
 	help
 	  This option adds a `mangle' table to iptables: see the man page for
 	  iptables(8).  This table is used for various packet alterations
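Review bot: `ADK_KPACKAGE_KMOD_IP_NF_MANGLE` now depends on `ADK_KPACKAGE_KMOD_NF_NAT`, but the mangle table has no NAT dependency in the kernel (IP_NF_MANGLE sits under IP_NF_IPTABLES), so a firewall configuration that wants the mangle table without NAT can no longer select it. The three NAT targets above correctly move from IP_NF_NAT to NF_NAT; mangle should keep `depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES`. If IP_NF_IPTABLES was renamed elsewhere in this series, that rename is not visible in this hunk.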
@@ -441,4 +445,239 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN
 	  ECN support in general.
 
 endmenu
+
+menu "Ethernet bridge firewalling"
+
+config ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	tristate 'Ethernet Bridge tables (ebtables) support'
+	select ADK_KERNEL_BRIDGE_NETFILTER
+	help
+	  ebtables is a general, extensible frame/packet identification
+	  framework. Say 'Y' or 'M' here if you want to do Ethernet
+	  filtering/NAT/brouting on the Ethernet bridge.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_BROUTE
+	tristate "ebt: broute table support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  The ebtables broute table is used to define rules that decide between
+	  bridging and routing frames, giving Linux the functionality of a
+	  brouter. See the man page for ebtables(8) and examples on the ebtables
+	  website.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_T_FILTER
+	tristate "ebt: filter table support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  The ebtables filter table is used to define frame filtering rules at
+	  local input, forwarding and local output. See the man page for
+	  ebtables(8).
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_T_NAT
+	tristate "ebt: nat table support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  The ebtables nat table is used to define rules that alter the MAC
+	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
+	  See the man page for ebtables(8).
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+#
+# matches
+#
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_802_3
+	tristate "ebt: 802.3 filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds matching support for 802.3 Ethernet frames.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_AMONG
+	tristate "ebt: among filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the among match, which allows matching the MAC source
+	  and/or destination address on a list of addresses. Optionally,
+	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_ARP
+	tristate "ebt: ARP filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the ARP match, which allows ARP and RARP header field
+	  filtering.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_IP
+	tristate "ebt: IP filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the IP match, which allows basic IP header field
+	  filtering.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_IP6
+	tristate "ebt: IP6 filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES && ADK_KPACKAGE_KMOD_IPV6
+	help
+	  This option adds the IP6 match, which allows basic IPV6 header field
+	  filtering.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_LIMIT
+	tristate "ebt: limit match support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the limit match, which allows you to control
+	  the rate at which a rule can be matched. This match is the
+	  equivalent of the iptables limit match.
+
+	  If you want to compile it as a module, say M here and read
+	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_MARK
+	tristate "ebt: mark filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the mark match, which allows matching frames based on
+	  the 'nfmark' value in the frame. This can be set by the mark target.
+	  This value is the same as the one used in the iptables mark match and
+	  target.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_PKTTYPE
+	tristate "ebt: packet type filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the packet type match, which allows matching on the
+	  type of packet based on its Ethernet "class" (as determined by
+	  the generic networking code): broadcast, multicast,
+	  for this host alone or for another host.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_STP
+	tristate "ebt: STP filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the Spanning Tree Protocol match, which
+	  allows STP header field filtering.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_VLAN
+	tristate "ebt: 802.1Q VLAN filter support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the 802.1Q vlan match, which allows the filtering of
+	  802.1Q vlan fields.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+#
+# targets
+#
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_ARPREPLY
+	tristate "ebt: arp reply target support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the arp reply target, which allows
+	  automatically sending arp replies to arp requests.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_DNAT
+	tristate "ebt: dnat target support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the MAC DNAT target, which allows altering the MAC
+	  destination address of frames.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_MARK_T
+	tristate "ebt: mark target support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the mark target, which allows marking frames by
+	  setting the 'nfmark' value in the frame.
+	  This value is the same as the one used in the iptables mark match and
+	  target.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_REDIRECT
+	tristate "ebt: redirect target support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the MAC redirect target, which allows altering the MAC
+	  destination address of a frame to that of the device it arrived on.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_SNAT
+	tristate "ebt: snat target support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the MAC SNAT target, which allows altering the MAC
+	  source address of frames.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+#
+# watchers
+#
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_LOG
+	tristate "ebt: log support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option adds the log watcher, that you can use in any rule
+	  in any ebtables table. It records info about the frame header
+	  to the syslog.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_ULOG
+	tristate "ebt: ulog support (OBSOLETE)"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option enables the old bridge-specific "ebt_ulog" implementation
+	  which has been obsoleted by the new "nfnetlink_log" code (see
+	  CONFIG_NETFILTER_NETLINK_LOG).
+
+	  This option adds the ulog watcher, that you can use in any rule
+	  in any ebtables table. The packet is passed to a userspace
+	  logging daemon using netlink multicast sockets. This differs
+	  from the log watcher in the sense that the complete packet is
+	  sent to userspace instead of a descriptive text and that
+	  netlink multicast sockets are used instead of the syslog.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_NFLOG
+	tristate "ebt: nflog support"
+	depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+	help
+	  This option enables the nflog watcher, which allows to LOG
+	  messages through the netfilter logging API, which can use
+	  either the old LOG target, the old ULOG target or nfnetlink_log
+	  as backend.
+
+	  This option adds the nflog watcher, that you can use in any rule
+	  in any ebtables table.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
+
+endmenu
+
 endmenu