From ca9db9efc8f2d67fd0162c294cbe87bded5f79a7 Mon Sep 17 00:00:00 2001
From: Handa Wang
Date: Mon, 4 Sep 2023 16:15:01 +0800
Subject: [PATCH] save
---
 .github/workflows/macOS.yml | 2 +-
 etc/docker/Dockerfile | 4 ++++
 etc/openwrt/openthread-br/Makefile | 2 +-
 script/_firewall | 10 ++++++++++
 script/_otbr | 16 ++++++++++++++++
 script/bootstrap | 2 ++
 src/openwrt/CMakeLists.txt | 4 ++--
 third_party/openthread/CMakeLists.txt | 2 ++
 8 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/macOS.yml b/.github/workflows/macOS.yml
index 0a314026506..5c0f9b5710f 100644
--- a/.github/workflows/macOS.yml
+++ b/.github/workflows/macOS.yml
@@ -63,4 +63,4 @@ jobs:
 brew reinstall boost cmake cpputest dbus jsoncpp ninja protobuf@21 pkg-config
 - name: Build
 run: |
- OTBR_OPTIONS='-DOTBR_BORDER_AGENT=OFF -DOTBR_MDNS=OFF -DOT_FIREWALL=OFF -DOTBR_DBUS=OFF' ./script/test build
+ OTBR_OPTIONS='-DOTBR_BORDER_AGENT=OFF -DOTBR_MDNS=OFF -DOT_IPTABLES_FIREWALL=OFF -DOTBR_DBUS=OFF' ./script/test build
diff --git a/etc/docker/Dockerfile b/etc/docker/Dockerfile
index 7d7a59ba95b..a3f660e8b13 100644
--- a/etc/docker/Dockerfile
+++ b/etc/docker/Dockerfile
@@ -42,6 +42,8 @@ ARG RELEASE
 ARG REST_API
 ARG WEB_GUI
 ARG MDNS
+ARG IPTABLES_FIREWALL
+ARG CORE_FIREWALL
 
 ENV INFRA_IF_NAME=${INFRA_IF_NAME:-eth0}
 ENV BORDER_ROUTING=${BORDER_ROUTING:-1}
@@ -59,6 +61,8 @@ ENV NAT64_DYNAMIC_POOL=${NAT64_DYNAMIC_POOL:-192.168.255.0/24}
 ENV DNS64=${DNS64:-0}
 ENV WEB_GUI=${WEB_GUI:-1}
 ENV REST_API=${REST_API:-1}
+ENV IPTABLES_FIREWALL=${IPTABLES_FIREWALL:-1}
+ENV CORE_FIREWALL=${CORE_FIREWALL:-0}
 ENV DOCKER 1
 
 RUN env
diff --git a/etc/openwrt/openthread-br/Makefile b/etc/openwrt/openthread-br/Makefile
index 1a328c06bf4..c5a4101ceae 100644
--- a/etc/openwrt/openthread-br/Makefile
+++ b/etc/openwrt/openthread-br/Makefile
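Review bot: `ARG IPTABLES_FIREWALL` / `ARG CORE_FIREWALL` and their ENV defaults in the second Dockerfile hunk are undocumented, and nothing records that the two switches are independent: with script/_firewall in this patch returning early from firewall_install and firewall_start when IPTABLES_FIREWALL is off, an image built with `IPTABLES_FIREWALL=0` and `CORE_FIREWALL` left at its default `0` ends up with neither the otbr-firewall service nor the core firewall enabled. A comment above the new ENV lines would make the intent explicit, e.g. `# IPTABLES_FIREWALL=1 installs the otbr-firewall service (script/_firewall); CORE_FIREWALL=1 builds OpenThread with OT_CORE_FIREWALL=ON instead. Turning the first off without turning the second on leaves the border router without either filter.` Whether OT_CORE_FIREWALL provides equivalent filtering is decided inside the OpenThread submodule and is not visible in this patch.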
@@ -49,7 +49,7 @@ CMAKE_OPTIONS+= \
 -DOTBR_MDNS="avahi" \
 -DOTBR_OPENWRT=ON \
 -DOTBR_SRP_ADVERTISING_PROXY=ON \
- -DOT_FIREWALL=ON \
+ -DOT_IPTABLES_FIREWALL=ON \
 -DOT_POSIX_SETTINGS_PATH=\"/etc/openthread\" \
 -DOT_READLINE=OFF
 
diff --git a/script/_firewall b/script/_firewall
index 0a29c3699cc..f56d7702962 100755
--- a/script/_firewall
+++ b/script/_firewall
@@ -31,8 +31,12 @@ FIREWALL_SERVICE=/etc/init.d/otbr-firewall
 
 sudo modprobe ip6table_filter || true
 
+IPTABLES_FIREWALL="${IPTABLES_FIREWALL:-1}"
+
 firewall_uninstall()
 {
+ with IPTABLES_FIREWALL || return 0
+
 firewall_stop
 if have systemctl; then
 sudo systemctl disable otbr-firewall || true
@@ -46,6 +50,8 @@ firewall_uninstall()
 
 firewall_install()
 {
+ with IPTABLES_FIREWALL || return 0
+
 sudo cp script/otbr-firewall $FIREWALL_SERVICE
 sudo chmod a+x $FIREWALL_SERVICE
 if have systemctl; then
@@ -56,6 +62,8 @@ firewall_install()
 
 firewall_start()
 {
+ with IPTABLES_FIREWALL || return 0
+
 if with DOCKER; then
 service otbr-firewall start || die 'Failed to start firewall service'
 elif have systemctl; then
@@ -65,6 +73,8 @@ firewall_start()
 
 firewall_stop()
 {
+ with IPTABLES_FIREWALL || return 0
+
 if with DOCKER; then
 service otbr-firewall stop || true
 elif have systemctl; then
diff --git a/script/_otbr b/script/_otbr
index 790ab10ae9e..6070b25389f 100644
--- a/script/_otbr
+++ b/script/_otbr
@@ -128,6 +128,22 @@ otbr_install()
 )
 fi
 
+ if with IPTABLES_FIREWALL; then
+ otbr_options+=(
+ "-DOT_IPTABLES_FIREWALL=ON"
+ )
+ else
+ otbr_options+=(
+ "-DOT_IPTABLES_FIREWALL=OFF"
+ )
+ fi
+
+ if with CORE_FIREWALL; then
+ otbr_options+=(
+ "-DOT_CORE_FIREWALL=ON"
+ )
+ fi
+
 (./script/cmake-build "${otbr_options[@]}" \
 && cd "${OTBR_TOP_BUILDDIR}" \
 && ninja \
diff --git a/script/bootstrap b/script/bootstrap
index 2ad1d0800b8..7c4e90d4bd4 100755
--- a/script/bootstrap
+++ b/script/bootstrap
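Review bot: The `with IPTABLES_FIREWALL || return 0` guard added to firewall_uninstall in the first script/_firewall hunk (and to firewall_stop in the fourth) makes tear-down depend on the caller's current setting rather than on what is actually installed: a host set up with the default IPTABLES_FIREWALL=1 and later re-run with IPTABLES_FIREWALL=0 keeps the otbr-firewall service enabled, because uninstall and stop now return before the `systemctl disable` / `service ... stop` calls that already tolerate a missing service with `|| true`. I would drop the guard from those two functions, or gate them on the installed file (`[ -f "$FIREWALL_SERVICE" ] || return 0`) rather than on the variable, so that disabling the option also removes the previous setup. The file-scope `sudo modprobe ip6table_filter || true` still runs before the new `IPTABLES_FIREWALL=` default is assigned, so the module is loaded even when the option is off; moving the default above it and wrapping the modprobe in `if with IPTABLES_FIREWALL; then ... fi` would keep the two consistent. All four function bodies continue beyond their hunks.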
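Review bot: The CORE_FIREWALL block in the script/_otbr hunk is asymmetric with the IPTABLES_FIREWALL block above it: it passes `-DOT_CORE_FIREWALL=ON` when the option is set but nothing when it is not, so on a reconfigure of an existing build directory the cached value from an earlier run survives, whereas OT_IPTABLES_FIREWALL is always pinned to ON or OFF. Replacing its closing `fi` with `else otbr_options+=("-DOT_CORE_FIREWALL=OFF"); fi` keeps the build configuration a pure function of the environment. CORE_FIREWALL also gets no default in script/bootstrap or script/_firewall in this patch (only IPTABLES_FIREWALL does), so its unset behaviour rests on how `with` treats an empty variable; a `CORE_FIREWALL="${CORE_FIREWALL:-0}"` next to the IPTABLES_FIREWALL default would make it explicit. otbr_install begins before this hunk.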
@@ -35,6 +35,8 @@ NAT64_SERVICE="${NAT64_SERVICE:-openthread}"
+IPTABLES_FIREWALL="${IPTABLES_FIREWALL:-1}"
+
 install_packages_apt()
 {
 sudo apt-get update
diff --git a/src/openwrt/CMakeLists.txt b/src/openwrt/CMakeLists.txt
index 8237f38b429..675983608d8 100644
--- a/src/openwrt/CMakeLists.txt
+++ b/src/openwrt/CMakeLists.txt
@@ -39,9 +39,9 @@ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/otbr-agent.uci-config
 RENAME otbr-agent)
 
-if(OT_FIREWALL)
+if(OT_IPTABLES_FIREWALL)
 configure_file(otbr-firewall.init.in otbr-firewall.init)
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/otbr-firewall.init DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/init.d RENAME otbr-firewall)
-endif(OT_FIREWALL)
+endif(OT_IPTABLES_FIREWALL)
diff --git a/third_party/openthread/CMakeLists.txt b/third_party/openthread/CMakeLists.txt
index 03ad863352d..48495e01297 100644
--- a/third_party/openthread/CMakeLists.txt
+++ b/third_party/openthread/CMakeLists.txt
@@ -42,6 +42,7 @@ set(OT_CHILD_SUPERVISION ON CACHE STRING "enable child supervision" FORCE)
 set(OT_COAP ON CACHE STRING "Enable CoAP in OpenThread")
 set(OT_COAPS ON CACHE STRING "Enable secure CoAP in OpenThread")
 set(OT_COMMISSIONER ON CACHE STRING "enable commissioner")
+set(OT_CORE_FIREWALL OFF CACHE STRING "disable firewall in OpenThread core")
 set(OT_DAEMON ON CACHE STRING "enable daemon mode" FORCE)
 set(OT_DATASET_UPDATER ON CACHE STRING "enable dataset updater" FORCE)
 set(OT_DNS_CLIENT ON CACHE STRING "enable DNS client" FORCE)
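Review bot: The description of the new cache entry in the first third_party/openthread/CMakeLists.txt hunk, `set(OT_CORE_FIREWALL OFF CACHE STRING "disable firewall in OpenThread core")`, states the default rather than what the option does, unlike its neighbours (`"enable commissioner"`, `"enable daemon mode"`), so the `-DOT_CORE_FIREWALL=ON` that script/_otbr passes reads as switching on something labelled "disable". I would write `set(OT_CORE_FIREWALL OFF CACHE STRING "enable firewall in OpenThread core")`. Since this entry and OT_IPTABLES_FIREWALL in the next hunk are the two halves of one choice, a one-line comment above it naming that relationship would help the next reader.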
@@ -49,6 +50,7 @@ set(OT_DNS_UPSTREAM_QUERY ${OTBR_DNS_UPSTREAM_QUERY} CACHE STRING "enable sendin
 set(OT_DNSSD_SERVER ${OTBR_DNSSD_DISCOVERY_PROXY} CACHE STRING "enable DNS-SD server support" FORCE)
 set(OT_ECDSA ON CACHE STRING "enable ECDSA" FORCE)
 set(OT_FIREWALL ON CACHE STRING "enable firewall feature")
+set(OT_IPTABLES_FIREWALL ON CACHE STRING "enable firewall feature")
 set(OT_HISTORY_TRACKER ON CACHE STRING "enable history tracker" FORCE)
 set(OT_JOINER ON CACHE STRING "enable joiner" FORCE)
 set(OT_LOG_LEVEL_DYNAMIC ON CACHE STRING "enable dynamic log level control" FORCE)
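Review bot: `set(OT_IPTABLES_FIREWALL ON CACHE STRING "enable firewall feature")` is added directly under `set(OT_FIREWALL ON CACHE STRING "enable firewall feature")` with an identical description, and the old entry is left in place although every other reference in this patch (src/openwrt/CMakeLists.txt, the OpenWrt Makefile, the macOS workflow) moves to the new name. If OT_FIREWALL is still read by the OpenThread submodule, its description should say so and how it relates to OT_CORE_FIREWALL; if it is not, it should be removed here so that a `-DOT_FIREWALL=OFF` left in an existing script or build cache does not silently stop doing anything. Either way the two descriptions should differ, e.g. `"enable the iptables-based otbr-firewall service"` for the new entry.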