From 4a7eefce73a2246e7437119ea2b6904ae7d50503 Mon Sep 17 00:00:00 2001
From: Bin Lu
Date: Wed, 23 May 2018 10:33:18 +0800
Subject: enable image building for openwrt demo
Change-Id: Id464f064e9a7c4a55244c3cec4b3303a4ed0a889
Signed-off-by: Bin Lu
---
 .../1_buildimage/resources/config/firewall | 149 +++++++++++++++++++++
 .../1_buildimage/resources/config/firewall.user | 9 ++
 .../1_buildimage/resources/config/network | 27 ++++
 .../1_buildimage/resources/config/uhttpd | 24 ++++
 4 files changed, 209 insertions(+)
 create mode 100644 src/arm/openwrt_demo/1_buildimage/resources/config/firewall
 create mode 100644 src/arm/openwrt_demo/1_buildimage/resources/config/firewall.user
 create mode 100644 src/arm/openwrt_demo/1_buildimage/resources/config/network
 create mode 100644 src/arm/openwrt_demo/1_buildimage/resources/config/uhttpd
(limited to 'src/arm/openwrt_demo/1_buildimage/resources/config')
diff --git a/src/arm/openwrt_demo/1_buildimage/resources/config/firewall b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
new file mode 100644
index 0000000..faa8851
--- /dev/null
+++ b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall
@@ -0,0 +1,149 @@
+
+config rule
+ option name '-testcustomer'
+ option src '*'
+ option src_ip '192.168.10.1/32'
+ option dest '*'
+ option dest_ip '151.101.0.0/16'
+ option target 'REJECT'
+
+config rule
+ option name 'Allow-DHCP-Renew'
+ option src 'wan'
+ option proto 'udp'
+ option dest_port '68'
+ option target 'ACCEPT'
+ option family 'ipv4'
+
+config rule
+ option name 'Allow-Ping'
+ option src 'wan'
+ option proto 'icmp'
+ option icmp_type 'echo-request'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-IGMP'
+ option src 'wan'
+ option proto 'igmp'
+ option family 'ipv4'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-DHCPv6'
+ option src 'wan'
+ option proto 'udp'
+ option src_ip 'fc00::/6'
+ option dest_ip 'fc00::/6'
+ option dest_port '546'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-MLD'
+ option src 'wan'
+ option proto 'icmp'
+ option src_ip 'fe80::/10'
+ list icmp_type '130/0'
+ list icmp_type '131/0'
+ list icmp_type '132/0'
+ list icmp_type '143/0'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Input'
+ option src 'wan'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ list icmp_type 'router-solicitation'
+ list icmp_type 'neighbour-solicitation'
+ list icmp_type 'router-advertisement'
+ list icmp_type 'neighbour-advertisement'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-ICMPv6-Forward'
+ option src 'wan'
+ option dest '*'
+ option proto 'icmp'
+ list icmp_type 'echo-request'
+ list icmp_type 'echo-reply'
+ list icmp_type 'destination-unreachable'
+ list icmp_type 'packet-too-big'
+ list icmp_type 'time-exceeded'
+ list icmp_type 'bad-header'
+ list icmp_type 'unknown-header-type'
+ option limit '1000/sec'
+ option family 'ipv6'
+ option target 'ACCEPT'
+
+config rule
+ option target 'ACCEPT'
+ option src 'lan'
+ option proto 'esp'
+ option src_ip '192.168.10.0/24'
+ option dest '*'
+ option name 'ipsecin'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'esp'
+ option src '*'
+ option dest 'lan'
+ option dest_ip '192.168.10.0/24'
+ option name 'ipsecout'
+
+config rule
+ option target 'ACCEPT'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '500'
+ option name 'ipsec'
+
+config rule
+ option target 'ACCEPT'
+ option name '-ipsecnat'
+ option proto 'udp'
+ option src 'lan'
+ option dest_port '4500'
+
+config defaults
+ option syn_flood '1'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config zone
+ option name 'lan'
+ list network 'lan'
+ option input 'ACCEPT'
+ option output 'ACCEPT'
+ option forward 'ACCEPT'
+
+config zone
+ option name 'wan'
+ list network 'wan'
+ list network 'wan6'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+ option masq '1'
+ option mtu_fix '1'
+
+config forwarding
+ option src 'lan'
+ option dest 'wan'
+
+config include
+ option path '/etc/firewall.user'
+
diff --git a/src/arm/openwrt_demo/1_buildimage/resources/config/firewall.user b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall.user
new file mode 100644
index 0000000..ab61136
--- /dev/null
+++ b/src/arm/openwrt_demo/1_buildimage/resources/config/firewall.user
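Review bot: The four IPsec rules in the second half of the hunk (`ipsecin`, `ipsecout`, `ipsec`, `-ipsecnat`) only admit ESP and UDP 500/4500 from the `lan` side, which the `lan` zone (`input 'ACCEPT'`, `forward 'ACCEPT'`) and the `lan`→`wan` forwarding already permit, so they are effectively no-ops, while ESP or IKE arriving on the `wan` zone stays at `input 'REJECT'`. If the IPsec peer sits beyond `net0`, the missing pieces are rules with `option src 'wan'` for `option proto 'esp'` and for UDP `dest_port` 500 and 4500; if the peer really is on the lan side the four rules can be dropped as dead weight. The `wan` zone also lists `network 'wan6'`, which the network file added in this commit does not define, harmless if it is defined elsewhere but otherwise a dangling reference. The `-testcustomer` REJECT at the top (192.168.10.1/32 → 151.101.0.0/16 with `src '*'`/`dest '*'`) ships into every image without explanation; a UCI comment such as `# demo-only: reject 192.168.10.1 -> 151.101.0.0/16 (TODO: document why or remove)` would tell the next reader whether it may go.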
@@ -0,0 +1,9 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
+iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
+iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
diff --git a/src/arm/openwrt_demo/1_buildimage/resources/config/network b/src/arm/openwrt_demo/1_buildimage/resources/config/network
new file mode 100644
index 0000000..eef18e8
--- /dev/null
+++ b/src/arm/openwrt_demo/1_buildimage/resources/config/network
@@ -0,0 +1,27 @@
+
+config interface 'loopback'
+ option ifname 'lo'
+ option proto 'static'
+ option ipaddr '127.0.0.1'
+ option netmask '255.0.0.0'
+
+config globals 'globals'
+ option ula_prefix 'fd5f:b3f4:4633::/48'
+
+config interface 'lan'
+ option ifname 'eth0'
+ option proto 'static'
+ option ipaddr '10.244.1.42'
+ option netmask '255.255.255.0'
+ option gateway '10.244.1.1'
+
+config interface 'wan'
+ option ifname 'net0'
+ option proto 'dhcp'
+
+config route 'r6'
+ option interface 'eth0'
+ option target '10.244.0.0'
+ option netmask '255.255.0.0'
+ option gateway '10.244.1.1'
+
diff --git a/src/arm/openwrt_demo/1_buildimage/resources/config/uhttpd b/src/arm/openwrt_demo/1_buildimage/resources/config/uhttpd
new file mode 100644
index 0000000..fe0691d
--- /dev/null
+++ b/src/arm/openwrt_demo/1_buildimage/resources/config/uhttpd
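Review bot: Both `iptables` lines at the end of the hunk masquerade `192.168.10.0/24` out of `eth0`, but the network file in this same commit makes `eth0` the `lan` device (10.244.1.42/24) and `net0` the `wan` device, and the `wan` zone already carries `masq '1'`; as written the subnet is NATed toward the lan side rather than the uplink, unless the demo's cabling really uses eth0 as upstream. If eth0 is the intended egress, keeping `-o eth0` in sync with whatever the network file calls the uplink is fragile; expressing the NAT through the zone's `masq`/`masq_src` options instead of a hand-written root-chain rule would tie the two together. The policy-match exemption ahead of the MASQUERADE line is in the right order; a comment such as `# keep IPsec-protected traffic from 192.168.10.0/24 out of NAT (presumably the tunnelled subnet)` would make that intent visible to the next reader.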
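Review bot: `config route 'r6'` sets `option interface 'eth0'`, but in OpenWrt's network config the route `interface` option names the logical interface section, which here is `lan` (`eth0` is only its `ifname`), so netifd may never attach this route; `option interface 'lan'` is the expected value. The route is also redundant with `lan`'s `option gateway '10.244.1.1'`, since 10.244.0.0/16 reaches the same next hop, and a static gateway on `lan` next to `proto 'dhcp'` on `wan` yields two default routes whose precedence depends on metrics not set here, so which one is the uplink is unclear from this file alone. `option ula_prefix 'fd5f:b3f4:4633::/48'` bakes one fixed ULA into every image built from this tree instead of the per-device prefix OpenWrt would otherwise generate on first boot; acceptable for a demo, but worth a comment saying so.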
@@ -0,0 +1,24 @@
+
+config uhttpd 'main'
+ list listen_http '0.0.0.0:80'
+ option redirect_https '1'
+ option home '/www'
+ option rfc1918_filter '1'
+ option max_requests '3'
+ option max_connections '100'
+ option cert '/etc/uhttpd.crt'
+ option key '/etc/uhttpd.key'
+ option cgi_prefix '/cgi-bin'
+ option script_timeout '60'
+ option network_timeout '30'
+ option http_keepalive '20'
+ option tcp_keepalive '1'
+ option ubus_prefix '/ubus'
+
+config cert 'px5g'
+ option days '730'
+ option bits '2048'
+ option country 'ZZ'
+ option state 'Somewhere'
+ option location 'Unknown'
+ option commonname 'OpenWrt'
-- 
cgit 1.2.3-korg
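Review bot: `option redirect_https '1'` is set and `cert`/`key` point at `/etc/uhttpd.crt` and `/etc/uhttpd.key`, but there is no `list listen_https` entry, so uhttpd has no TLS listener to redirect to; depending on the init script version the option is either ignored or HTTP clients are redirected to a closed port 443. Add `list listen_https '0.0.0.0:443'` next to the `listen_http` line (and the `[::]` forms if IPv6 is wanted), or drop the redirect so the file matches what the daemon actually serves. The `px5g` section with `ZZ`/`Somewhere`/`Unknown` is the stock self-signed default; a one-line comment noting that the init script generates this certificate on first start when px5g is present, and that browsers will not trust it, would save the next reader checking. `listen_http '0.0.0.0:80'` binds every interface and only the firewall's `wan` zone `input 'REJECT'` keeps it off the uplink, so a comment here pointing at that dependency on the firewall file is worth adding.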