
firewall3: Make IPv6 ULA-Border generation dynamic

This fixes operation behind another router that hands out ULAs.

SVN-Revision: 36416
Steven Barth 12 years ago
parent
commit
2c78c1457b

+ 3 - 1
package/network/config/firewall3/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall3
-PKG_VERSION:=2013-03-22
+PKG_VERSION:=2013-04-24
 PKG_RELEASE:=$(PKG_SOURCE_VERSION)
 
 PKG_SOURCE_PROTO:=git
@@ -49,6 +49,8 @@ define Package/firewall3/install
 	$(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
 	$(INSTALL_DIR) $(1)/etc/
 	$(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user
+	$(INSTALL_DIR) $(1)/usr/share/firewall/
+	$(INSTALL_BIN) ./files/ipv6-ula-border.sh $(1)/usr/share/firewall/ipv6-ula-border.sh
 endef
 
 $(eval $(call BuildPackage,firewall3))

+ 7 - 19
package/network/config/firewall3/files/firewall.config

@@ -95,29 +95,17 @@ config rule
 	option family		ipv6
 	option target		ACCEPT
 
-# Block ULA-traffic from leaking out
-config rule
-	option name		Enforce-ULA-Border-Src
-	option src		*
-	option dest		wan
-	option proto		all
-	option src_ip		fc00::/7
-	option family		ipv6
-	option target		REJECT
-
-config rule
-	option name		Enforce-ULA-Border-Dest
-	option src		*
-	option dest		wan
-	option proto		all
-	option dest_ip		fc00::/7
-	option family		ipv6
-	option target		REJECT
-
 # include a file with users custom iptables rules
 config include
 	option path /etc/firewall.user
 
+# include IPv6 ULA-border
+config include
+	option type script
+	option path /usr/share/firewall/ipv6-ula-border.sh
+	option family IPv6
+	option reload 1
+
 
 ### EXAMPLE CONFIG SECTIONS
 # do not allow a specific ip to access wan
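Review bot: The new include section writes `option family IPv6` with mixed case while every other section in this file uses the lowercase `option family		ipv6` (see the rule just above the hunk); unless fw3 is known to compare the value case-insensitively, this should be `option family ipv6` for consistency. The two-word comment also undersells what changed: the removed rules rejected the whole fc00::/7 range toward wan, whereas the included script only acts on the prefix in network.globals.ula_prefix and is a no-op when that option is unset, so a reader of this config can no longer tell whether ULA leakage is being blocked. I would extend the comment to `# include IPv6 ULA-border enforcement (script reads network.globals.ula_prefix; does nothing when it is unset)`.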

+ 6 - 0
package/network/config/firewall3/files/ipv6-ula-border.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+ULA_PREFIX=$(uci -q get network.globals.ula_prefix)
+[ -n "$ULA_PREFIX" ] || exit 0
+
+ip6tables -I delegate_forward -s $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
+ip6tables -I delegate_forward -d $ULA_PREFIX -m comment --comment "Enforce ULA-Border" -j zone_wan_dest_REJECT
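Review bot: `$ULA_PREFIX` is expanded unquoted in both ip6tables invocations, so a value containing whitespace would be word-split into extra arguments; since the value comes from uci rather than a literal, write `-s "$ULA_PREFIX"` and `-d "$ULA_PREFIX"`. The script also assumes the chains `delegate_forward` and `zone_wan_dest_REJECT` exist; if there is no zone named wan the second command fails with an ip6tables error and, because there is no `set -e`, the script still returns the status of only its last line, which may or may not be what fw3 expects from an include. Because the rules are inserted with `-I` and the config enables `option reload 1`, it is worth confirming that fw3 flushes delegate_forward before re-running the script, otherwise duplicate rules accumulate on each reload. A short header comment stating that the script is run by fw3 as an include and enforces the border only for the locally configured ULA prefix would help the next reader.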