Commit graph

22 commits

Author SHA1 Message Date
Clayton Craft
fd16f66e4f
main/postmarketos-config-nftables: add openrc subpkg (MR 5172)
For installing openrc-specific dependencies, specifically
nftables-openrc which is needed because the post-install enables the
openrc service and expects the initd script to be available then

[ci:skip-build] already built successfully in CI
2024-05-27 13:27:16 -07:00
Markus Göllnitz
fef1a94b57
main/postmarketos-config-nftables: allow Wi-Fi Display traffic (MR 4391)
The port 7236 for TCP is registered with IANA by the
Wi-Fi Alliance for use for the Wi-Fi Display Protocol,
a.k.a. Miracast.

To establish the connection, the local DHCP server has to
be allowed to respond to requests on peer-to-peer Wi-Fi
networks.

Signed-off-by: Markus Göllnitz <camelcasenick@bewares.it>
[ci:skip-build]: already built successfully in CI
2023-09-14 20:40:33 +02:00
Arnav Singh
de08bca311
main/postmarketos-{base-ui,config-nftables}: reorganize NM configs and scripts (MR 4254)
1. Move all configs from /etc/NetworkManager/conf.d to
   /usr/lib/NetworkManager/conf.d since the latter is more appropriate for
   distribution-provided config files. In particular this means apk will
   update them when the package file is changed rather than creating
   `.apk-new` files. If a user wants to override such a file, they can create
   a file with the same name under /etc/NetworkManager/conf.d

2. Move all dispatcher scripts from /etc/NetworkManager/dispatcher.d to
   /usr/lib/NetworkManager/dispatcher.d for the same reason.

3. Rename all configs to have a "50-" prefix so that users can add their own
   "99-" overrides with a guarantee that they'll be processed after
   distribution-provided configs.

4. Rename dispatcher scripts to have a "50-" prefix instead of "85-" and "99-"
   since they're distribution-provided files.

5. Move 50-tethering.conf from the base-ui package to
   the base-ui-networkmanager package.

There are also some device packages that put config files without a numeric
prefix in /etc/NetworkManager/conf.d . This MR doesn't change those.

[ci:skip-build] already built successfully in CI
2023-07-17 10:06:52 -07:00
Raymond Hackley
6e2805898e
main/postmarketos-config-nftables: use $subpkgdir in chromecast subpkg (MR 3937) 2023-03-07 16:41:32 +01:00
Smits Katze
a2820d9c79
main/postmarketos-config-nftables: make mDNS rule more restrictive (MR 3755)
mDNS queries and replies are sent to port 5353.
Update firewall rule in order to make it as tight as possible.

[ci:skip-build]: already built successfully in CI
2023-01-17 08:34:20 +01:00
Raymond Hackley
db00e85baf
main/postmarketos-config-nftables: 50_*.nft: drop unused wwan rules (MR 3594)
There is "iifname "wwan*" drop" defined in 01_wwan.nft, which drops
any not "established, related" incoming packet from WWAN.

[ci:skip-build]: already built successfully in CI
2022-11-03 07:48:33 +01:00
Alexey Minnekhanov
4144c7631f
main/postmarketos-config-nftables: use versioned constraints in install_if (MR 3536)
Consistently use `install_if="$pkgname=$pkgver-r$pkgrel ...` everywhere,
this is recommended upstream.

See https://wiki.alpinelinux.org/wiki/APKBUILD_Reference#install_if
2022-10-16 08:19:21 +03:00
Raymond Hackley
1efe44bb36
main/postmarketos-config-nftables: add VLC chromecast rules (MR 3536) 2022-10-16 08:08:54 +03:00
Raymond Hackley
e0fa89db06
postmarketos-config-nftables: fix syntax errors and coding styles (MR 3535) 2022-10-14 09:35:31 +02:00
Raymond Hackley
b1e1d7f6d3
postmarketos-config-nftables: add upnp-client rules (MR 3533)
Add rules to accept SSDP/UPnP Replies, which can be used for discovery
in VLC.
2022-10-13 13:12:53 +02:00
Anjandev Momi
6b308af051
main/postmarketos-config-nftables: add mosh config (MR 2725)
https://social.linux.pizza/@jan_wagemakers/107393948283025525

[ci:skip-build] already built successfully in CI
2021-12-05 22:34:07 -08:00
Oliver Smith
e225134edb
main/postmarketos-config-nftables: bump pkgrel
Current package has a bad checksum error on armv7, so build it again.

Fixes: #2081
2021-11-29 07:56:49 +01:00
Oliver Smith
d88960dc39
main/postmarketos-config-nftables: remove anbox (MR 2710)
Prepare to drop anbox from pmaports in favor of waydroid. For waydroid,
there's an nftables rule packaged as waydroid-nftables subpackage of the
waydroid package in Alpine (see pmaports issue 1280).
2021-11-27 15:50:16 +01:00
wonderfulShrineMaidenOfParadise
d60ff7eb32
main/postmarketos-config-nftables: subpackage docker (MR 2629) 2021-10-24 15:13:11 +03:00
Clayton Craft
45ea9bec29
postmarketos-config-nftables: add forward rule to accept traffic on wlan (MR 2622)
This seems to fix the last missing piece to getting the hotspot stuff
working, at least when it's set up with networkmanager (I haven't tested
other methods, but assume this rule is still needed there too...)

fixes #1198
2021-10-22 18:35:23 +03:00
wonderfulShrineMaidenOfParadise
6e1dd3f820
main/postmarketos-config-nftables: subpackage vncserver (MR 2479)
Co-authored-by: clayton craft <clayton@craftyguy.net>
2021-09-01 11:28:33 +03:00
Clayton Craft
c1a6a6511b
postmarketos-config-nftables: allow DNS from wlan* (MR 2448)
This fixes DNS when a system is connected to a pmOS device as a hotspot.

The rule is in the default set of firewall rules, instead of a
subpackage.. I think this is OK. I don't believe anything should be
listening on port 53 except when the hotspot is running...
2021-08-21 20:33:52 +02:00
Martijn Braam
a52e82b3ee
main/postmarketos-config-nftables: fix hotspot with networkmanager (MR 2408)
The networkmanager hotspot needs to have DHCP input enabled on the wifi
interfaces so the temporary dnsmasq instance can work. The
networkmanager backend is also switched to the nftables one so it can
create the ad-hoc hotspot forwarding/masquerade table.
2021-08-07 16:54:59 +02:00
Clayton Craft
931ae03648
config-nftables: add rules for allowing usb inet access (MR 2274)
This rule is installed by default, since users that need usb inet won't
have an easy way to install a subpackage.

This is meant to facilitate:
https://wiki.postmarketos.org/wiki/USB_Internet
2021-06-25 23:00:11 -07:00
Clayton Craft
2a1b69db00
config-nftables-anbox: fix rule to allow matching on future iface (2274) (MR 2274)
The old rule would result in nftables failing to load if the iface
doesn't exist. Using `iifname` will match on any future ifaces if they
don't exist when the firewall starts.
2021-06-25 23:00:10 -07:00
samuel norbury
3960ad0c51
postmarketos-config-nftables: Add nftables rules for anbox (MR 2271)
Anbox needs a specific set of nftables rules to allow incoming and
outgoing traffic. Anbox makes it easy to allow the specific traffic due
to the established `anbox0` bridge network interface.
2021-06-23 21:18:28 +02:00
Clayton Craft
a772f7a5d4
postmarketos-config-nftables: add package for configuring nftables fw (MR 2060)
Installs nftables config useful for pmOS::

1) drop all connections to wwan* (wildcard matching supported, are there
   any other wwan iface names that wouldn't match this?)

2) allow ssh, drop from wwan (kinda redundant w/ the first rule, but
   doesn't hurt..), allow DHCP on usb*

3) allow all incoming connections on usb* (with the -openusb subpackage)

4) enable logging all nftable events (with the -log subpackage), very
   useful for debugging

fixes #1024
2021-06-14 13:29:34 -07:00