Merge c932842220
into 979dd354fa
This commit is contained in:
commit
087105d439
2
.github/labeler.yml
2
.github/labeler.yml
@ -28,7 +28,7 @@
|
||||
- package/gluon-mesh-vpn-fastd/**
|
||||
"3. topic: firewall":
|
||||
- package/**/*-firewall
|
||||
- package/gluon-ebtables-*/**
|
||||
- package/gluon-nftables-*/**
|
||||
"3. topic: hardware":
|
||||
- package/gluon-core/luasrc/lib/gluon/upgrade/010-primary-mac
|
||||
- package/gluon-core/luasrc/usr/lib/lua/gluon/platform.lua
|
||||
|
11
.luacheckrc
11
.luacheckrc
@ -81,10 +81,17 @@ files["package/**/luasrc/lib/gluon/**/controller/*"] = {
|
||||
},
|
||||
}
|
||||
|
||||
files["package/**/luasrc/lib/gluon/ebtables/*"] = {
|
||||
files["package/**/luasrc/lib/gluon/nftables/*"] = {
|
||||
read_globals = {
|
||||
"chain",
|
||||
"path",
|
||||
"include",
|
||||
"rule",
|
||||
|
||||
"bridge_rule",
|
||||
"bridge_chain",
|
||||
"bridge_table",
|
||||
"bridge_include_rule",
|
||||
"bridge_include_table",
|
||||
},
|
||||
max_line_length = false,
|
||||
}
|
||||
|
@ -7,9 +7,6 @@
|
||||
|
||||
GLUON_FEATURES := \
|
||||
autoupdater \
|
||||
ebtables-filter-multicast \
|
||||
ebtables-filter-ra-dhcp \
|
||||
ebtables-limit-arp \
|
||||
mesh-olsrd \
|
||||
mesh-vpn-fastd \
|
||||
respondd \
|
||||
|
@ -29,10 +29,10 @@ the workflow using these scripts:
|
||||
contrib/run_qemu.sh output/images/factory/[...]-x86-64.img
|
||||
|
||||
# apply changes to the desired package
|
||||
vi package/gluon-ebtables/files/etc/init.d/gluon-ebtables
|
||||
vi package/gluon-nftables/files/etc/init.d/gluon-nftables
|
||||
|
||||
# rebuild and push the package to the qemu instance
|
||||
contrib/push_pkg.sh package/gluon-ebtables/
|
||||
contrib/push_pkg.sh package/gluon-nftables/
|
||||
|
||||
# test your changes
|
||||
...
|
||||
@ -41,7 +41,7 @@ the workflow using these scripts:
|
||||
...
|
||||
|
||||
# rebuild and push the package to the qemu instance
|
||||
contrib/push_pkg.sh package/gluon-ebtables/
|
||||
contrib/push_pkg.sh package/gluon-nftables/
|
||||
|
||||
# test your changes
|
||||
...
|
||||
@ -83,7 +83,7 @@ Note that:
|
||||
* If you add new packages, you must run ``make update config GLUON_TARGET=...``.
|
||||
* You can change the gluon target of the target machine via ``make config GLUON_TARGET=...``.
|
||||
* If you want to update the ``site.conf`` of the target machine, use ``push_pkg.sh package/gluon-site/``.
|
||||
* Sometimes when things break, you can heal them by compiling a package with its dependencies: ``cd openwrt; make package/gluon-ebtables/clean; make package/gluon-ebtables/compile; cd ..``.
|
||||
* Sometimes when things break, you can heal them by compiling a package with its dependencies: ``cd openwrt; make package/gluon-nftables/clean; make package/gluon-nftables/compile; cd ..``.
|
||||
* You can exit qemu by pressing ``CTRL + a`` and ``c`` afterwards.
|
||||
|
||||
Gluon package makefiles
|
||||
|
@ -62,10 +62,10 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
|
||||
|
||||
package/gluon-client-bridge
|
||||
package/gluon-config-mode-domain-select
|
||||
package/gluon-ebtables-filter-multicast
|
||||
package/gluon-ebtables-filter-ra-dhcp
|
||||
package/gluon-ebtables-limit-arp
|
||||
package/gluon-ebtables-source-filter
|
||||
package/gluon-nftables-filter-multicast
|
||||
package/gluon-nftables-filter-ra-dhcp
|
||||
package/gluon-nftables-limit-arp
|
||||
package/gluon-nftables-source-filter
|
||||
package/gluon-hoodselector
|
||||
package/gluon-logging
|
||||
package/gluon-mesh-batman-adv
|
||||
|
@ -7,9 +7,9 @@
|
||||
|
||||
GLUON_FEATURES := \
|
||||
autoupdater \
|
||||
ebtables-filter-multicast \
|
||||
ebtables-filter-ra-dhcp \
|
||||
ebtables-limit-arp \
|
||||
nftables-filter-multicast \
|
||||
nftables-filter-ra-dhcp \
|
||||
nftables-limit-arp \
|
||||
mesh-batman-adv-15 \
|
||||
mesh-vpn-fastd \
|
||||
respondd \
|
||||
|
@ -13,7 +13,7 @@ domain and will see each other "as if they were connected to one giant switch".
|
||||
This comes with a set of advantages (like quick and economical client device roaming,
|
||||
layer 3 protocol agnosticism, broadcast/multicast). But also impediments, especially
|
||||
layer 2 multicast overhead - which Gluon tries to mitigate to achieve a certain degree
|
||||
of scalability. See :doc:`gluon-ebtables-filter-multicast` and
|
||||
of scalability. See :doc:`gluon-nftables-filter-multicast` and
|
||||
:ref:`batman-adv-multicast-architecture` for details.
|
||||
|
||||
B.A.T.M.A.N. Advanced project homepage:
|
||||
@ -53,9 +53,9 @@ While generally broadcast capability is a nice feature of a layer 2
|
||||
mesh protocol, it quickly reaches its limit.
|
||||
|
||||
For meshes with about **50 nodes / 100 clients, or more** it is therefore highly
|
||||
recommended to add the :doc:`gluon-ebtables-filter-multicast`
|
||||
recommended to add the :doc:`gluon-nftables-filter-multicast`
|
||||
package. Also, with the *mesh-batman-adv-15* feature,
|
||||
:doc:`gluon-ebtables-limit-arp` is selected by default.
|
||||
:doc:`gluon-nftables-limit-arp` is selected by default.
|
||||
|
||||
Furthermore, by default IGMP and MLD messages are filtered. See
|
||||
:ref:`site.conf mesh section <user-site-mesh>` and
|
||||
|
@ -1,7 +1,7 @@
|
||||
gluon-ebtables-filter-multicast
|
||||
gluon-nftables-filter-multicast
|
||||
===============================
|
||||
|
||||
The *gluon-ebtables-filter-multicast* package filters out various kinds of
|
||||
The *gluon-nftables-filter-multicast* package filters out various kinds of
|
||||
non-essential multicast traffic, as this traffic often constitutes a
|
||||
disproportionate burden on the mesh network. Unfortunately, this breaks many useful services
|
||||
(Avahi, Bonjour chat, ...), but this seems unavoidable, as the current Avahi implementation is
|
@ -1,7 +1,7 @@
|
||||
gluon-ebtables-filter-ra-dhcp
|
||||
gluon-nftables-filter-ra-dhcp
|
||||
=============================
|
||||
|
||||
The *gluon-ebtables-filter-ra-dhcp* package tries to prevent common
|
||||
The *gluon-nftables-filter-ra-dhcp* package tries to prevent common
|
||||
misconfigurations (i.e. connecting the client interface of a Gluon
|
||||
node to a private network) from causing issues for either of the
|
||||
networks.
|
@ -1,14 +1,14 @@
|
||||
gluon-ebtables-limit-arp
|
||||
gluon-nftables-limit-arp
|
||||
========================
|
||||
|
||||
The *gluon-ebtables-limit-arp* package adds filters to limit the
|
||||
The *gluon-nftables-limit-arp* package adds filters to limit the
|
||||
amount of ARP requests client devices are allowed to send into the
|
||||
mesh.
|
||||
|
||||
The limits per client device, identified by its MAC address, are
|
||||
6 packets per minute and 1 per second per node in total.
|
||||
A burst of up to 50 ARP requests is allowed until the rate-limiting
|
||||
takes effect (see ``--limit-burst`` in ``ebtables(8)``).
|
||||
takes effect (see ``--limit-burst`` in ``nftables(8)``).
|
||||
|
||||
Furthermore, ARP requests for a target IP already present in the
|
||||
batman-adv DAT cache are excluded from rate-limiting, in regard
|
||||
@ -26,4 +26,4 @@ feature is *mesh-batman-adv-15*.
|
||||
It can be unselected via::
|
||||
|
||||
GLUON_SITE_PACKAGES := \
|
||||
-gluon-ebtables-limit-arp
|
||||
-gluon-nftables-limit-arp
|
@ -1,7 +1,7 @@
|
||||
gluon-ebtables-source-filter
|
||||
gluon-nftables-source-filter
|
||||
============================
|
||||
|
||||
The *gluon-ebtables-source-filter* package adds an additional layer-2 filter
|
||||
The *gluon-nftables-source-filter* package adds an additional layer-2 filter
|
||||
ruleset to prevent unreasonable traffic entering the network via the nodes.
|
||||
Unreasonable means traffic entering the mesh via a node which source IP does
|
||||
not belong to the configured IP space.
|
@ -35,7 +35,7 @@ connected to the client interface via cable or WLAN instead of via the mesh
|
||||
fake TQ of 512, so that they are always preferred.
|
||||
|
||||
Be aware of problems if you plan to use local routers together with the
|
||||
:doc:`gluon-ebtables-filter-ra-dhcp` package. These router advertisements are
|
||||
:doc:`gluon-nftables-filter-ra-dhcp` package. These router advertisements are
|
||||
filtered anyway and reach neither the node nor any other client. Therefore the
|
||||
use of local routers is not possible as long as the package
|
||||
``gluon-radv-filterd`` is used.
|
||||
|
@ -105,7 +105,7 @@ New features
|
||||
The new package *gluon-ebtables-source-filter* can be used to prevent traffic
|
||||
using unexpected IP addresses or packet types from entering the mesh.
|
||||
|
||||
See also: :doc:`../package/gluon-ebtables-source-filter`
|
||||
See also: :doc:`../package/gluon-nftables-source-filter`
|
||||
|
||||
Bugfixes
|
||||
~~~~~~~~
|
||||
|
@ -120,7 +120,7 @@ trying it out, please contact us on our mailing list or in our IRC channel.
|
||||
gluon-ebtables-limit-arp enabled by default
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
The :doc:`../package/gluon-ebtables-limit-arp` package, introduced in Gluon
|
||||
The :doc:`../package/gluon-nftables-limit-arp` package, introduced in Gluon
|
||||
2018.1, is now included by default. In case of issues, it can be removed by
|
||||
adding ``-gluon-ebtables-limit-arp`` to *GLUON_SITE_PACKAGES*.
|
||||
|
||||
|
@ -7,9 +7,9 @@
|
||||
|
||||
GLUON_FEATURES := \
|
||||
autoupdater \
|
||||
ebtables-filter-multicast \
|
||||
ebtables-filter-ra-dhcp \
|
||||
ebtables-limit-arp \
|
||||
nftables-filter-multicast \
|
||||
nftables-filter-ra-dhcp \
|
||||
nftables-limit-arp \
|
||||
mesh-batman-adv-15 \
|
||||
mesh-vpn-fastd \
|
||||
respondd \
|
||||
|
@ -38,7 +38,7 @@ when(_'web-advanced' and _'autoupdater', {
|
||||
|
||||
|
||||
when(_'mesh-batman-adv-15', {
|
||||
'gluon-ebtables-limit-arp',
|
||||
'gluon-nftables-limit-arp',
|
||||
'gluon-radvd',
|
||||
})
|
||||
|
||||
|
@ -11,7 +11,7 @@ define Package/gluon-core
|
||||
TITLE:=Base files of Gluon
|
||||
DEPENDS:= \
|
||||
+gluon-site +libgluonutil +libiwinfo-lua +lua-platform-info +lua-simple-uci +lua-hash +lua-jsonc \
|
||||
+luabitop +luaposix +vxlan +odhcp6c +firewall +pretty-hostname
|
||||
+luabitop +luaposix +vxlan +odhcp6c +firewall4 +pretty-hostname
|
||||
endef
|
||||
|
||||
define Package/gluon-core/description
|
||||
|
@ -1,20 +0,0 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=gluon-ebtables-filter-multicast
|
||||
|
||||
include ../gluon.mk
|
||||
|
||||
define Package/gluon-ebtables-filter-multicast
|
||||
TITLE:=Ebtables filters for multicast packets
|
||||
DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
|
||||
endef
|
||||
|
||||
define Package/gluon-ebtables-filter-multicast/description
|
||||
Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
|
||||
|
||||
These filters drop non-essential multicast traffic before it enters the mesh.
|
||||
|
||||
Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackageGluon,gluon-ebtables-filter-multicast))
|
@ -1,7 +0,0 @@
|
||||
-- Bridge loop avoidance
|
||||
rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:00:00:00/ff:ff:ff:fc:00:00 -j RETURN'
|
||||
rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:05:00:00/ff:ff:ff:ff:00:00 -j RETURN'
|
||||
|
||||
rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-ip-src 0.0.0.0 -j DROP'
|
||||
rule 'MULTICAST_OUT -p ARP --arp-opcode Request --arp-ip-dst 0.0.0.0 -j DROP'
|
||||
rule 'MULTICAST_OUT -p ARP -j RETURN'
|
@ -1 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN'
|
@ -1 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN'
|
@ -1 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN'
|
@ -1 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j RETURN'
|
@ -1,3 +0,0 @@
|
||||
rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j RETURN'
|
||||
rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j RETURN' -- ICMP Node Information Query
|
||||
rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'
|
@ -1 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'
|
@ -1,2 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN'
|
||||
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN'
|
@ -1 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 1001 --ip6-dst ff05::2:1001 -j RETURN'
|
@ -1 +0,0 @@
|
||||
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination ff02::9 --ip6-destination-port 521 -j RETURN'
|
@ -1,3 +0,0 @@
|
||||
rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
|
||||
rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
|
||||
rule ('MULTICAST_OUT -j DROP')
|
@ -1,19 +0,0 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=gluon-ebtables-filter-ra-dhcp
|
||||
|
||||
include ../gluon.mk
|
||||
|
||||
define Package/gluon-ebtables-filter-ra-dhcp
|
||||
TITLE:=Ebtables filters for Router Advertisement and DHCP packets
|
||||
DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
|
||||
endef
|
||||
|
||||
define Package/gluon-ebtables-filter-ra-dhcp/description
|
||||
Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
|
||||
|
||||
These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
|
||||
client network, and not vice-versa.
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackageGluon,gluon-ebtables-filter-ra-dhcp))
|
@ -1,11 +0,0 @@
|
||||
local uci = require('simple-uci').cursor()
|
||||
|
||||
local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode')
|
||||
|
||||
if gw_mode ~= 'server' then
|
||||
rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
|
||||
rule 'OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
|
||||
|
||||
rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
|
||||
rule 'INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
|
||||
end
|
@ -1,5 +0,0 @@
|
||||
rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
|
||||
rule 'OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
|
||||
|
||||
rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'
|
||||
rule 'INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'
|
@ -1,5 +0,0 @@
|
||||
rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
|
||||
rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
|
||||
|
||||
rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
|
||||
rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
|
@ -1,3 +0,0 @@
|
||||
chain('ARP_LIMIT', 'DROP')
|
||||
chain('ARP_LIMIT_DATCHECK', 'RETURN')
|
||||
chain('ARP_LIMIT_TLCHECK', 'RETURN')
|
@ -1,6 +0,0 @@
|
||||
rule('ARP_LIMIT -j ARP_LIMIT_DATCHECK')
|
||||
rule('ARP_LIMIT --mark 0x2/0x2 -j RETURN')
|
||||
rule('ARP_LIMIT -j ARP_LIMIT_TLCHECK')
|
||||
rule('ARP_LIMIT --limit 1/sec --limit-burst 50 -j RETURN')
|
||||
|
||||
rule('FORWARD -p ARP --logical-out br-client -o bat0 --arp-op Request -j ARP_LIMIT')
|
@ -1,17 +0,0 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=gluon-ebtables-source-filter
|
||||
|
||||
include ../gluon.mk
|
||||
|
||||
define Package/gluon-ebtables-source-filter
|
||||
TITLE:=Ebtables rules to filter unreasonable L2 traffic.
|
||||
DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
|
||||
endef
|
||||
|
||||
define Package/gluon-ebtables-source-filter/description
|
||||
This package adds an additional layer-2 filter-ruleset to prevent unreasonable
|
||||
traffic entering the network via the nodes.
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackageGluon,gluon-ebtables-source-filter))
|
@ -1 +0,0 @@
|
||||
chain('LOCAL_FORWARD', 'DROP')
|
@ -1,6 +0,0 @@
|
||||
local prefix4 = require('gluon.site').prefix4()
|
||||
|
||||
if prefix4 then
|
||||
rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
|
||||
rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
|
||||
end
|
@ -1,6 +0,0 @@
|
||||
local prefix4 = require('gluon.site').prefix4()
|
||||
|
||||
if prefix4 then
|
||||
rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
|
||||
rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
|
||||
end
|
@ -1,9 +0,0 @@
|
||||
local site = require 'gluon.site'
|
||||
|
||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
|
||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
|
||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6() .. ' -j RETURN')
|
||||
|
||||
for _, prefix in ipairs(site.extra_prefixes6({})) do
|
||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
|
||||
end
|
@ -1 +0,0 @@
|
||||
rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')
|
@ -1,17 +0,0 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=gluon-ebtables
|
||||
|
||||
include ../gluon.mk
|
||||
|
||||
define Package/gluon-ebtables
|
||||
TITLE:=Ebtables support
|
||||
DEPENDS:=+gluon-core +ebtables-tiny \
|
||||
+kmod-ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6
|
||||
endef
|
||||
|
||||
define Package/gluon-ebtables/description
|
||||
Gluon community wifi mesh firmware framework: ebtables support
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackageGluon,gluon-ebtables))
|
@ -1,80 +0,0 @@
|
||||
#!/bin/sh /etc/rc.common
|
||||
# Copyright (C) 2013 Project Gluon
|
||||
#
|
||||
# Firewall script for inserting and removing ebtables rules.
|
||||
#
|
||||
# Example format, for filtering any IPv4 multicast packets to the SSDP UDP port:
|
||||
# rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP
|
||||
#
|
||||
# Removing all rules:
|
||||
# $ /etc/init.d/gluon-ebtables stop
|
||||
# Inserting all rules:
|
||||
# $ /etc/init.d/gluon-ebtables start
|
||||
# Inserting a specific rule file:
|
||||
# $ /etc/init.d/gluon-ebtables start /lib/gluon/ebtables/100-mcast-chain
|
||||
# Removing a specific rule file:
|
||||
# $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain
|
||||
|
||||
|
||||
START=19
|
||||
STOP=91
|
||||
|
||||
|
||||
exec_file() {
|
||||
local file="$1"
|
||||
|
||||
/usr/bin/lua -e "
|
||||
function rule(command, table)
|
||||
table = table or 'filter'
|
||||
os.execute($EBTABLES_RULE)
|
||||
end
|
||||
function chain(name, policy, table)
|
||||
table = table or 'filter'
|
||||
os.execute($EBTABLES_CHAIN)
|
||||
end
|
||||
|
||||
" "$file"
|
||||
}
|
||||
|
||||
exec_all() {
|
||||
local sort_arg="$1"
|
||||
|
||||
local old_ifs="$IFS"
|
||||
IFS='
|
||||
'
|
||||
for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do
|
||||
exec_file "$file"
|
||||
done
|
||||
IFS="$old_ifs"
|
||||
}
|
||||
|
||||
|
||||
start() {
|
||||
(
|
||||
export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command'
|
||||
export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -N " .. name .. " -P " .. policy'
|
||||
|
||||
# Contains /var/lib/ebtables/lock for '--concurrent'
|
||||
[ ! -d "/var/lib/ebtables" ] && \
|
||||
mkdir -p /var/lib/ebtables
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
exec_all ''
|
||||
else
|
||||
exec_file "$1"
|
||||
fi
|
||||
)
|
||||
}
|
||||
|
||||
stop() {
|
||||
(
|
||||
export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -D " .. command'
|
||||
export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name'
|
||||
|
||||
if [ -z "$1" ]; then
|
||||
exec_all '-r'
|
||||
else
|
||||
exec_file "$1"
|
||||
fi
|
||||
)
|
||||
}
|
@ -1,2 +0,0 @@
|
||||
#!/bin/sh
|
||||
/etc/init.d/gluon-ebtables stop
|
@ -1,2 +0,0 @@
|
||||
#!/bin/sh
|
||||
/etc/init.d/gluon-ebtables start
|
@ -1,9 +0,0 @@
|
||||
chain('IN_ONLY', 'RETURN')
|
||||
chain('OUT_ONLY', 'RETURN')
|
||||
|
||||
-- nat chain runs early, so we can drop IGMP/MLD
|
||||
chain('MULTICAST_IN', 'RETURN', 'nat')
|
||||
chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')
|
||||
|
||||
chain('MULTICAST_OUT', 'RETURN')
|
||||
chain('MULTICAST_OUT_ICMPV6', 'RETURN')
|
@ -1,7 +0,0 @@
|
||||
rule 'IN_ONLY --logical-in br-client -i bat0 -j RETURN'
|
||||
rule 'IN_ONLY --logical-in br-client -i local-port -j RETURN'
|
||||
rule 'IN_ONLY --logical-in br-client -j DROP'
|
||||
|
||||
rule 'OUT_ONLY --logical-out br-client -o bat0 -j RETURN'
|
||||
rule 'OUT_ONLY --logical-out br-client -o local-port -j RETURN'
|
||||
rule 'OUT_ONLY --logical-out br-client -j DROP'
|
@ -1,20 +0,0 @@
|
||||
local site = require 'gluon.site'
|
||||
|
||||
rule('MULTICAST_IN -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP', 'nat')
|
||||
rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP')
|
||||
|
||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query
|
||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query
|
||||
|
||||
if site.mesh.filter_membership_reports(true) then
|
||||
rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')
|
||||
rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP')
|
||||
|
||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report
|
||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
|
||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
|
||||
|
||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
|
||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
|
||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
|
||||
end
|
@ -1,3 +0,0 @@
|
||||
*mangle
|
||||
-A FORWARD -o mesh-vpn+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
COMMIT
|
@ -1,10 +0,0 @@
|
||||
#!/usr/bin/lua
|
||||
|
||||
local uci = require('simple-uci').cursor()
|
||||
uci:section('firewall', 'include', 'vpn_clamp_mss', {
|
||||
family = 'ipv6',
|
||||
type = 'restore',
|
||||
path = '/lib/gluon/mesh-vpn/iptables-mss.rules'
|
||||
})
|
||||
|
||||
uci:save('firewall')
|
@ -9,7 +9,7 @@ include ../gluon.mk
|
||||
|
||||
define Package/gluon-mesh-babel
|
||||
TITLE:=Babel mesh
|
||||
DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop
|
||||
DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall4 +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop
|
||||
PROVIDES:=gluon-mesh-provider
|
||||
endef
|
||||
|
||||
|
@ -12,8 +12,9 @@ define Package/gluon-mesh-batman-adv-15
|
||||
+gluon-core \
|
||||
+libgluonutil \
|
||||
+gluon-client-bridge \
|
||||
+gluon-ebtables \
|
||||
+firewall \
|
||||
+gluon-nftables \
|
||||
+gluon-nftables-multicast \
|
||||
+firewall4 \
|
||||
+libiwinfo \
|
||||
+kmod-dummy \
|
||||
+libnl-tiny \
|
||||
|
@ -1,41 +0,0 @@
|
||||
local client_bridge = require 'gluon.client_bridge'
|
||||
local site = require 'gluon.site'
|
||||
local next_node = site.next_node({})
|
||||
|
||||
local macaddr = client_bridge.next_node_macaddr()
|
||||
|
||||
rule('FORWARD --logical-out br-client -i bat0 -o local-port -j DROP')
|
||||
rule('FORWARD --logical-out br-client -i local-port -o bat0 -j DROP')
|
||||
|
||||
rule('PREROUTING --logical-in br-client -i bat0 -s ' .. macaddr .. ' -j DROP', 'nat')
|
||||
rule('PREROUTING --logical-in br-client -i bat0 -d ' .. macaddr .. ' -j DROP', 'nat')
|
||||
|
||||
rule('FORWARD --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP')
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP')
|
||||
rule('FORWARD --logical-out br-client -o bat0 -s ' .. macaddr .. ' -j DROP')
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -s ' .. macaddr .. ' -j DROP')
|
||||
|
||||
if next_node.ip4 then
|
||||
rule('FORWARD --logical-out br-client -o bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('FORWARD --logical-out br-client -o bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('FORWARD --logical-out br-client -i bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('FORWARD --logical-out br-client -i bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
|
||||
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
|
||||
|
||||
rule('INPUT -i bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('INPUT -i bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
|
||||
|
||||
rule('FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-destination ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-destination ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-source ' .. next_node.ip4 .. ' -j DROP')
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-source ' .. next_node.ip4 .. ' -j DROP')
|
||||
end
|
||||
|
||||
if next_node.ip6 then
|
||||
rule('FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination ' .. next_node.ip6 .. ' -j DROP')
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination ' .. next_node.ip6 .. ' -j DROP')
|
||||
rule('FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source ' .. next_node.ip6 .. ' -j DROP')
|
||||
rule('OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source ' .. next_node.ip6 .. ' -j DROP')
|
||||
end
|
@ -1,2 +0,0 @@
|
||||
rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -i bat0 -j DROP'
|
||||
rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -o bat0 -j DROP'
|
@ -0,0 +1,41 @@
|
||||
local client_bridge = require 'gluon.client_bridge'
|
||||
local site = require 'gluon.site'
|
||||
local next_node = site.next_node({})
|
||||
|
||||
local macaddr = client_bridge.next_node_macaddr()
|
||||
|
||||
bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" oifname "bat0" drop')
|
||||
bridge_rule('FORWARD', 'obrname "br-client" iifname "local-port" oifname "bat0" drop')
|
||||
|
||||
bridge_rule('PREROUTING', 'ibrname "br-client" iifname "bat0" ether saddr ' .. macaddr .. ' drop', 'nat')
|
||||
bridge_rule('PREROUTING', 'ibrname "br-client" iifname "bat0" ether daddr ' .. macaddr .. ' drop', 'nat')
|
||||
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ether daddr ' .. macaddr .. ' drop')
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ether daddr ' .. macaddr .. ' drop')
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ether saddr ' .. macaddr .. ' drop')
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ether saddr ' .. macaddr .. ' drop')
|
||||
|
||||
if next_node.ip4 then
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
|
||||
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
|
||||
|
||||
bridge_rule('INPUT', 'iifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('INPUT', 'iifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
|
||||
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip daddr ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip daddr ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip saddr ' .. next_node.ip4 .. ' drop')
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip saddr ' .. next_node.ip4 .. ' drop')
|
||||
end
|
||||
|
||||
if next_node.ip6 then
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip6 daddr ' .. next_node.ip6 .. ' drop')
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip6 daddr ' .. next_node.ip6 .. ' drop')
|
||||
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip6 saddr ' .. next_node.ip6 .. ' drop')
|
||||
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip6 saddr ' .. next_node.ip6 .. ' drop')
|
||||
end
|
@ -0,0 +1,2 @@
|
||||
bridge_rule('INPUT', 'iifname "bat0" icmpv6 type nd-router-solicit drop')
|
||||
bridge_rule('OUTPUT', 'oifname "bat0" icmpv6 type nd-router-advert drop')
|
@ -6,7 +6,7 @@ include ../gluon.mk
|
||||
|
||||
define Package/gluon-mesh-layer3-common
|
||||
TITLE:=Layer3 common files
|
||||
DEPENDS:=+gluon-core +gluon-mmfd +firewall
|
||||
DEPENDS:=+gluon-core +gluon-mmfd +firewall4
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackageGluon,gluon-mesh-layer3-common))
|
||||
|
@ -6,7 +6,7 @@ include ../gluon.mk
|
||||
|
||||
define Package/gluon-mesh-vpn-core
|
||||
TITLE:=Basic support for connecting meshes via VPN tunnels
|
||||
DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables-zz-legacy +iptables-mod-extra +simple-tc
|
||||
DEPENDS:=+gluon-core +gluon-nftables +gluon-wan-dnsmasq +simple-tc
|
||||
USERID:=:gluon-mesh-vpn=800
|
||||
endef
|
||||
|
||||
|
@ -1,3 +0,0 @@
|
||||
*nat
|
||||
-I OUTPUT -m owner --gid-owner gluon-mesh-vpn -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54
|
||||
COMMIT
|
@ -0,0 +1 @@
|
||||
meta skgid gluon-mesh-vpn oifname "lo" ip daddr 127.0.0.1 udp dport 53 redirect to 54
|
@ -0,0 +1,4 @@
|
||||
include('mesh_vpn_dns', {
|
||||
position = 'chain-pre',
|
||||
chain = 'dstnat',
|
||||
})
|
@ -25,14 +25,6 @@ uci:save('network')
|
||||
users.remove_user('gluon-fastd')
|
||||
users.remove_group('gluon-fastd')
|
||||
|
||||
uci:section('firewall', 'include', 'mesh_vpn_dns', {
|
||||
type = 'restore',
|
||||
path = '/lib/gluon/mesh-vpn/iptables.rules',
|
||||
family = 'ipv4',
|
||||
})
|
||||
|
||||
uci:save('firewall')
|
||||
|
||||
|
||||
-- VPN migration
|
||||
if not uci:get('gluon', 'mesh_vpn') then
|
||||
|
@ -1,12 +1,12 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=gluon-iptables-clamp-mss-to-pmtu
|
||||
PKG_NAME:=gluon-nftables-clamp-mss-to-pmtu
|
||||
|
||||
include ../gluon.mk
|
||||
|
||||
define Package/$(PKG_NAME)
|
||||
TITLE:=This will establish a firewall rule to clamp the mss to pmtu on the mesh-vpn interface when the connection is towards 64:ff9b::/96
|
||||
DEPENDS:= +ip6tables-zz-legacy
|
||||
DEPENDS:=+gluon-nftables
|
||||
endef
|
||||
|
||||
define Package/$(PKG_NAME)/description
|
@ -0,0 +1 @@
|
||||
oifname "mesh-vpn*" tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu
|
@ -0,0 +1,4 @@
|
||||
include('mesh_vpn_clamp_mss_to_pmtu', {
|
||||
position = 'chain-prepend',
|
||||
chain = 'mangle_forward',
|
||||
})
|
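Review bot: `position = 'chain-prepend'` differs from the `position = 'chain-pre'` used by the otherwise identical mesh_vpn_dns include in this same commit, and both go through the same `include()` helper, so at most one of the two spellings is a value it recognizes. If the helper validates positions, the unrecognized one either fails to load or falls back to a default, leaving the MSS clamp unapplied without any obvious error; use one spelling for both, e.g. `position = 'chain-pre',`.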
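--- a/package/gluon-nftables-filter-multicast/Makefile
+++ b/package/gluon-nftables-filter-multicast/Makefile
@@ -0,0 +1,20 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-filter-multicast
+
+include ../gluon.mk
+
+define Package/gluon-nftables-filter-multicast
+TITLE:=nftables filters for multicast packets
+DEPENDS:=+gluon-core +gluon-nftables +gluon-nftables-multicast +gluon-mesh-batman-adv
+endef
+
+define Package/gluon-nftables-filter-multicast/description
+Gluon community wifi mesh firmware framework: nftables filters for multicast packets
+
+These filters drop non-essential multicast traffic before it enters the mesh.
+
+Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-filter-multicast))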
@ -0,0 +1,7 @@
|
||||
-- Bridge loop avoidance
|
||||
-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:00:00:00/ff:ff:ff:fc:00:00 return')
|
||||
-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:05:00:00/ff:ff:ff:ff:00:00 return')
|
||||
|
||||
bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip 0.0.0.0 drop')
|
||||
bridge_rule('MULTICAST_OUT', 'arp operation request arp daddr ip 0.0.0.0 drop')
|
||||
bridge_rule('MULTICAST_OUT', 'ether type arp return')
|
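Review bot: The two commented-out `bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip … return')` lines are the bridge-loop-avoidance exemptions, and with them disabled the next rule, `arp operation reply arp saddr ip 0.0.0.0 drop`, will discard BLA claim frames if, as batman-adv documents, those are ARP replies carrying 0.0.0.0 as both sender and target IP — which would break loop avoidance on multi-gateway segments. They were probably commented out because nft does not support comparing two packet fields (`arp saddr ip = arp daddr ip`); the equivalent is to match the zero addresses explicitly, e.g. `bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip 0.0.0.0 arp daddr ip 0.0.0.0 arp daddr ether and ff:ff:ff:fc:00:00 == ff:43:05:00:00:00 return')` placed before the drop (assuming the installed nft supports bitwise masks on ether_addr; verify with `nft -c -f`). If the exemption is intentionally gone, replace the dead lines with a comment saying why rather than leaving commented-out code.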
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 6696 return')
|
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip daddr 239.192.152.143 udp dport 6771 return')
|
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip version 4 udp dport 67 return')
|
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 547 return')
|
@ -0,0 +1,3 @@
|
||||
bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type echo-request return')
|
||||
bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 139 return')
|
||||
bridge_rule('MULTICAST_OUT_ICMPV6', 'accept')
|
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip protocol igmp return')
|
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip protocol ospf return')
|
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip6 daddr ff05::2:1001 udp dport 1001 return')
|
@ -0,0 +1 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip6 daddr ff02::9 udp dport 521 return')
|
@ -0,0 +1,3 @@
|
||||
bridge_rule('MULTICAST_OUT', 'ip6 daddr f02::1/128 drop')
|
||||
bridge_rule('MULTICAST_OUT', 'ip6 daddr ff00::/8 mark 0x4 return')
|
||||
bridge_rule('MULTICAST_OUT', 'drop')
|
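Review bot: `ip6 daddr f02::1/128 drop` looks like a typo for `ff02::1/128` (the all-nodes link-local multicast group); `f02::1` parses as the valid but unintended address `0f02::1`, so the rule never matches and an ff02::1 packet falls through to `ip6 daddr ff00::/8 mark 0x4 return`, meaning all-nodes multicast carrying mark 0x4 is forwarded into the mesh instead of dropped. Change it to `bridge_rule('MULTICAST_OUT', 'ip6 daddr ff02::1/128 drop')`.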
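--- a/package/gluon-nftables-filter-ra-dhcp/Makefile
+++ b/package/gluon-nftables-filter-ra-dhcp/Makefile
@@ -0,0 +1,19 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-filter-ra-dhcp
+
+include ../gluon.mk
+
+define Package/gluon-nftables-filter-ra-dhcp
+TITLE:=nftables filters for Router Advertisement and DHCP packets
+DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
+endef
+
+define Package/gluon-nftables-filter-ra-dhcp/description
+Gluon community wifi mesh firmware framework: nftables filters for Router Advertisement and DHCP packets
+
+These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
+client network, and not vice-versa.
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-filter-ra-dhcp))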
@ -0,0 +1,11 @@
|
||||
local uci = require('simple-uci').cursor()
|
||||
|
||||
local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode')
|
||||
|
||||
if gw_mode ~= 'server' then
|
||||
bridge_rule('FORWARD', 'ip version 4 udp dport 67 jump out_only')
|
||||
bridge_rule('OUTPUT', 'ip version 4 udp dport 67 jump out_only')
|
||||
|
||||
bridge_rule('FORWARD', 'ip version 4 udp dport 68 jump in_only')
|
||||
bridge_rule('INPUT', 'ip version 4 udp dport 68 jump in_only')
|
||||
end
|
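Review bot: The rules jump to `out_only`/`in_only` in lowercase while the chains are created as `bridge_chain('IN_ONLY')` and `bridge_chain('OUT_ONLY')` in uppercase, and nft chain names are case-sensitive; the same mismatch is in the DHCPv6 and router-advertisement hunks that follow. If `bridge_chain` lowercases names when emitting the ruleset this is fine, but a comment at the first use stating that convention would help, since `bridge_rule('FORWARD', …)` and `bridge_rule('MULTICAST_OUT', …)` are written as if names were passed through verbatim. If it does not lowercase, `nft -f` rejects the ruleset and, with these rules absent, rogue DHCP server and RA traffic from clients is no longer kept out of the mesh; `nft list ruleset` on a test node settles it.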
@ -0,0 +1,5 @@
|
||||
bridge_rule('FORWARD', 'ip version 6 udp dport 547 jump out_only')
|
||||
bridge_rule('OUTPUT', 'ip version 6 udp dport 547 jump out_only')
|
||||
|
||||
bridge_rule('FORWARD', 'ip version 6 udp dport 546 jump in_only')
|
||||
bridge_rule('INPUT', 'ip version 6 udp dport 546 jump in_only')
|
@ -0,0 +1,5 @@
|
||||
bridge_rule('FORWARD', 'icmpv6 type nd-router-solicit jump out_only')
|
||||
bridge_rule('OUTPUT', 'icmpv6 type nd-router-solicit jump out_only')
|
||||
|
||||
bridge_rule('FORWARD', 'icmpv6 type nd-router-advert jump in_only')
|
||||
bridge_rule('INPUT', 'icmpv6 type nd-router-advert jump in_only')
|
@ -1,16 +1,16 @@
|
||||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=gluon-ebtables-limit-arp
|
||||
PKG_NAME:=gluon-nftables-limit-arp
|
||||
|
||||
include ../gluon.mk
|
||||
|
||||
define Package/gluon-ebtables-limit-arp
|
||||
TITLE:=Ebtables limiter for ARP packets
|
||||
DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
|
||||
define Package/gluon-nftables-limit-arp
|
||||
TITLE:=nftables limiter for ARP packets
|
||||
DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
|
||||
endef
|
||||
|
||||
define Package/gluon-ebtables-limit-arp/description
|
||||
Gluon community wifi mesh firmware framework: Ebtables rules to
|
||||
define Package/gluon-nftables-limit-arp/description
|
||||
Gluon community wifi mesh firmware framework: nftables rules to
|
||||
rate-limit ARP packets.
|
||||
|
||||
This package adds filters to limit the amount of ARP Requests
|
||||
@ -19,7 +19,7 @@ define Package/gluon-ebtables-limit-arp/description
|
||||
node in total.
|
||||
|
||||
A burst of up to 50 ARP Requests is allowed until the rate-limiting
|
||||
takes effect (see --limit-burst in the ebtables manpage).
|
||||
takes effect (see burst in the nft manpage).
|
||||
|
||||
Furthermore, ARP Requests with a target IP already present in the
|
||||
batman-adv DAT Cache are excluded from the rate-limiting,
|
||||
@ -30,13 +30,15 @@ define Package/gluon-ebtables-limit-arp/description
|
||||
However it should mitigate the problem of curious people or
|
||||
smart devices scanning the whole IP range. Which could create
|
||||
a significant amount of overhead for all participants so far.
|
||||
|
||||
Note that this package currently only supports batman.
|
||||
endef
|
||||
|
||||
define Package/gluon-ebtables-limit-arp/install
|
||||
define Package/gluon-nftables-limit-arp/install
|
||||
$(Gluon/Build/Install)
|
||||
|
||||
$(INSTALL_DIR) $(1)/usr/sbin/
|
||||
$(CP) $(PKG_BUILD_DIR)/gluon-arp-limiter $(1)/usr/sbin/gluon-arp-limiter
|
||||
endef
|
||||
|
||||
$(eval $(call BuildPackageGluon,gluon-ebtables-limit-arp))
|
||||
$(eval $(call BuildPackageGluon,gluon-nftables-limit-arp))
|
@ -0,0 +1,61 @@
|
||||
set limitmac {
|
||||
type ether_addr
|
||||
}
|
||||
|
||||
set datips {
|
||||
type ipv4_addr
|
||||
}
|
||||
|
||||
# Rewrite arp packet target hardware address if target protocol address matches a given address.
|
||||
# input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept
|
||||
|
||||
# chain('ARP_LIMIT', 'DROP')
|
||||
chain arplimit {
|
||||
# obrname "br-client" \
|
||||
# oifname "bat0" \
|
||||
# arp operation request \
|
||||
# counter
|
||||
|
||||
# match everything which will land on bridge br-client
|
||||
# protocol type: ipv4
|
||||
# hardware type: ethernet
|
||||
# hardware address length: 6 byte mac
|
||||
# protocol address length: 4 byte ipv4
|
||||
# arp request
|
||||
# source address is mac to be limited
|
||||
# target address is not in DAT
|
||||
# we're over the limit
|
||||
# count
|
||||
# obrname "br-client" \
|
||||
# oifname "bat0" \
|
||||
arp ptype 0x0800 \
|
||||
arp htype 1 \
|
||||
arp hlen 6 \
|
||||
arp plen 4 \
|
||||
arp operation request \
|
||||
arp saddr ether @limitmac \
|
||||
arp daddr ip != @datips \
|
||||
limit rate over 6/minute burst 50 packets \
|
||||
counter \
|
||||
drop
|
||||
|
||||
# obrname "br-client" \
|
||||
# oifname "bat0" \
|
||||
arp ptype 0x0800 \
|
||||
arp htype 1 \
|
||||
arp hlen 6 \
|
||||
arp plen 4 \
|
||||
arp operation request \
|
||||
arp saddr ether != @limitmac \
|
||||
arp daddr ip != @datips \
|
||||
limit rate over 1/second burst 50 packets \
|
||||
counter \
|
||||
drop
|
||||
}
|
||||
|
||||
# chain('ARP_LIMIT_DATCHECK', 'RETURN')
|
||||
# %s ARP_LIMIT_DATCHECK -p ARP --arp-ip-dst %s -j mark --mark-or 0x2 --mark-target RETURN
|
||||
|
||||
# chain('ARP_LIMIT_TLCHECK', 'RETURN')
|
||||
# %s ARP_LIMIT_TLCHECK --source %s --limit 6/min --limit-burst 50 -j RETURN"
|
||||
# %s ARP_LIMIT_TLCHECK (add ? "2" : "") --source %s -j DROP
|
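Review bot: The file carries leftover scratch comments that do not describe this ruleset: the `enp2s0` ARP-rewrite example above `chain arplimit`, the `# chain('ARP_LIMIT', 'DROP')` and `# chain('ARP_LIMIT_DATCHECK', 'RETURN')` markers, and the three ebtables `%s ARP_LIMIT_*` templates at the end, whose `%s` placeholders belong to the C helper that now emits `nft add element` commands instead. Being the old implementation rather than documentation of the new one, they will mislead the next maintainer. Replace them with a short header stating the contract, e.g. `# arplimit is entered from the bridge FORWARD chain for ARP requests towards bat0;` / `# the datips and limitmac sets are maintained at runtime by gluon-arp-limiter.`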
@ -0,0 +1,6 @@
|
||||
-- include('limit_arp', {
|
||||
-- position = 'ruleset-pre'
|
||||
-- })
|
||||
|
||||
bridge_include_table('pre', 'limit_arp_chain')
|
||||
bridge_rule('FORWARD', 'oifname "bat0" obrname "br-client" arp operation request counter jump arplimit')
|
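Review bot: The commented-out `include('limit_arp', { position = 'ruleset-pre' })` block at the top is dead code left in without a note, so a reader cannot tell whether the inet-table include was abandoned or is still pending. Delete it, or replace it with one sentence explaining why `bridge_include_table('pre', 'limit_arp_chain')` is used instead, e.g. `-- the sets and arplimit chain live in the bridge table so the FORWARD rule below can jump to them`.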
@ -14,7 +14,7 @@
|
||||
|
||||
#define BATCTL_DC "/usr/sbin/batctl dc -H -n"
|
||||
#define BATCTL_TL "/usr/sbin/batctl tl -H -n"
|
||||
#define EBTABLES "/usr/sbin/ebtables-tiny"
|
||||
#define NFTABLES "/usr/sbin/nft"
|
||||
|
||||
#define BUILD_BUG_ON(check) ((void)sizeof(int[1-2*!!(check)]))
|
||||
|
||||
@ -39,13 +39,13 @@ static void ebt_ip_call(char *mod, struct in_addr ip)
|
||||
int ret;
|
||||
|
||||
snprintf(str, sizeof(str),
|
||||
EBTABLES " %s ARP_LIMIT_DATCHECK -p ARP --arp-ip-dst %s -j mark --mark-or 0x2 --mark-target RETURN",
|
||||
NFTABLES " %s element bridge gluon datips { %s }",
|
||||
mod, inet_ntoa(ip));
|
||||
|
||||
ret = system(str);
|
||||
if (ret)
|
||||
fprintf(stderr,
|
||||
"%i: Calling ebtables for DAT failed with status %i\n",
|
||||
"%i: Calling nft for DAT failed with status %i\n",
|
||||
clock, ret);
|
||||
}
|
||||
|
||||
@ -53,7 +53,7 @@ static void ip_node_destructor(struct addr_list *node)
|
||||
{
|
||||
struct in_addr *ip = (struct in_addr *)node->addr;
|
||||
|
||||
ebt_ip_call("-D", *ip);
|
||||
ebt_ip_call("delete", *ip);
|
||||
}
|
||||
|
||||
static void ebt_mac_limit_call(char *mod, struct mac_addr *mac)
|
||||
@ -62,40 +62,22 @@ static void ebt_mac_limit_call(char *mod, struct mac_addr *mac)
|
||||
int ret;
|
||||
|
||||
snprintf(str, sizeof(str),
|
||||
EBTABLES " %s ARP_LIMIT_TLCHECK --source %s --limit 6/min --limit-burst 50 -j RETURN",
|
||||
NFTABLES " %s element bridge gluon limitmac { %s }",
|
||||
mod, mac_ntoa(mac));
|
||||
|
||||
ret = system(str);
|
||||
if (ret)
|
||||
fprintf(stderr,
|
||||
"%i: Calling ebtables for TL failed with status %i\n",
|
||||
clock, ret);
|
||||
}
|
||||
|
||||
static void ebt_mac_ret_call(char *mod, struct mac_addr *mac, int add)
|
||||
{
|
||||
char str[128];
|
||||
int ret;
|
||||
|
||||
snprintf(str, sizeof(str),
|
||||
EBTABLES " %s ARP_LIMIT_TLCHECK %s --source %s -j DROP",
|
||||
mod, add ? "2" : "", mac_ntoa(mac));
|
||||
|
||||
ret = system(str);
|
||||
if (ret)
|
||||
fprintf(stderr,
|
||||
"%i: Calling ebtables for TL failed with status %i\n",
|
||||
"%i: Calling nft for TL failed with status %i\n",
|
||||
clock, ret);
|
||||
}
|
||||
|
||||
static void ebt_mac_call(char *mod, struct mac_addr *mac)
|
||||
{
|
||||
if (!strncmp(mod, "-D", strlen(mod))) {
|
||||
ebt_mac_ret_call(mod, mac, 0);
|
||||
if (!strncmp(mod, "delete", strlen(mod))) {
|
||||
ebt_mac_limit_call(mod, mac);
|
||||
} else {
|
||||
ebt_mac_limit_call(mod, mac);
|
||||
ebt_mac_ret_call(mod, mac, 1);
|
||||
}
|
||||
}
|
||||
|
||||
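Review bot: In `ebt_mac_call` both branches of `if (!strncmp(mod, "delete", strlen(mod)))` now execute the same statement, `ebt_mac_limit_call(mod, mac);`, because the `ebt_mac_ret_call` calls that distinguished them were removed together with the TLCHECK drop rule, so the conditional is dead and the body should be reduced to that single call. The `strncmp` bounded by `strlen(mod)` is also fragile (an empty `mod` compares equal to anything); with the branch gone it disappears anyway. As a style point, the `ebt_*` names no longer match what the helpers invoke (`nft add/delete element`), which is worth a follow-up rename.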
@ -103,7 +85,7 @@ static void mac_node_destructor(struct addr_list *node)
|
||||
{
|
||||
struct mac_addr *mac = (struct mac_addr *)node->addr;
|
||||
|
||||
ebt_mac_call("-D", mac);
|
||||
ebt_mac_call("delete", mac);
|
||||
}
|
||||
|
||||
static int dat_parse_line(const char *line, struct in_addr *ip)
|
||||
@ -141,7 +123,7 @@ static void ebt_add_ip(struct in_addr ip)
|
||||
if (ret)
|
||||
return;
|
||||
|
||||
ebt_ip_call("-I", ip);
|
||||
ebt_ip_call("add", ip);
|
||||
}
|
||||
|
||||
static void ebt_add_mac(struct mac_addr *mac)
|
||||
@ -152,7 +134,7 @@ static void ebt_add_mac(struct mac_addr *mac)
|
||||
if (ret)
|
||||
return;
|
||||
|
||||
ebt_mac_call("-I", mac);
|
||||
ebt_mac_call("add", mac);
|
||||
}
|
||||
|
||||
static void ebt_dat_update(void)
|
||||
@ -168,7 +150,7 @@ static void ebt_dat_update(void)
|
||||
fprintf(stderr, "%i: Error: Could not call batctl dc\n", clock);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
while (1) {
|
||||
pline = fgets(line, sizeof(line), fp);
|
||||
if (!pline) {
|
||||
@ -257,18 +239,18 @@ static void ebt_tl_update(void)
|
||||
|
||||
static void ebt_dat_flush(void)
|
||||
{
|
||||
int ret = system(EBTABLES " -F ARP_LIMIT_DATCHECK");
|
||||
int ret = system(NFTABLES " flush set bridge gluon datips");
|
||||
|
||||
if (ret)
|
||||
fprintf(stderr, "Error flushing ARP_LIMIT_DATCHECK\n");
|
||||
fprintf(stderr, "Error flushing arplimit datips set\n");
|
||||
}
|
||||
|
||||
static void ebt_tl_flush(void)
|
||||
{
|
||||
int ret = system(EBTABLES " -F ARP_LIMIT_TLCHECK");
|
||||
int ret = system(NFTABLES " flush set bridge gluon limitmac");
|
||||
|
||||
if (ret)
|
||||
fprintf(stderr, "Error flushing ARP_LIMIT_TLCHECK\n");
|
||||
fprintf(stderr, "Error flushing arplimit limitmac\n");
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[])
|
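Review bot: The two replacement messages are inconsistent — `"Error flushing arplimit datips set\n"` versus `"Error flushing arplimit limitmac\n"` without "set" — and unlike the other diagnostics in this file they omit the `%i: ` clock prefix; suggest `fprintf(stderr, "Error flushing arplimit limitmac set\n");` so both read alike. As elsewhere in the file, `ret` is the raw `system()` wait status rather than nft's exit code, so the message cannot distinguish a failed spawn from a rejected command; that is pre-existing, but `WEXITSTATUS(ret)` would make the log useful when the ruleset is missing.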
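--- a/package/gluon-nftables-multicast/Makefile
+++ b/package/gluon-nftables-multicast/Makefile
@@ -0,0 +1,16 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-multicast
+
+include ../gluon.mk
+
+define Package/gluon-nftables-multicast
+TITLE:=nftables multicast filtering
+DEPENDS:=+gluon-core +gluon-nftables
+endef
+
+define Package/gluon-nftables-multicast/description
+Gluon community wifi mesh firmware framework: nftables multicast filtering
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-multicast))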
@ -0,0 +1,9 @@
|
||||
bridge_chain('IN_ONLY')
|
||||
bridge_chain('OUT_ONLY')
|
||||
|
||||
-- nat chain runs early, so we can drop IGMP/MLD
|
||||
bridge_chain('MULTICAST_IN', nil, 'nat')
|
||||
bridge_chain('MULTICAST_IN_ICMPV6', nil, 'nat')
|
||||
|
||||
bridge_chain('MULTICAST_OUT')
|
||||
bridge_chain('MULTICAST_OUT_ICMPV6')
|
@ -0,0 +1,5 @@
|
||||
bridge_rule('IN_ONLY', 'ibrname "br-client" iifname { "bat0", "local-port" } return')
|
||||
bridge_rule('IN_ONLY', 'drop')
|
||||
|
||||
bridge_rule('OUT_ONLY', 'obrname "br-client" oifname { "bat0", "local-port" } return')
|
||||
bridge_rule('OUT_ONLY', 'drop')
|