diff --git a/.github/labeler.yml b/.github/labeler.yml index b1efaf70..292a4330 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -28,7 +28,7 @@ - package/gluon-mesh-vpn-fastd/** "3. topic: firewall": - package/**/*-firewall - - package/gluon-ebtables-*/** + - package/gluon-nftables-*/** "3. topic: hardware": - package/gluon-core/luasrc/lib/gluon/upgrade/010-primary-mac - package/gluon-core/luasrc/usr/lib/lua/gluon/platform.lua diff --git a/.luacheckrc b/.luacheckrc index 96390972..3cdc71c2 100644 --- a/.luacheckrc +++ b/.luacheckrc @@ -81,10 +81,17 @@ files["package/**/luasrc/lib/gluon/**/controller/*"] = { }, } -files["package/**/luasrc/lib/gluon/ebtables/*"] = { +files["package/**/luasrc/lib/gluon/nftables/*"] = { read_globals = { - "chain", + "path", + "include", "rule", + + "bridge_rule", + "bridge_chain", + "bridge_table", + "bridge_include_rule", + "bridge_include_table", }, max_line_length = false, } diff --git a/contrib/ci/olsr-site/site.mk b/contrib/ci/olsr-site/site.mk index 8b4a5a43..7a1afa80 100644 --- a/contrib/ci/olsr-site/site.mk +++ b/contrib/ci/olsr-site/site.mk @@ -7,9 +7,6 @@ GLUON_FEATURES := \ autoupdater \ - ebtables-filter-multicast \ - ebtables-filter-ra-dhcp \ - ebtables-limit-arp \ mesh-olsrd \ mesh-vpn-fastd \ respondd \ diff --git a/docs/dev/packages.rst b/docs/dev/packages.rst index 7c239675..62abb9ea 100644 --- a/docs/dev/packages.rst +++ b/docs/dev/packages.rst @@ -29,10 +29,10 @@ the workflow using these scripts: contrib/run_qemu.sh output/images/factory/[...]-x86-64.img # apply changes to the desired package - vi package/gluon-ebtables/files/etc/init.d/gluon-ebtables + vi package/gluon-nftables/files/etc/init.d/gluon-nftables # rebuild and push the package to the qemu instance - contrib/push_pkg.sh package/gluon-ebtables/ + contrib/push_pkg.sh package/gluon-nftables/ # test your changes ... 
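Review bot: In the contrib/ci/olsr-site/site.mk hunk the three `ebtables-*` features are removed outright, whereas docs/site-example/site.mk and docs/multidomain-site-example/site.mk in the same diff replace them with `nftables-filter-multicast`, `nftables-filter-ra-dhcp` and `nftables-limit-arp`. The deleted package Makefiles later in this diff show those filter packages depending on gluon-mesh-batman-adv, so dropping them from an olsrd-only CI site may be deliberate rather than an oversight. If so, a one-line comment in that site.mk, e.g. `# nftables-* filter features require mesh-batman-adv`, would record why the CI site diverges from the examples; otherwise substitute the nftables feature names as the other two files do.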
@@ -41,7 +41,7 @@ the workflow using these scripts: ... # rebuild and push the package to the qemu instance - contrib/push_pkg.sh package/gluon-ebtables/ + contrib/push_pkg.sh package/gluon-nftables/ # test your changes ... @@ -83,7 +83,7 @@ Note that: * If you add new packages, you must run ``make update config GLUON_TARGET=...``. * You can change the gluon target of the target machine via ``make config GLUON_TARGET=...``. * If you want to update the ``site.conf`` of the target machine, use ``push_pkg.sh package/gluon-site/``. -* Sometimes when things break, you can heal them by compiling a package with its dependencies: ``cd openwrt; make package/gluon-ebtables/clean; make package/gluon-ebtables/compile; cd ..``. +* Sometimes when things break, you can heal them by compiling a package with its dependencies: ``cd openwrt; make package/gluon-nftables/clean; make package/gluon-nftables/compile; cd ..``. * You can exit qemu by pressing ``CTRL + a`` and ``c`` afterwards. Gluon package makefiles diff --git a/docs/index.rst b/docs/index.rst index 99fc8535..d6bbfd7a 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -62,10 +62,10 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre package/gluon-client-bridge package/gluon-config-mode-domain-select - package/gluon-ebtables-filter-multicast - package/gluon-ebtables-filter-ra-dhcp - package/gluon-ebtables-limit-arp - package/gluon-ebtables-source-filter + package/gluon-nftables-filter-multicast + package/gluon-nftables-filter-ra-dhcp + package/gluon-nftables-limit-arp + package/gluon-nftables-source-filter package/gluon-hoodselector package/gluon-logging package/gluon-mesh-batman-adv diff --git a/docs/multidomain-site-example/site.mk b/docs/multidomain-site-example/site.mk index 64ce6fa1..41ae8e56 100644 --- a/docs/multidomain-site-example/site.mk +++ b/docs/multidomain-site-example/site.mk 
@@ -7,9 +7,9 @@ GLUON_FEATURES := \ autoupdater \ - ebtables-filter-multicast \ - ebtables-filter-ra-dhcp \ - ebtables-limit-arp \ + nftables-filter-multicast \ + nftables-filter-ra-dhcp \ + nftables-limit-arp \ mesh-batman-adv-15 \ mesh-vpn-fastd \ respondd \ diff --git a/docs/package/gluon-mesh-batman-adv.rst b/docs/package/gluon-mesh-batman-adv.rst index cd362ede..5776666c 100644 --- a/docs/package/gluon-mesh-batman-adv.rst +++ b/docs/package/gluon-mesh-batman-adv.rst @@ -13,7 +13,7 @@ domain and will see each other "as if they were connected to one giant switch". This comes with a set of advantages (like quick and economical client device roaming, layer 3 protocol agnosticism, broadcast/multicast). But also impediments, especially layer 2 multicast overhead - which Gluon tries to mitigate to achieve a certain degree -of scalability. See :doc:`gluon-ebtables-filter-multicast` and +of scalability. See :doc:`gluon-nftables-filter-multicast` and :ref:`batman-adv-multicast-architecture` for details. B.A.T.M.A.N. Advanced project homepage: @@ -53,9 +53,9 @@ While generally broadcast capability is a nice feature of a layer 2 mesh protocol, it quickly reaches its limit. For meshes with about **50 nodes / 100 clients, or more** it is therefore highly -recommended to add the :doc:`gluon-ebtables-filter-multicast` +recommended to add the :doc:`gluon-nftables-filter-multicast` package. Also, with the *mesh-batman-adv-15* feature, -:doc:`gluon-ebtables-limit-arp` is selected by default. +:doc:`gluon-nftables-limit-arp` is selected by default. Furthermore, by default IGMP and MLD messages are filtered. See :ref:`site.conf mesh section ` and diff --git a/docs/package/gluon-ebtables-filter-multicast.rst b/docs/package/gluon-nftables-filter-multicast.rst similarity index 91% rename from docs/package/gluon-ebtables-filter-multicast.rst rename to docs/package/gluon-nftables-filter-multicast.rst index eca9c6c7..b8790fc4 100644 --- a/docs/package/gluon-ebtables-filter-multicast.rst 
+++ b/docs/package/gluon-nftables-filter-multicast.rst @@ -1,7 +1,7 @@ -gluon-ebtables-filter-multicast +gluon-nftables-filter-multicast =============================== -The *gluon-ebtables-filter-multicast* package filters out various kinds of +The *gluon-nftables-filter-multicast* package filters out various kinds of non-essential multicast traffic, as this traffic often constitutes a disproportionate burden on the mesh network. Unfortunately, this breaks many useful services (Avahi, Bonjour chat, ...), but this seems unavoidable, as the current Avahi implementation is diff --git a/docs/package/gluon-ebtables-filter-ra-dhcp.rst b/docs/package/gluon-nftables-filter-ra-dhcp.rst similarity index 82% rename from docs/package/gluon-ebtables-filter-ra-dhcp.rst rename to docs/package/gluon-nftables-filter-ra-dhcp.rst index 539fbc0d..8e365cb0 100644 --- a/docs/package/gluon-ebtables-filter-ra-dhcp.rst +++ b/docs/package/gluon-nftables-filter-ra-dhcp.rst @@ -1,7 +1,7 @@ -gluon-ebtables-filter-ra-dhcp +gluon-nftables-filter-ra-dhcp ============================= -The *gluon-ebtables-filter-ra-dhcp* package tries to prevent common +The *gluon-nftables-filter-ra-dhcp* package tries to prevent common misconfigurations (i.e. connecting the client interface of a Gluon node to a private network) from causing issues for either of the networks. diff --git a/docs/package/gluon-ebtables-limit-arp.rst b/docs/package/gluon-nftables-limit-arp.rst similarity index 84% rename from docs/package/gluon-ebtables-limit-arp.rst rename to docs/package/gluon-nftables-limit-arp.rst index 9431f004..9969012e 100644 --- a/docs/package/gluon-ebtables-limit-arp.rst +++ b/docs/package/gluon-nftables-limit-arp.rst 
@@ -1,14 +1,14 @@ -gluon-ebtables-limit-arp +gluon-nftables-limit-arp ======================== -The *gluon-ebtables-limit-arp* package adds filters to limit the +The *gluon-nftables-limit-arp* package adds filters to limit the amount of ARP requests client devices are allowed to send into the mesh. The limits per client device, identified by its MAC address, are 6 packets per minute and 1 per second per node in total. A burst of up to 50 ARP requests is allowed until the rate-limiting -takes effect (see ``--limit-burst`` in ``ebtables(8)``). +takes effect (see ``--limit-burst`` in ``nftables(8)``). Furthermore, ARP requests for a target IP already present in the batman-adv DAT cache are excluded from rate-limiting, in regard @@ -26,4 +26,4 @@ feature is *mesh-batman-adv-15*. It can be unselected via:: GLUON_SITE_PACKAGES := \ - -gluon-ebtables-limit-arp + -gluon-nftables-limit-arp diff --git a/docs/package/gluon-ebtables-source-filter.rst b/docs/package/gluon-nftables-source-filter.rst similarity index 89% rename from docs/package/gluon-ebtables-source-filter.rst rename to docs/package/gluon-nftables-source-filter.rst index 1bbb2e07..cfe6f443 100644 --- a/docs/package/gluon-ebtables-source-filter.rst +++ b/docs/package/gluon-nftables-source-filter.rst @@ -1,7 +1,7 @@ -gluon-ebtables-source-filter +gluon-nftables-source-filter ============================ -The *gluon-ebtables-source-filter* package adds an additional layer-2 filter +The *gluon-nftables-source-filter* package adds an additional layer-2 filter ruleset to prevent unreasonable traffic entering the network via the nodes. Unreasonable means traffic entering the mesh via a node which source IP does not belong to the configured IP space. diff --git a/docs/package/gluon-radv-filterd.rst b/docs/package/gluon-radv-filterd.rst index 7b07ff9c..55fa9e50 100644 --- a/docs/package/gluon-radv-filterd.rst +++ b/docs/package/gluon-radv-filterd.rst 
@@ -35,7 +35,7 @@ connected to the client interface via cable or WLAN instead of via the mesh fake TQ of 512, so that they are always preferred. Be aware of problems if you plan to use local routers together with the -:doc:`gluon-ebtables-filter-ra-dhcp` package. These router advertisements are +:doc:`gluon-nftables-filter-ra-dhcp` package. These router advertisements are filtered anyway and reach neither the node nor any other client. Therefore the use of local routers is not possible as long as the package ``gluon-radv-filterd`` is used. diff --git a/docs/releases/v2017.1.rst b/docs/releases/v2017.1.rst index 5319aae3..eec39220 100644 --- a/docs/releases/v2017.1.rst +++ b/docs/releases/v2017.1.rst @@ -105,7 +105,7 @@ New features The new package *gluon-ebtables-source-filter* can be used to prevent traffic using unexpected IP addresses or packet types from entering the mesh. - See also: :doc:`../package/gluon-ebtables-source-filter` + See also: :doc:`../package/gluon-nftables-source-filter` Bugfixes ~~~~~~~~ diff --git a/docs/releases/v2018.2.rst b/docs/releases/v2018.2.rst index e365c953..b3c22cf9 100644 --- a/docs/releases/v2018.2.rst +++ b/docs/releases/v2018.2.rst @@ -120,7 +120,7 @@ trying it out, please contact us on our mailing list or in our IRC channel. gluon-ebtables-limit-arp enabled by default ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The :doc:`../package/gluon-ebtables-limit-arp` package, introduced in Gluon +The :doc:`../package/gluon-nftables-limit-arp` package, introduced in Gluon 2018.1, is now included by default. In case of issues, it can be removed by adding ``-gluon-ebtables-limit-arp`` to *GLUON_SITE_PACKAGES*. diff --git a/docs/site-example/site.mk b/docs/site-example/site.mk index 30671b18..91624cf4 100644 --- a/docs/site-example/site.mk +++ b/docs/site-example/site.mk 
@@ -7,9 +7,9 @@ GLUON_FEATURES := \ autoupdater \ - ebtables-filter-multicast \ - ebtables-filter-ra-dhcp \ - ebtables-limit-arp \ + nftables-filter-multicast \ + nftables-filter-ra-dhcp \ + nftables-limit-arp \ mesh-batman-adv-15 \ mesh-vpn-fastd \ respondd \ diff --git a/package/features b/package/features index da68b369..965f7caf 100644 --- a/package/features +++ b/package/features @@ -38,7 +38,7 @@ when(_'web-advanced' and _'autoupdater', { when(_'mesh-batman-adv-15', { - 'gluon-ebtables-limit-arp', + 'gluon-nftables-limit-arp', 'gluon-radvd', }) diff --git a/package/gluon-core/Makefile b/package/gluon-core/Makefile index 93b2d599..2c693298 100644 --- a/package/gluon-core/Makefile +++ b/package/gluon-core/Makefile @@ -11,7 +11,7 @@ define Package/gluon-core TITLE:=Base files of Gluon DEPENDS:= \ +gluon-site +libgluonutil +libiwinfo-lua +lua-platform-info +lua-simple-uci +lua-hash +lua-jsonc \ - +luabitop +luaposix +vxlan +odhcp6c +firewall +pretty-hostname + +luabitop +luaposix +vxlan +odhcp6c +firewall4 +pretty-hostname endef define Package/gluon-core/description diff --git a/package/gluon-ebtables-filter-multicast/Makefile b/package/gluon-ebtables-filter-multicast/Makefile deleted file mode 100644 index 92b2be2a..00000000 --- a/package/gluon-ebtables-filter-multicast/Makefile +++ /dev/null 
@@ -1,20 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables-filter-multicast
-
-include ../gluon.mk
-
-define Package/gluon-ebtables-filter-multicast
- TITLE:=Ebtables filters for multicast packets
- DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
-endef
-
-define Package/gluon-ebtables-filter-multicast/description
- Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
-
- These filters drop non-essential multicast traffic before it enters the mesh.
-
- Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables-filter-multicast))
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp
deleted file mode 100644
index 927776a8..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp
+++ /dev/null
@@ -1,7 +0,0 @@
--- Bridge loop avoidance
-rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:00:00:00/ff:ff:ff:fc:00:00 -j RETURN'
-rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:05:00:00/ff:ff:ff:ff:00:00 -j RETURN'
-
-rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-ip-src 0.0.0.0 -j DROP'
-rule 'MULTICAST_OUT -p ARP --arp-opcode Request --arp-ip-dst 0.0.0.0 -j DROP'
-rule 'MULTICAST_OUT -p ARP -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel
deleted file mode 100644
index d5b81771..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd
deleted file mode 100644
index 20b709f8..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4 b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4
deleted file mode 100644
index 2fca2223..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6 b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6
deleted file mode 100644
index 6d7f0f55..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6
deleted file mode 100644
index 0058ed86..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6
+++ /dev/null
@@ -1,3 +0,0 @@
-rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j RETURN'
-rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j RETURN' -- ICMP Node Information Query
-rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp
deleted file mode 100644
index 2d3814ae..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf
deleted file mode 100644
index da928d4b..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf
+++ /dev/null
@@ -1,2 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN'
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd
deleted file mode 100644
index 7df37ec9..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 1001 --ip6-dst ff05::2:1001 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng
deleted file mode 100644
index 37d31877..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination ff02::9 --ip6-destination-port 521 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
deleted file mode 100644
index a47dda7e..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
+++ /dev/null
@@ -1,3 +0,0 @@
-rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
-rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
-rule ('MULTICAST_OUT -j DROP')
diff --git a/package/gluon-ebtables-filter-ra-dhcp/Makefile b/package/gluon-ebtables-filter-ra-dhcp/Makefile
deleted file mode 100644
index bc52747a..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables-filter-ra-dhcp
-
-include ../gluon.mk
-
-define Package/gluon-ebtables-filter-ra-dhcp
- TITLE:=Ebtables filters for Router Advertisement and DHCP packets
- DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
-endef
-
-define Package/gluon-ebtables-filter-ra-dhcp/description
- Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
-
- These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
- client network, and not vice-versa.
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables-filter-ra-dhcp))
diff --git a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4 b/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4
deleted file mode 100644
index 87b4bd7f..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4
+++ /dev/null
@@ -1,11 +0,0 @@
-local uci = require('simple-uci').cursor()
-
-local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode')
-
-if gw_mode ~= 'server' then
- rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
- rule 'OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
-
- rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
- rule 'INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
-end
diff --git a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6 b/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6
deleted file mode 100644
index 470a7648..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6
+++ /dev/null
@@ -1,5 +0,0 @@
-rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
-rule 'OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
-
-rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'
-rule 'INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'
diff --git a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv b/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv
deleted file mode 100644
index b34d4c76..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv
+++ /dev/null
@@ -1,5 +0,0 @@
-rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
-rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
-
-rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
-rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
diff --git a/package/gluon-ebtables-limit-arp/luasrc/lib/gluon/ebtables/100-arp-limit-chains b/package/gluon-ebtables-limit-arp/luasrc/lib/gluon/ebtables/100-arp-limit-chains
deleted file mode 100644
index b39b35c8..00000000
--- a/package/gluon-ebtables-limit-arp/luasrc/lib/gluon/ebtables/100-arp-limit-chains
+++ /dev/null
@@ -1,3 +0,0 @@
-chain('ARP_LIMIT', 'DROP')
-chain('ARP_LIMIT_DATCHECK', 'RETURN')
-chain('ARP_LIMIT_TLCHECK', 'RETURN')
diff --git a/package/gluon-ebtables-limit-arp/luasrc/lib/gluon/ebtables/320-arp-limit-rules b/package/gluon-ebtables-limit-arp/luasrc/lib/gluon/ebtables/320-arp-limit-rules
deleted file mode 100644
index 416bdd96..00000000
--- a/package/gluon-ebtables-limit-arp/luasrc/lib/gluon/ebtables/320-arp-limit-rules
+++ /dev/null
@@ -1,6 +0,0 @@
-rule('ARP_LIMIT -j ARP_LIMIT_DATCHECK')
-rule('ARP_LIMIT --mark 0x2/0x2 -j RETURN')
-rule('ARP_LIMIT -j ARP_LIMIT_TLCHECK')
-rule('ARP_LIMIT --limit 1/sec --limit-burst 50 -j RETURN')
-
-rule('FORWARD -p ARP --logical-out br-client -o bat0 --arp-op Request -j ARP_LIMIT')
diff --git a/package/gluon-ebtables-source-filter/Makefile b/package/gluon-ebtables-source-filter/Makefile
deleted file mode 100644
index 17377e1f..00000000
--- a/package/gluon-ebtables-source-filter/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables-source-filter
-
-include ../gluon.mk
-
-define Package/gluon-ebtables-source-filter
- TITLE:=Ebtables rules to filter unreasonable L2 traffic.
- DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
-endef
-
-define Package/gluon-ebtables-source-filter/description
- This package adds an additional layer-2 filter-ruleset to prevent unreasonable
- traffic entering the network via the nodes.
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables-source-filter))
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain
deleted file mode 100644
index b9f4467d..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain
+++ /dev/null
@@ -1 +0,0 @@
-chain('LOCAL_FORWARD', 'DROP')
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp
deleted file mode 100644
index 06436cf2..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp
+++ /dev/null
@@ -1,6 +0,0 @@
-local prefix4 = require('gluon.site').prefix4()
-
-if prefix4 then
- rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
- rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
-end
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4 b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4
deleted file mode 100644
index e712c5fb..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4
+++ /dev/null
@@ -1,6 +0,0 @@
-local prefix4 = require('gluon.site').prefix4()
-
-if prefix4 then
- rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
- rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
-end
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6 b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6
deleted file mode 100644
index f6a19747..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6
+++ /dev/null
@@ -1,9 +0,0 @@
-local site = require 'gluon.site'
-
-rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
-rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
-rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6() .. ' -j RETURN')
-
-for _, prefix in ipairs(site.extra_prefixes6({})) do
- rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
-end
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules
deleted file mode 100644
index 6c5a9257..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules
+++ /dev/null
@@ -1 +0,0 @@
-rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')
diff --git a/package/gluon-ebtables/Makefile b/package/gluon-ebtables/Makefile
deleted file mode 100644
index e69a83bf..00000000
--- a/package/gluon-ebtables/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables
-
-include ../gluon.mk
-
-define Package/gluon-ebtables
- TITLE:=Ebtables support
- DEPENDS:=+gluon-core +ebtables-tiny \
- +kmod-ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6
-endef
-
-define Package/gluon-ebtables/description
- Gluon community wifi mesh firmware framework: ebtables support
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables))
diff --git a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
deleted file mode 100755
index 60add180..00000000
--- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+++ /dev/null
@@ -1,80 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2013 Project Gluon -# -# Firewall script for inserting and removing ebtables rules. -# -# Example format, for filtering any IPv4 multicast packets to the SSDP UDP port: -# rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP -# -# Removing all rules: -# $ /etc/init.d/gluon-ebtables stop -# Inserting all rules: -# $ /etc/init.d/gluon-ebtables start -# Inserting a specific rule file: -# $ /etc/init.d/gluon-ebtables start /lib/gluon/ebtables/100-mcast-chain -# Removing a specific rule file: -# $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain - - -START=19 -STOP=91 - - -exec_file() { - local file="$1" - - /usr/bin/lua -e " - function rule(command, table) - table = table or 'filter' - os.execute($EBTABLES_RULE) - end - function chain(name, policy, table) - table = table or 'filter' - os.execute($EBTABLES_CHAIN) - end - - " "$file" -} - -exec_all() { - local sort_arg="$1" - - local old_ifs="$IFS" - IFS=' -' - for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do - exec_file "$file" - done - IFS="$old_ifs" -} - - -start() { - ( - export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command' - export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -N " .. name .. " -P " .. policy' - - # Contains /var/lib/ebtables/lock for '--concurrent' - [ ! -d "/var/lib/ebtables" ] && \ - mkdir -p /var/lib/ebtables - - if [ -z "$1" ]; then - exec_all '' - else - exec_file "$1" - fi - ) -} - -stop() { - ( - export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -D " .. command' - export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name' - - if [ -z "$1" ]; then - exec_all '-r' - else - exec_file "$1" - fi - ) -} 
diff --git a/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop b/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop
deleted file mode 100755
index ab714cc2..00000000
--- a/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/gluon-ebtables stop
diff --git a/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start b/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start
deleted file mode 100755
index 579c2e63..00000000
--- a/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/gluon-ebtables start
diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain
deleted file mode 100644
index 62b92947..00000000
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain
+++ /dev/null
@@ -1,9 +0,0 @@
-chain('IN_ONLY', 'RETURN')
-chain('OUT_ONLY', 'RETURN')
-
--- nat chain runs early, so we can drop IGMP/MLD
-chain('MULTICAST_IN', 'RETURN', 'nat')
-chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')
-
-chain('MULTICAST_OUT', 'RETURN')
-chain('MULTICAST_OUT_ICMPV6', 'RETURN')
diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules
deleted file mode 100644
index 74486ae5..00000000
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules
+++ /dev/null
@@ -1,7 +0,0 @@
-rule 'IN_ONLY --logical-in br-client -i bat0 -j RETURN'
-rule 'IN_ONLY --logical-in br-client -i local-port -j RETURN'
-rule 'IN_ONLY --logical-in br-client -j DROP'
-
-rule 'OUT_ONLY --logical-out br-client -o bat0 -j RETURN'
-rule 'OUT_ONLY --logical-out br-client -o local-port -j RETURN'
-rule 'OUT_ONLY --logical-out br-client -j DROP'
diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
deleted file mode 100644
index 3b1ecab3..00000000
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
+++ /dev/null
@@ -1,20 +0,0 @@
-local site = require 'gluon.site'
-
-rule('MULTICAST_IN -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP', 'nat')
-rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP')
-
-rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query
-rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query
-
-if site.mesh.filter_membership_reports(true) then
- rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')
- rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP')
-
- rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report
- rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
- rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
-
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
-end
diff --git a/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules b/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules
deleted file mode 100644
index a61a900d..00000000
--- a/package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules
+++ /dev/null
@@ -1,3 +0,0 @@ -*mangle --A FORWARD -o mesh-vpn+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu -COMMIT diff --git a/package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu b/package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu deleted file mode 100755 index 961a063e..00000000 --- a/package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/lua - -local uci = require('simple-uci').cursor() -uci:section('firewall', 'include', 'vpn_clamp_mss', { - family = 'ipv6', - type = 'restore', - path = '/lib/gluon/mesh-vpn/iptables-mss.rules' -}) - -uci:save('firewall') diff --git a/package/gluon-mesh-babel/Makefile b/package/gluon-mesh-babel/Makefile index 239d7132..c3d83196 100644 --- a/package/gluon-mesh-babel/Makefile +++ b/package/gluon-mesh-babel/Makefile @@ -9,7 +9,7 @@ include ../gluon.mk define Package/gluon-mesh-babel TITLE:=Babel mesh - DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop + DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall4 +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop PROVIDES:=gluon-mesh-provider endef diff --git a/package/gluon-mesh-batman-adv/Makefile b/package/gluon-mesh-batman-adv/Makefile index aac41f1b..6c6cb226 100644 --- a/package/gluon-mesh-batman-adv/Makefile +++ b/package/gluon-mesh-batman-adv/Makefile @@ -12,8 +12,9 @@ define Package/gluon-mesh-batman-adv-15 +gluon-core \ +libgluonutil \ +gluon-client-bridge \ - +gluon-ebtables \ - +firewall \ + +gluon-nftables \ + +gluon-nftables-multicast \ + +firewall4 \ +libiwinfo \ +kmod-dummy \ +libnl-tiny \ 
diff --git a/package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/250-next-node b/package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/250-next-node deleted file mode 100644 index c239f81e..00000000 --- a/package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/250-next-node +++ /dev/null 
@@ -1,41 +0,0 @@ -local client_bridge = require 'gluon.client_bridge' -local site = require 'gluon.site' -local next_node = site.next_node({}) - -local macaddr = client_bridge.next_node_macaddr() - -rule('FORWARD --logical-out br-client -i bat0 -o local-port -j DROP') -rule('FORWARD --logical-out br-client -i local-port -o bat0 -j DROP') - -rule('PREROUTING --logical-in br-client -i bat0 -s ' .. macaddr .. ' -j DROP', 'nat') -rule('PREROUTING --logical-in br-client -i bat0 -d ' .. macaddr .. ' -j DROP', 'nat') - -rule('FORWARD --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP') -rule('OUTPUT --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP') -rule('FORWARD --logical-out br-client -o bat0 -s ' .. macaddr .. ' -j DROP') -rule('OUTPUT --logical-out br-client -o bat0 -s ' .. macaddr .. ' -j DROP') - -if next_node.ip4 then - rule('FORWARD --logical-out br-client -o bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP') - rule('FORWARD --logical-out br-client -o bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP') - rule('FORWARD --logical-out br-client -i bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP') - rule('FORWARD --logical-out br-client -i bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP') - - rule('OUTPUT --logical-out br-client -o bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP') - rule('OUTPUT --logical-out br-client -o bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP') - - rule('INPUT -i bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP') - rule('INPUT -i bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP') - - rule('FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-destination ' .. next_node.ip4 .. ' -j DROP') - rule('OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-destination ' .. next_node.ip4 .. ' -j DROP') - rule('FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-source ' .. next_node.ip4 .. 
' -j DROP') - rule('OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-source ' .. next_node.ip4 .. ' -j DROP') -end - -if next_node.ip6 then - rule('FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination ' .. next_node.ip6 .. ' -j DROP') - rule('OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination ' .. next_node.ip6 .. ' -j DROP') - rule('FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source ' .. next_node.ip6 .. ' -j DROP') - rule('OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source ' .. next_node.ip6 .. ' -j DROP') -end diff --git a/package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/300-radv-input-output b/package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/300-radv-input-output deleted file mode 100644 index 377d11cd..00000000 --- a/package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/300-radv-input-output +++ /dev/null @@ -1,2 +0,0 @@ -rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -i bat0 -j DROP' -rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -o bat0 -j DROP' diff --git a/package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/250-next-node.lua b/package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/250-next-node.lua new file mode 100644 index 00000000..85939109 --- /dev/null +++ b/package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/250-next-node.lua 
@@ -0,0 +1,41 @@
+local client_bridge = require 'gluon.client_bridge'
+local site = require 'gluon.site'
+local next_node = site.next_node({})
+
+local macaddr = client_bridge.next_node_macaddr()
+
+bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" oifname "bat0" drop')
+bridge_rule('FORWARD', 'obrname "br-client" iifname "local-port" oifname "bat0" drop')
+
+bridge_rule('PREROUTING', 'ibrname "br-client" iifname "bat0" ether saddr ' .. macaddr .. ' drop', 'nat')
+bridge_rule('PREROUTING', 'ibrname "br-client" iifname "bat0" ether daddr ' .. macaddr .. ' drop', 'nat')
+
+bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ether daddr ' .. macaddr .. ' drop')
+bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ether daddr ' .. macaddr .. ' drop')
+bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ether saddr ' .. macaddr .. ' drop')
+bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ether saddr ' .. macaddr .. ' drop')
+
+if next_node.ip4 then
+ bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
+ bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
+ bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
+ bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
+
+ bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
+ bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
+
+ bridge_rule('INPUT', 'iifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
+ bridge_rule('INPUT', 'iifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
+
+ bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip daddr ' .. next_node.ip4 .. ' drop')
+ bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip daddr ' .. next_node.ip4 .. 
' drop') + bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip saddr ' .. next_node.ip4 .. ' drop') + bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip saddr ' .. next_node.ip4 .. ' drop') +end + +if next_node.ip6 then + bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip6 daddr ' .. next_node.ip6 .. ' drop') + bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip6 daddr ' .. next_node.ip6 .. ' drop') + bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip6 saddr ' .. next_node.ip6 .. ' drop') + bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip6 saddr ' .. next_node.ip6 .. ' drop') +end diff --git a/package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/300-radv-input-output.lua b/package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/300-radv-input-output.lua new file mode 100644 index 00000000..681659f0 --- /dev/null +++ b/package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/300-radv-input-output.lua @@ -0,0 +1,2 @@ +bridge_rule('INPUT', 'iifname "bat0" icmpv6 type nd-router-solicit drop') +bridge_rule('OUTPUT', 'oifname "bat0" icmpv6 type nd-router-advert drop') diff --git a/package/gluon-mesh-layer3-common/Makefile b/package/gluon-mesh-layer3-common/Makefile index 45ad2f57..a41bf84f 100644 --- a/package/gluon-mesh-layer3-common/Makefile +++ b/package/gluon-mesh-layer3-common/Makefile @@ -6,7 +6,7 @@ include ../gluon.mk define Package/gluon-mesh-layer3-common TITLE:=Layer3 common files - DEPENDS:=+gluon-core +gluon-mmfd +firewall + DEPENDS:=+gluon-core +gluon-mmfd +firewall4 endef $(eval $(call BuildPackageGluon,gluon-mesh-layer3-common)) diff --git a/package/gluon-mesh-vpn-core/Makefile b/package/gluon-mesh-vpn-core/Makefile index 2111c7ce..c183c542 100644 --- a/package/gluon-mesh-vpn-core/Makefile +++ b/package/gluon-mesh-vpn-core/Makefile 
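Review bot: The first rule of the new 250-next-node.lua, `bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" oifname "bat0" drop')`, does not match what the removed ebtables rule matched (`-i bat0 -o local-port`); a bridge never forwards a frame back out of its ingress port, so this rule is dead and forwarding from bat0 to local-port is no longer blocked. It should read `bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" oifname "local-port" drop')`. Likewise the fourth rule inside `if next_node.ip4 then` repeats the second one (`oifname "bat0" arp daddr ip`), whereas its removed counterpart used `-i bat0 --arp-ip-dst`; it should be `bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')`. Both discrepancies are visible by comparing against the deleted ebtables file in the preceding hunk.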
@@ -6,7 +6,7 @@ include ../gluon.mk define Package/gluon-mesh-vpn-core TITLE:=Basic support for connecting meshes via VPN tunnels - DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables-zz-legacy +iptables-mod-extra +simple-tc + DEPENDS:=+gluon-core +gluon-nftables +gluon-wan-dnsmasq +simple-tc USERID:=:gluon-mesh-vpn=800 endef diff --git a/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules b/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules deleted file mode 100644 index 771fb40c..00000000 --- a/package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules +++ /dev/null @@ -1,3 +0,0 @@ -*nat --I OUTPUT -m owner --gid-owner gluon-mesh-vpn -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54 -COMMIT diff --git a/package/gluon-mesh-vpn-core/files/lib/gluon/nftables/mesh_vpn_dns.nft b/package/gluon-mesh-vpn-core/files/lib/gluon/nftables/mesh_vpn_dns.nft new file mode 100644 index 00000000..cd26ec31 --- /dev/null +++ b/package/gluon-mesh-vpn-core/files/lib/gluon/nftables/mesh_vpn_dns.nft @@ -0,0 +1 @@ +meta skgid gluon-mesh-vpn oifname "lo" ip daddr 127.0.0.1 udp dport 53 redirect to 54 diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/nftables/mesh_vpn.lua b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/nftables/mesh_vpn.lua new file mode 100644 index 00000000..337ca5dd --- /dev/null +++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/nftables/mesh_vpn.lua @@ -0,0 +1,4 @@ +include('mesh_vpn_dns', { + position = 'chain-pre', + chain = 'dstnat', +}) diff --git a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn index b1495255..61f88217 100755 --- a/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn +++ b/package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn 
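Review bot: mesh_vpn.lua attaches the `meta skgid gluon-mesh-vpn oifname "lo" ip daddr 127.0.0.1 udp dport 53 redirect to 54` rule to `chain = 'dstnat'`, but the iptables rule it replaces lived in the nat `OUTPUT` chain. If `dstnat` is a prerouting-hook nat chain, as its name suggests, locally generated packets never traverse it and `meta skgid` has no socket to match at that hook, so the VPN daemon's DNS queries would no longer be redirected to port 54. Please verify the effective placement on a node with `nft list ruleset` and, if confirmed, attach the include to an output-hook nat chain instead of `dstnat`.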
@@ -25,14 +25,6 @@ uci:save('network') users.remove_user('gluon-fastd') users.remove_group('gluon-fastd') -uci:section('firewall', 'include', 'mesh_vpn_dns', { - type = 'restore', - path = '/lib/gluon/mesh-vpn/iptables.rules', - family = 'ipv4', -}) - -uci:save('firewall') - -- VPN migration if not uci:get('gluon', 'mesh_vpn') then diff --git a/package/gluon-iptables-clamp-mss-to-pmtu/Makefile b/package/gluon-nftables-clamp-mss-to-pmtu/Makefile similarity index 86% rename from package/gluon-iptables-clamp-mss-to-pmtu/Makefile rename to package/gluon-nftables-clamp-mss-to-pmtu/Makefile index d5d91443..f502dff8 100644 --- a/package/gluon-iptables-clamp-mss-to-pmtu/Makefile +++ b/package/gluon-nftables-clamp-mss-to-pmtu/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk -PKG_NAME:=gluon-iptables-clamp-mss-to-pmtu +PKG_NAME:=gluon-nftables-clamp-mss-to-pmtu include ../gluon.mk define Package/$(PKG_NAME) TITLE:=This will establish a firewall rule to clamp the mss to pmtu on the mesh-vpn interface when the connection is towards 64:ff9b::/96 - DEPENDS:= +ip6tables-zz-legacy + DEPENDS:=+gluon-nftables endef define Package/$(PKG_NAME)/description diff --git a/package/gluon-nftables-clamp-mss-to-pmtu/files/lib/gluon/nftables/mesh_vpn_clamp_mss_to_pmtu.nft b/package/gluon-nftables-clamp-mss-to-pmtu/files/lib/gluon/nftables/mesh_vpn_clamp_mss_to_pmtu.nft new file mode 100644 index 00000000..bbc6d21a --- /dev/null +++ b/package/gluon-nftables-clamp-mss-to-pmtu/files/lib/gluon/nftables/mesh_vpn_clamp_mss_to_pmtu.nft @@ -0,0 +1 @@ +oifname "mesh-vpn*" tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu diff --git a/package/gluon-nftables-clamp-mss-to-pmtu/luasrc/lib/gluon/nftables/mesh_vpn_clamp_mss_to_pmtu.lua b/package/gluon-nftables-clamp-mss-to-pmtu/luasrc/lib/gluon/nftables/mesh_vpn_clamp_mss_to_pmtu.lua new file mode 100755 index 00000000..5d784158 --- /dev/null 
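Review bot: Removing the `uci:section('firewall', 'include', 'mesh_vpn_dns', ...)` call does not remove the section that earlier firmware versions already wrote, so upgraded nodes keep a `firewall.mesh_vpn_dns` include of `type = 'restore'` pointing at `/lib/gluon/mesh-vpn/iptables.rules`, a file this commit deletes. The same holds for the `vpn_clamp_mss` section whose upgrade script is deleted earlier in this diff. The upgrade script should clean both up, e.g. `uci:delete('firewall', 'mesh_vpn_dns')` and `uci:delete('firewall', 'vpn_clamp_mss')` followed by `uci:save('firewall')`. The script continues outside the hunk.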
+++ b/package/gluon-nftables-clamp-mss-to-pmtu/luasrc/lib/gluon/nftables/mesh_vpn_clamp_mss_to_pmtu.lua @@ -0,0 +1,4 @@ +include('mesh_vpn_clamp_mss_to_pmtu', { + position = 'chain-prepend', + chain = 'mangle_forward', +}) diff --git a/package/gluon-nftables-filter-multicast/Makefile b/package/gluon-nftables-filter-multicast/Makefile new file mode 100644 index 00000000..c2c1e969 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/Makefile @@ -0,0 +1,20 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-nftables-filter-multicast + +include ../gluon.mk + +define Package/gluon-nftables-filter-multicast + TITLE:=nftables filters for multicast packets + DEPENDS:=+gluon-core +gluon-nftables +gluon-nftables-multicast +gluon-mesh-batman-adv +endef + +define Package/gluon-nftables-filter-multicast/description + Gluon community wifi mesh firmware framework: nftables filters for multicast packets + + These filters drop non-essential multicast traffic before it enters the mesh. + + Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF +endef + +$(eval $(call BuildPackageGluon,gluon-nftables-filter-multicast)) diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua new file mode 100644 index 00000000..82952003 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua 
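Review bot: `position = 'chain-prepend'` differs from the `position = 'chain-pre'` used by mesh_vpn.lua in an earlier hunk of this diff; if the include handler does not recognise `chain-prepend` (fw4's positions, as far as I recall, are `ruleset-pre/post`, `table-pre/post` and `chain-pre/post`), the MSS-clamp rule is silently never installed. Pick one spelling and use it in both files. Note also that the rule now lives in the shared inet table, so unlike the old ip6tables-only rule it clamps IPv4 TCP on `mesh-vpn*` as well; if that is intended, the `64:ff9b::/96` wording in the package title should be updated to match.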
@@ -0,0 +1,7 @@ +-- Bridge loop avoidance +-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:00:00:00/ff:ff:ff:fc:00:00 return') +-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:05:00:00/ff:ff:ff:ff:00:00 return') + +bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip 0.0.0.0 drop') +bridge_rule('MULTICAST_OUT', 'arp operation request arp daddr ip 0.0.0.0 drop') +bridge_rule('MULTICAST_OUT', 'ether type arp return') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua new file mode 100644 index 00000000..82685869 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 6696 return') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua new file mode 100644 index 00000000..a6f8598e --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip daddr 239.192.152.143 udp dport 6771 return') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua new file mode 100644 index 00000000..7ae0c57d --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip version 4 udp dport 67 return') 
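Review bot: The two commented-out `bridge_rule('MULTICAST_OUT', 'arp operation reply ... return')` lines for bridge loop avoidance are dead code in a shipped rule file; either finish translating them or drop them and keep a one-line comment such as `-- BLA ARP replies are not exempted yet; see <tracking issue>` explaining why. The same leftover-code pattern appears in `limit_arp_chain.nft` (commented-out ebtables rules and an example `input meta iifname enp2s0 ...` line) and in the commented-out `include(...)` at the top of `limit_arp.lua` later in this diff.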
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua new file mode 100644 index 00000000..22ef48a4 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 547 return') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua new file mode 100644 index 00000000..86636065 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua @@ -0,0 +1,3 @@ +bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type echo-request return') +bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 139 return') +bridge_rule('MULTICAST_OUT_ICMPV6', 'accept') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua new file mode 100644 index 00000000..e6c73d36 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip protocol igmp return') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua new file mode 100644 index 00000000..a5b575f0 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip protocol ospf return') 
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua new file mode 100644 index 00000000..309e191b --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip6 daddr ff05::2:1001 udp dport 1001 return') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua new file mode 100644 index 00000000..5162dacb --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua @@ -0,0 +1 @@ +bridge_rule('MULTICAST_OUT', 'ip6 daddr ff02::9 udp dport 521 return') diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua new file mode 100644 index 00000000..95554c70 --- /dev/null +++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua @@ -0,0 +1,3 @@ +bridge_rule('MULTICAST_OUT', 'ip6 daddr f02::1/128 drop') +bridge_rule('MULTICAST_OUT', 'ip6 daddr ff00::/8 mark 0x4 return') +bridge_rule('MULTICAST_OUT', 'drop') diff --git a/package/gluon-nftables-filter-ra-dhcp/Makefile b/package/gluon-nftables-filter-ra-dhcp/Makefile new file mode 100644 index 00000000..ad714a1b --- /dev/null +++ b/package/gluon-nftables-filter-ra-dhcp/Makefile 
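Review bot: `ip6 daddr f02::1/128` in the first rule of 355-mcast-drop.lua looks like a typo for the all-nodes address `ff02::1`; as written it matches an address nobody uses, and frames to ff02::1 instead fall through to the `ff00::/8 mark 0x4 return` rule and are forwarded whenever that mark is set. Suggested: `bridge_rule('MULTICAST_OUT', 'ip6 daddr ff02::1 drop')` (the `/128` is redundant for a single address). Please confirm the intended address against the deleted ebtables version of this file.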
@@ -0,0 +1,19 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-nftables-filter-ra-dhcp + +include ../gluon.mk + +define Package/gluon-nftables-filter-ra-dhcp + TITLE:=nftables filters for Router Advertisement and DHCP packets + DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv +endef + +define Package/gluon-nftables-filter-ra-dhcp/description + Gluon community wifi mesh firmware framework: nftables filters for Router Advertisement and DHCP packets + + These filters ensure that RA and DHCP packets are only forwarded from the mesh into the + client network, and not vice-versa. +endef + +$(eval $(call BuildPackageGluon,gluon-nftables-filter-ra-dhcp)) diff --git a/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua new file mode 100644 index 00000000..d77f8711 --- /dev/null +++ b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua @@ -0,0 +1,11 @@ +local uci = require('simple-uci').cursor() + +local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode') + +if gw_mode ~= 'server' then + bridge_rule('FORWARD', 'ip version 4 udp dport 67 jump out_only') + bridge_rule('OUTPUT', 'ip version 4 udp dport 67 jump out_only') + + bridge_rule('FORWARD', 'ip version 4 udp dport 68 jump in_only') + bridge_rule('INPUT', 'ip version 4 udp dport 68 jump in_only') +end diff --git a/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua new file mode 100644 index 00000000..1dd953e2 --- /dev/null +++ b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua 
@@ -0,0 +1,5 @@ +bridge_rule('FORWARD', 'ip version 6 udp dport 547 jump out_only') +bridge_rule('OUTPUT', 'ip version 6 udp dport 547 jump out_only') + +bridge_rule('FORWARD', 'ip version 6 udp dport 546 jump in_only') +bridge_rule('INPUT', 'ip version 6 udp dport 546 jump in_only') diff --git a/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua new file mode 100644 index 00000000..8a54b1e4 --- /dev/null +++ b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua @@ -0,0 +1,5 @@ +bridge_rule('FORWARD', 'icmpv6 type nd-router-solicit jump out_only') +bridge_rule('OUTPUT', 'icmpv6 type nd-router-solicit jump out_only') + +bridge_rule('FORWARD', 'icmpv6 type nd-router-advert jump in_only') +bridge_rule('INPUT', 'icmpv6 type nd-router-advert jump in_only') diff --git a/package/gluon-ebtables-limit-arp/Makefile b/package/gluon-nftables-limit-arp/Makefile similarity index 66% rename from package/gluon-ebtables-limit-arp/Makefile rename to package/gluon-nftables-limit-arp/Makefile index 5f71b1c8..a842cfca 100644 --- a/package/gluon-ebtables-limit-arp/Makefile +++ b/package/gluon-nftables-limit-arp/Makefile 
@@ -1,16 +1,16 @@ include $(TOPDIR)/rules.mk -PKG_NAME:=gluon-ebtables-limit-arp +PKG_NAME:=gluon-nftables-limit-arp include ../gluon.mk -define Package/gluon-ebtables-limit-arp - TITLE:=Ebtables limiter for ARP packets - DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv +define Package/gluon-nftables-limit-arp + TITLE:=nftables limiter for ARP packets + DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv endef -define Package/gluon-ebtables-limit-arp/description - Gluon community wifi mesh firmware framework: Ebtables rules to +define Package/gluon-nftables-limit-arp/description + Gluon community wifi mesh firmware framework: nftables rules to rate-limit ARP packets. This package adds filters to limit the amount of ARP Requests @@ -19,7 +19,7 @@ define Package/gluon-ebtables-limit-arp/description node in total. A burst of up to 50 ARP Requests is allowed until the rate-limiting - takes effect (see --limit-burst in the ebtables manpage). + takes effect (see burst in the nft manpage). Furthermore, ARP Requests with a target IP already present in the batman-adv DAT Cache are excluded from the rate-limiting, @@ -30,13 +30,15 @@ define Package/gluon-ebtables-limit-arp/description However it should mitigate the problem of curious people or smart devices scanning the whole IP range. Which could create a significant amount of overhead for all participants so far. + + Note that this package currently only supports batman. endef -define Package/gluon-ebtables-limit-arp/install +define Package/gluon-nftables-limit-arp/install $(Gluon/Build/Install) $(INSTALL_DIR) $(1)/usr/sbin/ $(CP) $(PKG_BUILD_DIR)/gluon-arp-limiter $(1)/usr/sbin/gluon-arp-limiter endef -$(eval $(call BuildPackageGluon,gluon-ebtables-limit-arp)) +$(eval $(call BuildPackageGluon,gluon-nftables-limit-arp)) 
diff --git a/package/gluon-ebtables-limit-arp/files/etc/init.d/gluon-arp-limiter b/package/gluon-nftables-limit-arp/files/etc/init.d/gluon-arp-limiter similarity index 100% rename from package/gluon-ebtables-limit-arp/files/etc/init.d/gluon-arp-limiter rename to package/gluon-nftables-limit-arp/files/etc/init.d/gluon-arp-limiter diff --git a/package/gluon-nftables-limit-arp/files/lib/gluon/nftables/limit_arp_chain.nft b/package/gluon-nftables-limit-arp/files/lib/gluon/nftables/limit_arp_chain.nft new file mode 100644 index 00000000..b048d251 --- /dev/null +++ b/package/gluon-nftables-limit-arp/files/lib/gluon/nftables/limit_arp_chain.nft 
@@ -0,0 +1,61 @@
+set limitmac {
+ type ether_addr
+}
+
+set datips {
+ type ipv4_addr
+}
+
+# Rewrite arp packet target hardware address if target protocol address matches a given address.
+# input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept
+
+# chain('ARP_LIMIT', 'DROP')
+chain arplimit {
+ # obrname "br-client" \
+ # oifname "bat0" \
+ # arp operation request \
+ # counter
+
+ # match everything which will land on bridge br-client
+ # protocol type: ipv4
+ # hardware type: ethernet
+ # hardware address length: 6 byte mac
+ # protocol address length: 4 byte ipv4
+ # arp request
+ # source address is mac to be limited
+ # target address is not in DAT
+ # we're over the limit
+ # count
+ # obrname "br-client" \
+ # oifname "bat0" \
+ arp ptype 0x0800 \
+ arp htype 1 \
+ arp hlen 6 \
+ arp plen 4 \
+ arp operation request \
+ arp saddr ether @limitmac \
+ arp daddr ip != @datips \
+ limit rate over 6/minute burst 50 packets \
+ counter \
+ drop
+
+ # obrname "br-client" \
+ # oifname "bat0" \
+ arp ptype 0x0800 \
+ arp htype 1 \
+ arp hlen 6 \
+ arp plen 4 \
+ arp operation request \
+ arp saddr ether != @limitmac \
+ arp daddr ip != @datips \
+ limit rate over 1/second burst 50 packets \
+ counter \
+ drop
+}
+
+# chain('ARP_LIMIT_DATCHECK', 'RETURN')
+# %s ARP_LIMIT_DATCHECK -p ARP --arp-ip-dst %s -j mark --mark-or 0x2 --mark-target RETURN
+
+# chain('ARP_LIMIT_TLCHECK', 'RETURN')
+# %s ARP_LIMIT_TLCHECK --source %s --limit 6/min --limit-burst 50 -j RETURN"
+# %s ARP_LIMIT_TLCHECK (add ? "2" : "") --source %s -j DROP
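Review bot: The first `arplimit` rule applies one shared `limit rate over 6/minute burst 50 packets` bucket to every source in `@limitmac`, whereas the ebtables rule it replaces (`ARP_LIMIT_TLCHECK --source %s --limit 6/min --limit-burst 50`, one rule per MAC, visible in the removed lines of gluon-arp-limiter.c below) rate-limited each client separately. With a shared bucket a single chatty client exhausts the allowance and ARP requests from every other known client are dropped, which is an availability regression rather than per-client fairness. A per-source limit in nftables needs a dynamic set, e.g. replacing `arp saddr ether @limitmac \` and `limit rate over 6/minute burst 50 packets \` with `arp saddr ether @limitmac meter arplimit_per_mac { arp saddr ether limit rate over 6/minute burst 50 packets } \`; please confirm the exact `meter` syntax against the nft version shipped in the firmware. The `# we're over the limit` comment block should then say that the limit is per source MAC.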
diff --git a/package/gluon-ebtables-limit-arp/files/lib/gluon/reload.d/380-gluon-arp-limiter-stop b/package/gluon-nftables-limit-arp/files/lib/gluon/reload.d/380-gluon-arp-limiter-stop similarity index 100% rename from package/gluon-ebtables-limit-arp/files/lib/gluon/reload.d/380-gluon-arp-limiter-stop rename to package/gluon-nftables-limit-arp/files/lib/gluon/reload.d/380-gluon-arp-limiter-stop diff --git a/package/gluon-ebtables-limit-arp/files/lib/gluon/reload.d/720-gluon-arp-limiter-start b/package/gluon-nftables-limit-arp/files/lib/gluon/reload.d/720-gluon-arp-limiter-start similarity index 100% rename from package/gluon-ebtables-limit-arp/files/lib/gluon/reload.d/720-gluon-arp-limiter-start rename to package/gluon-nftables-limit-arp/files/lib/gluon/reload.d/720-gluon-arp-limiter-start diff --git a/package/gluon-nftables-limit-arp/luasrc/lib/gluon/nftables/limit_arp.lua b/package/gluon-nftables-limit-arp/luasrc/lib/gluon/nftables/limit_arp.lua new file mode 100644 index 00000000..caa142af --- /dev/null +++ b/package/gluon-nftables-limit-arp/luasrc/lib/gluon/nftables/limit_arp.lua @@ -0,0 +1,6 @@ +-- include('limit_arp', { +-- position = 'ruleset-pre' +-- }) + +bridge_include_table('pre', 'limit_arp_chain') +bridge_rule('FORWARD', 'oifname "bat0" obrname "br-client" arp operation request counter jump arplimit') diff --git a/package/gluon-ebtables-limit-arp/src/Makefile b/package/gluon-nftables-limit-arp/src/Makefile similarity index 100% rename from package/gluon-ebtables-limit-arp/src/Makefile rename to package/gluon-nftables-limit-arp/src/Makefile diff --git a/package/gluon-ebtables-limit-arp/src/addr_store.c b/package/gluon-nftables-limit-arp/src/addr_store.c similarity index 100% rename from package/gluon-ebtables-limit-arp/src/addr_store.c rename to package/gluon-nftables-limit-arp/src/addr_store.c 
diff --git a/package/gluon-ebtables-limit-arp/src/addr_store.h b/package/gluon-nftables-limit-arp/src/addr_store.h similarity index 100% rename from package/gluon-ebtables-limit-arp/src/addr_store.h rename to package/gluon-nftables-limit-arp/src/addr_store.h diff --git a/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c b/package/gluon-nftables-limit-arp/src/gluon-arp-limiter.c similarity index 80% rename from package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c rename to package/gluon-nftables-limit-arp/src/gluon-arp-limiter.c index 93940a3c..99d16e5c 100644 --- a/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c +++ b/package/gluon-nftables-limit-arp/src/gluon-arp-limiter.c @@ -14,7 +14,7 @@ #define BATCTL_DC "/usr/sbin/batctl dc -H -n" #define BATCTL_TL "/usr/sbin/batctl tl -H -n" -#define EBTABLES "/usr/sbin/ebtables-tiny" +#define NFTABLES "/usr/sbin/nft" #define BUILD_BUG_ON(check) ((void)sizeof(int[1-2*!!(check)])) @@ -39,13 +39,13 @@ static void ebt_ip_call(char *mod, struct in_addr ip) int ret; snprintf(str, sizeof(str), - EBTABLES " %s ARP_LIMIT_DATCHECK -p ARP --arp-ip-dst %s -j mark --mark-or 0x2 --mark-target RETURN", + NFTABLES " %s element bridge gluon datips { %s }", mod, inet_ntoa(ip)); ret = system(str); if (ret) fprintf(stderr, - "%i: Calling ebtables for DAT failed with status %i\n", + "%i: Calling nft for DAT failed with status %i\n", clock, ret); } @@ -53,7 +53,7 @@ static void ip_node_destructor(struct addr_list *node) { struct in_addr *ip = (struct in_addr *)node->addr; - ebt_ip_call("-D", *ip); + ebt_ip_call("delete", *ip); } static void ebt_mac_limit_call(char *mod, struct mac_addr *mac) 
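Review bot: `NFTABLES " %s element bridge gluon datips { %s }"` in `ebt_ip_call` hard-codes the bridge table name `gluon`; `limit_arp_chain.nft` declares only the sets and chain and is pulled in via `bridge_include_table`, so the table name is an implicit contract with gluon-nftables that nothing checks — if that table is named differently, every add/delete fails at runtime and the limiter silently stops updating. The same literal recurs in `ebt_mac_limit_call`, `ebt_dat_flush` and `ebt_tl_flush` in the following hunks; define it once next to `NFTABLES`, e.g. `#define NFT_TABLE "bridge gluon"`, and use it in all four format strings. A comment on `NFTABLES` noting that the table and the `datips`/`limitmac` sets are created by limit_arp_chain.nft would help the next reader.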
@@ -62,40 +62,22 @@ static void ebt_mac_limit_call(char *mod, struct mac_addr *mac) int ret; snprintf(str, sizeof(str), - EBTABLES " %s ARP_LIMIT_TLCHECK --source %s --limit 6/min --limit-burst 50 -j RETURN", + NFTABLES " %s element bridge gluon limitmac { %s }", mod, mac_ntoa(mac)); ret = system(str); if (ret) fprintf(stderr, - "%i: Calling ebtables for TL failed with status %i\n", - clock, ret); -} - -static void ebt_mac_ret_call(char *mod, struct mac_addr *mac, int add) -{ - char str[128]; - int ret; - - snprintf(str, sizeof(str), - EBTABLES " %s ARP_LIMIT_TLCHECK %s --source %s -j DROP", - mod, add ? "2" : "", mac_ntoa(mac)); - - ret = system(str); - if (ret) - fprintf(stderr, - "%i: Calling ebtables for TL failed with status %i\n", + "%i: Calling nft for TL failed with status %i\n", clock, ret); } static void ebt_mac_call(char *mod, struct mac_addr *mac) { - if (!strncmp(mod, "-D", strlen(mod))) { - ebt_mac_ret_call(mod, mac, 0); + if (!strncmp(mod, "delete", strlen(mod))) { ebt_mac_limit_call(mod, mac); } else { ebt_mac_limit_call(mod, mac); - ebt_mac_ret_call(mod, mac, 1); } } @@ -103,7 +85,7 @@ static void mac_node_destructor(struct addr_list *node) { struct mac_addr *mac = (struct mac_addr *)node->addr; - ebt_mac_call("-D", mac); + ebt_mac_call("delete", mac); } static int dat_parse_line(const char *line, struct in_addr *ip) @@ -141,7 +123,7 @@ static void ebt_add_ip(struct in_addr ip) if (ret) return; - ebt_ip_call("-I", ip); + ebt_ip_call("add", ip); } static void ebt_add_mac(struct mac_addr *mac) @@ -152,7 +134,7 @@ static void ebt_add_mac(struct mac_addr *mac) if (ret) return; - ebt_mac_call("-I", mac); + ebt_mac_call("add", mac); } static void ebt_dat_update(void) @@ -168,7 +150,7 @@ static void ebt_dat_update(void) fprintf(stderr, "%i: Error: Could not call batctl dc\n", clock); return; } - + while (1) { pline = fgets(line, sizeof(line), fp); if (!pline) { 
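Review bot: After this change both branches of `ebt_mac_call` execute the same `ebt_mac_limit_call(mod, mac);`, so the `strncmp(mod, "delete", strlen(mod))` test decides nothing; collapse the body to the single call, or remove the wrapper and call `ebt_mac_limit_call` directly from `mac_node_destructor` and `ebt_add_mac`. Keeping the test is also misleading because bounding `strncmp` by `strlen(mod)` makes any prefix of "delete" compare equal. The `ebt_` prefix on these functions is now inaccurate after the move to nft; a rename can be a follow-up.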
@@ -257,18 +239,18 @@ static void ebt_tl_update(void) static void ebt_dat_flush(void) { - int ret = system(EBTABLES " -F ARP_LIMIT_DATCHECK"); + int ret = system(NFTABLES " flush set bridge gluon datips"); if (ret) - fprintf(stderr, "Error flushing ARP_LIMIT_DATCHECK\n"); + fprintf(stderr, "Error flushing arplimit datips set\n"); } static void ebt_tl_flush(void) { - int ret = system(EBTABLES " -F ARP_LIMIT_TLCHECK"); + int ret = system(NFTABLES " flush set bridge gluon limitmac"); if (ret) - fprintf(stderr, "Error flushing ARP_LIMIT_TLCHECK\n"); + fprintf(stderr, "Error flushing arplimit limitmac\n"); } int main(int argc, char *argv[]) diff --git a/package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.h b/package/gluon-nftables-limit-arp/src/gluon-arp-limiter.h similarity index 100% rename from package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.h rename to package/gluon-nftables-limit-arp/src/gluon-arp-limiter.h diff --git a/package/gluon-ebtables-limit-arp/src/lookup3.c b/package/gluon-nftables-limit-arp/src/lookup3.c similarity index 100% rename from package/gluon-ebtables-limit-arp/src/lookup3.c rename to package/gluon-nftables-limit-arp/src/lookup3.c diff --git a/package/gluon-ebtables-limit-arp/src/lookup3.h b/package/gluon-nftables-limit-arp/src/lookup3.h similarity index 100% rename from package/gluon-ebtables-limit-arp/src/lookup3.h rename to package/gluon-nftables-limit-arp/src/lookup3.h diff --git a/package/gluon-ebtables-limit-arp/src/mac.c b/package/gluon-nftables-limit-arp/src/mac.c similarity index 100% rename from package/gluon-ebtables-limit-arp/src/mac.c rename to package/gluon-nftables-limit-arp/src/mac.c diff --git a/package/gluon-ebtables-limit-arp/src/mac.h b/package/gluon-nftables-limit-arp/src/mac.h similarity index 100% rename from package/gluon-ebtables-limit-arp/src/mac.h rename to package/gluon-nftables-limit-arp/src/mac.h 
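Review bot: The two new error messages in `ebt_dat_flush` and `ebt_tl_flush` are worded inconsistently (`arplimit datips set` vs `arplimit limitmac`); both flush sets of the same table, so `"Error flushing arplimit limitmac set\n"` would match. Both functions still report only that `system()` returned non-zero; printing `ret` as the DAT/TL helpers above already do (`"… failed with status %i\n"`) would make an nft failure diagnosable from the log alone.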
diff --git a/package/gluon-nftables-multicast/Makefile b/package/gluon-nftables-multicast/Makefile new file mode 100644 index 00000000..5002aa9f --- /dev/null +++ b/package/gluon-nftables-multicast/Makefile @@ -0,0 +1,16 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-nftables-multicast + +include ../gluon.mk + +define Package/gluon-nftables-multicast + TITLE:=nftables multicast filtering + DEPENDS:=+gluon-core +gluon-nftables +endef + +define Package/gluon-nftables-multicast/description + Gluon community wifi mesh firmware framework: nftables multicast filtering +endef + +$(eval $(call BuildPackageGluon,gluon-nftables-multicast)) diff --git a/package/gluon-ebtables/check_site.lua b/package/gluon-nftables-multicast/check_site.lua similarity index 100% rename from package/gluon-ebtables/check_site.lua rename to package/gluon-nftables-multicast/check_site.lua diff --git a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua new file mode 100644 index 00000000..76ea7491 --- /dev/null +++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua @@ -0,0 +1,9 @@ +bridge_chain('IN_ONLY') +bridge_chain('OUT_ONLY') + +-- nat chain runs early, so we can drop IGMP/MLD +bridge_chain('MULTICAST_IN', nil, 'nat') +bridge_chain('MULTICAST_IN_ICMPV6', nil, 'nat') + +bridge_chain('MULTICAST_OUT') +bridge_chain('MULTICAST_OUT_ICMPV6') diff --git a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua new file mode 100644 index 00000000..cb74ee17 --- /dev/null +++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua 
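Review bot: `bridge_chain('MULTICAST_IN', nil, 'nat')` passes hook arguments that the loader's `bridge_chain(name)` (in the 300-nftables hunk) does not accept, so Lua discards them and `multicast_in` is emitted as a plain regular chain with no `type … hook … priority` line; the comment `-- nat chain runs early, so we can drop IGMP/MLD` therefore describes behaviour the generated ruleset does not have. The same applies to the trailing `'nat'` on the two `bridge_rule('MULTICAST_IN…', …, 'nat')` calls in 105-mcast-drop-igmp-mld.lua. Either extend `bridge_chain` to take an optional hook/priority and emit the base-chain line, or drop the extra arguments and reach these chains with a jump from the existing `PREROUTING` chain, which already uses `priority dstnat`.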
@@ -0,0 +1,5 @@ +bridge_rule('IN_ONLY', 'ibrname "br-client" iifname { "bat0", "local-port" } return') +bridge_rule('IN_ONLY', 'drop') + +bridge_rule('OUT_ONLY', 'obrname "br-client" oifname { "bat0", "local-port" } return') +bridge_rule('OUT_ONLY', 'drop') diff --git a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua new file mode 100644 index 00000000..0ea389d7 --- /dev/null +++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua @@ -0,0 +1,15 @@ +local site = require 'gluon.site' + +bridge_rule('MULTICAST_IN', 'igmp type membership-query drop') +bridge_rule('MULTICAST_OUT', 'igmp type membership-query drop') + +bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"') +bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"') + +if site.mesh.filter_membership_reports(true) then + bridge_rule('MULTICAST_OUT', 'ip protocol igmp drop') + bridge_rule('MULTICAST_IN', 'ip protocol igmp drop', 'nat') + + bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"') + bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"', 'nat') +end diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/350-mcast-dir-rules b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/350-mcast-dir-rules similarity index 100% rename from package/gluon-ebtables/luasrc/lib/gluon/ebtables/350-mcast-dir-rules rename to package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/350-mcast-dir-rules diff --git a/package/gluon-nftables-source-filter/Makefile b/package/gluon-nftables-source-filter/Makefile new file mode 100644 index 00000000..9f7ab884 --- /dev/null +++ b/package/gluon-nftables-source-filter/Makefile 
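Review bot: The `MULTICAST_*` chains populated in 105-mcast-drop-igmp-mld.lua are regular chains, so their `drop` rules only run if a base chain jumps to them, and the only candidate in this diff, 350-mcast-dir-rules, is a 100%-similarity rename that still carries the ebtables rule syntax and lacks the `.lua` suffix required by the loader's `glob("/lib/gluon/nftables/*.lua")`, so it is not loaded at all. Unless that file is converted elsewhere, the IGMP/MLD filtering is silently inactive after the switch. The missing piece looks like a `350-mcast-dir-rules.lua` with `bridge_rule('FORWARD', '… jump multicast_out')`-style rules for each of the `MULTICAST_*` chains; worth confirming before merge.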
@@ -0,0 +1,17 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-nftables-source-filter + +include ../gluon.mk + +define Package/gluon-nftables-source-filter + TITLE:=nftables rules to filter unreasonable L2 traffic. + DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv +endef + +define Package/gluon-nftables-source-filter/description + This package adds an additional layer-2 filter-ruleset to prevent unreasonable + traffic entering the network via the nodes. +endef + +$(eval $(call BuildPackageGluon,gluon-nftables-source-filter)) diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua new file mode 100644 index 00000000..51437cb8 --- /dev/null +++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua @@ -0,0 +1 @@ +bridge_chain('LOCAL_FORWARD') diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua new file mode 100644 index 00000000..028f9319 --- /dev/null +++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua @@ -0,0 +1,6 @@ +local prefix4 = require('gluon.site').prefix4() + +if prefix4 then + bridge_rule('LOCAL_FORWARD', 'arp saddr ip ' .. prefix4 .. ' arp daddr ip ' .. prefix4 .. ' return') + bridge_rule('LOCAL_FORWARD', 'arp saddr ip 0.0.0.0 arp daddr ip ' .. prefix4 .. ' return') +end diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua new file mode 100644 index 00000000..38fe99d3 --- /dev/null +++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua 
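Review bot: `LOCAL_FORWARD` is an allow-list whose every rule ends in `return`, but nothing in this package adds a terminal `drop`: `bridge_chain('LOCAL_FORWARD')` creates a regular chain, which has no policy, so a frame matching none of the `return` rules simply continues in `forward` and is accepted. Unless a later-numbered file not in this diff appends one, the source filter is fail-open; a `bridge_rule('LOCAL_FORWARD', 'drop')` in a file ordered after the 110-* rules, as the 101-dir-rules.lua hunk already does for `IN_ONLY`/`OUT_ONLY`, restores the deny default.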
@@ -0,0 +1,6 @@ +local prefix4 = require('gluon.site').prefix4() + +if prefix4 then + bridge_rule('LOCAL_FORWARD', 'ip version 4 udp dport 67 return') + bridge_rule('LOCAL_FORWARD', 'ip saddr ' .. prefix4 .. ' return') +end diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua new file mode 100644 index 00000000..9da7a8be --- /dev/null +++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua @@ -0,0 +1,9 @@ +local site = require 'gluon.site' + +bridge_rule('LOCAL_FORWARD', 'ip6 saddr fe80::/64 return') +bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6') +bridge_rule('LOCAL_FORWARD', 'ip6 saddr ' .. site.prefix6() .. ' return') + +for _, prefix in ipairs(site.extra_prefixes6({})) do + bridge_rule('LOCAL_FORWARD', 'ip6 saddr ' .. prefix .. ' return') +end diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua new file mode 100644 index 00000000..6fb3228c --- /dev/null +++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua @@ -0,0 +1 @@ +bridge_rule('FORWARD', 'ibrname "br-client" iifname != "bat0" jump local_forward') diff --git a/package/gluon-nftables/Makefile b/package/gluon-nftables/Makefile new file mode 100644 index 00000000..3e2639a0 --- /dev/null +++ b/package/gluon-nftables/Makefile @@ -0,0 +1,16 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-nftables + +include ../gluon.mk + +define Package/gluon-nftables + TITLE:=Nftables support + DEPENDS:=+nftables-json +endef + +define Package/gluon-nftables/description + Gluon community wifi mesh firmware framework: Nftables support +endef + +$(eval $(call BuildPackageGluon,gluon-nftables)) 
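Review bot: In 110-local-forward-allow-ipv6.lua the rule `ip6 saddr ::/128 ip6 nexthdr icmpv6` has no verdict, so it matches unspecified-source ICMPv6 (DAD) and then does nothing; presumably `'ip6 saddr ::/128 ip6 nexthdr icmpv6 return'` was intended, matching the neighbouring rules. `site.prefix6()` is concatenated without the nil guard the IPv4 files use (`if prefix4 then`), so a site without `prefix6` aborts the whole upgrade script at the `..`; if `prefix6` is mandatory in the site schema that is fine, otherwise guard it the same way.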
diff --git a/package/gluon-nftables/files/lib/gluon/nftables/bridge.nft b/package/gluon-nftables/files/lib/gluon/nftables/bridge.nft new file mode 100644 index 00000000..e69de29b diff --git a/package/gluon-nftables/luasrc/lib/gluon/upgrade/300-nftables b/package/gluon-nftables/luasrc/lib/gluon/upgrade/300-nftables new file mode 100755 index 00000000..63322506 --- /dev/null +++ b/package/gluon-nftables/luasrc/lib/gluon/upgrade/300-nftables 
@@ -0,0 +1,188 @@ +#!/usr/bin/lua + +local uci = require('simple-uci').cursor() +local glob = require 'posix.glob' + +-- Library + +function string.starts(string, start) + return string.sub(string, 1, string.len(start)) == start +end + +function basepath(str) + return str:match("([^./\\]+).lua") +end + +function write_all_lines(table, file, close) + for _, line in ipairs(table) do + file:write(line .. '\n') + end + + if close then + file:write('}\n') + end +end + +function read_include(file) + local f = assert(io.open(path(file), "rb")) + local content = f:read("*all") + f:close() + return content +end + +-- Functions + +function path(name) + return '/lib/gluon/nftables/' .. name .. '.nft' +end + +function include(name, parameters) + local boilerplate = { + type = 'nftables', + path = path(name), + } + + for k, v in pairs(parameters) do + boilerplate[k] = v + end + + uci:section('firewall', 'include', 'gluon_nftables_' .. name, boilerplate) +end + +function rule(name, chain, content) + local file = io.open(path(name), 'w') + file:write(content + '\n') + file:close() + + include(name, { + position = 'chain-post', + chain = chain, + }) +end + +local bridge = { + chain = { + INPUT = { + 'chain input {', + 'type filter hook input priority filter; policy accept;', + }, + FORWARD = { + 'chain forward {', + 'type filter hook forward priority filter; policy accept;', + }, + OUTPUT = { + 'chain output {', + 'type filter hook output priority filter; policy accept;', + }, + PREROUTING = { + 'chain prerouting {', + 'type filter hook prerouting priority dstnat; policy accept;', + }, + }, + table = { + pre = { + 'table bridge gluon', + 'flush table bridge gluon', + 'table bridge gluon {', + }, + post = { + + }, + } +} + +function bridge_rule(chain, content) + if bridge.chain[chain] == nil then + error('No bridge chain ' .. 
chain) + end + + table.insert(bridge.chain[chain], content) +end + +function bridge_table(position, content) + if bridge.table[position] == nil then + error('No bridge position ' .. position) + end + + table.insert(bridge.table[position], content) +end + +function bridge_chain(name) + if bridge.chain[name] ~= nil then + error('Chain already exists ' .. name) + end + + bridge.chain[name] = { + 'chain ' .. name:lower() .. ' {' + } +end + +function bridge_include_rule(chain, file) + if bridge.chain[chain] == nil then + error('No bridge chain ' .. chain) + end + + table.insert(bridge.chain[chain], read_include(file)) +end + +function bridge_include_table(position, file) + if bridge.table[position] == nil then + error('No bridge position ' .. position) + end + + table.insert(bridge.table[position], read_include(file)) +end + +-- Loader + +function load_file(path) + local nft = assert(loadfile(path)) + + local fncs = setmetatable({ + path = path, + include = include, + rule = rule, + + bridge_rule = bridge_rule, + bridge_chain = bridge_chain, + bridge_table = bridge_table, + bridge_include_rule = bridge_include_rule, + bridge_include_table = bridge_include_table, + }, { __index = _G }) + + local env = setmetatable({}, { __index = fncs }) + setfenv(nft, env) + + nft() +end + +-- Clean old rules + +uci:foreach('firewall', 'include', function(i) + if string.starts(i['.name'], 'gluon_nftables_') then + uci:delete('firewall', i['.name']) + end +end) + +-- Load new rules + +for _, path in ipairs(glob.glob("/lib/gluon/nftables/*.lua", 0) or {}) do + print(' - NFTables: ' .. basepath(path)) + load_file(path) +end + +local b = io.open(path('bridge'), 'w') + +include('bridge', { + position = 'ruleset-pre', +}) + +write_all_lines(bridge.table.pre, b) + +for _, lines in pairs(bridge.chain) do + write_all_lines(lines, b, true) +end + +write_all_lines(bridge.table.post, b, true) + +uci:save('firewall') 
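Review bot: `rule()` writes `content + '\n'`; in Lua `+` is arithmetic, so the first non-numeric rule string raises "attempt to perform arithmetic on a string value" — it should be `file:write(content .. '\n')`. In `load_file(path)` the parameter shadows the global `path()` function, so `path = path` in the `fncs` table exposes the file-name string to rule files instead of the function that `.luacheckrc` declares for them; renaming the parameter (e.g. `file`) or using `path = _G.path` fixes that. The bridge handle `b` is never flushed or closed before `uci:save`, and the `io.open` results in `rule()` and for `b` are unchecked while `read_include` uses `assert`; a `b:close()` and `assert(io.open(...))` would surface a partial write instead of leaving a truncated `bridge.nft` behind.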
diff --git a/package/gluon-radv-filterd/Makefile b/package/gluon-radv-filterd/Makefile index 4cab8960..0015d5ee 100644 --- a/package/gluon-radv-filterd/Makefile +++ b/package/gluon-radv-filterd/Makefile @@ -6,7 +6,7 @@ include ../gluon.mk define Package/gluon-radv-filterd TITLE:=Filter IPv6 router advertisements - DEPENDS:=+gluon-ebtables +libgluonutil +libbatadv +libnl-tiny + DEPENDS:=+gluon-nftables +libgluonutil +libbatadv +libnl-tiny endef MAKE_VARS += \ diff --git a/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd b/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd deleted file mode 100644 index 178084d4..00000000 --- a/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd +++ /dev/null @@ -1,3 +0,0 @@ -chain('RADV_FILTER', 'DROP') -rule 'FORWARD -p IPv6 -i bat0 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j RADV_FILTER' -rule 'RADV_FILTER -j ACCEPT' diff --git a/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua b/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua new file mode 100644 index 00000000..0e516b36 --- /dev/null +++ b/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua @@ -0,0 +1,15 @@ +bridge_table('pre', [[set radv_allow { + type ether_addr +} + +set radv_filter { + type ether_addr +} +]]) + +-- This rule starts filtering once the address is in radv_filter + +-- Daemon adds 00:00:../ff:ff:.. to radv_filter (todo) so everything gets picked up, +-- effectivly turning radv_filter into a bool + +bridge_rule('FORWARD', 'ether saddr @radv_filter iifname "bat0" icmpv6 type nd-router-advert ether saddr != @radv_allow drop') diff --git a/package/gluon-radv-filterd/src/gluon-radv-filterd.c b/package/gluon-radv-filterd/src/gluon-radv-filterd.c index f9f8fb87..fd77fcea 100644 --- a/package/gluon-radv-filterd/src/gluon-radv-filterd.c +++ b/package/gluon-radv-filterd/src/gluon-radv-filterd.c 
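Review bot: The new rule keys on `ether saddr @radv_filter … ether saddr != @radv_allow drop`, but the daemon in gluon-radv-filterd.c (the two hunks on the next line) and respondd.c still flush and append the ebtables chain `G.chain`/`RADV_FILTER` whose definition this commit deletes, so until the daemon populates `radv_allow`/`radv_filter` the rule matches nothing and router advertisements pass unfiltered — the `(todo)` comment acknowledges this, but it leaves the filter fail-open in the meantime. Populating the sets from the daemon would be `nft add element bridge gluon radv_allow { <mac> }`-style calls in place of the `ebtables -A … -j ACCEPT` ones. The comment's `effectivly` should read `effectively`, and since `radv_filter` is declared as a plain `ether_addr` set of individual addresses, the `00:00:../ff:ff:..` wildcard the comment plans to insert may not be expressible as written; worth confirming.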
@@ -149,12 +149,12 @@ static void cleanup(void) { if (G.chain) { /* Reset chain to accept everything again */ - if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-F", G.chain, NULL })) + if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-F", G.chain, NULL })) DEBUG_MSG("warning: flushing ebtables chain %s failed, not adding a new rule", G.chain); - if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-A", G.chain, "-j", "ACCEPT", NULL })) + if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-A", G.chain, "-j", "ACCEPT", NULL })) DEBUG_MSG("warning: adding new rule to ebtables chain %s failed", G.chain); } } @@ -700,11 +700,11 @@ static void update_ebtables(void) { G.max_tq); G.best_router = router; - if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-F", G.chain, NULL })) + if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-F", G.chain, NULL })) error_message(0, 0, "warning: flushing ebtables chain %s failed, not adding a new rule", G.chain); - else if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[]) - { "ebtables-tiny", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL })) + else if (fork_execvp_timeout(&timeout, "ebtables", (const char *[]) + { "ebtables", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL })) error_message(0, 0, "warning: adding new rule to ebtables chain %s failed", G.chain); } diff --git a/package/gluon-radv-filterd/src/respondd.c b/package/gluon-radv-filterd/src/respondd.c index 8c2c7eb4..d81c5ca5 100644 --- a/package/gluon-radv-filterd/src/respondd.c +++ b/package/gluon-radv-filterd/src/respondd.c 
@@ -8,7 +8,7 @@
 #include "mac.h"
 
 static struct json_object * get_radv_filter() {
- FILE *f = popen("exec ebtables-tiny -L RADV_FILTER", "r");
+ FILE *f = popen("exec ebtables -L RADV_FILTER", "r");
 char *line = NULL;
 size_t len = 0;
 struct ether_addr mac = {};
diff --git a/targets/generic b/targets/generic
index 20111220..324a8394 100644
--- a/targets/generic
+++ b/targets/generic
@@ -97,14 +97,19 @@ packages {
 '-kmod-nft-offload',
 '-libustream-wolfssl',
 '-libwolfssl',
- '-nftables',
 '-odhcpd-ipv6only',
 '-ppp',
 '-ppp-mod-pppoe',
 '-wpad-mini',
 '-wpad-basic',
 '-wpad-basic-wolfssl',
- '-firewall4',
 'gluon-core',
- 'ip6tables-zz-legacy',
+ '-iptables',
+ '-ip6tables',
+ '-nftables',
+ 'nftables-json',
+ '-xtables-legacy',
+ '-ip6tables-nft',
+ '-iptables-nft',
+ '-kmod-ipt-core',
 }
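Review bot: The targets/generic hunk removes the xtables-legacy and iptables-nft variants but adds nothing that provides the `ebtables` binary which the radv-filterd daemon and `respondd.c` (`popen("exec ebtables -L RADV_FILTER", "r")`) still execute after this commit; unless a package providing it is pulled in elsewhere, both calls fail at runtime and the daemon's chain updates are silently lost. Either add the providing package here or, preferably, finish porting those two callers to `nft` so no ebtables compatibility layer is needed. The parser behind that `popen` was written against the `-L` output of `ebtables-tiny`; if a different implementation now provides `ebtables`, its listing format should be checked against that parser, which lies outside this hunk.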