nils/gluon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gluon-ebtables: use Lua instead of sh for the rule DSL to increase flexibility

Browse Source
This commit is contained in:
Matthias Schiffer 2014-05-14 15:02:57 +02:00
parent ee829e8c90
commit 0953c9befb
19 changed files with 55 additions and 56 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
View File

@ -1 +1 @@
chain MULTICAST_OUT DROP
chain('MULTICAST_OUT', 'DROP')

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp
View File

@ -1 +1 @@
rule MULTICAST_OUT -p ARP -j RETURN
rule 'MULTICAST_OUT -p ARP -j RETURN'

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel
View File

@ -1 +1 @@
rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN'

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd
View File

@ -1 +1 @@
rule MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN
rule 'MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN'

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4
View File

@ -1 +1 @@
rule MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN
rule 'MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN'

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6
View File

@ -1 +1 @@
rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN'

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
View File

@ -1 +1 @@
rule MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN
rule 'MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN'

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
View File

@ -1 +1 @@
rule MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN'

2
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
View File

@ -1 +1 @@
rule MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN
rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'

4
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf
View File

@ -1,2 +1,2 @@
rule MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN
rule MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN
rule 'MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN'

4
package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
View File

@ -1,2 +1,2 @@
rule FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT
rule OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT
rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'

8
package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4
View File

@ -1,5 +1,5 @@
rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
rule OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
rule 'OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
rule INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
rule 'INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'

8
package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6
View File

@ -1,5 +1,5 @@
rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
rule OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY'
rule 'OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY'
rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
rule INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY'
rule 'INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY'

8
package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv
View File

@ -1,5 +1,5 @@
rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'

25
package/gluon-ebtables/files/etc/init.d/gluon-ebtables
View File

@ -23,15 +23,14 @@ STOP=91
exec_file() {
local file="$1"
sh -c "
eval 'rule() {
$EBTABLES_RULE
}'
eval 'chain() {
$EBTABLES_CHAIN
}'
source \"$1\"
" - "$file"
/usr/bin/lua -e "
function rule(command)
os.execute($EBTABLES_RULE)
end
function chain(name, policy)
os.execute($EBTABLES_CHAIN)
end
" "$file"
}
exec_all() {
@ -49,8 +48,8 @@ exec_all() {
start() {
(
export EBTABLES_RULE='ebtables -A "$@"'
export EBTABLES_CHAIN='ebtables -N "$1" -P "$2"'
export EBTABLES_RULE='"ebtables -A " .. command'
export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy'
if [ -z "$1" ]; then
exec_all ''
@ -62,8 +61,8 @@ start() {
stop() {
(
export EBTABLES_RULE='ebtables -D "$@"'
export EBTABLES_CHAIN='ebtables -X "$1"'
export EBTABLES_RULE='"ebtables -D " .. command'
export EBTABLES_CHAIN='"ebtables -X " .. name'
if [ -z "$1" ]; then
exec_all '-r'

4
package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain
View File

@ -1,2 +1,2 @@
chain IN_ONLY RETURN
chain OUT_ONLY RETURN
chain('IN_ONLY', 'RETURN')
chain('OUT_ONLY', 'RETURN')

4
package/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules
View File

@ -1,2 +1,2 @@
rule IN_ONLY --logical-in br-client -i ! bat0 -j DROP
rule OUT_ONLY --logical-out br-client -o ! bat0 -j DROP
rule 'IN_ONLY --logical-in br-client -i ! bat0 -j DROP'
rule 'OUT_ONLY --logical-out br-client -o ! bat0 -j DROP'

24
package/gluon-next-node/generate/lib/gluon/ebtables/250-next-node
View File

@ -1,14 +1,14 @@
rule FORWARD --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP
rule OUTPUT --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP
rule FORWARD --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP
rule OUTPUT --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP
rule 'FORWARD --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP'
rule 'OUTPUT --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP'
rule 'FORWARD --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP'
rule 'OUTPUT --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP'
rule FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP
rule OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP
rule FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP
rule OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP
rule 'FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP'
rule 'OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP'
rule 'FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP'
rule 'OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP'
rule FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP
rule OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP
rule FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP
rule OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP
rule 'FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP'
rule 'OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP'
rule 'FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP'
rule 'OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP'

4
package/gluon-radvd/files/lib/gluon/ebtables/300-radv-input-output
View File

@ -1,2 +1,2 @@
rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -i bat0 -j DROP
rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -o bat0 -j DROP
rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -i bat0 -j DROP'
rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -o bat0 -j DROP'