gluon-ebtables -> gluon-nftables-multicast: split out multicast rules, delete rest

2023-05-01 18:27:16 +02:00 · 2023-05-01 18:27:16 +02:00 · 09eec29c7d
commit 09eec29c7d
parent 40b1f1b1e2
13 changed files with 45 additions and 136 deletions
--- a/package/gluon-ebtables/Makefile
+++ b/package/gluon-ebtables/Makefile
@ -1,16 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables
-
-include ../gluon.mk
-
-define Package/gluon-ebtables
-  TITLE:=Ebtables support
-  DEPENDS:=+gluon-core +ebtables-nft
-endef
-
-define Package/gluon-ebtables/description
-	Gluon community wifi mesh firmware framework: ebtables support
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables))
--- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+++ b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
@ -1,80 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2013 Project Gluon
-#
-# Firewall script for inserting and removing ebtables rules.
-#
-# Example format, for filtering any IPv4 multicast packets to the SSDP UDP port:
-# rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP
-#
-# Removing all rules:
-# $ /etc/init.d/gluon-ebtables stop
-# Inserting all rules:
-# $ /etc/init.d/gluon-ebtables start
-# Inserting a specific rule file:
-# $ /etc/init.d/gluon-ebtables start /lib/gluon/ebtables/100-mcast-chain
-# Removing a specific rule file:
-# $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain
-
-
-START=19
-STOP=91
-
-
-exec_file() {
-	local file="$1"
-
-	/usr/bin/lua -e "
-		function rule(command, table)
-			table = table or 'filter'
-			os.execute($EBTABLES_RULE)
-		end
-		function chain(name, policy, table)
-			table = table or 'filter'
-			os.execute($EBTABLES_CHAIN)
-		end
-
-	" "$file"
-}
-
-exec_all() {
-	local sort_arg="$1"
-
-	local old_ifs="$IFS"
-	IFS='
-'
-	for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do
-		exec_file "$file"
-	done
-	IFS="$old_ifs"
-}
-
-
-start() {
-	(
-		export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
-		export EBTABLES_CHAIN='"ebtables -t " .. table .. "  -N " .. name .. " -P " .. policy'
-
-		# Contains /var/lib/ebtables/lock for '--concurrent'
-		[ ! -d "/var/lib/ebtables" ] && \
-			mkdir -p /var/lib/ebtables
-
-		if [ -z "$1" ]; then
-			exec_all ''
-		else
-			exec_file "$1"
-		fi
-	)
-}
-
-stop() {
-	(
-		export EBTABLES_RULE='"ebtables -t " ..	table .. " -D " .. command'
-		export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
-
-		if [ -z "$1" ]; then
-			exec_all '-r'
-		else
-			exec_file "$1"
-		fi
-	)
-}
--- a/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop
+++ b/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop
@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/gluon-ebtables stop
--- a/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start
+++ b/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start
@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/gluon-ebtables start
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain
+++ b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain
@ -1,9 +0,0 @@
-chain('IN_ONLY', 'RETURN')
-chain('OUT_ONLY', 'RETURN')
-
-- nat chain runs early, so we can drop IGMP/MLD
-chain('MULTICAST_IN', 'RETURN', 'nat')
-chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')
-
-chain('MULTICAST_OUT', 'RETURN')
-chain('MULTICAST_OUT_ICMPV6', 'RETURN')
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules
+++ b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules
@ -1,7 +0,0 @@
-rule 'IN_ONLY --logical-in br-client -i bat0 -j RETURN'
-rule 'IN_ONLY --logical-in br-client -i local-port -j RETURN'
-rule 'IN_ONLY --logical-in br-client -j DROP'
-
-rule 'OUT_ONLY --logical-out br-client -o bat0 -j RETURN'
-rule 'OUT_ONLY --logical-out br-client -o local-port -j RETURN'
-rule 'OUT_ONLY --logical-out br-client -j DROP'
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
+++ b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
@ -1,20 +0,0 @@
-local site = require 'gluon.site'
-
-rule('MULTICAST_IN -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP', 'nat')
-rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP')
-
-rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query
-rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query
-
-if site.mesh.filter_membership_reports(true) then
-	rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')
-	rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP')
-
-	rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report
-	rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
-	rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
-
-	rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
-	rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
-	rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
-end
--- a/package/gluon-nftables-multicast/Makefile
+++ b/package/gluon-nftables-multicast/Makefile
@ -0,0 +1,16 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-multicast
+
+include ../gluon.mk
+
+define Package/gluon-nftables-multicast
+  TITLE:=nftables multicast filtering
+  DEPENDS:=+gluon-core +gluon-nftables
+endef
+
+define Package/gluon-nftables-multicast/description
+	Gluon community wifi mesh firmware framework: nftables multicast filtering
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-multicast))
--- a/package/gluon-nftables-multicast/check_site.lua
+++ b/package/gluon-nftables-multicast/check_site.lua
--- a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua
+++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua
@ -0,0 +1,9 @@
+bridge_chain('IN_ONLY')
+bridge_chain('OUT_ONLY')
+
+-- nat chain runs early, so we can drop IGMP/MLD
+bridge_chain('MULTICAST_IN', nil, 'nat')
+bridge_chain('MULTICAST_IN_ICMPV6', nil, 'nat')
+
+bridge_chain('MULTICAST_OUT')
+bridge_chain('MULTICAST_OUT_ICMPV6')
--- a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua
+++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua
@ -0,0 +1,5 @@
+bridge_rule('IN_ONLY', 'ibrname "br-client" iifname { "bat0", "local-port" } return')
+bridge_rule('IN_ONLY', 'drop')
+
+bridge_rule('OUT_ONLY', 'obrname "br-client" oifname { "bat0", "local-port" } return')
+bridge_rule('OUT_ONLY', 'drop')
--- a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua
+++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua
@ -0,0 +1,15 @@
+local site = require 'gluon.site'
+
+bridge_rule('MULTICAST_IN', 'igmp type membership-query drop')
+bridge_rule('MULTICAST_OUT', 'igmp type membership-query drop')
+
+bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"')
+bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"')
+
+if site.mesh.filter_membership_reports(true) then
+	bridge_rule('MULTICAST_OUT', 'ip protocol igmp drop')
+	bridge_rule('MULTICAST_IN', 'ip protocol igmp drop', 'nat')
+
+	bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"')
+	bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"', 'nat')
+end
--- a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/350-mcast-dir-rules
+++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/350-mcast-dir-rules