From 09eec29c7d47e3d0e3d6f69ce225a6374effe8ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?= Date: Mon, 1 May 2023 18:27:16 +0200 Subject: [PATCH] gluon-ebtables -> gluon-nftables-multicast: split out multicast rules, delete rest --- package/gluon-ebtables/Makefile | 16 ---- .../files/etc/init.d/gluon-ebtables | 80 ------------------- .../gluon/reload.d/381-gluon-ebtables-stop | 2 - .../gluon/reload.d/719-gluon-ebtables-start | 2 - .../luasrc/lib/gluon/ebtables/100-dir-chain | 9 --- .../luasrc/lib/gluon/ebtables/101-dir-rules | 7 -- .../gluon/ebtables/105-mcast-drop-igmp-mld | 20 ----- package/gluon-nftables-multicast/Makefile | 16 ++++ .../check_site.lua | 0 .../lib/gluon/nftables/100-dir-chain.lua | 9 +++ .../lib/gluon/nftables/101-dir-rules.lua | 5 ++ .../nftables/105-mcast-drop-igmp-mld.lua | 15 ++++ .../lib/gluon/nftables}/350-mcast-dir-rules | 0 13 files changed, 45 insertions(+), 136 deletions(-) delete mode 100644 package/gluon-ebtables/Makefile delete mode 100755 package/gluon-ebtables/files/etc/init.d/gluon-ebtables delete mode 100755 package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop delete mode 100755 package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start delete mode 100644 package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain delete mode 100644 package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules delete mode 100644 package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld create mode 100644 package/gluon-nftables-multicast/Makefile rename package/{gluon-ebtables => gluon-nftables-multicast}/check_site.lua (100%) create mode 100644 package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua create mode 100644 package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua create mode 100644 package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua rename package/{gluon-ebtables/luasrc/lib/gluon/ebtables => gluon-nftables-multicast/luasrc/lib/gluon/nftables}/350-mcast-dir-rules 
(100%)
diff --git a/package/gluon-ebtables/Makefile b/package/gluon-ebtables/Makefile
deleted file mode 100644
index 145b1b26..00000000
--- a/package/gluon-ebtables/Makefile
+++ /dev/null
@@ -1,16 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables
-
-include ../gluon.mk
-
-define Package/gluon-ebtables
- TITLE:=Ebtables support
- DEPENDS:=+gluon-core +ebtables-nft
-endef
-
-define Package/gluon-ebtables/description
- Gluon community wifi mesh firmware framework: ebtables support
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables))
diff --git a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
deleted file mode 100755
index 243b8cb5..00000000
--- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+++ /dev/null
@@ -1,80 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2013 Project Gluon -# -# Firewall script for inserting and removing ebtables rules. -# -# Example format, for filtering any IPv4 multicast packets to the SSDP UDP port: -# rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP -# -# Removing all rules: -# $ /etc/init.d/gluon-ebtables stop -# Inserting all rules: -# $ /etc/init.d/gluon-ebtables start -# Inserting a specific rule file: -# $ /etc/init.d/gluon-ebtables start /lib/gluon/ebtables/100-mcast-chain -# Removing a specific rule file: -# $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain - - -START=19 -STOP=91 - - -exec_file() { - local file="$1" - - /usr/bin/lua -e " - function rule(command, table) - table = table or 'filter' - os.execute($EBTABLES_RULE) - end - function chain(name, policy, table) - table = table or 'filter' - os.execute($EBTABLES_CHAIN) - end - - " "$file" -} - -exec_all() { - local sort_arg="$1" - - local old_ifs="$IFS" - IFS=' -' - for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do - exec_file "$file" - done - IFS="$old_ifs" -} - - -start() { - ( - export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command' - export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy' - - # Contains /var/lib/ebtables/lock for '--concurrent' - [ ! -d "/var/lib/ebtables" ] && \ - mkdir -p /var/lib/ebtables - - if [ -z "$1" ]; then - exec_all '' - else - exec_file "$1" - fi - ) -} - -stop() { - ( - export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command' - export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name' - - if [ -z "$1" ]; then - exec_all '-r' - else - exec_file "$1" - fi - ) -} diff --git a/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop b/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop deleted file mode 100755 index ab714cc2..00000000 
--- a/package/gluon-ebtables/files/lib/gluon/reload.d/381-gluon-ebtables-stop
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/gluon-ebtables stop
diff --git a/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start b/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start
deleted file mode 100755
index 579c2e63..00000000
--- a/package/gluon-ebtables/files/lib/gluon/reload.d/719-gluon-ebtables-start
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-/etc/init.d/gluon-ebtables start
diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain
deleted file mode 100644
index 62b92947..00000000
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/100-dir-chain
+++ /dev/null
@@ -1,9 +0,0 @@
-chain('IN_ONLY', 'RETURN')
-chain('OUT_ONLY', 'RETURN')
-
--- nat chain runs early, so we can drop IGMP/MLD
-chain('MULTICAST_IN', 'RETURN', 'nat')
-chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')
-
-chain('MULTICAST_OUT', 'RETURN')
-chain('MULTICAST_OUT_ICMPV6', 'RETURN')
diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules
deleted file mode 100644
index 74486ae5..00000000
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/101-dir-rules
+++ /dev/null
@@ -1,7 +0,0 @@
-rule 'IN_ONLY --logical-in br-client -i bat0 -j RETURN'
-rule 'IN_ONLY --logical-in br-client -i local-port -j RETURN'
-rule 'IN_ONLY --logical-in br-client -j DROP'
-
-rule 'OUT_ONLY --logical-out br-client -o bat0 -j RETURN'
-rule 'OUT_ONLY --logical-out br-client -o local-port -j RETURN'
-rule 'OUT_ONLY --logical-out br-client -j DROP'
diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld b/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
deleted file mode 100644
index 3b1ecab3..00000000
--- a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/105-mcast-drop-igmp-mld
+++ /dev/null
@@ -1,20 +0,0 @@
-local site = require 'gluon.site'
-
-rule('MULTICAST_IN -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP', 'nat')
-rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP')
-
-rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query
-rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query
-
-if site.mesh.filter_membership_reports(true) then
- rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')
- rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP')
-
- rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report
- rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
- rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
-
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
- rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
-end
diff --git a/package/gluon-nftables-multicast/Makefile b/package/gluon-nftables-multicast/Makefile
new file mode 100644
index 00000000..5002aa9f
--- /dev/null
+++ b/package/gluon-nftables-multicast/Makefile
@@ -0,0 +1,16 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-multicast
+
+include ../gluon.mk
+
+define Package/gluon-nftables-multicast
+ TITLE:=nftables multicast filtering
+ DEPENDS:=+gluon-core +gluon-nftables
+endef
+
+define Package/gluon-nftables-multicast/description
+ Gluon community wifi mesh firmware framework: nftables multicast filtering
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-multicast))
diff --git a/package/gluon-ebtables/check_site.lua b/package/gluon-nftables-multicast/check_site.lua
similarity index 100%
rename from package/gluon-ebtables/check_site.lua
rename to package/gluon-nftables-multicast/check_site.lua
diff --git a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua
new file mode 100644
index 00000000..76ea7491
--- /dev/null
+++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/100-dir-chain.lua
@@ -0,0 +1,9 @@
+bridge_chain('IN_ONLY')
+bridge_chain('OUT_ONLY')
+
+-- nat chain runs early, so we can drop IGMP/MLD
+bridge_chain('MULTICAST_IN', nil, 'nat')
+bridge_chain('MULTICAST_IN_ICMPV6', nil, 'nat')
+
+bridge_chain('MULTICAST_OUT')
+bridge_chain('MULTICAST_OUT_ICMPV6')
diff --git a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua
new file mode 100644
index 00000000..cb74ee17
--- /dev/null
+++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/101-dir-rules.lua
@@ -0,0 +1,5 @@
+bridge_rule('IN_ONLY', 'ibrname "br-client" iifname { "bat0", "local-port" } return')
+bridge_rule('IN_ONLY', 'drop')
+
+bridge_rule('OUT_ONLY', 'obrname "br-client" oifname { "bat0", "local-port" } return')
+bridge_rule('OUT_ONLY', 'drop')
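Review bot: The bare `nil` second argument on the two nat-table `bridge_chain` calls in 100-dir-chain.lua is unexplained; in the removed `chain(name, policy, table)` helper that slot was the policy, and a reader will wonder why the old explicit 'RETURN' disappeared. Presumably regular (non-base) nftables chains carry no policy and the slot is skipped only to reach the table argument — bridge_chain's signature is not in this diff, so that should be confirmed. A one-line comment above those calls, `-- policy slot is nil: regular chains have none; 'nat' selects the table`, would save the next maintainer the guess.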
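Review bot: The two unconditional `drop` rules in 101-dir-rules.lua lose the `--logical-in br-client` / `--logical-out br-client` qualifier the removed ebtables rules carried, so a frame that reaches IN_ONLY or OUT_ONLY from any other bridge is now dropped instead of falling through the chain. That is harmless only if every jump into these chains (in 350-mcast-dir-rules, renamed unchanged and not shown here) already restricts itself to br-client; otherwise it is a behavioural change the commit message does not mention. If the old semantics are intended, keep the qualifier on the catch-all: `bridge_rule('IN_ONLY', 'ibrname "br-client" drop')` and `bridge_rule('OUT_ONLY', 'obrname "br-client" drop')`.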
diff --git a/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua
new file mode 100644
index 00000000..0ea389d7
--- /dev/null
+++ b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/105-mcast-drop-igmp-mld.lua
@@ -0,0 +1,15 @@
+local site = require 'gluon.site'
+
+bridge_rule('MULTICAST_IN', 'igmp type membership-query drop')
+bridge_rule('MULTICAST_OUT', 'igmp type membership-query drop')
+
+bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"')
+bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"')
+
+if site.mesh.filter_membership_reports(true) then
+ bridge_rule('MULTICAST_OUT', 'ip protocol igmp drop')
+ bridge_rule('MULTICAST_IN', 'ip protocol igmp drop', 'nat')
+
+ bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"')
+ bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"', 'nat')
+end
diff --git a/package/gluon-ebtables/luasrc/lib/gluon/ebtables/350-mcast-dir-rules b/package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/350-mcast-dir-rules
similarity index 100%
rename from package/gluon-ebtables/luasrc/lib/gluon/ebtables/350-mcast-dir-rules
rename to package/gluon-nftables-multicast/luasrc/lib/gluon/nftables/350-mcast-dir-rules
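Review bot: The two inbound query rules — the `MULTICAST_IN` 'igmp type membership-query drop' line and the `MULTICAST_IN_ICMPV6` 'icmpv6 type 130' line — no longer pass `'nat'` as the table, although the removed ebtables version did, the filter_membership_reports branch lower in the same file still does, and 100-dir-chain.lua in this commit creates MULTICAST_IN and MULTICAST_IN_ICMPV6 only in the nat table. Unless bridge_rule (not in this diff) defaults to nat, these rules target a chain that does not exist in the default table, so inbound IGMP and MLD queries from the mesh would no longer be dropped while the outbound side keeps working and nothing makes the gap visible. Restore the table argument: `bridge_rule('MULTICAST_IN', 'igmp type membership-query drop', 'nat')` and `bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"', 'nat')`. Separately, 350-mcast-dir-rules is renamed at 100% similarity into the nftables directory without the `.lua` suffix the other new files carry; if it still uses the removed rule()/chain() helpers, or the loader only picks up `*.lua`, its direction rules will not take effect — worth confirming before merge.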