gluon-ebtables -> gluon-nftables-multicast: split out multicast rules, delete rest
This commit is contained in:
parent
40b1f1b1e2
commit
09eec29c7d
@ -1,16 +0,0 @@
|
|||||||
include $(TOPDIR)/rules.mk
|
|
||||||
|
|
||||||
PKG_NAME:=gluon-ebtables
|
|
||||||
|
|
||||||
include ../gluon.mk
|
|
||||||
|
|
||||||
define Package/gluon-ebtables
|
|
||||||
TITLE:=Ebtables support
|
|
||||||
DEPENDS:=+gluon-core +ebtables-nft
|
|
||||||
endef
|
|
||||||
|
|
||||||
define Package/gluon-ebtables/description
|
|
||||||
Gluon community wifi mesh firmware framework: ebtables support
|
|
||||||
endef
|
|
||||||
|
|
||||||
$(eval $(call BuildPackageGluon,gluon-ebtables))
|
|
@ -1,80 +0,0 @@
|
|||||||
#!/bin/sh /etc/rc.common
|
|
||||||
# Copyright (C) 2013 Project Gluon
|
|
||||||
#
|
|
||||||
# Firewall script for inserting and removing ebtables rules.
|
|
||||||
#
|
|
||||||
# Example format, for filtering any IPv4 multicast packets to the SSDP UDP port:
|
|
||||||
# rule FORWARD --logical-out br-client -d Multicast -p IPv4 --ip-protocol udp --ip-destination-port 5355 -j DROP
|
|
||||||
#
|
|
||||||
# Removing all rules:
|
|
||||||
# $ /etc/init.d/gluon-ebtables stop
|
|
||||||
# Inserting all rules:
|
|
||||||
# $ /etc/init.d/gluon-ebtables start
|
|
||||||
# Inserting a specific rule file:
|
|
||||||
# $ /etc/init.d/gluon-ebtables start /lib/gluon/ebtables/100-mcast-chain
|
|
||||||
# Removing a specific rule file:
|
|
||||||
# $ /etc/init.d/gluon-ebtables stop /lib/gluon/ebtables/100-mcast-chain
|
|
||||||
|
|
||||||
|
|
||||||
START=19
|
|
||||||
STOP=91
|
|
||||||
|
|
||||||
|
|
||||||
exec_file() {
|
|
||||||
local file="$1"
|
|
||||||
|
|
||||||
/usr/bin/lua -e "
|
|
||||||
function rule(command, table)
|
|
||||||
table = table or 'filter'
|
|
||||||
os.execute($EBTABLES_RULE)
|
|
||||||
end
|
|
||||||
function chain(name, policy, table)
|
|
||||||
table = table or 'filter'
|
|
||||||
os.execute($EBTABLES_CHAIN)
|
|
||||||
end
|
|
||||||
|
|
||||||
" "$file"
|
|
||||||
}
|
|
||||||
|
|
||||||
exec_all() {
|
|
||||||
local sort_arg="$1"
|
|
||||||
|
|
||||||
local old_ifs="$IFS"
|
|
||||||
IFS='
|
|
||||||
'
|
|
||||||
for file in `find /lib/gluon/ebtables -type f | sort $sort_arg`; do
|
|
||||||
exec_file "$file"
|
|
||||||
done
|
|
||||||
IFS="$old_ifs"
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
start() {
|
|
||||||
(
|
|
||||||
export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
|
|
||||||
export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy'
|
|
||||||
|
|
||||||
# Contains /var/lib/ebtables/lock for '--concurrent'
|
|
||||||
[ ! -d "/var/lib/ebtables" ] && \
|
|
||||||
mkdir -p /var/lib/ebtables
|
|
||||||
|
|
||||||
if [ -z "$1" ]; then
|
|
||||||
exec_all ''
|
|
||||||
else
|
|
||||||
exec_file "$1"
|
|
||||||
fi
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
stop() {
|
|
||||||
(
|
|
||||||
export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command'
|
|
||||||
export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
|
|
||||||
|
|
||||||
if [ -z "$1" ]; then
|
|
||||||
exec_all '-r'
|
|
||||||
else
|
|
||||||
exec_file "$1"
|
|
||||||
fi
|
|
||||||
)
|
|
||||||
}
|
|
@ -1,2 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
/etc/init.d/gluon-ebtables stop
|
|
@ -1,2 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
/etc/init.d/gluon-ebtables start
|
|
@ -1,9 +0,0 @@
|
|||||||
chain('IN_ONLY', 'RETURN')
|
|
||||||
chain('OUT_ONLY', 'RETURN')
|
|
||||||
|
|
||||||
-- nat chain runs early, so we can drop IGMP/MLD
|
|
||||||
chain('MULTICAST_IN', 'RETURN', 'nat')
|
|
||||||
chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')
|
|
||||||
|
|
||||||
chain('MULTICAST_OUT', 'RETURN')
|
|
||||||
chain('MULTICAST_OUT_ICMPV6', 'RETURN')
|
|
@ -1,7 +0,0 @@
|
|||||||
rule 'IN_ONLY --logical-in br-client -i bat0 -j RETURN'
|
|
||||||
rule 'IN_ONLY --logical-in br-client -i local-port -j RETURN'
|
|
||||||
rule 'IN_ONLY --logical-in br-client -j DROP'
|
|
||||||
|
|
||||||
rule 'OUT_ONLY --logical-out br-client -o bat0 -j RETURN'
|
|
||||||
rule 'OUT_ONLY --logical-out br-client -o local-port -j RETURN'
|
|
||||||
rule 'OUT_ONLY --logical-out br-client -j DROP'
|
|
@ -1,20 +0,0 @@
|
|||||||
local site = require 'gluon.site'
|
|
||||||
|
|
||||||
rule('MULTICAST_IN -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP', 'nat')
|
|
||||||
rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp --ip-igmp-type membership-query -j DROP')
|
|
||||||
|
|
||||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query
|
|
||||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query
|
|
||||||
|
|
||||||
if site.mesh.filter_membership_reports(true) then
|
|
||||||
rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')
|
|
||||||
rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP')
|
|
||||||
|
|
||||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report
|
|
||||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
|
|
||||||
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
|
|
||||||
|
|
||||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
|
|
||||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
|
|
||||||
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
|
|
||||||
end
|
|
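--- /dev/null
+++ b/package/gluon-nftables-multicast/Makefile
@@ -0,0 +1,16 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-multicast
+
+include ../gluon.mk
+
+define Package/gluon-nftables-multicast
+TITLE:=nftables multicast filtering
+DEPENDS:=+gluon-core +gluon-nftables
+endef
+
+define Package/gluon-nftables-multicast/description
+Gluon community wifi mesh firmware framework: nftables multicast filtering
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-multicast))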
@ -0,0 +1,9 @@
|
|||||||
|
bridge_chain('IN_ONLY')
|
||||||
|
bridge_chain('OUT_ONLY')
|
||||||
|
|
||||||
|
-- nat chain runs early, so we can drop IGMP/MLD
|
||||||
|
bridge_chain('MULTICAST_IN', nil, 'nat')
|
||||||
|
bridge_chain('MULTICAST_IN_ICMPV6', nil, 'nat')
|
||||||
|
|
||||||
|
bridge_chain('MULTICAST_OUT')
|
||||||
|
bridge_chain('MULTICAST_OUT_ICMPV6')
|
@ -0,0 +1,5 @@
|
|||||||
|
bridge_rule('IN_ONLY', 'ibrname "br-client" iifname { "bat0", "local-port" } return')
|
||||||
|
bridge_rule('IN_ONLY', 'drop')
|
||||||
|
|
||||||
|
bridge_rule('OUT_ONLY', 'obrname "br-client" oifname { "bat0", "local-port" } return')
|
||||||
|
bridge_rule('OUT_ONLY', 'drop')
|
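Review bot: The terminal `drop` rules for `IN_ONLY` and `OUT_ONLY` no longer carry the `ibrname "br-client"` / `obrname "br-client"` match that the removed ebtables DROP rules had, so a frame reaching either chain on a bridge other than br-client is now dropped instead of falling through to the caller. If these chains are only ever entered from rules already restricted to br-client this is harmless, but the jump sites are not part of this commit, so it cannot be confirmed here. If the wider scope is not intended, the two lines should read `bridge_rule('IN_ONLY', 'ibrname "br-client" drop')` and `bridge_rule('OUT_ONLY', 'obrname "br-client" drop')`; if it is intended, a one-line comment stating that the chains are only reached for br-client traffic would prevent the next reader from re-raising it.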
@ -0,0 +1,15 @@
|
|||||||
|
local site = require 'gluon.site'
|
||||||
|
|
||||||
|
bridge_rule('MULTICAST_IN', 'igmp type membership-query drop')
|
||||||
|
bridge_rule('MULTICAST_OUT', 'igmp type membership-query drop')
|
||||||
|
|
||||||
|
bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"')
|
||||||
|
bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"')
|
||||||
|
|
||||||
|
if site.mesh.filter_membership_reports(true) then
|
||||||
|
bridge_rule('MULTICAST_OUT', 'ip protocol igmp drop')
|
||||||
|
bridge_rule('MULTICAST_IN', 'ip protocol igmp drop', 'nat')
|
||||||
|
|
||||||
|
bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"')
|
||||||
|
bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type { 131, 132, 143 } drop comment "MLDv1 Report, MLDv1 Done, MLDv2 Report"', 'nat')
|
||||||
|
end
|
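Review bot: The first `MULTICAST_IN` and `MULTICAST_IN_ICMPV6` rules omit the table argument, although both chains are created in the `nat` table (see the chain file in this commit) and the later rules for the same two chains inside the `filter_membership_reports` branch do pass `'nat'`. Unless `bridge_rule` defaults to the nat table — its definition is not in this commit, and the replaced ebtables script defaulted to `filter` — the ingress membership-query and MLD-query drops would be added to a filter-table chain that does not exist, so incoming IGMP/MLD queries from the mesh would no longer be filtered while the egress side still is. The two lines should be `bridge_rule('MULTICAST_IN', 'igmp type membership-query drop', 'nat')` and `bridge_rule('MULTICAST_IN_ICMPV6', 'icmpv6 type 130 drop comment "MLD Query"', 'nat')`, matching the four removed ebtables ingress rules, all of which passed `'nat'`.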