gluon-nftables-source-filter: migrate to nftables

2023-05-01 18:23:51 +02:00 · 2023-05-01 18:23:51 +02:00 · 34c0bc6e36
commit 34c0bc6e36
parent 7b822a72eb
12 changed files with 40 additions and 40 deletions
--- a/package/gluon-ebtables-source-filter/Makefile
+++ b/package/gluon-ebtables-source-filter/Makefile
@ -1,17 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables-source-filter
-
-include ../gluon.mk
-
-define Package/gluon-ebtables-source-filter
-  TITLE:=Ebtables rules to filter unreasonable L2 traffic.
-  DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
-endef
-
-define Package/gluon-ebtables-source-filter/description
-	This package adds an additional layer-2 filter-ruleset to prevent unreasonable
-	traffic entering the network via the nodes.
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables-source-filter))
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain
+++ b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain
@ -1 +0,0 @@
-chain('LOCAL_FORWARD', 'DROP')
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp
+++ b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp
@ -1,6 +0,0 @@
-local prefix4 = require('gluon.site').prefix4()
-
-if prefix4 then
-	rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
-	rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
-end
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4
+++ b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4
@ -1,6 +0,0 @@
-local prefix4 = require('gluon.site').prefix4()
-
-if prefix4 then
-	rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
-	rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
-end
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6
+++ b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6
@ -1,9 +0,0 @@
-local site = require 'gluon.site'
-
-rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
-rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
-rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6() .. ' -j RETURN')
-
-for _, prefix in ipairs(site.extra_prefixes6({})) do
-	rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
-end
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules
+++ b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules
@ -1 +0,0 @@
-rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')
--- a/package/gluon-nftables-source-filter/Makefile
+++ b/package/gluon-nftables-source-filter/Makefile
@ -0,0 +1,17 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-source-filter
+
+include ../gluon.mk
+
+define Package/gluon-nftables-source-filter
+  TITLE:=nftables rules to filter unreasonable L2 traffic.
+  DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
+endef
+
+define Package/gluon-nftables-source-filter/description
+	This package adds an additional layer-2 filter-ruleset to prevent unreasonable
+	traffic entering the network via the nodes.
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-source-filter))
--- a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua
@ -0,0 +1 @@
+bridge_chain('LOCAL_FORWARD')
--- a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua
@ -0,0 +1,6 @@
+local prefix4 = require('gluon.site').prefix4()
+
+if prefix4 then
+	bridge_rule('LOCAL_FORWARD', 'arp saddr ip ' .. prefix4 .. ' arp daddr ip ' .. prefix4 .. ' return')
+	bridge_rule('LOCAL_FORWARD', 'arp saddr ip 0.0.0.0 arp daddr ip ' .. prefix4 .. ' return')
+end
--- a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua
@ -0,0 +1,6 @@
+local prefix4 = require('gluon.site').prefix4()
+
+if prefix4 then
+	bridge_rule('LOCAL_FORWARD', 'ip version 4 udp dport 67 return')
+	bridge_rule('LOCAL_FORWARD', 'ip saddr ' .. prefix4 .. ' return')
+end
--- a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua
@ -0,0 +1,9 @@
+local site = require 'gluon.site'
+
+bridge_rule('LOCAL_FORWARD', 'ip6 saddr fe80::/64 return')
+bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6')
+bridge_rule('LOCAL_FORWARD', 'ip6 saddr ' .. site.prefix6() .. ' return')
+
+for _, prefix in ipairs(site.extra_prefixes6({})) do
+	bridge_rule('LOCAL_FORWARD', 'ip6 saddr '  .. prefix .. ' return')
+end
--- a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua
@ -0,0 +1 @@
+bridge_rule('FORWARD', 'ibrname "br-client" iifname != "bat0" jump local_forward')
				`@ -1 +0,0 @@`
				`rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')`
				`@ -0,0 +1 @@`
				`bridge_rule('FORWARD', 'ibrname "br-client" iifname != "bat0" jump local_forward')`