From 34c0bc6e36c64b33c3318e2c4a38668eb918a29d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?=
Date: Mon, 1 May 2023 18:23:51 +0200
Subject: [PATCH] gluon-nftables-source-filter: migrate to nftables
---
 package/gluon-ebtables-source-filter/Makefile | 17 -----------------
 .../lib/gluon/ebtables/100-local-forward-chain | 1 -
 .../gluon/ebtables/110-local-forward-allow-arp | 6 ------
 .../gluon/ebtables/110-local-forward-allow-ipv4 | 6 ------
 .../gluon/ebtables/110-local-forward-allow-ipv6 | 9 ---------
 .../lib/gluon/ebtables/300-local-forward-rules | 1 -
 package/gluon-nftables-source-filter/Makefile | 17 +++++++++++++++++
 .../gluon/nftables/100-local-forward-chain.lua | 1 +
 .../nftables/110-local-forward-allow-arp.lua | 6 ++++++
 .../nftables/110-local-forward-allow-ipv4.lua | 6 ++++++
 .../nftables/110-local-forward-allow-ipv6.lua | 9 +++++++++
 .../gluon/nftables/300-local-forward-rules.lua | 1 +
 12 files changed, 40 insertions(+), 40 deletions(-)
 delete mode 100644 package/gluon-ebtables-source-filter/Makefile
 delete mode 100644 package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain
 delete mode 100644 package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp
 delete mode 100644 package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4
 delete mode 100644 package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6
 delete mode 100644 package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules
 create mode 100644 package/gluon-nftables-source-filter/Makefile
 create mode 100644 package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua
 create mode 100644 package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua
 create mode 100644 package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua
 create mode 100644 package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua
 create mode 100644 package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua
diff --git a/package/gluon-ebtables-source-filter/Makefile b/package/gluon-ebtables-source-filter/Makefile
deleted file mode 100644
index 17377e1f..00000000
--- a/package/gluon-ebtables-source-filter/Makefile
+++ /dev/null
@@ -1,17 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables-source-filter
-
-include ../gluon.mk
-
-define Package/gluon-ebtables-source-filter
- TITLE:=Ebtables rules to filter unreasonable L2 traffic.
- DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
-endef
-
-define Package/gluon-ebtables-source-filter/description
- This package adds an additional layer-2 filter-ruleset to prevent unreasonable
- traffic entering the network via the nodes.
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables-source-filter))
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain
deleted file mode 100644
index b9f4467d..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/100-local-forward-chain
+++ /dev/null
@@ -1 +0,0 @@
-chain('LOCAL_FORWARD', 'DROP')
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp
deleted file mode 100644
index 06436cf2..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-arp
+++ /dev/null
@@ -1,6 +0,0 @@
-local prefix4 = require('gluon.site').prefix4()
-
-if prefix4 then
- rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
- rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
-end
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4 b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4
deleted file mode 100644
index e712c5fb..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv4
+++ /dev/null
@@ -1,6 +0,0 @@
-local prefix4 = require('gluon.site').prefix4()
-
-if prefix4 then
- rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
- rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
-end
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6 b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6
deleted file mode 100644
index f6a19747..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/110-local-forward-allow-ipv6
+++ /dev/null
@@ -1,9 +0,0 @@
-local site = require 'gluon.site'
-
-rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
-rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
-rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6() .. ' -j RETURN')
-
-for _, prefix in ipairs(site.extra_prefixes6({})) do
- rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
-end
diff --git a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules b/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules
deleted file mode 100644
index 6c5a9257..00000000
--- a/package/gluon-ebtables-source-filter/luasrc/lib/gluon/ebtables/300-local-forward-rules
+++ /dev/null
@@ -1 +0,0 @@
-rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')
diff --git a/package/gluon-nftables-source-filter/Makefile b/package/gluon-nftables-source-filter/Makefile
new file mode 100644
index 00000000..9f7ab884
--- /dev/null
+++ b/package/gluon-nftables-source-filter/Makefile
@@ -0,0 +1,17 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-source-filter
+
+include ../gluon.mk
+
+define Package/gluon-nftables-source-filter
+ TITLE:=nftables rules to filter unreasonable L2 traffic.
+ DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
+endef
+
+define Package/gluon-nftables-source-filter/description
+ This package adds an additional layer-2 filter-ruleset to prevent unreasonable
+ traffic entering the network via the nodes.
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-source-filter))
diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua
new file mode 100644
index 00000000..51437cb8
--- /dev/null
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/100-local-forward-chain.lua
@@ -0,0 +1 @@
+bridge_chain('LOCAL_FORWARD')
diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua
new file mode 100644
index 00000000..028f9319
--- /dev/null
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-arp.lua
@@ -0,0 +1,6 @@
+local prefix4 = require('gluon.site').prefix4()
+
+if prefix4 then
+ bridge_rule('LOCAL_FORWARD', 'arp saddr ip ' .. prefix4 .. ' arp daddr ip ' .. prefix4 .. ' return')
+ bridge_rule('LOCAL_FORWARD', 'arp saddr ip 0.0.0.0 arp daddr ip ' .. prefix4 .. ' return')
+end
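Review bot: The new DEPENDS line pulls batman-adv in unconditionally, `DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv`, whereas the ebtables Makefile it replaces listed `gluon-mesh-batman-adv` without the `+`, which in OpenWrt packaging only constrains selection rather than forcing installation. If that tightening is not intended, an image built without batman-adv would now have it installed by this package; keeping the previous form `DEPENDS:=+gluon-core +gluon-nftables gluon-mesh-batman-adv` preserves the old semantics. The `+` semantics are inferred from OpenWrt convention, not from anything in this diff, so please confirm which was meant.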
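Review bot: `bridge_chain('LOCAL_FORWARD')` loses the `'DROP'` policy the old `chain('LOCAL_FORWARD', 'DROP')` carried, and nothing else in this patch supplies a replacement. In nftables only base chains take a policy; a chain entered via `jump` (as 300-local-forward-rules.lua does here) is a regular chain, so frames that match none of the allow-list `return` rules fall back to the caller and are forwarded — the filter fails open unless `bridge_chain` itself appends a terminal drop, which this diff does not show. Add an explicit terminal rule in a late-numbered file, e.g. `bridge_rule('LOCAL_FORWARD', 'drop')`, so the `return` rules keep their allow-list meaning.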
diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua
new file mode 100644
index 00000000..38fe99d3
--- /dev/null
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv4.lua
@@ -0,0 +1,6 @@
+local prefix4 = require('gluon.site').prefix4()
+
+if prefix4 then
+ bridge_rule('LOCAL_FORWARD', 'ip version 4 udp dport 67 return')
+ bridge_rule('LOCAL_FORWARD', 'ip saddr ' .. prefix4 .. ' return')
+end
diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua
new file mode 100644
index 00000000..9da7a8be
--- /dev/null
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/110-local-forward-allow-ipv6.lua
@@ -0,0 +1,9 @@
+local site = require 'gluon.site'
+
+bridge_rule('LOCAL_FORWARD', 'ip6 saddr fe80::/64 return')
+bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6')
+bridge_rule('LOCAL_FORWARD', 'ip6 saddr ' .. site.prefix6() .. ' return')
+
+for _, prefix in ipairs(site.extra_prefixes6({})) do
+ bridge_rule('LOCAL_FORWARD', 'ip6 saddr ' .. prefix .. ' return')
+end
diff --git a/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua
new file mode 100644
index 00000000..6fb3228c
--- /dev/null
+++ b/package/gluon-nftables-source-filter/luasrc/lib/gluon/nftables/300-local-forward-rules.lua
@@ -0,0 +1 @@
+bridge_rule('FORWARD', 'ibrname "br-client" iifname != "bat0" jump local_forward')
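Review bot: The second rule, `bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6')`, carries no verdict, while the ebtables rule it replaces ended in `-j RETURN`. An nftables rule without a verdict only matches and counts, so ICMPv6 from the unspecified source (duplicate address detection) no longer leaves the chain early and instead continues to whatever terminal treatment follows the allow-list, which for this filter means being dropped. It should read `bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6 return')`.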
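Review bot: The jump target `local_forward` does not match the chain this patch creates in 100-local-forward-chain.lua, `bridge_chain('LOCAL_FORWARD')`, and nftables chain names are case-sensitive. Unless `bridge_chain`/`bridge_rule` normalise the case (not visible here), nft rejects a rule that references an unknown chain, and depending on how gluon-nftables loads the ruleset either this rule or the whole batch is discarded — either way the source filter silently fails open. Use one spelling consistently, e.g. `bridge_rule('FORWARD', 'ibrname "br-client" iifname != "bat0" jump LOCAL_FORWARD')`, or rename the chain. The `FORWARD` base chain is also referenced only by name; I could not confirm from this diff that gluon-nftables creates it under that name.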