gluon-nftables-source-filter: migrate to nftables
This commit is contained in:
parent
7b822a72eb
commit
34c0bc6e36
@ -1,17 +0,0 @@
|
|||||||
include $(TOPDIR)/rules.mk
|
|
||||||
|
|
||||||
PKG_NAME:=gluon-ebtables-source-filter
|
|
||||||
|
|
||||||
include ../gluon.mk
|
|
||||||
|
|
||||||
define Package/gluon-ebtables-source-filter
|
|
||||||
TITLE:=Ebtables rules to filter unreasonable L2 traffic.
|
|
||||||
DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
|
|
||||||
endef
|
|
||||||
|
|
||||||
define Package/gluon-ebtables-source-filter/description
|
|
||||||
This package adds an additional layer-2 filter-ruleset to prevent unreasonable
|
|
||||||
traffic entering the network via the nodes.
|
|
||||||
endef
|
|
||||||
|
|
||||||
$(eval $(call BuildPackageGluon,gluon-ebtables-source-filter))
|
|
@ -1 +0,0 @@
|
|||||||
chain('LOCAL_FORWARD', 'DROP')
|
|
@ -1,6 +0,0 @@
|
|||||||
local prefix4 = require('gluon.site').prefix4()
|
|
||||||
|
|
||||||
if prefix4 then
|
|
||||||
rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
|
|
||||||
rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
|
|
||||||
end
|
|
@ -1,6 +0,0 @@
|
|||||||
local prefix4 = require('gluon.site').prefix4()
|
|
||||||
|
|
||||||
if prefix4 then
|
|
||||||
rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
|
|
||||||
rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
|
|
||||||
end
|
|
@ -1,9 +0,0 @@
|
|||||||
local site = require 'gluon.site'
|
|
||||||
|
|
||||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
|
|
||||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
|
|
||||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6() .. ' -j RETURN')
|
|
||||||
|
|
||||||
for _, prefix in ipairs(site.extra_prefixes6({})) do
|
|
||||||
rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
|
|
||||||
end
|
|
@ -1 +0,0 @@
|
|||||||
rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')
|
|
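--- /dev/null
+++ b/package/gluon-nftables-source-filter/Makefile
@@ -0,0 +1,17 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-source-filter
+
+include ../gluon.mk
+
+define Package/gluon-nftables-source-filter
+TITLE:=nftables rules to filter unreasonable L2 traffic.
+DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
+endef
+
+define Package/gluon-nftables-source-filter/description
+This package adds an additional layer-2 filter-ruleset to prevent unreasonable
+traffic entering the network via the nodes.
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-source-filter))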
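Review bot: The DEPENDS line now lists `+gluon-mesh-batman-adv`, while the removed ebtables Makefile listed `gluon-mesh-batman-adv` without the `+`. In OpenWrt package metadata a `+` dependency is auto-selected when this package is selected, whereas a bare dependency only requires the other package to already be selected, so this silently changes what gets pulled into an image; the commit message does not mention it. If the old semantics were intended, keep `DEPENDS:=+gluon-core +gluon-nftables gluon-mesh-batman-adv`; if the new behaviour is deliberate, say so in the description.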
@ -0,0 +1 @@
|
|||||||
|
bridge_chain('LOCAL_FORWARD')
|
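Review bot: `bridge_chain('LOCAL_FORWARD')` carries no terminal drop, whereas the removed `chain('LOCAL_FORWARD', 'DROP')` gave the chain a DROP policy; nftables regular chains have no policy, so unless the `bridge_chain` helper appends one itself, frames that match none of the `return` rules now fall through and are forwarded instead of dropped, which defeats the purpose of the filter. A final `bridge_rule('LOCAL_FORWARD', 'drop')` ordered after all the return rules (however the helper orders rule files) is needed. Separately, this chain is created as `LOCAL_FORWARD` but the jump in the last hunk of this commit targets `local_forward`; nftables chain names are case-sensitive, so unless the helper normalizes names the ruleset will fail to load and the chain is never consulted — use `jump LOCAL_FORWARD` there, or lowercase the name in both places.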
@ -0,0 +1,6 @@
|
|||||||
|
local prefix4 = require('gluon.site').prefix4()
|
||||||
|
|
||||||
|
if prefix4 then
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'arp saddr ip ' .. prefix4 .. ' arp daddr ip ' .. prefix4 .. ' return')
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'arp saddr ip 0.0.0.0 arp daddr ip ' .. prefix4 .. ' return')
|
||||||
|
end
|
@ -0,0 +1,6 @@
|
|||||||
|
local prefix4 = require('gluon.site').prefix4()
|
||||||
|
|
||||||
|
if prefix4 then
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'ip version 4 udp dport 67 return')
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'ip saddr ' .. prefix4 .. ' return')
|
||||||
|
end
|
@ -0,0 +1,9 @@
|
|||||||
|
local site = require 'gluon.site'
|
||||||
|
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'ip6 saddr fe80::/64 return')
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6')
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'ip6 saddr ' .. site.prefix6() .. ' return')
|
||||||
|
|
||||||
|
for _, prefix in ipairs(site.extra_prefixes6({})) do
|
||||||
|
bridge_rule('LOCAL_FORWARD', 'ip6 saddr ' .. prefix .. ' return')
|
||||||
|
end
|
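Review bot: The second rule, `bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6')`, has no verdict, while the removed ebtables rule ended in `-j RETURN` and every other rule in this file ends in `return`. As written it matches and does nothing, so ICMPv6 sent from the unspecified address (Neighbor Solicitation during duplicate address detection) is no longer exempted and is subject to whatever terminal action follows in LOCAL_FORWARD, which would likely break DAD for clients behind the node. Change it to `bridge_rule('LOCAL_FORWARD', 'ip6 saddr ::/128 ip6 nexthdr icmpv6 return')`.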
@ -0,0 +1 @@
|
|||||||
|
bridge_rule('FORWARD', 'ibrname "br-client" iifname != "bat0" jump local_forward')
|