firewall: switch to nftables

package/gluon-core/Makefile

@@ -11,7 +11,7 @@ define Package/gluon-core
   TITLE:=Base files of Gluon
   DEPENDS:= \
 	+gluon-site +libgluonutil +libiwinfo-lua +lua-platform-info +lua-simple-uci +lua-hash +lua-jsonc \
-	+luabitop +luaposix +vxlan +odhcp6c +firewall +pretty-hostname
+	+luabitop +luaposix +vxlan +odhcp6c +firewall4 +pretty-hostname
 endef
 
 define Package/gluon-core/description

package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c

@@ -14,7 +14,7 @@
 
 #define BATCTL_DC "/usr/sbin/batctl dc -H -n"
 #define BATCTL_TL "/usr/sbin/batctl tl -H -n"
-#define EBTABLES "/usr/sbin/ebtables-tiny"
+#define EBTABLES "/usr/sbin/ebtables"
 
 #define BUILD_BUG_ON(check) ((void)sizeof(int[1-2*!!(check)]))
 

package/gluon-ebtables/Makefile

@@ -6,8 +6,7 @@ include ../gluon.mk
 
 define Package/gluon-ebtables
   TITLE:=Ebtables support
-  DEPENDS:=+gluon-core +ebtables-tiny \
-	+kmod-ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6
+  DEPENDS:=+gluon-core +ebtables-nft
 endef
 
 define Package/gluon-ebtables/description

package/gluon-ebtables/files/etc/init.d/gluon-ebtables

@@ -51,8 +51,8 @@ exec_all() {
 
 start() {
 	(
-		export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command'
-		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. "  -N " .. name .. " -P " .. policy'
+		export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
+		export EBTABLES_CHAIN='"ebtables -t " .. table .. "  -N " .. name .. " -P " .. policy'
 
 		# Contains /var/lib/ebtables/lock for '--concurrent'
 		[ ! -d "/var/lib/ebtables" ] && \
@@ -68,8 +68,8 @@ start() {
 
 stop() {
 	(
-		export EBTABLES_RULE='"ebtables-tiny -t " ..	table .. " -D " .. command'
-		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name'
+		export EBTABLES_RULE='"ebtables -t " ..	table .. " -D " .. command'
+		export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
 
 		if [ -z "$1" ]; then
 			exec_all '-r'

package/gluon-iptables-clamp-mss-to-pmtu/Makefile

@@ -6,7 +6,6 @@ include ../gluon.mk
 
 define Package/$(PKG_NAME)
   TITLE:=This will establish a firewall rule to clamp the mss to pmtu on the mesh-vpn interface when the connection is towards 64:ff9b::/96
-  DEPENDS:= +ip6tables-zz-legacy
 endef
 
 define Package/$(PKG_NAME)/description

package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules

@@ -1,3 +0,0 @@
-*mangle
--A FORWARD -o mesh-vpn+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-COMMIT

package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/nftables-mss.rules

@@ -0,0 +1 @@
+oifname "mesh-vpn*" tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu

package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu

@@ -2,9 +2,10 @@
 
 local uci = require('simple-uci').cursor()
 uci:section('firewall', 'include', 'vpn_clamp_mss', {
-	family = 'ipv6',
-	type = 'restore',
-	path = '/lib/gluon/mesh-vpn/iptables-mss.rules'
+	type = 'nftables',
+	position = 'chain-prepend',
+	chain = 'mangle_forward',
+	path = '/lib/gluon/mesh-vpn/nftables-mss.rules',
 })
 
 uci:save('firewall')

package/gluon-mesh-babel/Makefile

@@ -9,7 +9,7 @@ include ../gluon.mk
 
 define Package/gluon-mesh-babel
   TITLE:=Babel mesh
-  DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop
+  DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall4 +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop
   PROVIDES:=gluon-mesh-provider
 endef
 

package/gluon-mesh-batman-adv/Makefile

@@ -13,7 +13,7 @@ define Package/gluon-mesh-batman-adv-15
 	+libgluonutil \
 	+gluon-client-bridge \
 	+gluon-ebtables \
-	+firewall \
+	+firewall4 \
 	+libiwinfo \
 	+kmod-dummy \
 	+libnl-tiny \

package/gluon-mesh-layer3-common/Makefile

@@ -6,7 +6,7 @@ include ../gluon.mk
 
 define Package/gluon-mesh-layer3-common
   TITLE:=Layer3 common files
-  DEPENDS:=+gluon-core +gluon-mmfd +firewall
+  DEPENDS:=+gluon-core +gluon-mmfd +firewall4
 endef
 
 $(eval $(call BuildPackageGluon,gluon-mesh-layer3-common))

package/gluon-mesh-vpn-core/Makefile

@@ -6,7 +6,7 @@ include ../gluon.mk
 
 define Package/gluon-mesh-vpn-core
   TITLE:=Basic support for connecting meshes via VPN tunnels
-  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +iptables-zz-legacy +iptables-mod-extra +simple-tc
+  DEPENDS:=+gluon-core +gluon-wan-dnsmasq +simple-tc
   USERID:=:gluon-mesh-vpn=800
 endef
 

package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/iptables.rules

@@ -1,3 +0,0 @@
-*nat
--I OUTPUT -m owner --gid-owner gluon-mesh-vpn -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54
-COMMIT

package/gluon-mesh-vpn-core/files/lib/gluon/mesh-vpn/nftables.rules

@@ -0,0 +1 @@
+meta skgid gluon-mesh-vpn oifname "lo" ip daddr 127.0.0.1 udp dport 53 redirect to 54

package/gluon-mesh-vpn-core/luasrc/lib/gluon/upgrade/500-mesh-vpn

@@ -26,9 +26,10 @@ users.remove_user('gluon-fastd')
 users.remove_group('gluon-fastd')
 
 uci:section('firewall', 'include', 'mesh_vpn_dns', {
-	type = 'restore',
-	path = '/lib/gluon/mesh-vpn/iptables.rules',
-	family = 'ipv4',
+	type = 'nftables',
+	path = '/lib/gluon/mesh-vpn/nftables.rules',
+	position = 'chain-prepend',
+	chain = 'dstnat',
 })
 
 uci:save('firewall')

package/gluon-radv-filterd/src/gluon-radv-filterd.c

@@ -149,12 +149,12 @@ static void cleanup(void) {
 
 	if (G.chain) {
 		/* Reset chain to accept everything again */
-		if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[])
-				{ "ebtables-tiny", "-F", G.chain, NULL }))
+		if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
+				{ "ebtables", "-F", G.chain, NULL }))
 			DEBUG_MSG("warning: flushing ebtables chain %s failed, not adding a new rule", G.chain);
 
-		if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[])
-				{ "ebtables-tiny", "-A", G.chain, "-j", "ACCEPT", NULL }))
+		if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
+				{ "ebtables", "-A", G.chain, "-j", "ACCEPT", NULL }))
 			DEBUG_MSG("warning: adding new rule to ebtables chain %s failed", G.chain);
 	}
 }
@@ -700,11 +700,11 @@ static void update_ebtables(void) {
 			G.max_tq);
 	G.best_router = router;
 
-	if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[])
-			{ "ebtables-tiny", "-F", G.chain, NULL }))
+	if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
+			{ "ebtables", "-F", G.chain, NULL }))
 		error_message(0, 0, "warning: flushing ebtables chain %s failed, not adding a new rule", G.chain);
-	else if (fork_execvp_timeout(&timeout, "ebtables-tiny", (const char *[])
-			{ "ebtables-tiny", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL }))
+	else if (fork_execvp_timeout(&timeout, "ebtables", (const char *[])
+			{ "ebtables", "-A", G.chain, "-s", mac, "-j", "ACCEPT", NULL }))
 		error_message(0, 0, "warning: adding new rule to ebtables chain %s failed", G.chain);
 }
 

package/gluon-radv-filterd/src/respondd.c

@@ -8,7 +8,7 @@
 #include "mac.h"
 
 static struct json_object * get_radv_filter() {
-	FILE *f = popen("exec ebtables-tiny -L RADV_FILTER", "r");
+	FILE *f = popen("exec ebtables -L RADV_FILTER", "r");
 	char *line = NULL;
 	size_t len = 0;
 	struct ether_addr mac = {};

targets/generic

@@ -97,14 +97,18 @@ packages {
 	'-kmod-nft-offload',
 	'-libustream-wolfssl',
 	'-libwolfssl',
-	'-nftables',
 	'-odhcpd-ipv6only',
 	'-ppp',
 	'-ppp-mod-pppoe',
 	'-wpad-mini',
 	'-wpad-basic',
 	'-wpad-basic-wolfssl',
-	'-firewall4',
 	'gluon-core',
-	'ip6tables-zz-legacy',
+	'-iptables',
+	'-nftables',
+	'nftables-json',
+	'-xtables-legacy',
+	'ip6tables-nft',
+	'iptables-nft',
+	'-kmod-ipt-core',
 }