commit
7565839fc4
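--- a/docs/package/gluon-ebtables-segment-mld.rst
+++ b/docs/package/gluon-ebtables-segment-mld.rst
@@ -0,0 +1,16 @@
+gluon-ebtables-segment-mld
+==========================
+
+These filters drop IGMP/MLD packets before they enter the mesh and
+filter any IGMP/MLD packets coming from the mesh.
+
+IGMP/MLD have the concept of a local, elected Querier. For more
+decentralization and increased robustness, the idea of this package is
+to split the IGMP/MLD domain a querier is responsible for, allowing to
+have a querier per node. The split IGMP/MLD domain will also reduce
+overhead for this packet type, increasing scalability.
+
+Beware of the consequences of using this package though: You might need
+to explicitly, manually mark ports on snooping switches leading towards
+your mesh node as multicast router ports for now (Multicast Router
+Discovery, MRD, not implemented yet).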
@ -1 +0,0 @@
chain('MULTICAST_OUT', 'DROP')
@ -1,5 +1,3 @@
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j DROP'
rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j RETURN'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j DROP'
rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j RETURN' -- ICMP Node Information Query
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN'
rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol 0 -j RETURN' -- hop-by-hop
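Review bot: The new catch-all `rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'` ends filter traversal for every ICMPv6 type not matched above it, so the MLD DROP rules that the hunk at L349–L385 appends to the same chain only work if their file is executed before this one, and the default-deny `rule ('MULTICAST_OUT -j DROP')` at L118 only if it runs after every other MULTICAST_OUT rule; with `ebtables -A` appends that ordering is decided by the file order exec_all walks, which is not visible on this page. A comment here should record the constraint, e.g. `-- catch-all: must remain the last rule appended to MULTICAST_OUT_ICMPV6; per-type DROPs from other rule files have to be added before it`. Dropping the old `--ip6-protocol 0 -j RETURN` line also changes behaviour: a frame whose matched IPv6 protocol is hop-by-hop now falls through to that final DROP, which is harmless if `--ip6-protocol` skips extension headers on the target kernel but would otherwise discard MLD carrying the Router Alert option before it ever reaches MULTICAST_OUT_ICMPV6 — worth confirming on the deployed kernel.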
@ -1,2 +0,0 @@
rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
@ -0,0 +1 @@
rule ('MULTICAST_OUT -j DROP')
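Review bot: `rule ('MULTICAST_OUT -j DROP')` puts a space between the function name and its argument list, whereas the other new rule files use `rule('…')` or the `rule '…'` string-call form; L333 and L337 carry the same spacing. Lua accepts all three, but one form across the rule files reads better — `rule('MULTICAST_OUT -j DROP')`. Since this file's single rule is the default-deny that replaces the old DROP policy of the chain (removed at L75), a comment such as `-- default deny for MULTICAST_OUT: must be the last rule appended to the chain` would explain why it sits in a file of its own.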
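--- a/package/gluon-ebtables-segment-mld/Makefile
+++ b/package/gluon-ebtables-segment-mld/Makefile
@@ -0,0 +1,51 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-segment-mld
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-segment-mld
+SECTION:=gluon
+CATEGORY:=Gluon
+TITLE:=Ebtables filters for IGMP/MLD packets
+DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-segment-mld/description
+Gluon community wifi mesh firmware framework: Ebtables filters for
+IGMP/MLD packets
+
+These filters drop IGMP/MLD packets before they enter the mesh and
+filter any IGMP/MLD packets coming from the mesh.
+
+IGMP/MLD have the concept of a local, elected Querier. For more
+decentralization and increased robustness, the idea of this package is
+to split the IGMP/MLD domain a querier is responsible for, allowing to
+have a querier per node. The split IGMP/MLD domain will also reduce
+overhead for this packet type, increasing scalability.
+
+Beware of the consequences of using this package though: You might need
+to explicitly, manually mark ports on snooping switches leading towards
+your mesh node as multicast router ports for now (Multicast Router
+Discovery, MRD, not implemented yet).
+endef
+
+define Build/Prepare
+mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-segment-mld/install
+$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-segment-mld))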
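Review bot: `DEPENDS:=+gluon-core +gluon-ebtables` covers the init script, but the rule files this package installs append to `MULTICAST_OUT` (IGMP, L343) and `MULTICAST_OUT_ICMPV6` (MLD, L353–L365), chains that are created by the file in the hunk at L535–L559; if that chain file ships in a package other than gluon-ebtables, a node that installs only this package fails at `ebtables -A` time on start, and the owning package belongs in DEPENDS — which package that is cannot be seen on this page. `PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)` is the only assignment written with spaces around `:=` while the neighbouring lines use `PKG_NAME:=`; one form should be used throughout. The description block repeats docs/package/gluon-ebtables-segment-mld.rst word for word, which tends to drift; a `# keep in sync with docs/package/gluon-ebtables-segment-mld.rst` line above `define Package/gluon-ebtables-segment-mld/description` would flag that.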
@ -0,0 +1,2 @@
chain('MULTICAST_IN', 'RETURN', 'nat')
chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')
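Review bot: Nothing explains why `chain('MULTICAST_IN', 'RETURN', 'nat')` and `chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')` are created in the nat table while the outbound chains (L552, L556) live in the default filter table; presumably the inbound rules hook into nat/PREROUTING (L333) so that a single match catches the frame before the bridge splits it into the locally delivered and the forwarded copy, but that is an inference from the hunk, not something the file states. A header comment such as `-- nat table on purpose: these chains are entered from PREROUTING, before bridging decides between INPUT and FORWARD` would make the choice explicit for the next maintainer.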
@ -0,0 +1,2 @@
rule ('PREROUTING -d Multicast --logical-in br-client -i bat0 -j MULTICAST_IN', 'nat')
rule ('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp -j MULTICAST_IN_ICMPV6', 'nat')
@ -0,0 +1,2 @@
rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP')
rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')
@ -0,0 +1,9 @@
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report
@ -24,12 +24,15 @@ exec_file() {
local file="$1"
local file="$1"
/usr/bin/lua -e "
/usr/bin/lua -e "
function rule(command)
function rule(command, table)
table = table or 'filter'
os.execute($EBTABLES_RULE)
os.execute($EBTABLES_RULE)
end
end
function chain(name, policy)
function chain(name, policy, table)
table = table or 'filter'
os.execute($EBTABLES_CHAIN)
os.execute($EBTABLES_CHAIN)
end
end
" "$file"
" "$file"
}
}
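Review bot: The new second parameter is named `table` in both `function rule(command, table)` and `function chain(name, policy, table)`, which shadows Lua's standard `table` library inside those functions; neither body in the hunk calls `table.*`, but the exported `$EBTABLES_RULE` / `$EBTABLES_CHAIN` snippets at L474, L479, L513 and L518 concatenate the same name, so a rename (e.g. to `tbl`) has to change all six places together. The defaulting lines `table = table or 'filter'` also deserve a comment in the shell wrapper, because rule files are plain Lua and nothing states what the optional argument selects: `# rule(command [, table]) / chain(name, policy [, table]) -- table is the ebtables table, default 'filter'`. exec_file() begins before this hunk.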
@ -48,8 +51,8 @@ exec_all() {
start() {
start() {
(
(
export EBTABLES_RULE='"ebtables -A " .. command'
export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy'
export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy'
if [ -z "$1" ]; then
if [ -z "$1" ]; then
exec_all ''
exec_all ''
@ -61,8 +64,8 @@ start() {
stop() {
stop() {
(
(
export EBTABLES_RULE='"ebtables -D " .. command'
export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command'
export EBTABLES_CHAIN='"ebtables -X " .. name'
export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
if [ -z "$1" ]; then
if [ -z "$1" ]; then
exec_all '-r'
exec_all '-r'
@ -1,2 +1,5 @@
chain('IN_ONLY', 'RETURN')
chain('IN_ONLY', 'RETURN')
chain('OUT_ONLY', 'RETURN')
chain('OUT_ONLY', 'RETURN')
chain('MULTICAST_OUT', 'RETURN')
chain('MULTICAST_OUT_ICMPV6', 'RETURN')
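Review bot: `chain('MULTICAST_OUT', 'RETURN')` replaces a chain that used to be created with policy DROP (removed at L75); the default-deny now lives in the separate `rule ('MULTICAST_OUT -j DROP')` file at L118, so a reader of this file alone cannot tell that the RETURN policy is deliberate rather than a weakening of the filter. A comment would record the design: `-- policy RETURN on purpose: the trailing DROP is a separate rule file so other packages can append their rules before it`. The same applies to `chain('MULTICAST_OUT_ICMPV6', 'RETURN')`, whose catch-all `-j ACCEPT` is added at L93.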
@ -0,0 +1,4 @@
rule 'OUTPUT -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT'
rule 'FORWARD -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j MULTICAST_OUT_ICMPV6'