Merge pull request #674 from T-X/filter-igmp-mld

Filter IGMP+MLD
Matthias Schiffer 2016-07-27 17:24:43 +02:00 committed by GitHub
commit 7565839fc4
13 changed files with 102 additions and 14 deletions


@ -0,0 +1,16 @@
gluon-ebtables-segment-mld
==========================
These filters drop IGMP/MLD packets before they enter the mesh and
filter any IGMP/MLD packets coming from the mesh.
IGMP/MLD have the concept of a local, elected Querier. For more
decentralization and increased robustness, the idea of this package is
to split the IGMP/MLD domain a querier is responsible for, allowing to
have a querier per node. The split IGMP/MLD domain will also reduce
overhead for this packet type, increasing scalability.
Beware of the consequences of using this package though: You might need
to explicitly, manually mark ports on snooping switches leading towards
your mesh node as multicast router ports for now (Multicast Router
Discovery, MRD, not implemented yet).


@ -1 +0,0 @@
chain('MULTICAST_OUT', 'DROP')


@ -1,5 +1,3 @@
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j DROP' rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j RETURN'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j DROP' rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j RETURN' -- ICMP Node Information Query
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN' rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol 0 -j RETURN' -- hop-by-hop
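Review bot: The new `rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'` on the third changed line replaces a `RETURN`, and ACCEPT inside a user-defined chain ends traversal, so every ICMPv6 packet reaching it bypasses all later rules of MULTICAST_OUT, including the terminal `rule ('MULTICAST_OUT -j DROP')` this commit adds in another file. That is presumably the intent, but it also means the MLD DROP rules added to MULTICAST_OUT_ICMPV6 (ICMPv6 types 130/131/132/143) only take effect if their rule file is loaded before this one; the file names that fix that order are not visible on this page, so it is worth confirming. A trailing comment would make the constraint explicit, e.g. `rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT' -- terminal; the MLD DROP rules must be loaded before this file`.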


@ -1,2 +0,0 @@
rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'


@ -0,0 +1 @@
rule ('MULTICAST_OUT -j DROP')
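Review bot: `rule ('MULTICAST_OUT -j DROP')` is now the only thing that makes MULTICAST_OUT deny-by-default, since the chain is created with policy `RETURN` further down in this commit, so it has to be the last rule appended to that chain. Whether it is depends on how this rule file sorts against the files that append the RETURN/ACCEPT whitelist rules and the `-j MULTICAST_OUT_ICMPV6` dispatch, and none of those file names are visible here; if the order is by filename, a comment stating the constraint would help, e.g. `rule('MULTICAST_OUT -j DROP') -- terminal DROP; this file must sort after every other MULTICAST_OUT rule file`. Separately, `rule (` with a space differs from the `rule(` spelling used in the other new rule files of this commit; the two nat PREROUTING rules have the same inconsistency.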


@ -0,0 +1,51 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=gluon-ebtables-segment-mld
PKG_VERSION:=1
PKG_RELEASE:=1
PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
include $(INCLUDE_DIR)/package.mk
define Package/gluon-ebtables-segment-mld
SECTION:=gluon
CATEGORY:=Gluon
TITLE:=Ebtables filters for IGMP/MLD packets
DEPENDS:=+gluon-core +gluon-ebtables
endef
define Package/gluon-ebtables-segment-mld/description
Gluon community wifi mesh firmware framework: Ebtables filters for
IGMP/MLD packets
These filters drop IGMP/MLD packets before they enter the mesh and
filter any IGMP/MLD packets coming from the mesh.
IGMP/MLD have the concept of a local, elected Querier. For more
decentralization and increased robustness, the idea of this package is
to split the IGMP/MLD domain a querier is responsible for, allowing to
have a querier per node. The split IGMP/MLD domain will also reduce
overhead for this packet type, increasing scalability.
Beware of the consequences of using this package though: You might need
to explicitly, manually mark ports on snooping switches leading towards
your mesh node as multicast router ports for now (Multicast Router
Discovery, MRD, not implemented yet).
endef
define Build/Prepare
mkdir -p $(PKG_BUILD_DIR)
endef
define Build/Configure
endef
define Build/Compile
endef
define Package/gluon-ebtables-segment-mld/install
$(CP) ./files/* $(1)/
endef
$(eval $(call BuildPackage,gluon-ebtables-segment-mld))
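Review bot: `PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)` is the only assignment in this Makefile written with spaces around `:=`, while `PKG_NAME:=`, `PKG_VERSION:=` and `PKG_RELEASE:=` are not; `PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)` keeps the file uniform. The description block also repeats the package README word for word, which leaves two copies to keep in sync; if the project's other packages keep the long text in one place only, a shorter description here would avoid that drift.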


@ -0,0 +1,2 @@
chain('MULTICAST_IN', 'RETURN', 'nat')
chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat')
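Review bot: Neither `chain('MULTICAST_IN', 'RETURN', 'nat')` nor the PREROUTING rule in the next file says why the ingress filter lives in the `nat` table rather than `filter`; the reason is that ebtables only offers a PREROUTING chain in its nat table, so hooking packets arriving on bat0 before the bridge forwards them has to go there, and a DROP decision in nat is something readers will not expect to find. A short comment on the first line, e.g. `-- 'nat' because ebtables has no PREROUTING chain in the filter table`, would save the next maintainer that lookup; the same comment fits the PREROUTING rule file.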


@ -0,0 +1,2 @@
rule ('PREROUTING -d Multicast --logical-in br-client -i bat0 -j MULTICAST_IN', 'nat')
rule ('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp -j MULTICAST_IN_ICMPV6', 'nat')


@ -0,0 +1,2 @@
rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP')
rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')


@ -0,0 +1,9 @@
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done
rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done
rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report


@ -24,12 +24,15 @@ exec_file() {
local file="$1" local file="$1"
/usr/bin/lua -e " /usr/bin/lua -e "
function rule(command) function rule(command, table)
table = table or 'filter'
os.execute($EBTABLES_RULE) os.execute($EBTABLES_RULE)
end end
function chain(name, policy) function chain(name, policy, table)
table = table or 'filter'
os.execute($EBTABLES_CHAIN) os.execute($EBTABLES_CHAIN)
end end
" "$file" " "$file"
} }
@ -48,8 +51,8 @@ exec_all() {
start() { start() {
( (
export EBTABLES_RULE='"ebtables -A " .. command' export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy' export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy'
if [ -z "$1" ]; then if [ -z "$1" ]; then
exec_all '' exec_all ''
@ -61,8 +64,8 @@ start() {
stop() { stop() {
( (
export EBTABLES_RULE='"ebtables -D " .. command' export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command'
export EBTABLES_CHAIN='"ebtables -X " .. name' export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
if [ -z "$1" ]; then if [ -z "$1" ]; then
exec_all '-r' exec_all '-r'
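Review bot: The new parameter `table` in `function rule(command, table)` and `function chain(name, policy, table)` shadows Lua's standard `table` library for the body of each function; it works because the bodies only concatenate the value into the ebtables command, but any later use of e.g. `table.concat` inside them would fail in a confusing way. Renaming it, e.g. `function rule(command, tbl)` with `tbl = tbl or 'filter'` and the matching `.. tbl ..` in the exported EBTABLES_RULE/EBTABLES_CHAIN strings of start() and stop(), avoids that. The enclosing exec_file() begins before the first hunk; the start() and stop() hunks only change the exported command strings and their bodies continue outside the view.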


@ -1,2 +1,5 @@
chain('IN_ONLY', 'RETURN') chain('IN_ONLY', 'RETURN')
chain('OUT_ONLY', 'RETURN') chain('OUT_ONLY', 'RETURN')
chain('MULTICAST_OUT', 'RETURN')
chain('MULTICAST_OUT_ICMPV6', 'RETURN')


@ -0,0 +1,4 @@
rule 'OUTPUT -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT'
rule 'FORWARD -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j MULTICAST_OUT_ICMPV6'