From 888af8ba4c7ad5e38b5a190ea27dadbc0e62f71d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?= Date: Mon, 1 May 2023 18:24:10 +0200 Subject: [PATCH] gluon-nftables-filter-multicast: migrate to nftables --- .../gluon-ebtables-filter-multicast/Makefile | 20 ------------------- .../lib/gluon/ebtables/110-mcast-allow-arp | 7 ------- .../lib/gluon/ebtables/110-mcast-allow-babel | 1 - .../lib/gluon/ebtables/110-mcast-allow-btlpd | 1 - .../lib/gluon/ebtables/110-mcast-allow-dhcpv4 | 1 - .../lib/gluon/ebtables/110-mcast-allow-dhcpv6 | 1 - .../lib/gluon/ebtables/110-mcast-allow-icmpv6 | 3 --- .../lib/gluon/ebtables/110-mcast-allow-igmp | 1 - .../lib/gluon/ebtables/110-mcast-allow-ospf | 2 -- .../gluon/ebtables/110-mcast-allow-respondd | 1 - .../lib/gluon/ebtables/110-mcast-allow-ripng | 1 - .../luasrc/lib/gluon/ebtables/355-mcast-drop | 3 --- .../gluon-nftables-filter-multicast/Makefile | 20 +++++++++++++++++++ .../gluon/nftables/110-mcast-allow-arp.lua | 7 +++++++ .../gluon/nftables/110-mcast-allow-babel.lua | 1 + .../gluon/nftables/110-mcast-allow-btlpd.lua | 1 + .../gluon/nftables/110-mcast-allow-dhcpv4.lua | 1 + .../gluon/nftables/110-mcast-allow-dhcpv6.lua | 1 + .../gluon/nftables/110-mcast-allow-icmpv6.lua | 3 +++ .../gluon/nftables/110-mcast-allow-igmp.lua | 1 + .../gluon/nftables/110-mcast-allow-ospf.lua | 1 + .../nftables/110-mcast-allow-respondd.lua | 1 + .../gluon/nftables/110-mcast-allow-ripng.lua | 1 + .../lib/gluon/nftables/355-mcast-drop.lua | 3 +++ 24 files changed, 41 insertions(+), 42 deletions(-) delete mode 100644 package/gluon-ebtables-filter-multicast/Makefile delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4 delete mode 100644 
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6 delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6 delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng delete mode 100644 package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop create mode 100644 package/gluon-nftables-filter-multicast/Makefile create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua create mode 100644 package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua create mode 100644 
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua
diff --git a/package/gluon-ebtables-filter-multicast/Makefile b/package/gluon-ebtables-filter-multicast/Makefile
deleted file mode 100644
index 92b2be2a..00000000
--- a/package/gluon-ebtables-filter-multicast/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables-filter-multicast
-
-include ../gluon.mk
-
-define Package/gluon-ebtables-filter-multicast
- TITLE:=Ebtables filters for multicast packets
- DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
-endef
-
-define Package/gluon-ebtables-filter-multicast/description
- Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
-
- These filters drop non-essential multicast traffic before it enters the mesh.
-
- Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables-filter-multicast))
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp
deleted file mode 100644
index 927776a8..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp
+++ /dev/null
@@ -1,7 +0,0 @@
--- Bridge loop avoidance
-rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:00:00:00/ff:ff:ff:fc:00:00 -j RETURN'
-rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:05:00:00/ff:ff:ff:ff:00:00 -j RETURN'
-
-rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-ip-src 0.0.0.0 -j DROP'
-rule 'MULTICAST_OUT -p ARP --arp-opcode Request --arp-ip-dst 0.0.0.0 -j DROP'
-rule 'MULTICAST_OUT -p ARP -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel
deleted file mode 100644
index d5b81771..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd
deleted file mode 100644
index 20b709f8..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4 b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4
deleted file mode 100644
index 2fca2223..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6 b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6
deleted file mode 100644
index 6d7f0f55..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6
deleted file mode 100644
index 0058ed86..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6
+++ /dev/null
@@ -1,3 +0,0 @@
-rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j RETURN'
-rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j RETURN' -- ICMP Node Information Query
-rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp
deleted file mode 100644
index 2d3814ae..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf
deleted file mode 100644
index da928d4b..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf
+++ /dev/null
@@ -1,2 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN'
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd
deleted file mode 100644
index 7df37ec9..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 1001 --ip6-dst ff05::2:1001 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng
deleted file mode 100644
index 37d31877..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination ff02::9 --ip6-destination-port 521 -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop b/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
deleted file mode 100644
index a47dda7e..00000000
--- a/package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
+++ /dev/null
@@ -1,3 +0,0 @@
-rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
-rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
-rule ('MULTICAST_OUT -j DROP')
diff --git a/package/gluon-nftables-filter-multicast/Makefile b/package/gluon-nftables-filter-multicast/Makefile
new file mode 100644
index 00000000..c2c1e969
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/Makefile
@@ -0,0 +1,20 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-filter-multicast
+
+include ../gluon.mk
+
+define Package/gluon-nftables-filter-multicast
+ TITLE:=nftables filters for multicast packets
+ DEPENDS:=+gluon-core +gluon-nftables +gluon-nftables-multicast +gluon-mesh-batman-adv
+endef
+
+define Package/gluon-nftables-filter-multicast/description
+ Gluon community wifi mesh firmware framework: nftables filters for multicast packets
+
+ These filters drop non-essential multicast traffic before it enters the mesh.
+
+ Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-filter-multicast))
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua
new file mode 100644
index 00000000..82952003
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua
@@ -0,0 +1,7 @@
+-- Bridge loop avoidance
+-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:00:00:00/ff:ff:ff:fc:00:00 return')
+-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:05:00:00/ff:ff:ff:ff:00:00 return')
+
+bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip 0.0.0.0 drop')
+bridge_rule('MULTICAST_OUT', 'arp operation request arp daddr ip 0.0.0.0 drop')
+bridge_rule('MULTICAST_OUT', 'ether type arp return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua
new file mode 100644
index 00000000..82685869
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua
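Review bot: The two bridge-loop-avoidance exceptions at the top of 110-mcast-allow-arp.lua survive only as commented-out `bridge_rule` calls, with nothing in the file or the commit message saying why they are disabled. In the ebtables version those RETURN rules were placed in front of `--arp-ip-src 0.0.0.0 -j DROP`, which suggests the BLA frames would otherwise match it; if that holds, `arp operation reply arp saddr ip 0.0.0.0 drop` now drops them, so batman-adv bridge loop avoidance should be retested with this package installed. The likely blocker is the gratuitous-ARP condition: as far as I know nftables cannot compare two payload fields in one rule, so `arp saddr ip = arp daddr ip` has no direct translation of ebtables' `--arp-gratuitous`. At minimum replace the two bare commented lines with a comment that records this, e.g. `-- BLA claim frames: nft cannot express --arp-gratuitous (saddr == daddr); these frames currently hit the 0.0.0.0 drop below`, and if a broader allow is acceptable consider keeping the exception on the target-MAC match alone.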
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 6696 return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua
new file mode 100644
index 00000000..a6f8598e
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip daddr 239.192.152.143 udp dport 6771 return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua
new file mode 100644
index 00000000..7ae0c57d
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip version 4 udp dport 67 return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua
new file mode 100644
index 00000000..22ef48a4
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 547 return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua
new file mode 100644
index 00000000..86636065
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua
@@ -0,0 +1,3 @@
+bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type echo-request return')
+bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 139 return')
+bridge_rule('MULTICAST_OUT_ICMPV6', 'accept')
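Review bot: `ip version 6` in 110-mcast-allow-babel.lua (and `ip version 6 udp dport 547` in 110-mcast-allow-dhcpv6.lua in this same commit) reads the version field of the IPv4 header; in the bridge family nft derives an `ether type ip` dependency from any `ip` payload match, so as far as I can tell this rule can only match IPv4-ethertype frames whose first nibble is 6 and never a real IPv6 packet. The ebtables originals matched `-p IPv6 --ip6-protocol udp`; with the two new rules dead, Babel and DHCPv6 multicast falls through to the final drop in 355-mcast-drop.lua. Match on the IPv6 header instead, `bridge_rule('MULTICAST_OUT', 'ip6 nexthdr udp udp dport 6696 return')`, with the same form and port 547 for DHCPv6, and confirm with `nft list ruleset` after loading that the generated dependency is `ether type ip6`.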
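Review bot: The trailing `-- ICMP Node Information Query` comment that explained `139` in the ebtables version was dropped in the translation, so 110-mcast-allow-icmpv6.lua now carries a bare magic number on its second line. Keep the explanation next to the rule: `bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 139 return') -- ICMP Node Information Query (RFC 4620)`.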
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua
new file mode 100644
index 00000000..e6c73d36
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip protocol igmp return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua
new file mode 100644
index 00000000..a5b575f0
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip protocol ospf return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua
new file mode 100644
index 00000000..309e191b
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip6 daddr ff05::2:1001 udp dport 1001 return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua
new file mode 100644
index 00000000..5162dacb
--- /dev/null
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua
@@ -0,0 +1 @@
+bridge_rule('MULTICAST_OUT', 'ip6 daddr ff02::9 udp dport 521 return')
diff --git a/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua
new file mode 100644
index 00000000..95554c70
--- /dev/null
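Review bot: 110-mcast-allow-ospf.lua keeps only the IPv4 rule; the ebtables file had a second rule, `-p IPv6 --ip6-protocol ospf -j RETURN`, and the diffstat for this file (2 deletions, 1 insertion) confirms it was not carried over, so OSPFv3 multicast would now reach the final drop rule in 355-mcast-drop.lua. Nothing in the commit message says this is intended. Either add the IPv6 counterpart, `bridge_rule('MULTICAST_OUT', 'ip6 nexthdr ospf return')`, or state the policy change in the commit message and the package description, which still lists OSPF among the allowed protocols.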
+++ b/package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua
@@ -0,0 +1,3 @@
+bridge_rule('MULTICAST_OUT', 'ip6 daddr f02::1/128 drop')
+bridge_rule('MULTICAST_OUT', 'ip6 daddr ff00::/8 mark 0x4 return')
+bridge_rule('MULTICAST_OUT', 'drop')
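Review bot: `ip6 daddr f02::1/128 drop` on the first line of 355-mcast-drop.lua is missing an `f`: the ebtables rule matched `ff02::1/128` (all-nodes), and `f02::1` is outside `ff00::/8`, so all-nodes multicast no longer hits the drop, matches the following `ip6 daddr ff00::/8 … return` rule and is forwarded into the mesh — the opposite of the previous policy. Fix: `bridge_rule('MULTICAST_OUT', 'ip6 daddr ff02::1/128 drop')`. The second line also appears to change meaning: in nft `mark 0x4` is a match on an existing packet mark, whereas the ebtables original `-j mark --set-mark 0x4 --mark-target RETURN` set the mark, so unless `bridge_rule` rewrites it, unmarked multicast falls through to the final `drop`; the statement form `bridge_rule('MULTICAST_OUT', 'ip6 daddr ff00::/8 meta mark set 0x4 return')` preserves the old behaviour.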