nils/gluon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gluon-nftables-filter-multicast: migrate to nftables

Browse Source
This commit is contained in:
Maciej Krüger 2023-05-01 18:24:10 +02:00
parent 34c0bc6e36
commit 888af8ba4c
No known key found for this signature in database
GPG Key ID: 0D948CE19CF49C5F
24 changed files with 41 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
package/gluon-ebtables-filter-multicast/Makefile
View File

@ -1,20 +0,0 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=gluon-ebtables-filter-multicast
include ../gluon.mk
define Package/gluon-ebtables-filter-multicast
TITLE:=Ebtables filters for multicast packets
DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
endef
define Package/gluon-ebtables-filter-multicast/description
Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
These filters drop non-essential multicast traffic before it enters the mesh.
Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
endef
$(eval $(call BuildPackageGluon,gluon-ebtables-filter-multicast))

7
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-arp
View File

@ -1,7 +0,0 @@
-- Bridge loop avoidance
rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:00:00:00/ff:ff:ff:fc:00:00 -j RETURN'
rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-gratuitous --arp-mac-dst ff:43:05:05:00:00/ff:ff:ff:ff:00:00 -j RETURN'
rule 'MULTICAST_OUT -p ARP --arp-opcode Reply --arp-ip-src 0.0.0.0 -j DROP'
rule 'MULTICAST_OUT -p ARP --arp-opcode Request --arp-ip-dst 0.0.0.0 -j DROP'
rule 'MULTICAST_OUT -p ARP -j RETURN'

1
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-babel
View File

@ -1 +0,0 @@
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN'

1
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-btlpd
View File

@ -1 +0,0 @@
rule 'MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN'

1
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv4
View File

@ -1 +0,0 @@
rule 'MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN'

1
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-dhcpv6
View File

@ -1 +0,0 @@
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j RETURN'

3
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-icmpv6
View File

@ -1,3 +0,0 @@
rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j RETURN'
rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j RETURN' -- ICMP Node Information Query
rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT'

1
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-igmp
View File

@ -1 +0,0 @@
rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'

2
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ospf
View File

@ -1,2 +0,0 @@
rule 'MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN'
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN'

1
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-respondd
View File

@ -1 +0,0 @@
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 1001 --ip6-dst ff05::2:1001 -j RETURN'

1
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/110-mcast-allow-ripng
View File

@ -1 +0,0 @@
rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination ff02::9 --ip6-destination-port 521 -j RETURN'

3
package/gluon-ebtables-filter-multicast/luasrc/lib/gluon/ebtables/355-mcast-drop
View File

@ -1,3 +0,0 @@
rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff02::1/128 -j DROP')
rule ('MULTICAST_OUT -p IPv6 --ip6-dst ff00::/8 -j mark --set-mark 0x4 --mark-target RETURN')
rule ('MULTICAST_OUT -j DROP')

20
package/gluon-nftables-filter-multicast/Makefile Normal file
View File

@ -0,0 +1,20 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=gluon-nftables-filter-multicast
include ../gluon.mk
define Package/gluon-nftables-filter-multicast
TITLE:=nftables filters for multicast packets
DEPENDS:=+gluon-core +gluon-nftables +gluon-nftables-multicast +gluon-mesh-batman-adv
endef
define Package/gluon-nftables-filter-multicast/description
Gluon community wifi mesh firmware framework: nftables filters for multicast packets
These filters drop non-essential multicast traffic before it enters the mesh.
Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
endef
$(eval $(call BuildPackageGluon,gluon-nftables-filter-multicast))

7
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-arp.lua Normal file
View File

@ -0,0 +1,7 @@
-- Bridge loop avoidance
-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:00:00:00/ff:ff:ff:fc:00:00 return')
-- bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip = arp daddr ip arp daddr ether ff:43:05:05:00:00/ff:ff:ff:ff:00:00 return')
bridge_rule('MULTICAST_OUT', 'arp operation reply arp saddr ip 0.0.0.0 drop')
bridge_rule('MULTICAST_OUT', 'arp operation request arp daddr ip 0.0.0.0 drop')
bridge_rule('MULTICAST_OUT', 'ether type arp return')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-babel.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 6696 return')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-btlpd.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip daddr 239.192.152.143 udp dport 6771 return')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv4.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip version 4 udp dport 67 return')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-dhcpv6.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip version 6 udp dport 547 return')

3
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-icmpv6.lua Normal file
View File

@ -0,0 +1,3 @@
bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type echo-request return')
bridge_rule('MULTICAST_OUT_ICMPV6', 'icmpv6 type 139 return')
bridge_rule('MULTICAST_OUT_ICMPV6', 'accept')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-igmp.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip protocol igmp return')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ospf.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip protocol ospf return')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-respondd.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip6 daddr ff05::2:1001 udp dport 1001 return')

1
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/110-mcast-allow-ripng.lua Normal file
View File

@ -0,0 +1 @@
bridge_rule('MULTICAST_OUT', 'ip6 daddr ff02::9 udp dport 521 return')

3
package/gluon-nftables-filter-multicast/luasrc/lib/gluon/nftables/355-mcast-drop.lua Normal file
View File

@ -0,0 +1,3 @@
bridge_rule('MULTICAST_OUT', 'ip6 daddr f02::1/128 drop')
bridge_rule('MULTICAST_OUT', 'ip6 daddr ff00::/8 mark 0x4 return')
bridge_rule('MULTICAST_OUT', 'drop')