From df031f8ea4837a1ce647e6dd4d5a3c49840f84d9 Mon Sep 17 00:00:00 2001 From: seth0r <8156874+seth0r@users.noreply.github.com> Date: Tue, 6 Dec 2022 19:04:36 +0100 Subject: [PATCH 1/7] added: ap_isolation option for bat0 --- .../files/lib/netifd/proto/gluon_bat0.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh b/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh index 91ea0d35..efe34fc2 100755 --- a/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh +++ b/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh @@ -10,6 +10,7 @@ proto_gluon_bat0_init_config() { renew_handler=1 proto_config_add_string 'gw_mode' + proto_config_add_boolean 'ap_isolation:bool' } lookup_site() { @@ -40,7 +41,9 @@ proto_gluon_bat0_setup() { local routing_algo="$(lookup_site 'mesh.batman_adv.routing_algo' 'BATMAN_IV')" local gw_mode + local ap_isolation json_get_vars gw_mode + json_get_vars ap_isolation batctl routing_algo "$routing_algo" batctl interface create @@ -48,6 +51,8 @@ proto_gluon_bat0_setup() { batctl orig_interval 5000 batctl hop_penalty "$(lookup_uci 'gluon.mesh_batman_adv.hop_penalty' 15)" batctl noflood_mark 0x4/0x4 + + [ -n "$ap_isolation" ] && batctl ap_isolation "$ap_isolation" case "$gw_mode" in server) From e5edeb8565a44e94561abaa6b7100ad30c838993 Mon Sep 17 00:00:00 2001 From: Seth0r Date: Tue, 7 Mar 2023 18:39:08 +0100 Subject: [PATCH 2/7] added batman isolation mark option for batadv extended isolation --- .../files/lib/netifd/proto/gluon_bat0.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh b/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh index efe34fc2..5357df0f 100755 --- a/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh +++ b/package/gluon-mesh-batman-adv/files/lib/netifd/proto/gluon_bat0.sh @@ -11,6 +11,7 @@ proto_gluon_bat0_init_config() { proto_config_add_string 'gw_mode' proto_config_add_boolean 'ap_isolation:bool' + proto_config_add_string 'isolation_mark' } lookup_site() { @@ -42,8 +43,10 @@ proto_gluon_bat0_setup() { local gw_mode local ap_isolation + local isolation_mark json_get_vars gw_mode json_get_vars ap_isolation + json_get_vars isolation_mark batctl routing_algo "$routing_algo" batctl interface create @@ -53,6 +56,7 @@ proto_gluon_bat0_setup() { batctl noflood_mark 0x4/0x4 [ -n "$ap_isolation" ] && batctl ap_isolation "$ap_isolation" + [ -n "$isolation_mark" ] && batctl isolation_mark "$isolation_mark" case "$gw_mode" in server) From c4d03e9566ff613ed8368fc7d0cea6847bfce593 Mon Sep 17 00:00:00 2001 From: Seth0r Date: Wed, 8 Mar 2023 20:58:25 +0100 Subject: [PATCH 3/7] added client isolation package --- package/gluon-client-isolation/Makefile | 40 +++++++++++++++++++ .../lib/gluon/ebtables/100-isolated-chain | 1 + .../gluon/ebtables/110-mark-isolated-rules | 12 ++++++ .../ebtables/120-drop-marked-isolated-rules | 12 ++++++ .../lib/gluon/ebtables/400-isolated-rules | 1 + .../lib/gluon/upgrade/340-client-isolation | 38 ++++++++++++++++++ 6 files changed, 104 insertions(+) create mode 100644 package/gluon-client-isolation/Makefile create mode 100644 package/gluon-client-isolation/luasrc/lib/gluon/ebtables/100-isolated-chain create mode 100644 package/gluon-client-isolation/luasrc/lib/gluon/ebtables/110-mark-isolated-rules create mode 100644 package/gluon-client-isolation/luasrc/lib/gluon/ebtables/120-drop-marked-isolated-rules create mode 100644 package/gluon-client-isolation/luasrc/lib/gluon/ebtables/400-isolated-rules create mode 100755 package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation diff --git a/package/gluon-client-isolation/Makefile b/package/gluon-client-isolation/Makefile new file mode 100644 index 00000000..e64822ba --- /dev/null +++ b/package/gluon-client-isolation/Makefile @@ -0,0 +1,40 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-client-isolation + +include ../gluon.mk + +define Package/gluon-client-isolation + TITLE:=Support for client isolation over batman-adv + DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv +endef + +define Package/gluon-client-isolation/description + This package provides client isolation in a batman-adv + bridged layer 2 network. + + To use it, mesh.isolate must be set in the site or + domain configuration. + + When it is set to wireless, wireless clients are isolated from + other wireless clients, wireless to wired, wired to wireless + and wire to wired traffic is not affected in this mode. + + When it is set to all, wired traffic is also isolated. + + To isolate the clients connected to the same wireless interface, + it sets the isolate option in the wireless configuration for + the client and owe wifi interfaces. + + To extend the isolation the ap_isolation and isolation_mark + options are set for the gluon_bat0 network interface. + + A new filter chain ISOLATED is added to ebtables, through which + all traffic of br-client is routed. + Depending the value of mesh.isolate, the traffic is marked when + it arrives from the interfaces to isolate and batman-adv + restores the mark for isolated traffic from other nodes. + The marked traffic will not be forwarded to isolated interfaces. +endef + +$(eval $(call BuildPackageGluon,gluon-client-isolation)) diff --git a/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/100-isolated-chain b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/100-isolated-chain new file mode 100644 index 00000000..37147cd0 --- /dev/null +++ b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/100-isolated-chain @@ -0,0 +1 @@ +chain('ISOLATED', 'ACCEPT') diff --git a/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/110-mark-isolated-rules b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/110-mark-isolated-rules new file mode 100644 index 00000000..b77dd9b6 --- /dev/null +++ b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/110-mark-isolated-rules @@ -0,0 +1,12 @@ +local isolate = require('gluon.site').mesh.isolate("none") + +if isolate == "all" then + for _,dev in ipairs({ 'eth0', 'eth1', 'client0', 'client1', 'owe0', 'owe1' }) do + rule('ISOLATED -i ' .. dev .. ' -j mark --mark-or 0x10 --mark-target CONTINUE') + end +end +if isolate == "wireless" then + for _,dev in ipairs({ 'client0', 'client1', 'owe0', 'owe1' }) do + rule('ISOLATED -i ' .. dev .. ' -j mark --mark-or 0x10 --mark-target CONTINUE') + end +end diff --git a/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/120-drop-marked-isolated-rules b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/120-drop-marked-isolated-rules new file mode 100644 index 00000000..1e5a65cc --- /dev/null +++ b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/120-drop-marked-isolated-rules @@ -0,0 +1,12 @@ +local isolate = require('gluon.site').mesh.isolate("none") + +if isolate == "all" then + for _,dev in ipairs({ 'eth0', 'eth1', 'client0', 'client1', 'owe0', 'owe1' }) do + rule('ISOLATED -o ' .. dev .. ' --mark 0x10/0x10 -j DROP') + end +end +if isolate == "wireless" then + for _,dev in ipairs({ 'client0', 'client1', 'owe0', 'owe1' }) do + rule('ISOLATED -o ' .. dev .. ' --mark 0x10/0x10 -j DROP') + end +end diff --git a/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/400-isolated-rules b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/400-isolated-rules new file mode 100644 index 00000000..1fa1aebb --- /dev/null +++ b/package/gluon-client-isolation/luasrc/lib/gluon/ebtables/400-isolated-rules @@ -0,0 +1 @@ +rule('FORWARD --logical-in br-client -j ISOLATED') diff --git a/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation b/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation new file mode 100755 index 00000000..aecbe700 --- /dev/null +++ b/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation @@ -0,0 +1,38 @@ +#!/usr/bin/lua + +local site = require 'gluon.site' +local wireless = require 'gluon.wireless' + +local isolate = site.mesh.isolate("none") + +local uci = require('simple-uci').cursor() + +wireless.foreach_radio(uci, function(radio) + local radio_name = radio['.name'] + vif = 'client_' .. radio_name + if uci:get('wireless', vif) then + uci:delete('wireless', vif, 'isolate') + if isolate == "all" or isolate == "wireless" then + uci:set('wireless', vif, 'isolate', '1') + end + end + vif = 'owe_' .. radio_name + if uci:get('wireless', vif) then + uci:delete('wireless', vif, 'isolate') + if isolate == "all" or isolate == "wireless" then + uci:set('wireless', vif, 'isolate', '1') + end + end +end) + +uci:save('wireless') + +uci:delete('network', 'gluon_bat0', 'ap_isolation') +uci:delete('network', 'gluon_bat0', 'isolation_mark') + +if isolate == "all" or isolate == "wireless" then + uci:set('network', 'gluon_bat0', 'ap_isolation', '1') + uci:set('network', 'gluon_bat0', 'isolation_mark', '0x10/0x10') +end + +uci:save('network') From 328914ddca94d8ccac2f0608b2aaa564973bd144 Mon Sep 17 00:00:00 2001 From: Seth0r Date: Mon, 3 Apr 2023 16:04:25 +0200 Subject: [PATCH 4/7] addded initial documentation --- docs/features/client-isolation.rst | 58 ++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 docs/features/client-isolation.rst diff --git a/docs/features/client-isolation.rst b/docs/features/client-isolation.rst new file mode 100644 index 00000000..4236aa5a --- /dev/null +++ b/docs/features/client-isolation.rst @@ -0,0 +1,58 @@ +Client Isolation Support +======================== + +Normally every client is a wireless network can communicate +with any other client in the network. +Client Isolation is a security feature which prevents +Client-to-Client communication. + +There are two different modes to isolate traffic, which can be +selected by the ``mesh.isolate`` setting in the site or domain +configuration. + +Full Client Isolation Mode +-------------------------- + +In the full isolation mode all traffic between wireless and +wired clients is prevented. The Clients are only able to access +the Gateway and the Internet. + +This mode may not be very useful in a Freifunk context. + +It can be activated by setting ``mesh.isolate`` to ``all`` in the +site or domain configuration. + +:: + + { + mesh = { + isolate = 'all' + }, + + -- more domain specific config follows below + } + +Wireless Client Isolation Mode +------------------------------ + +In the wireless isolation mode only wireless clients are isolated +from other wireless clients. Communication where a wired client is +involved is not prevented. So every client can access any wired +client and every wired client can access all of the clients, only +wireless clients can not access other wireless clients. + +This mode may be more useful in a Freifunk context, but is still +not as ``frei`` as without any isolation. + +It can be activated by setting ``mesh.isolate`` to ``wireless`` +in the site or domain configuration. + +:: + + { + mesh = { + isolate = 'wireless' + }, + + -- more domain specific config follows below + } From bb57cfef9b93e8d5d45e81bc6f4cacff01d158af Mon Sep 17 00:00:00 2001 From: Seth0r Date: Mon, 3 Apr 2023 16:08:36 +0200 Subject: [PATCH 5/7] fixed warnings --- .../luasrc/lib/gluon/upgrade/340-client-isolation | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation b/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation index aecbe700..3c8fde19 100755 --- a/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation +++ b/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation @@ -9,14 +9,14 @@ local uci = require('simple-uci').cursor() wireless.foreach_radio(uci, function(radio) local radio_name = radio['.name'] - vif = 'client_' .. radio_name + local vif = 'client_' .. radio_name if uci:get('wireless', vif) then uci:delete('wireless', vif, 'isolate') if isolate == "all" or isolate == "wireless" then uci:set('wireless', vif, 'isolate', '1') end end - vif = 'owe_' .. radio_name + local vif = 'owe_' .. radio_name if uci:get('wireless', vif) then uci:delete('wireless', vif, 'isolate') if isolate == "all" or isolate == "wireless" then From 4b4c46291ebcde702c0c1f564e30500a14476c3c Mon Sep 17 00:00:00 2001 From: Seth0r Date: Mon, 3 Apr 2023 18:37:32 +0200 Subject: [PATCH 6/7] added client isolation documentation to index --- docs/index.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/index.rst b/docs/index.rst index 99fc8535..c6c93759 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -31,6 +31,7 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre features/authorized-keys features/roles features/vpn + features/client-isolation .. toctree:: :caption: Developer Documentation From cba11b04cb28abbc0f08db8565924df80f56a840 Mon Sep 17 00:00:00 2001 From: Seth0r Date: Mon, 3 Apr 2023 22:18:14 +0200 Subject: [PATCH 7/7] fixed double definition --- .../luasrc/lib/gluon/upgrade/340-client-isolation | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation b/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation index 3c8fde19..edb83a54 100755 --- a/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation +++ b/package/gluon-client-isolation/luasrc/lib/gluon/upgrade/340-client-isolation @@ -16,7 +16,7 @@ wireless.foreach_radio(uci, function(radio) uci:set('wireless', vif, 'isolate', '1') end end - local vif = 'owe_' .. radio_name + vif = 'owe_' .. radio_name if uci:get('wireless', vif) then uci:delete('wireless', vif, 'isolate') if isolate == "all" or isolate == "wireless" then