gluon-radv-filterd: migrate to nftables

2023-05-01 19:34:51 +02:00 · 2023-05-01 19:34:51 +02:00 · b9f86e1d83
commit b9f86e1d83
parent e6a8cda992
3 changed files with 16 additions and 4 deletions
--- a/package/gluon-radv-filterd/Makefile
+++ b/package/gluon-radv-filterd/Makefile
@ -6,7 +6,7 @@ include ../gluon.mk

 define Package/gluon-radv-filterd
  TITLE:=Filter IPv6 router advertisements
-  DEPENDS:=+gluon-ebtables +libgluonutil +libbatadv +libnl-tiny
+  DEPENDS:=+gluon-nftables +libgluonutil +libbatadv +libnl-tiny
 endef

 MAKE_VARS += \
--- a/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd
+++ b/package/gluon-radv-filterd/luasrc/lib/gluon/ebtables/400-radv-filterd
@ -1,3 +0,0 @@
-chain('RADV_FILTER', 'DROP')
-rule 'FORWARD -p IPv6 -i bat0 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j RADV_FILTER'
-rule 'RADV_FILTER -j ACCEPT'
--- a/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua
+++ b/package/gluon-radv-filterd/luasrc/lib/gluon/nftables/400-radv-filterd.lua
@ -0,0 +1,15 @@
+bridge_table('pre', [[set radv_allow {
+	type ether_addr
+}
+
+set radv_filter {
+	type ether_addr
+}
+]])
+
+-- This rule starts filtering once the address is in radv_filter
+
+-- Daemon adds 00:00:../ff:ff:.. to radv_filter (todo) so everything gets picked up,
+-- effectivly turning radv_filter into a bool
+
+bridge_rule('FORWARD', 'ether saddr @radv_filter iifname "bat0" icmpv6 type nd-router-advert ether saddr != @radv_allow drop')