diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain index ec0013a3..ccbd5904 100644 --- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain +++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain @@ -1 +1,2 @@ chain('MULTICAST_OUT', 'DROP') +chain('MULTICAST_IN', 'ACCEPT', 'nat') diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 index b670ff45..338a6934 100644 --- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 +++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 @@ -1 +1,4 @@ +rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP' -- MLD query +rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP' -- MLDv1 report +rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP' -- MLDv2 report rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN' diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp deleted file mode 100644 index 2d3814ae..00000000 --- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp +++ /dev/null @@ -1 +0,0 @@ -rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN' diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp new file mode 100644 index 00000000..a7d03920 --- /dev/null +++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp @@ -0,0 +1 @@ +rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat') diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld new file mode 100644 index 00000000..197ec283 --- /dev/null +++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld @@ -0,0 +1,3 @@ +rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD query +rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 report +rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 report diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast index c52f122f..53944dc7 100644 --- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast +++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast @@ -1,2 +1,4 @@ rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT' rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT' + +rule('PREROUTING --logical-in br-client -i bat0 -d Multicast -j MULTICAST_IN', 'nat') diff --git a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables index 5a770452..e6bffe96 100755 --- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables +++ b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables @@ -24,12 +24,15 @@ exec_file() { local file="$1" /usr/bin/lua -e " - function rule(command) + function rule(command, table) + table = table or 'filter' os.execute($EBTABLES_RULE) end - function chain(name, policy) + function chain(name, policy, table) + table = table or 'filter' os.execute($EBTABLES_CHAIN) end + " "$file" } @@ -48,8 +51,8 @@ exec_all() { start() { ( - export EBTABLES_RULE='"ebtables -A " .. command' - export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy' + export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command' + export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy' if [ -z "$1" ]; then exec_all '' @@ -61,8 +64,8 @@ start() { stop() { ( - export EBTABLES_RULE='"ebtables -D " .. command' - export EBTABLES_CHAIN='"ebtables -X " .. name' + export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command' + export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name' if [ -z "$1" ]; then exec_all '-r'