From c5ce1525e651e42bace386dfb7502c2744169f23 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Linus=20L=C3=BCssing?=
Date: Sat, 5 Sep 2015 04:53:47 +0200
Subject: [PATCH] ebtables-filter-mcast: Segment IGMP/MLD domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Filter IGMP/MLD messages so that we can have an IGMP/MLD querier per node. Segmenting the IGMP/MLD domain on a per-node basis allows us to *not* rely on a central querier (on a gateway, for instance) to take advantage of multicast snooping. Even though we then no longer receive reports from other nodes, the "multicast_router" bridge port setting will ensure that multicast packets are always forwarded towards bat0 (unless filtered by another ebtables rule). Note that IGMP/MLD are filtered for multicast traffic coming from the mesh, too (new MULTICAST_IN), as unfortunately there seem to be other queriers somewhere in the mesh, at least for Freifunk Lübeck. Such queriers would potentially confuse / silence the querier on a node.

Signed-off-by: Linus Lüssing
---
 .../files/lib/gluon/ebtables/100-mcast-chain | 1 +
 .../lib/gluon/ebtables/110-mcast-allow-icmpv6 | 3 +++
 .../files/lib/gluon/ebtables/110-mcast-allow-igmp | 1 -
 .../files/lib/gluon/ebtables/110-mcast-drop-igmp | 1 +
 .../files/lib/gluon/ebtables/110-mcast-drop-mld | 3 +++
 .../files/lib/gluon/ebtables/300-mcast | 2 ++
 .../files/etc/init.d/gluon-ebtables | 15 +++++++++------
 7 files changed, 19 insertions(+), 7 deletions(-)
 delete mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
index ec0013a3..ccbd5904 100644
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
@@ -1 +1,2 @@
 chain('MULTICAST_OUT', 'DROP')
+chain('MULTICAST_IN', 'ACCEPT', 'nat')
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
index b670ff45..338a6934 100644
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
@@ -1 +1,4 @@
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP' -- MLD query
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP' -- MLDv1 report
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP' -- MLDv2 report
 rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
deleted file mode 100644
index 2d3814ae..00000000
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
+++ /dev/null
@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp
new file mode 100644
index 00000000..a7d03920
--- /dev/null
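Review bot: The three new DROP rules in the 110-mcast-allow-icmpv6 hunk cover MLD query (130), MLDv1 report (131) and MLDv2 report (143) but not MLD Listener Done (ICMPv6 type 132), whereas the IPv4 side drops the whole IGMP protocol in 110-mcast-drop-igmp, so a Done message still crosses the node boundary in both directions; the same gap is in 110-mcast-drop-mld. Whether a leaked Done can make a remote querier react is not established here, so either add a matching `--ip6-icmp-type 132` rule or leave a comment stating that Done is deliberately passed through. As a matter of layout, the MULTICAST_OUT drop rules now live in a file named `110-mcast-allow-icmpv6` while the MULTICAST_IN counterpart got its own `110-mcast-drop-mld`; mirroring that split on the OUT side would keep the file names truthful.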
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp
@@ -0,0 +1 @@
+rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld
new file mode 100644
index 00000000..197ec283
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld
@@ -0,0 +1,3 @@
+rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD query
+rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 report
+rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 report
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
index c52f122f..53944dc7 100644
--- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
@@ -1,2 +1,4 @@
 rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
 rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
+
+rule('PREROUTING --logical-in br-client -i bat0 -d Multicast -j MULTICAST_IN', 'nat')
diff --git a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
index 5a770452..e6bffe96 100755
--- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+++ b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables
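Review bot: The new PREROUTING rule in the 300-mcast hunk is the only place in this package that passes an explicit table, and nothing says why; a reader who does not know that ebtables keeps PREROUTING in the nat table rather than filter will read the `'nat'` argument as a mistake. Add a comment above it such as `-- PREROUTING only exists in ebtables' nat table, so MULTICAST_IN has to live there too`. It is also worth stating next to the rule that MULTICAST_IN is created with policy ACCEPT in 100-mcast-chain, so only the IGMP/MLD types listed in the 110-mcast-drop-* files are dropped and all other mesh multicast still passes.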
@@ -24,12 +24,15 @@ exec_file() {
 local file="$1"
 /usr/bin/lua -e "
-function rule(command)
+function rule(command, table)
+table = table or 'filter'
 os.execute($EBTABLES_RULE)
 end
-function chain(name, policy)
+function chain(name, policy, table)
+table = table or 'filter'
 os.execute($EBTABLES_CHAIN)
 end
+
 " "$file"
 }
@@ -48,8 +51,8 @@ exec_all() {
 start() {
 (
-export EBTABLES_RULE='"ebtables -A " .. command'
-export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy'
+export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
+export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy'
 if [ -z "$1" ]; then
 exec_all ''
@@ -61,8 +64,8 @@ start() {
 stop() {
 (
-export EBTABLES_RULE='"ebtables -D " .. command'
-export EBTABLES_CHAIN='"ebtables -X " .. name'
+export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command'
+export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
 if [ -z "$1" ]; then
 exec_all '-r'
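Review bot: The new parameter named `table` in the exec_file hunk shadows Lua's standard `table` library for the whole body of rule() and chain(); it is harmless today because both bodies only call os.execute, but the next person to add a `table.concat` inside the embedded Lua will get a confusing "attempt to call a nil value" at boot. Renaming it to something like `tbl` — `function rule(command, tbl)` / `tbl = tbl or 'filter'` and the same in chain() — avoids that, with the `.. table ..` fragments in the start() and stop() export strings updated to match since they are evaluated inside those functions. Note also that the value is spliced straight into the command line for os.execute with no check against the known table names, so a typo in a rule file surfaces only as an ebtables error during start; a one-line comment stating that the rule files are the only source of this argument would make that trust boundary explicit.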