ebtables-filter-mcast: Segment IGMP/MLD domain

Filter IGMP/MLD messges so that we can have an IGMP/MLD querier per
node. Segmenting the IGMP/MLD domain on a per node basis allows us
to *not* rely on a central querier (on a gateway for instance) to
take advantage of multicast snooping.

Even though we receive no more reports from other nodes anymore then,
the "multicast_router" bridge port setting will ensure to always
forward multicast packets towards bat0 (unless filtered by another
ebtables rule).

Note that IGMP/MLD are filtered for multicast traffic coming from
the mesh, too (new MULTICAST_IN), as unfortunately there seem to
be other queriers somewhere in the mesh at least for Freifunk
Lübeck. Such queriers would potentially confuse / silence the
querier on a node.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain

@@ -1 +1,2 @@
 chain('MULTICAST_OUT', 'DROP')
+chain('MULTICAST_IN', 'ACCEPT', 'nat')

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6

@@ -1 +1,4 @@
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP' -- MLD query
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP' -- MLDv1 report
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP' -- MLDv2 report
 rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp

@@ -1 +0,0 @@
-rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-igmp

@@ -0,0 +1 @@
+rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat')

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-drop-mld

@@ -0,0 +1,3 @@
+rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD query
+rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 report
+rule('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 report

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast

@@ -1,2 +1,4 @@
 rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
 rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
+
+rule('PREROUTING --logical-in br-client -i bat0 -d Multicast -j MULTICAST_IN', 'nat')

package/gluon-ebtables/files/etc/init.d/gluon-ebtables

@@ -24,12 +24,15 @@ exec_file() {
 	local file="$1"
 
 	/usr/bin/lua -e "
-		function rule(command)
+		function rule(command, table)
+			table = table or 'filter'
 			os.execute($EBTABLES_RULE)
 		end
-		function chain(name, policy)
+		function chain(name, policy, table)
+			table = table or 'filter'
 			os.execute($EBTABLES_CHAIN)
 		end
+
 	" "$file"
 }
 
@@ -48,8 +51,8 @@ exec_all() {
 
 start() {
 	(
-		export EBTABLES_RULE='"ebtables -A " .. command'
-		export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy'
+		export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
+		export EBTABLES_CHAIN='"ebtables -t " .. table .. "  -N " .. name .. " -P " .. policy'
 
 		if [ -z "$1" ]; then
 			exec_all ''
@@ -61,8 +64,8 @@ start() {
 
 stop() {
 	(
-		export EBTABLES_RULE='"ebtables -D " .. command'
-		export EBTABLES_CHAIN='"ebtables -X " .. name'
+		export EBTABLES_RULE='"ebtables -t " ..	table .. " -D " .. command'
+		export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
 
 		if [ -z "$1" ]; then
 			exec_all '-r'