add package gluon-ebtables-source-filter
							parent
							
								
									13c61d9394
								
							
						
					
					
						commit
						c7e01557fb
					
				
							
								
								
									
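--- a/docs/package/gluon-ebtables-source-filter.rst
+++ b/docs/package/gluon-ebtables-source-filter.rst
@@ -0,0 +1,30 @@
+gluon-ebtables-source-filter
+============================
+
+The *gluon-ebtables-source-filter* package adds an additional layer-2 filter
+ruleset to prevent unreasonable traffic entering the network via the nodes.
+Unreasonable means traffic entering the mesh via a node which source IP does
+not belong to the configured IP space.
+
+One may first check if there is a certain proportion of unreasonable traffic,
+before adding this package to the firmware image. Additional one should not
+use this package if some kind of gateway or upstream network is provided by
+a device connected to the client port.
+
+site.conf
+---------
+
+prefix4 : optional
+    - IPv4 subnet
+
+prefix6 :
+    - IPv6 subnet
+
+extra_prefixes6 : optional
+    - list of additional IPv6 subnets
+
+Example::
+
+  prefix4 = '198.51.100.0/21',
+  prefix6 = '2001:db8:8::/64',
+  extra_prefixes6 = { '2001:db8:9::/64', '2001:db8:100::/60' },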
							
								
								
									
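--- a/package/gluon-ebtables-source-filter/Makefile
+++ b/package/gluon-ebtables-source-filter/Makefile
@@ -0,0 +1,43 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-source-filter
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include ../gluon.mk
+
+
+define Package/gluon-ebtables-source-filter
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Ebtables rules to filter unreasonable L2 traffic.
+  DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-source-filter/description
+	This package adds an additional layer-2 filter-ruleset to prevent unreasonable
+	traffic entering the network via the nodes.
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-source-filter/install
+	$(CP) ./files/* $(1)/
+endef
+
+define Package/gluon-ebtables-source-filter/postinst
+#!/bin/sh
+$(call GluonCheckSite,check_site.lua)
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-source-filter))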
							
								
								
									
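--- a/package/gluon-ebtables-source-filter/check_site.lua
+++ b/package/gluon-ebtables-source-filter/check_site.lua
@@ -0,0 +1,2 @@
+need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$', false)
+need_string_array_match('extra_prefixes6', '^[%x:]+/%d+$', false)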
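Review bot: The prefix4 pattern on the first line uses unescaped `.`, which in a Lua pattern matches any single character, so a value like `1;2;3;4/8` passes the check even though prefix4 is spliced verbatim into ebtables rule strings elsewhere in this commit; escape the dots: `need_string_match('prefix4', '^%d+%.%d+%.%d+%.%d+/%d+$', false)`. The pattern also accepts octets above 255 and prefix lengths above 32, which would only surface as an ebtables error at rule-load time, so a tighter check is worth considering. Nothing in this file validates `prefix6`, yet the IPv6 rule file in this commit concatenates `site.prefix6` unconditionally; if gluon-core's own site check does not already require and shape-check it, add `need_string_match('prefix6', '^[%x:]+/%d+$')` here.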
| @ -0,0 +1 @@ | |||||||
|  | chain('LOCAL_FORWARD', 'DROP') | ||||||
| @ -0,0 +1,6 @@ | |||||||
|  | prefix4 = require('gluon.site_config').prefix4 | ||||||
|  | 
 | ||||||
|  | if prefix4 then | ||||||
|  | 	rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN') | ||||||
|  | 	rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN') | ||||||
|  | end | ||||||
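Review bot: `prefix4` on the first line of this hunk is assigned without `local`, so it leaks into whatever environment the rule files are loaded in; write `local prefix4 = require('gluon.site_config').prefix4` (the sibling IPv4 rule file has the same issue). The purpose of the second rule is not obvious from reading it: ARP probes and announcements per RFC 5227 carry a sender IP of 0.0.0.0, which the first rule would never match, so a comment such as `-- RFC 5227 ARP probes use sender IP 0.0.0.0; allow them when the target is in prefix4` would help. No `--arp-opcode` is matched, so requests and replies are treated alike, which is presumably intended but worth stating.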
| @ -0,0 +1,6 @@ | |||||||
|  | prefix4 = require('gluon.site_config').prefix4 | ||||||
|  | 
 | ||||||
|  | if prefix4 then | ||||||
|  | 	rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN') | ||||||
|  | 	rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN') | ||||||
|  | end | ||||||
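Review bot: The first rule returns any UDP packet to destination port 67 regardless of source address, which is broader than the DHCP exception it presumably exists for: a client can push arbitrary-source UDP/67 traffic into the mesh through it. DHCP DISCOVER/REQUEST from an unconfigured client use source 0.0.0.0, and renewals use the leased address that the second rule already admits, so `rule('LOCAL_FORWARD -p IPv4 --ip-src 0.0.0.0 --ip-protocol udp --ip-destination-port 67 -j RETURN')` should suffice unless clients holding stale out-of-prefix leases must be able to rebind. Because the LOCAL_FORWARD chain created in this commit has policy DROP and both the IPv4 and ARP RETURN rules sit inside `if prefix4`, leaving prefix4 unset in site.conf drops all IPv4 and ARP from client ports rather than disabling the IPv4 filter; that consequence belongs in the package documentation. As in the ARP file, `prefix4` should be declared `local`.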
| @ -0,0 +1,9 @@ | |||||||
|  | site = require('gluon.site_config') | ||||||
|  | 
 | ||||||
|  | rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN') | ||||||
|  | rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN') | ||||||
|  | rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6 .. ' -j RETURN') | ||||||
|  | 
 | ||||||
|  | for _, prefix in ipairs(site.extra_prefixes6 or {}) do | ||||||
|  | 	rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN') | ||||||
|  | end | ||||||
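Review bot: `site` on the first line is a global assignment; use `local site = require('gluon.site_config')`. The third rule concatenates `site.prefix6` without a nil check, so a site.conf lacking prefix6 fails with a Lua concatenation error at rule-generation time instead of a clear message; this package's check_site.lua does not validate prefix6, so either rely on gluon-core's check and say so in a comment, or guard the rule. The `::/128` rule admits any ICMPv6 from the unspecified source, which is what Duplicate Address Detection (and MLD reports sent during DAD) need; a comment such as `-- unspecified source: DAD neighbour solicitations and MLD reports (RFC 4862, RFC 3810)` would make the intent clear and discourage someone from tightening it later and breaking DAD.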
| @ -0,0 +1 @@ | |||||||
|  | rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD') | ||||||
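Review bot: This jump carries no `-p` match, and the LOCAL_FORWARD chain created in this commit has policy DROP with RETURN rules only for ARP, IPv4 and IPv6, so every other ethertype arriving from a client port (VLAN-tagged frames, LLDP, PPPoE discovery and the like) is silently dropped. That goes beyond the "wrong source IP" scope the package documentation describes and should either be documented or narrowed, for example by replacing this line with three protocol-specific jumps, `rule('FORWARD --logical-in br-client -i ! bat0 -p ARP -j LOCAL_FORWARD')`, `rule('FORWARD --logical-in br-client -i ! bat0 -p IPv4 -j LOCAL_FORWARD')` and `rule('FORWARD --logical-in br-client -i ! bat0 -p IPv6 -j LOCAL_FORWARD')`, so unknown ethertypes fall through to the existing FORWARD policy. Whether dropping non-IP ethertypes is actually desired is a design choice I cannot settle from the diff, but it should be a deliberate one. The rule also lacks `--logical-out`, so it applies to frames forwarded between two client ports of the same node as well as to frames entering the mesh, which is presumably intended.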