nils/gluon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gluon-nftables-filter-ra-dhcp: migrate to nftables

Browse Source
This commit is contained in:
Maciej Krüger 2023-05-01 18:25:13 +02:00
parent 888af8ba4c
commit d0aac546e8
No known key found for this signature in database
GPG Key ID: 0D948CE19CF49C5F
8 changed files with 40 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
package/gluon-ebtables-filter-ra-dhcp/Makefile
View File

@ -1,19 +0,0 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=gluon-ebtables-filter-ra-dhcp
include ../gluon.mk
define Package/gluon-ebtables-filter-ra-dhcp
TITLE:=Ebtables filters for Router Advertisement and DHCP packets
DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
endef
define Package/gluon-ebtables-filter-ra-dhcp/description
Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
client network, and not vice-versa.
endef
$(eval $(call BuildPackageGluon,gluon-ebtables-filter-ra-dhcp))

11
package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4
View File

@ -1,11 +0,0 @@
local uci = require('simple-uci').cursor()
local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode')
if gw_mode ~= 'server' then
rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
rule 'OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
rule 'INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
end

5
package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6
View File

@ -1,5 +0,0 @@
rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
rule 'OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'
rule 'INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'

5
package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv
View File

@ -1,5 +0,0 @@
rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'

19
package/gluon-nftables-filter-ra-dhcp/Makefile Normal file
View File

@ -0,0 +1,19 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=gluon-nftables-filter-ra-dhcp
include ../gluon.mk
define Package/gluon-nftables-filter-ra-dhcp
TITLE:=nftables filters for Router Advertisement and DHCP packets
DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
endef
define Package/gluon-nftables-filter-ra-dhcp/description
Gluon community wifi mesh firmware framework: nftables filters for Router Advertisement and DHCP packets
These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
client network, and not vice-versa.
endef
$(eval $(call BuildPackageGluon,gluon-nftables-filter-ra-dhcp))

11
package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua Normal file
View File

@ -0,0 +1,11 @@
local uci = require('simple-uci').cursor()
local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode')
if gw_mode ~= 'server' then
bridge_rule('FORWARD', 'ip version 4 udp dport 67 jump out_only')
bridge_rule('OUTPUT', 'ip version 4 udp dport 67 jump out_only')
bridge_rule('FORWARD', 'ip version 4 udp dport 68 jump in_only')
bridge_rule('INPUT', 'ip version 4 udp dport 68 jump in_only')
end

5
package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua Normal file
View File

@ -0,0 +1,5 @@
bridge_rule('FORWARD', 'ip version 6 udp dport 547 jump out_only')
bridge_rule('OUTPUT', 'ip version 6 udp dport 547 jump out_only')
bridge_rule('FORWARD', 'ip version 6 udp dport 546 jump in_only')
bridge_rule('INPUT', 'ip version 6 udp dport 546 jump in_only')

5
package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua Normal file
View File

@ -0,0 +1,5 @@
bridge_rule('FORWARD', 'icmpv6 type nd-router-solicit jump out_only')
bridge_rule('OUTPUT', 'icmpv6 type nd-router-solicit jump out_only')
bridge_rule('FORWARD', 'icmpv6 type nd-router-advert jump in_only')
bridge_rule('INPUT', 'icmpv6 type nd-router-advert jump in_only')