From d0aac546e8bc909a04fbb77a8f004b2bd48eff3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?=
Date: Mon, 1 May 2023 18:25:13 +0200
Subject: [PATCH] gluon-nftables-filter-ra-dhcp: migrate to nftables
---
 .../gluon-ebtables-filter-ra-dhcp/Makefile | 19 -------------------
 .../luasrc/lib/gluon/ebtables/200-dir-dhcpv4 | 11 -----------
 .../luasrc/lib/gluon/ebtables/200-dir-dhcpv6 | 5 -----
 .../luasrc/lib/gluon/ebtables/200-dir-radv | 5 -----
 .../gluon-nftables-filter-ra-dhcp/Makefile | 19 +++++++++++++++++++
 .../lib/gluon/nftables/200-dir-dhcpv4.lua | 11 +++++++++++
 .../lib/gluon/nftables/200-dir-dhcpv6.lua | 5 +++++
 .../lib/gluon/nftables/200-dir-radv.lua | 5 +++++
 8 files changed, 40 insertions(+), 40 deletions(-)
 delete mode 100644 package/gluon-ebtables-filter-ra-dhcp/Makefile
 delete mode 100644 package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4
 delete mode 100644 package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6
 delete mode 100644 package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv
 create mode 100644 package/gluon-nftables-filter-ra-dhcp/Makefile
 create mode 100644 package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua
 create mode 100644 package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua
 create mode 100644 package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua
diff --git a/package/gluon-ebtables-filter-ra-dhcp/Makefile b/package/gluon-ebtables-filter-ra-dhcp/Makefile
deleted file mode 100644
index bc52747a..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=gluon-ebtables-filter-ra-dhcp
-
-include ../gluon.mk
-
-define Package/gluon-ebtables-filter-ra-dhcp
- TITLE:=Ebtables filters for Router Advertisement and DHCP packets
- DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
-endef
-
-define Package/gluon-ebtables-filter-ra-dhcp/description
- Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
-
- These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
- client network, and not vice-versa.
-endef
-
-$(eval $(call BuildPackageGluon,gluon-ebtables-filter-ra-dhcp))
diff --git a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4 b/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4
deleted file mode 100644
index 87b4bd7f..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv4
+++ /dev/null
@@ -1,11 +0,0 @@
-local uci = require('simple-uci').cursor()
-
-local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode')
-
-if gw_mode ~= 'server' then
- rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
- rule 'OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
-
- rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
- rule 'INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
-end
diff --git a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6 b/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6
deleted file mode 100644
index 470a7648..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-dhcpv6
+++ /dev/null
@@ -1,5 +0,0 @@
-rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
-rule 'OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j OUT_ONLY'
-
-rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'
-rule 'INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j IN_ONLY'
diff --git a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv b/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv
deleted file mode 100644
index b34d4c76..00000000
--- a/package/gluon-ebtables-filter-ra-dhcp/luasrc/lib/gluon/ebtables/200-dir-radv
+++ /dev/null
@@ -1,5 +0,0 @@
-rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
-rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
-
-rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
-rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
diff --git a/package/gluon-nftables-filter-ra-dhcp/Makefile b/package/gluon-nftables-filter-ra-dhcp/Makefile
new file mode 100644
index 00000000..ad714a1b
--- /dev/null
+++ b/package/gluon-nftables-filter-ra-dhcp/Makefile
@@ -0,0 +1,19 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-nftables-filter-ra-dhcp
+
+include ../gluon.mk
+
+define Package/gluon-nftables-filter-ra-dhcp
+ TITLE:=nftables filters for Router Advertisement and DHCP packets
+ DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
+endef
+
+define Package/gluon-nftables-filter-ra-dhcp/description
+ Gluon community wifi mesh firmware framework: nftables filters for Router Advertisement and DHCP packets
+
+ These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
+ client network, and not vice-versa.
+endef
+
+$(eval $(call BuildPackageGluon,gluon-nftables-filter-ra-dhcp))
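Review bot: The new Makefile's `+ DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv` turns the batman-adv dependency from the bare `gluon-mesh-batman-adv` of the deleted ebtables Makefile into a selecting `+gluon-mesh-batman-adv`. In OpenWrt package metadata a leading `+` makes selecting this package pull the dependency into the image, whereas the bare form only requires it to be selected already, so the filter package could now drag the batman-adv mesh protocol into builds that did not choose it. If the old form was deliberate, the line should read `DEPENDS:=+gluon-core +gluon-nftables gluon-mesh-batman-adv`. This looks unintentional given the rest of the file is a 1:1 rename; confirm against how the gluon feature list selects this package.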
diff --git a/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua
new file mode 100644
index 00000000..d77f8711
--- /dev/null
+++ b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv4.lua
@@ -0,0 +1,11 @@
+local uci = require('simple-uci').cursor()
+
+local gw_mode = uci:get('network', 'gluon_bat0', 'gw_mode')
+
+if gw_mode ~= 'server' then
+ bridge_rule('FORWARD', 'ip version 4 udp dport 67 jump out_only')
+ bridge_rule('OUTPUT', 'ip version 4 udp dport 67 jump out_only')
+
+ bridge_rule('FORWARD', 'ip version 4 udp dport 68 jump in_only')
+ bridge_rule('INPUT', 'ip version 4 udp dport 68 jump in_only')
+end
diff --git a/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua
new file mode 100644
index 00000000..1dd953e2
--- /dev/null
+++ b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-dhcpv6.lua
@@ -0,0 +1,5 @@
+bridge_rule('FORWARD', 'ip version 6 udp dport 547 jump out_only')
+bridge_rule('OUTPUT', 'ip version 6 udp dport 547 jump out_only')
+
+bridge_rule('FORWARD', 'ip version 6 udp dport 546 jump in_only')
+bridge_rule('INPUT', 'ip version 6 udp dport 546 jump in_only')
diff --git a/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua
new file mode 100644
index 00000000..8a54b1e4
--- /dev/null
+++ b/package/gluon-nftables-filter-ra-dhcp/luasrc/lib/gluon/nftables/200-dir-radv.lua
@@ -0,0 +1,5 @@
+bridge_rule('FORWARD', 'icmpv6 type nd-router-solicit jump out_only')
+bridge_rule('OUTPUT', 'icmpv6 type nd-router-solicit jump out_only')
+
+bridge_rule('FORWARD', 'icmpv6 type nd-router-advert jump in_only')
+bridge_rule('INPUT', 'icmpv6 type nd-router-advert jump in_only')
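Review bot: In the 200-dir-dhcpv6.lua hunk every rule qualifies the UDP match with `ip version 6`, but in nft the `ip` keyword denotes the IPv4 header, so on a bridge chain this most likely expands to an ethertype-IPv4 dependency plus a check that the version nibble equals 6 — a combination that real IPv6 DHCP traffic never satisfies, which would leave the 546/547 direction filter silently ineffective compared with the deleted `-p IPv6` ebtables rules. The IPv6 qualifier should go through the IPv6 header, e.g. `bridge_rule('FORWARD', 'ip6 nexthdr udp udp dport 547 jump out_only')`, and likewise for the other three rules in that file; the radv hunk already does this correctly by letting `icmpv6 type` derive its own L3 dependency. The dhcpv4 hunk's `ip version 4` works, but the parallel `ip protocol udp udp dport 67` form would keep the two files consistent. `bridge_rule` and the `in_only`/`out_only` chains are not defined in this patch and are presumably provided by gluon-nftables; worth confirming the lower-case chain names match what that package creates. Please verify the generated rules with `nft list ruleset` on a built image before merging.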