nils/gluon
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gluon-mesh-batman-adv: migrate to nftables

Browse Source
This commit is contained in:
Maciej Krüger 2023-05-01 19:34:38 +02:00
parent d0aac546e8
commit e6a8cda992
No known key found for this signature in database
GPG Key ID: 0D948CE19CF49C5F
6 changed files with 46 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/features
View File

@ -38,7 +38,7 @@ when(_'web-advanced' and _'autoupdater', {
when(_'mesh-batman-adv-15', {
'gluon-ebtables-limit-arp',
'gluon-nftables-limit-arp',
'gluon-radvd',
})

3
package/gluon-mesh-batman-adv/Makefile
View File

@ -12,7 +12,8 @@ define Package/gluon-mesh-batman-adv-15
+gluon-core \
+libgluonutil \
+gluon-client-bridge \
+gluon-ebtables \
+gluon-nftables \
+gluon-nftables-multicast \
+firewall4 \
+libiwinfo \
+kmod-dummy \

41
package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/250-next-node
View File

@ -1,41 +0,0 @@
local client_bridge = require 'gluon.client_bridge'
local site = require 'gluon.site'
local next_node = site.next_node({})
local macaddr = client_bridge.next_node_macaddr()
rule('FORWARD --logical-out br-client -i bat0 -o local-port -j DROP')
rule('FORWARD --logical-out br-client -i local-port -o bat0 -j DROP')
rule('PREROUTING --logical-in br-client -i bat0 -s ' .. macaddr .. ' -j DROP', 'nat')
rule('PREROUTING --logical-in br-client -i bat0 -d ' .. macaddr .. ' -j DROP', 'nat')
rule('FORWARD --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -d ' .. macaddr .. ' -j DROP')
rule('FORWARD --logical-out br-client -o bat0 -s ' .. macaddr .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -s ' .. macaddr .. ' -j DROP')
if next_node.ip4 then
rule('FORWARD --logical-out br-client -o bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
rule('FORWARD --logical-out br-client -o bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
rule('FORWARD --logical-out br-client -i bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
rule('FORWARD --logical-out br-client -i bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
rule('INPUT -i bat0 -p ARP --arp-ip-src ' .. next_node.ip4 .. ' -j DROP')
rule('INPUT -i bat0 -p ARP --arp-ip-dst ' .. next_node.ip4 .. ' -j DROP')
rule('FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-destination ' .. next_node.ip4 .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-destination ' .. next_node.ip4 .. ' -j DROP')
rule('FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-source ' .. next_node.ip4 .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-source ' .. next_node.ip4 .. ' -j DROP')
end
if next_node.ip6 then
rule('FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination ' .. next_node.ip6 .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination ' .. next_node.ip6 .. ' -j DROP')
rule('FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source ' .. next_node.ip6 .. ' -j DROP')
rule('OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source ' .. next_node.ip6 .. ' -j DROP')
end

2
package/gluon-mesh-batman-adv/luasrc/lib/gluon/ebtables/300-radv-input-output
View File

@ -1,2 +0,0 @@
rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -i bat0 -j DROP'
rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -o bat0 -j DROP'

41
package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/250-next-node.lua Normal file
View File

@ -0,0 +1,41 @@
local client_bridge = require 'gluon.client_bridge'
local site = require 'gluon.site'
local next_node = site.next_node({})
local macaddr = client_bridge.next_node_macaddr()
bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" oifname "bat0" drop')
bridge_rule('FORWARD', 'obrname "br-client" iifname "local-port" oifname "bat0" drop')
bridge_rule('PREROUTING', 'ibrname "br-client" iifname "bat0" ether saddr ' .. macaddr .. ' drop', 'nat')
bridge_rule('PREROUTING', 'ibrname "br-client" iifname "bat0" ether daddr ' .. macaddr .. ' drop', 'nat')
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ether daddr ' .. macaddr .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ether daddr ' .. macaddr .. ' drop')
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ether saddr ' .. macaddr .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ether saddr ' .. macaddr .. ' drop')
if next_node.ip4 then
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('FORWARD', 'obrname "br-client" iifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('INPUT', 'iifname "bat0" arp saddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('INPUT', 'iifname "bat0" arp daddr ip ' .. next_node.ip4 .. ' drop')
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip daddr ' .. next_node.ip4 .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip daddr ' .. next_node.ip4 .. ' drop')
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip saddr ' .. next_node.ip4 .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip saddr ' .. next_node.ip4 .. ' drop')
end
if next_node.ip6 then
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip6 daddr ' .. next_node.ip6 .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip6 daddr ' .. next_node.ip6 .. ' drop')
bridge_rule('FORWARD', 'obrname "br-client" oifname "bat0" ip6 saddr ' .. next_node.ip6 .. ' drop')
bridge_rule('OUTPUT', 'obrname "br-client" oifname "bat0" ip6 saddr ' .. next_node.ip6 .. ' drop')
end

2
package/gluon-mesh-batman-adv/luasrc/lib/gluon/nftables/300-radv-input-output.lua Normal file
View File

@ -0,0 +1,2 @@
bridge_rule('INPUT', 'iifname "bat0" icmpv6 type nd-router-solicit drop')
bridge_rule('OUTPUT', 'oifname "bat0" icmpv6 type nd-router-advert drop')