Add package gluon-ebtables-source-filter (#1015)

docs/package/gluon-ebtables-source-filter.rst

@@ -0,0 +1,30 @@
+gluon-ebtables-source-filter
+============================
+
+The *gluon-ebtables-source-filter* package adds an additional layer-2 filter
+ruleset to prevent unreasonable traffic entering the network via the nodes.
+Unreasonable means traffic entering the mesh via a node which source IP does
+not belong to the configured IP space.
+
+One may first check if there is a certain proportion of unreasonable traffic,
+before adding this package to the firmware image. Additional one should not
+use this package if some kind of gateway or upstream network is provided by
+a device connected to the client port.
+
+site.conf
+---------
+
+prefix4 : optional
+    - IPv4 subnet
+
+prefix6 :
+    - IPv6 subnet
+
+extra_prefixes6 : optional
+    - list of additional IPv6 subnets
+
+Example::
+
+  prefix4 = '198.51.100.0/21',
+  prefix6 = '2001:db8:8::/64',
+  extra_prefixes6 = { '2001:db8:9::/64', '2001:db8:100::/60' },

package/gluon-ebtables-source-filter/Makefile

@@ -0,0 +1,43 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-source-filter
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include ../gluon.mk
+
+
+define Package/gluon-ebtables-source-filter
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Ebtables rules to filter unreasonable L2 traffic.
+  DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-source-filter/description
+	This package adds an additional layer-2 filter-ruleset to prevent unreasonable
+	traffic entering the network via the nodes.
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-source-filter/install
+	$(CP) ./files/* $(1)/
+endef
+
+define Package/gluon-ebtables-source-filter/postinst
+#!/bin/sh
+$(call GluonCheckSite,check_site.lua)
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-source-filter))

package/gluon-ebtables-source-filter/check_site.lua

@@ -0,0 +1,2 @@
+need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$', false)
+need_string_array_match('extra_prefixes6', '^[%x:]+/%d+$', false)

package/gluon-ebtables-source-filter/files/lib/gluon/ebtables/100-local-forward-chain

@@ -0,0 +1 @@
+chain('LOCAL_FORWARD', 'DROP')

package/gluon-ebtables-source-filter/files/lib/gluon/ebtables/110-local-forward-allow-arp

@@ -0,0 +1,6 @@
+prefix4 = require('gluon.site_config').prefix4
+
+if prefix4 then
+	rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
+	rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
+end

package/gluon-ebtables-source-filter/files/lib/gluon/ebtables/110-local-forward-allow-ipv4

@@ -0,0 +1,6 @@
+prefix4 = require('gluon.site_config').prefix4
+
+if prefix4 then
+	rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
+	rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
+end

package/gluon-ebtables-source-filter/files/lib/gluon/ebtables/110-local-forward-allow-ipv6

@@ -0,0 +1,9 @@
+site = require('gluon.site_config')
+
+rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
+rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
+rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6 .. ' -j RETURN')
+
+for _, prefix in ipairs(site.extra_prefixes6 or {}) do
+	rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
+end

package/gluon-ebtables-source-filter/files/lib/gluon/ebtables/300-local-forward-rules

@@ -0,0 +1 @@
+rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')