Add ebtables filters from the legacy firmware
parent
9015c01c34
commit
f8cdeaefd9
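--- a/package/gluon-ebtables-filter-multicast/Makefile
+++ b/package/gluon-ebtables-filter-multicast/Makefile
@@ -0,0 +1,40 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-multicast
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-multicast
+SECTION:=gluon
+CATEGORY:=Gluon
+TITLE:=Ebtables filters for multicast packets
+DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-multicast/description
+Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
+
+These filters drop non-essential multicast traffic before it enters the mesh.
+
+Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
+endef
+
+define Build/Prepare
+mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-multicast/install
+$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-multicast))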
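Review bot: The package description's allowlist omits IGMP, although a rule file added in this same commit lets it through (`rule MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN`). The description is the only human-readable statement of what the default-DROP chain permits, so it should match the rules exactly: `Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, IGMP, BitTorrent local peer discovery, BABEL and OSPF`. If IGMP was not meant to be allowed, the rule rather than the description is the thing to change.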
@ -0,0 +1 @@
|
|||||||
|
chain MULTICAST_OUT DROP
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p ARP -j RETURN
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN
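Review bot: UDP destination port 546 is the DHCPv6 client port, but clients multicast their Solicit/Request messages to the server port 547, so this rule does not match the traffic it is meant to exempt and the chain's DROP policy would discard it before it enters the mesh. The rule should read `rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j RETURN`. The same 546/547 mix-up appears in the DHCPv6 rules of gluon-ebtables-filter-ra-dhcp later in this commit, where it inverts the direction check: by analogy with the IPv4 pair (67 to `OUT_ONLY`, 68 to `IN_ONLY`), port 547 should jump to `OUT_ONLY` and port 546 to `IN_ONLY`. As written there, client requests arriving on a non-bat0 port of br-client appear to be dropped, while replies from a DHCPv6 server on the client side are still allowed out towards bat0, which is the opposite of the rogue-server protection the package description promises.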
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN
|
@ -0,0 +1 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN
|
@ -0,0 +1,2 @@
|
|||||||
|
rule MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN
|
||||||
|
rule MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN
|
@ -0,0 +1,2 @@
|
|||||||
|
rule FORWARD --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT
|
||||||
|
rule OUTPUT --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT
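Review bot: Both jump rules match on `--logical-out br-freifunk`, whereas the RA/DHCP filters added in the same commit use `br-client` as the client bridge. If the bridge in this firmware is named br-client (br-freifunk looks like the name carried over from the legacy firmware), neither rule ever matches, MULTICAST_OUT is never entered, and the multicast filter silently does nothing. I would use one bridge name across both packages, e.g. `rule FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT` and the matching `OUTPUT` rule, and confirm on a running node that the chain's packet counters increase.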
|
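--- a/package/gluon-ebtables-filter-ra-dhcp/Makefile
+++ b/package/gluon-ebtables-filter-ra-dhcp/Makefile
@@ -0,0 +1,39 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-ra-dhcp
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-ra-dhcp
+SECTION:=gluon
+CATEGORY:=Gluon
+TITLE:=Ebtables filters for Router Advertisement and DHCP packets
+DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/description
+Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
+
+These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
+client network, and not vice-versa.
+endef
+
+define Build/Prepare
+mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/install
+$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-ra-dhcp))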
@ -0,0 +1,5 @@
|
|||||||
|
rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
|
||||||
|
rule OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
|
||||||
|
|
||||||
|
rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
|
||||||
|
rule INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
|
@ -0,0 +1,5 @@
|
|||||||
|
rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
|
||||||
|
rule OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
|
||||||
|
|
||||||
|
rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
|
||||||
|
rule INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
|
@ -0,0 +1,5 @@
|
|||||||
|
rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||||
|
rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
|
||||||
|
|
||||||
|
rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
||||||
|
rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
|
@ -0,0 +1,2 @@
|
|||||||
|
chain IN_ONLY RETURN
|
||||||
|
chain OUT_ONLY RETURN
|
@ -0,0 +1,2 @@
|
|||||||
|
rule IN_ONLY --logical-in br-client -i ! bat0 -j DROP
|
||||||
|
rule OUT_ONLY --logical-out br-client -o ! bat0 -j DROP
|