# OpenWrt build-system definitions; TOPDIR is supplied by the OpenWrt buildroot
# that invokes this package Makefile.
include $(TOPDIR)/rules.mk
# Package name; it must match the Package/<name> defines and the
# BuildPackageGluon call further down.
PKG_NAME:=gluon-nftables-limit-arp
# Gluon package helpers; expected to provide Gluon/Build/Install and
# BuildPackageGluon used below.
include ../gluon.mk
# Package metadata: title and runtime dependencies. gluon-nftables supplies the
# nftables integration the rules hook into; gluon-mesh-batman-adv is needed
# because the limiter consults the batman-adv DAT cache (see the description).
define Package/gluon-nftables-limit-arp
TITLE:=nftables limiter for ARP packets
DEPENDS:=+gluon-core +gluon-nftables +gluon-mesh-batman-adv
endef
# Package description. This define appears to be expanded as plain text for the
# package metadata rather than evaluated as Make, so keep '#' lines out of it.
# NOTE(review): the rate/burst figures quoted here (6 per minute per MAC,
# 1 per second per node, burst of 50) and the DAT-cache exclusion presumably
# describe the nft rules installed by gluon-arp-limiter -- confirm and keep the
# text in sync whenever the implementation changes.
define Package/gluon-nftables-limit-arp/description
Gluon community wifi mesh firmware framework: nftables rules to
rate-limit ARP packets.

This package adds filters to limit the amount of ARP Requests
devices are allowed to send into the mesh. The limits are 6 packets
per minute per client device, by MAC address, and 1 per second per
node in total.

A burst of up to 50 ARP Requests is allowed until the rate-limiting
takes effect (see burst in the nft manpage).

Furthermore, ARP Requests with a target IP already present in the
batman-adv DAT Cache are excluded from the rate-limiting,
both regarding counting and filtering, as batman-adv will respond
locally with no burden for the mesh. Therefore, this limiter
should not affect popular target IPs, like gateways.

However it should mitigate the problem of curious people or
smart devices scanning the whole IP range. Which could create
a significant amount of overhead for all participants so far.

Note that this package currently only supports batman.
endef
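# Install hook; $(1) is the package staging root. Gluon/Build/Install (from
# gluon.mk) handles the package's common files, then the limiter binary built
# in PKG_BUILD_DIR is placed in /usr/sbin.
# INSTALL_BIN (install -m0755) is used instead of CP so the executable bit is
# set explicitly rather than inherited from whatever mode the build directory
# happens to carry.
define Package/gluon-nftables-limit-arp/install
$(Gluon/Build/Install)

$(INSTALL_DIR) $(1)/usr/sbin/
$(INSTALL_BIN) $(PKG_BUILD_DIR)/gluon-arp-limiter $(1)/usr/sbin/gluon-arp-limiter
endef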
# Generate the OpenWrt build/package rules for this package through the Gluon
# helper from gluon.mk.
$(eval $(call BuildPackageGluon,gluon-nftables-limit-arp))