From f8cdeaefd9f2277ac8e4f66adf252d6b4034edd0 Mon Sep 17 00:00:00 2001
From: Matthias Schiffer <mschiffer@universe-factory.net>
Date: Fri, 10 Jan 2014 21:48:43 +0100
Subject: [PATCH] Add ebtables filters from the legacy firmware

---
 .../gluon-ebtables-filter-multicast/Makefile  | 40 +++++++++++++++++++
 .../files/lib/gluon/ebtables/100-mcast-chain  |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-arp    |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-babel  |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-btlpd  |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-dhcpv4 |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-dhcpv6 |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-icmp   |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-icmpv6 |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-igmp   |  1 +
 .../lib/gluon/ebtables/110-mcast-allow-ospf   |  2 +
 .../files/lib/gluon/ebtables/300-mcast        |  2 +
 .../gluon-ebtables-filter-ra-dhcp/Makefile    | 39 ++++++++++++++++++
 .../files/lib/gluon/ebtables/200-dir-dhcpv4   |  5 +++
 .../files/lib/gluon/ebtables/200-dir-dhcpv6   |  5 +++
 .../files/lib/gluon/ebtables/200-dir-radv     |  5 +++
 .../files/lib/gluon/ebtables/.keep            |  0
 .../files/lib/gluon/ebtables/100-dir-chain    |  2 +
 .../files/lib/gluon/ebtables/101-dir-rules    |  2 +
 19 files changed, 111 insertions(+)
 create mode 100644 package/gluon-ebtables-filter-multicast/Makefile
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf
 create mode 100644 package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
 create mode 100644 package/gluon-ebtables-filter-ra-dhcp/Makefile
 create mode 100644 package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4
 create mode 100644 package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6
 create mode 100644 package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv
 delete mode 100644 package/gluon-ebtables/files/lib/gluon/ebtables/.keep
 create mode 100644 package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain
 create mode 100644 package/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules

diff --git a/package/gluon-ebtables-filter-multicast/Makefile b/package/gluon-ebtables-filter-multicast/Makefile
new file mode 100644
index 000000000..93b7f9a55
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/Makefile
@@ -0,0 +1,40 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-multicast
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-multicast
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Ebtables filters for multicast packets
+  DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-multicast/description
+	Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
+
+	These filters drop non-essential multicast traffic before it enters the mesh.
+
+	Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-multicast/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-multicast))
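Review bot: The `Allowed protocols are:` line of the package description omits IGMP, although 110-mcast-allow-igmp in this same commit returns IPv4 IGMP from MULTICAST_OUT; it should read `Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, IGMP, BitTorrent local peer discovery, BABEL and OSPF`. Because the chain's default policy is DROP (100-mcast-chain), this list is what an operator relies on to know which multicast traffic the node silently discards, so it should match the rule files exactly.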
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
new file mode 100644
index 000000000..93382f309
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain
@@ -0,0 +1 @@
+chain MULTICAST_OUT DROP
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp
new file mode 100644
index 000000000..fdb20b1f6
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p ARP -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel
new file mode 100644
index 000000000..096ae50ee
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd
new file mode 100644
index 000000000..9776157af
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4 b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4
new file mode 100644
index 000000000..440107a97
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6 b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6
new file mode 100644
index 000000000..1b523ec40
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN
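Review bot: This allow rule keys on destination port 546, but 546 is the DHCPv6 client port; client Solicit/Request messages are sent to the All_DHCP_Relay_Agents_and_Servers multicast group on port 547, while traffic to port 546 is the unicast server reply that never reaches MULTICAST_OUT. With the chain policy DROP from 100-mcast-chain, client DHCPv6 multicast would be dropped at the mesh boundary, so the line should be `rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j RETURN`. The same client/server port swap appears in 200-dir-dhcpv6 of this commit: mirroring the 67/68 split of 200-dir-dhcpv4, the two port-547 rules (server-bound requests) should jump to OUT_ONLY and the two port-546 rules (client-bound replies) to IN_ONLY, otherwise the direction filter blocks legitimate DHCPv6 exchanges and does not stop a rogue server on the client side.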
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
new file mode 100644
index 000000000..e52e5c788
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
new file mode 100644
index 000000000..7c50ff5ee
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
new file mode 100644
index 000000000..521af5632
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp
@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf
new file mode 100644
index 000000000..6e540751d
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf
@@ -0,0 +1,2 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN
+rule MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN
diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
new file mode 100644
index 000000000..00ff642c6
--- /dev/null
+++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast
@@ -0,0 +1,2 @@
+rule FORWARD --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT
+rule OUTPUT --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT
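Review bot: Both rules match `--logical-out br-freifunk`, while the directional rules added to gluon-ebtables in this same commit (101-dir-rules) match `br-client`. If the client bridge in this tree is br-client, as the other file suggests, these two rules never match and all multicast leaves into bat0 unfiltered without any error, since as far as I know ebtables does not validate that a logical interface name exists when the rule is inserted; the name here presumably still comes from the legacy firmware. Unless br-freifunk is deliberately different, change both lines to `--logical-out br-client` to keep the bridge name consistent across the ebtables packages.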
diff --git a/package/gluon-ebtables-filter-ra-dhcp/Makefile b/package/gluon-ebtables-filter-ra-dhcp/Makefile
new file mode 100644
index 000000000..ea6a737d4
--- /dev/null
+++ b/package/gluon-ebtables-filter-ra-dhcp/Makefile
@@ -0,0 +1,39 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-ra-dhcp
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-ra-dhcp
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Ebtables filters for Router Advertisement and DHCP packets
+  DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/description
+	Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
+
+	These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
+	client network, and not vice-versa.
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-ra-dhcp))
diff --git a/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4 b/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4
new file mode 100644
index 000000000..8771ee157
--- /dev/null
+++ b/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4
@@ -0,0 +1,5 @@
+rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
+rule OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
+
+rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
+rule INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
diff --git a/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6 b/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6
new file mode 100644
index 000000000..234e54e54
--- /dev/null
+++ b/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6
@@ -0,0 +1,5 @@
+rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
+rule OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
+
+rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
+rule INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
diff --git a/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv b/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv
new file mode 100644
index 000000000..c7257032b
--- /dev/null
+++ b/package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv
@@ -0,0 +1,5 @@
+rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
diff --git a/package/gluon-ebtables/files/lib/gluon/ebtables/.keep b/package/gluon-ebtables/files/lib/gluon/ebtables/.keep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain b/package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain
new file mode 100644
index 000000000..99908dc42
--- /dev/null
+++ b/package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain
@@ -0,0 +1,2 @@
+chain IN_ONLY RETURN
+chain OUT_ONLY RETURN
diff --git a/package/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules b/package/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules
new file mode 100644
index 000000000..6c8f44cc8
--- /dev/null
+++ b/package/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules
@@ -0,0 +1,2 @@
+rule IN_ONLY --logical-in br-client -i ! bat0 -j DROP
+rule OUT_ONLY --logical-out br-client -o ! bat0 -j DROP
-- 
GitLab