diff --git a/docs/package/gluon-ebtables-segment-mld.rst b/docs/package/gluon-ebtables-segment-mld.rst new file mode 100644 index 00000000..7e197ece --- /dev/null +++ b/docs/package/gluon-ebtables-segment-mld.rst @@ -0,0 +1,16 @@ +gluon-ebtables-segment-mld +========================== + +These filters drop IGMP/MLD packets before they enter the mesh and +filter any IGMP/MLD packets coming from the mesh. + +IGMP/MLD have the concept of a local, elected Querier. For more +decentralization and increased robustness, the idea of this package is +to split the IGMP/MLD domain a querier is responsible for, allowing to +have a querier per node. The split IGMP/MLD domain will also reduce +overhead for this packet type, increasing scalability. + +Beware of the consequences of using this package though: You might need +to explicitly, manually mark ports on snooping switches leading towards +your mesh node as multicast router ports for now (Multicast Router +Discovery, MRD, not implemented yet). diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain deleted file mode 100644 index ec0013a3..00000000 --- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain +++ /dev/null @@ -1 +0,0 @@ -chain('MULTICAST_OUT', 'DROP') diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 index 8d3b7ec2..0058ed86 100644 --- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 +++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6 @@ -1,5 +1,3 @@ -rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j DROP' -rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j DROP' -rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN' - -rule 'MULTICAST_OUT -p IPv6 --ip6-protocol 0 -j RETURN' -- hop-by-hop +rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type echo-request -j RETURN' +rule 'MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 139 -j RETURN' -- ICMP Node Information Query +rule 'MULTICAST_OUT_ICMPV6 -j ACCEPT' diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast deleted file mode 100644 index c52f122f..00000000 --- a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast +++ /dev/null @@ -1,2 +0,0 @@ -rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT' -rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT' diff --git a/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/355-mcast-drop b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/355-mcast-drop new file mode 100644 index 00000000..46ac01a5 --- /dev/null +++ b/package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/355-mcast-drop @@ -0,0 +1 @@ +rule ('MULTICAST_OUT -j DROP') diff --git a/package/gluon-ebtables-segment-mld/Makefile b/package/gluon-ebtables-segment-mld/Makefile new file mode 100644 index 00000000..e3aacde1 --- /dev/null +++ b/package/gluon-ebtables-segment-mld/Makefile @@ -0,0 +1,51 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=gluon-ebtables-segment-mld +PKG_VERSION:=1 +PKG_RELEASE:=1 + +PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME) + +include $(INCLUDE_DIR)/package.mk + +define Package/gluon-ebtables-segment-mld + SECTION:=gluon + CATEGORY:=Gluon + TITLE:=Ebtables filters for IGMP/MLD packets + DEPENDS:=+gluon-core +gluon-ebtables +endef + +define Package/gluon-ebtables-segment-mld/description + Gluon community wifi mesh firmware framework: Ebtables filters for + IGMP/MLD packets + + These filters drop IGMP/MLD packets before they enter the mesh and + filter any IGMP/MLD packets coming from the mesh. + + IGMP/MLD have the concept of a local, elected Querier. For more + decentralization and increased robustness, the idea of this package is + to split the IGMP/MLD domain a querier is responsible for, allowing to + have a querier per node. The split IGMP/MLD domain will also reduce + overhead for this packet type, increasing scalability. + + Beware of the consequences of using this package though: You might need + to explicitly, manually mark ports on snooping switches leading towards + your mesh node as multicast router ports for now (Multicast Router + Discovery, MRD, not implemented yet). +endef + +define Build/Prepare + mkdir -p $(PKG_BUILD_DIR) +endef + +define Build/Configure +endef + +define Build/Compile +endef + +define Package/gluon-ebtables-segment-mld/install + $(CP) ./files/* $(1)/ +endef + +$(eval $(call BuildPackage,gluon-ebtables-segment-mld)) diff --git a/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/100-mcast-in-chain b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/100-mcast-in-chain new file mode 100644 index 00000000..69d6bf18 --- /dev/null +++ b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/100-mcast-in-chain @@ -0,0 +1,2 @@ +chain('MULTICAST_IN', 'RETURN', 'nat') +chain('MULTICAST_IN_ICMPV6', 'RETURN', 'nat') diff --git a/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/101-mcast-in-rule b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/101-mcast-in-rule new file mode 100644 index 00000000..4eef2e7e --- /dev/null +++ b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/101-mcast-in-rule @@ -0,0 +1,2 @@ +rule ('PREROUTING -d Multicast --logical-in br-client -i bat0 -j MULTICAST_IN', 'nat') +rule ('MULTICAST_IN -p IPv6 --ip6-protocol ipv6-icmp -j MULTICAST_IN_ICMPV6', 'nat') diff --git a/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/105-mcast-drop-igmp b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/105-mcast-drop-igmp new file mode 100644 index 00000000..08052721 --- /dev/null +++ b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/105-mcast-drop-igmp @@ -0,0 +1,2 @@ +rule('MULTICAST_OUT -p IPv4 --ip-protocol igmp -j DROP') +rule('MULTICAST_IN -p IPv4 --ip-protocol igmp -j DROP', 'nat') diff --git a/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/105-mcast-drop-mld b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/105-mcast-drop-mld new file mode 100644 index 00000000..b6090c22 --- /dev/null +++ b/package/gluon-ebtables-segment-mld/files/lib/gluon/ebtables/105-mcast-drop-mld @@ -0,0 +1,9 @@ +rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP') -- MLD Query +rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP') -- MLDv1 Report +rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP') -- MLDv1 Done +rule('MULTICAST_OUT_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP') -- MLDv2 Report + +rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 130 -j DROP', 'nat') -- MLD Query +rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 131 -j DROP', 'nat') -- MLDv1 Report +rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 132 -j DROP', 'nat') -- MLDv1 Done +rule('MULTICAST_IN_ICMPV6 -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type 143 -j DROP', 'nat') -- MLDv2 Report diff --git a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables index 5a770452..e6bffe96 100755 --- a/package/gluon-ebtables/files/etc/init.d/gluon-ebtables +++ b/package/gluon-ebtables/files/etc/init.d/gluon-ebtables @@ -24,12 +24,15 @@ exec_file() { local file="$1" /usr/bin/lua -e " - function rule(command) + function rule(command, table) + table = table or 'filter' os.execute($EBTABLES_RULE) end - function chain(name, policy) + function chain(name, policy, table) + table = table or 'filter' os.execute($EBTABLES_CHAIN) end + " "$file" } @@ -48,8 +51,8 @@ exec_all() { start() { ( - export EBTABLES_RULE='"ebtables -A " .. command' - export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy' + export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command' + export EBTABLES_CHAIN='"ebtables -t " .. table .. " -N " .. name .. " -P " .. policy' if [ -z "$1" ]; then exec_all '' @@ -61,8 +64,8 @@ start() { stop() { ( - export EBTABLES_RULE='"ebtables -D " .. command' - export EBTABLES_CHAIN='"ebtables -X " .. name' + export EBTABLES_RULE='"ebtables -t " .. table .. " -D " .. command' + export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name' if [ -z "$1" ]; then exec_all '-r' diff --git a/package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain b/package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain index 31c19c53..e6bf98e3 100644 --- a/package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain +++ b/package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain @@ -1,2 +1,5 @@ chain('IN_ONLY', 'RETURN') chain('OUT_ONLY', 'RETURN') + +chain('MULTICAST_OUT', 'RETURN') +chain('MULTICAST_OUT_ICMPV6', 'RETURN') diff --git a/package/gluon-ebtables/files/lib/gluon/ebtables/350-mcast-dir-rules b/package/gluon-ebtables/files/lib/gluon/ebtables/350-mcast-dir-rules new file mode 100644 index 00000000..01609068 --- /dev/null +++ b/package/gluon-ebtables/files/lib/gluon/ebtables/350-mcast-dir-rules @@ -0,0 +1,4 @@ +rule 'OUTPUT -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT' +rule 'FORWARD -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT' + +rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j MULTICAST_OUT_ICMPV6'