Home Explore Help
Register Sign In
FreifunkHochstift
/
ffho-packages
3
0
Fork 0
Files Issues 0 Pull Requests 0
Browse Source

ffho-ebtables-net-rules: backport gluon-ebtables-source-filter

but keep additional_prefix6
Karsten Böddeker 7 years ago
parent
a723748cac
commit
33f44ef1ca
12 changed files with 58 additions and 36 deletions
Split View Show Diff Stats
  1. 9 9
      ffho/ffho-ebtables-net-rules/Makefile
  2. 20 9
      ffho/ffho-ebtables-net-rules/ReadMe.md
  3. 3 0
      ffho/ffho-ebtables-net-rules/check_site.lua
  4. 0 1
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-ffho-net-chain
  5. 1 0
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-local-forward-chain
  6. 0 7
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space
  7. 0 9
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces
  8. 6 0
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-arp
  9. 6 0
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv4
  10. 12 0
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv6
  11. 1 0
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/300-local-forward-rules
  12. 0 1
      ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffho-net-chain

+ 9 - 9
ffho/ffho-ebtables-net-rules/Makefile
View File 

@@ -11,16 +11,15 @@ include $(INCLUDE_DIR)/package.mk
 
 define Package/ffho-ebtables-net-rules
 
   SECTION:=ffho
 
   CATEGORY:=FFHO
 
-  TITLE:=FFHO net-specific ebtables rules to filter unreasonable L2 traffic.
 
+  TITLE:=Ebtables rules to filter unreasonable L2 traffic.
 
   DEPENDS:=+gluon-core +gluon-ebtables
 
   MAINTAINER:=Freifunk Hochstift <kontakt@hochstift.freifunk.net>
 
   URL:=https://git.c3pb.de/freifunk-pb/ffho-packages
 
 endef
 
 
 define Package/ffho-ebtables-net-rules/description
 
-	This package adds an additional layer-2 filter-ruleset to prevent traffic,
 
-	which is not destined for any Freifunk Paderborn layer-3 specific target,
 
-	from entering the network via the nodes.
 
+	This package adds an additional layer-2 filter-ruleset to prevent unreasonable
 
+	traffic entering the network via the nodes.
 
 endef
 
 
 define Build/Prepare
 
@@ -34,11 +33,12 @@ define Build/Compile
 
 endef
 
 
 define Package/ffho-ebtables-net-rules/install
 
-	$(INSTALL_DIR) $(1)/lib/gluon/ebtables/
 
-	$(CP) ./files/lib/gluon/ebtables/100-ffho-net-chain $(1)/lib/gluon/ebtables/
 
-	$(CP) ./files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space $(1)/lib/gluon/ebtables/
 
-	$(CP) ./files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces $(1)/lib/gluon/ebtables/
 
-	$(CP) ./files/lib/gluon/ebtables/400-add-ffho-net-chain $(1)/lib/gluon/ebtables/
 
+	$(CP) ./files/* $(1)/
 
+endef
 
+
 
+define Package/ffho-ebtables-net-rules/postinst
 
+#!/bin/sh
 
+$(call GluonCheckSite,check_site.lua)
 
 endef
 
 
 $(eval $(call BuildPackage,ffho-ebtables-net-rules))

+ 20 - 9
ffho/ffho-ebtables-net-rules/ReadMe.md
View File 

@@ -1,26 +1,37 @@
 
 ffho-ebtables-net-rules
 
 =======================
 
 
-Additional ebtables rules for Freifunk-Nodes
 
+The *ffho-ebtables-net-rules* package adds an additional layer-2 filter
 
+ruleset to prevent unreasonable traffic entering the network via the nodes.
 
+Unreasonable means traffic entering the mesh via a node which source IP does
 
+not belong to the configured IP space.
 
+
 
+One may first check if there is a certain proportion of unreasonable traffic,
 
+before adding this package to the firmware image. Additional one should not
 
+use this package if some kind of gateway or upstream network is provided by
 
+a device connected to the client port.
 
 
 site.conf
 
 ---------
 
 
-**prefix4:**
 
-- IPv4 prefix
 
+**prefix4: optional**
 
+- IPv4 subnet
 
 
 **prefix6:**
 
-- IPv6 prefix
 
+- IPv6 subnet
 
+
 
+**extra_prefixes6 : optional**
 
+- list of additional IPv6 subnets
 
 
-**additional_prefix6: optional**
 
-- list of additional IPv6 prefix
 
+**additional_prefix6: outdated**
 
+- list of additional IPv6 subnets
 
 
 ### example
 
 ```lua
 
 {
 
-  prefix4 = '10.132.0.0./18',
 
-  prefix6 = 'fdca:ffee:ff12:132::/64',
 
-  additional_prefix6 = { '2a03:2260:2342:2300::/64' },
 
+  prefix4 = '198.51.100.0/21',
 
+  prefix6 = '2001:db8:8::/64',
 
+  extra_prefixes6 = { '2001:db8:9::/64', '2001:db8:100::/60' },
 
   ...
 
 },
 
 ```

+ 3 - 0
ffho/ffho-ebtables-net-rules/check_site.lua
View File 

@@ -0,0 +1,3 @@
 
+need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$', false)
 
+need_string_array_match('extra_prefixes6', '^[%x:]+/%d+$', false)
 
+need_string_array_match('additional_prefix6', '^[%x:]+/%d+$', false)

+ 0 - 1
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-ffho-net-chain
View File 

@@ -1 +0,0 @@
 
-chain('FFHO_NET_ONLY', 'DROP')

+ 1 - 0
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-local-forward-chain
View File 

@@ -0,0 +1 @@
 
+chain('LOCAL_FORWARD', 'DROP')

+ 0 - 7
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space
View File 

@@ -1,7 +0,0 @@
 
-siteConfig = require("gluon.site_config")
 
-prefix4 = siteConfig.prefix4
 
-
 
-rule ('FFHO_NET_ONLY -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
 
-rule ('FFHO_NET_ONLY -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
 
-rule ('FFHO_NET_ONLY -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
 
-rule ('FFHO_NET_ONLY -p ARP --arp-ip-src 0.0.0.0/0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')

+ 0 - 9
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces
View File 

@@ -1,9 +0,0 @@
 
-siteConfig = require("gluon.site_config")
 
-
 
-rule ('FFHO_NET_ONLY -p IPv6 --ip6-src fe80::/10 -j RETURN')
 
-rule ('FFHO_NET_ONLY -p IPv6 --ip6-dst ff00::/8 -j RETURN')
 
-rule ('FFHO_NET_ONLY -p IPv6 --ip6-src ' .. siteConfig.prefix6 .. ' -j RETURN')
 
-
 
-for _, prefix in ipairs(siteConfig.additional_prefix6 or {}) do
 
-	rule ('FFHO_NET_ONLY -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
 
-end

+ 6 - 0
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-arp
View File 

@@ -0,0 +1,6 @@
 
+prefix4 = require('gluon.site_config').prefix4
 
+
 
+if prefix4 then
 
+	rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
 
+	rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
 
+end

+ 6 - 0
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv4
View File 

@@ -0,0 +1,6 @@
 
+prefix4 = require('gluon.site_config').prefix4
 
+
 
+if prefix4 then
 
+	rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
 
+	rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
 
+end

+ 12 - 0
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv6
View File 

@@ -0,0 +1,12 @@
 
+site = require('gluon.site_config')
 
+
 
+rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
 
+rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
 
+rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6 .. ' -j RETURN')
 
+
 
+for _, prefix in ipairs(site.extra_prefixes6 or {}) do
 
+	rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
 
+end
 
+for _, prefix in ipairs(site.additional_prefix6 or {}) do
 
+	rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
 
+end

+ 1 - 0
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/300-local-forward-rules
View File 

@@ -0,0 +1 @@
 
+rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')

+ 0 - 1
ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffho-net-chain
View File 

@@ -1 +0,0 @@
 
-rule 'FORWARD --logical-in br-client -i ! bat0 -j FFHO_NET_ONLY'