From 33f44ef1cae86899f30614f69e10b692c82e4545 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karsten=20B=C3=B6ddeker?= <freifunk@kb-light.de>
Date: Sun, 9 Apr 2017 20:57:20 +0200
Subject: [PATCH] ffho-ebtables-net-rules: backport
 gluon-ebtables-source-filter

but keep additional_prefix6
---
 ffho/ffho-ebtables-net-rules/Makefile         | 18 ++++++------
 ffho/ffho-ebtables-net-rules/ReadMe.md        | 29 +++++++++++++------
 ffho/ffho-ebtables-net-rules/check_site.lua   |  3 ++
 .../lib/gluon/ebtables/100-ffho-net-chain     |  1 -
 .../gluon/ebtables/100-local-forward-chain    |  1 +
 .../ebtables/110-ffho-net-allow-ipv4-space    |  7 -----
 .../ebtables/110-ffho-net-allow-ipv6-spaces   |  9 ------
 .../ebtables/110-local-forward-allow-arp      |  6 ++++
 .../ebtables/110-local-forward-allow-ipv4     |  6 ++++
 .../ebtables/110-local-forward-allow-ipv6     | 12 ++++++++
 .../gluon/ebtables/300-local-forward-rules    |  1 +
 .../lib/gluon/ebtables/400-add-ffho-net-chain |  1 -
 12 files changed, 58 insertions(+), 36 deletions(-)
 create mode 100644 ffho/ffho-ebtables-net-rules/check_site.lua
 delete mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-ffho-net-chain
 create mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-local-forward-chain
 delete mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space
 delete mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces
 create mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-arp
 create mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv4
 create mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv6
 create mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/300-local-forward-rules
 delete mode 100644 ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffho-net-chain

diff --git a/ffho/ffho-ebtables-net-rules/Makefile b/ffho/ffho-ebtables-net-rules/Makefile
index 5a88286..408d29f 100644
--- a/ffho/ffho-ebtables-net-rules/Makefile
+++ b/ffho/ffho-ebtables-net-rules/Makefile
@@ -11,16 +11,15 @@ include $(INCLUDE_DIR)/package.mk
 define Package/ffho-ebtables-net-rules
   SECTION:=ffho
   CATEGORY:=FFHO
-  TITLE:=FFHO net-specific ebtables rules to filter unreasonable L2 traffic.
+  TITLE:=Ebtables rules to filter unreasonable L2 traffic.
   DEPENDS:=+gluon-core +gluon-ebtables
   MAINTAINER:=Freifunk Hochstift <kontakt@hochstift.freifunk.net>
   URL:=https://git.c3pb.de/freifunk-pb/ffho-packages
 endef
 
 define Package/ffho-ebtables-net-rules/description
-	This package adds an additional layer-2 filter-ruleset to prevent traffic,
-	which is not destined for any Freifunk Paderborn layer-3 specific target,
-	from entering the network via the nodes.
+	This package adds an additional layer-2 filter-ruleset to prevent unreasonable
+	traffic entering the network via the nodes.
 endef
 
 define Build/Prepare
@@ -34,11 +33,12 @@ define Build/Compile
 endef
 
 define Package/ffho-ebtables-net-rules/install
-	$(INSTALL_DIR) $(1)/lib/gluon/ebtables/
-	$(CP) ./files/lib/gluon/ebtables/100-ffho-net-chain $(1)/lib/gluon/ebtables/
-	$(CP) ./files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space $(1)/lib/gluon/ebtables/
-	$(CP) ./files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces $(1)/lib/gluon/ebtables/
-	$(CP) ./files/lib/gluon/ebtables/400-add-ffho-net-chain $(1)/lib/gluon/ebtables/
+	$(CP) ./files/* $(1)/
+endef
+
+define Package/ffho-ebtables-net-rules/postinst
+#!/bin/sh
+$(call GluonCheckSite,check_site.lua)
 endef
 
 $(eval $(call BuildPackage,ffho-ebtables-net-rules))
diff --git a/ffho/ffho-ebtables-net-rules/ReadMe.md b/ffho/ffho-ebtables-net-rules/ReadMe.md
index 4912424..7756d8c 100644
--- a/ffho/ffho-ebtables-net-rules/ReadMe.md
+++ b/ffho/ffho-ebtables-net-rules/ReadMe.md
@@ -1,26 +1,37 @@
 ffho-ebtables-net-rules
 =======================
 
-Additional ebtables rules for Freifunk-Nodes
+The *ffho-ebtables-net-rules* package adds an additional layer-2 filter
+ruleset to prevent unreasonable traffic entering the network via the nodes.
+Unreasonable means traffic entering the mesh via a node which source IP does
+not belong to the configured IP space.
+
+One may first check if there is a certain proportion of unreasonable traffic,
+before adding this package to the firmware image. Additional one should not
+use this package if some kind of gateway or upstream network is provided by
+a device connected to the client port.
 
 site.conf
 ---------
 
-**prefix4:**
-- IPv4 prefix
+**prefix4: optional**
+- IPv4 subnet
 
 **prefix6:**
-- IPv6 prefix
+- IPv6 subnet
+
+**extra_prefixes6 : optional**
+- list of additional IPv6 subnets
 
-**additional_prefix6: optional**
-- list of additional IPv6 prefix
+**additional_prefix6: outdated**
+- list of additional IPv6 subnets
 
 ### example
 ```lua
 {
-  prefix4 = '10.132.0.0./18',
-  prefix6 = 'fdca:ffee:ff12:132::/64',
-  additional_prefix6 = { '2a03:2260:2342:2300::/64' },
+  prefix4 = '198.51.100.0/21',
+  prefix6 = '2001:db8:8::/64',
+  extra_prefixes6 = { '2001:db8:9::/64', '2001:db8:100::/60' },
   ...
 },
 ```
diff --git a/ffho/ffho-ebtables-net-rules/check_site.lua b/ffho/ffho-ebtables-net-rules/check_site.lua
new file mode 100644
index 0000000..9f525ec
--- /dev/null
+++ b/ffho/ffho-ebtables-net-rules/check_site.lua
@@ -0,0 +1,3 @@
+need_string_match('prefix4', '^%d+.%d+.%d+.%d+/%d+$', false)
+need_string_array_match('extra_prefixes6', '^[%x:]+/%d+$', false)
+need_string_array_match('additional_prefix6', '^[%x:]+/%d+$', false)
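Review bot: The prefix4 pattern on the first line leaves the dots unescaped, and in a Lua pattern `.` matches any character, so a site.conf value such as `10,132,0,0/18` (constructed) passes the build-time check and is only rejected later when ebtables parses the generated rule; `need_string_match('prefix4', '^%d+%.%d+%.%d+%.%d+/%d+$', false)` checks what the ReadMe promises. The patterns also accept out-of-range octets and prefix lengths (`999.0.0.0/99` would pass), which is tolerable here because site.conf is trusted build input, but the failure then surfaces as an ebtables error on the node rather than at image build. prefix6 is not checked in this file although 110-local-forward-allow-ipv6 concatenates `site.prefix6` unconditionally; presumably gluon-core's own site check already requires it, but if that is not the case a `need_string_match('prefix6', '^[%x:]+/%d+$')` line here would make the dependency explicit.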
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-ffho-net-chain b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-ffho-net-chain
deleted file mode 100644
index 8f6b65c..0000000
--- a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-ffho-net-chain
+++ /dev/null
@@ -1 +0,0 @@
-chain('FFHO_NET_ONLY', 'DROP')
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-local-forward-chain b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-local-forward-chain
new file mode 100644
index 0000000..b9f4467
--- /dev/null
+++ b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/100-local-forward-chain
@@ -0,0 +1 @@
+chain('LOCAL_FORWARD', 'DROP')
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space
deleted file mode 100644
index d09e1de..0000000
--- a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv4-space
+++ /dev/null
@@ -1,7 +0,0 @@
-siteConfig = require("gluon.site_config")
-prefix4 = siteConfig.prefix4
-
-rule ('FFHO_NET_ONLY -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
-rule ('FFHO_NET_ONLY -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
-rule ('FFHO_NET_ONLY -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
-rule ('FFHO_NET_ONLY -p ARP --arp-ip-src 0.0.0.0/0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces
deleted file mode 100644
index 946d8ad..0000000
--- a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-ffho-net-allow-ipv6-spaces
+++ /dev/null
@@ -1,9 +0,0 @@
-siteConfig = require("gluon.site_config")
-
-rule ('FFHO_NET_ONLY -p IPv6 --ip6-src fe80::/10 -j RETURN')
-rule ('FFHO_NET_ONLY -p IPv6 --ip6-dst ff00::/8 -j RETURN')
-rule ('FFHO_NET_ONLY -p IPv6 --ip6-src ' .. siteConfig.prefix6 .. ' -j RETURN')
-
-for _, prefix in ipairs(siteConfig.additional_prefix6 or {}) do
-	rule ('FFHO_NET_ONLY -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
-end
\ No newline at end of file
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-arp b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-arp
new file mode 100644
index 0000000..e8de312
--- /dev/null
+++ b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-arp
@@ -0,0 +1,6 @@
+prefix4 = require('gluon.site_config').prefix4
+
+if prefix4 then
+	rule('LOCAL_FORWARD -p ARP --arp-ip-src ' .. prefix4 .. ' --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
+	rule('LOCAL_FORWARD -p ARP --arp-ip-src 0.0.0.0 --arp-ip-dst ' .. prefix4 .. ' -j RETURN')
+end
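Review bot: `prefix4` on the first line is assigned without `local`, so the file leaves a global behind in whatever environment gluon-ebtables evaluates these rule scripts in; the same applies to `prefix4` in 110-local-forward-allow-ipv4 and `site` in 110-local-forward-allow-ipv6. `local prefix4 = require('gluon.site_config').prefix4` keeps it file-scoped with no change in behaviour. The second ARP rule now matches the single sender address `0.0.0.0` where the deleted 110-ffho-net-allow-ipv4-space used `0.0.0.0/0`; that looks like a deliberate tightening taken from upstream (ARP probes from hosts without an address yet), but the reason is worth recording, e.g. `-- sender 0.0.0.0: ARP probes from clients that do not have an address yet`.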
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv4 b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv4
new file mode 100644
index 0000000..048e700
--- /dev/null
+++ b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv4
@@ -0,0 +1,6 @@
+prefix4 = require('gluon.site_config').prefix4
+
+if prefix4 then
+	rule('LOCAL_FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN')
+	rule('LOCAL_FORWARD -p IPv4 --ip-src ' .. prefix4 .. ' -j RETURN')
+end
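Review bot: The UDP/67 rule on the fourth line returns frames from any source address, including ones outside prefix4, and nothing says why that exception to the source filter is safe; a comment such as `-- DHCP requests are sent from 0.0.0.0 before a lease exists, so they cannot be source-filtered` would keep a later reader from "fixing" it. Note that this rule is only installed when prefix4 is set, so a site without prefix4 drops client DHCP traffic entirely at this chain — presumably intended, since such a site has no IPv4, but worth a line in the ReadMe.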
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv6 b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv6
new file mode 100644
index 0000000..4ed62e0
--- /dev/null
+++ b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/110-local-forward-allow-ipv6
@@ -0,0 +1,12 @@
+site = require('gluon.site_config')
+
+rule('LOCAL_FORWARD -p IPv6 --ip6-src fe80::/64 -j RETURN')
+rule('LOCAL_FORWARD -p IPv6 --ip6-src ::/128 --ip6-proto ipv6-icmp -j RETURN')
+rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. site.prefix6 .. ' -j RETURN')
+
+for _, prefix in ipairs(site.extra_prefixes6 or {}) do
+	rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
+end
+for _, prefix in ipairs(site.additional_prefix6 or {}) do
+	rule('LOCAL_FORWARD -p IPv6 --ip6-src ' .. prefix .. ' -j RETURN')
+end
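Review bot: The two loops at the end are identical except for the key they read, and nothing in the file records that `additional_prefix6` is the legacy FFHO name this backport keeps alongside upstream's `extra_prefixes6` (the ReadMe marks it "outdated"); a comment above the second loop, `-- additional_prefix6: deprecated FFHO spelling of extra_prefixes6, kept so existing site.conf files still work`, would explain the duplication. The link-local rule narrows from the deleted file's `fe80::/10` to `fe80::/64` and the `::/128 --ip6-proto ipv6-icmp` rule is new; both appear to come from upstream, but a one-line comment on the latter (presumably it admits neighbour discovery / DAD sent from the unspecified address) would help whoever maintains the backport.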
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/300-local-forward-rules b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/300-local-forward-rules
new file mode 100644
index 0000000..6c5a925
--- /dev/null
+++ b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/300-local-forward-rules
@@ -0,0 +1 @@
+rule('FORWARD --logical-in br-client -i ! bat0 -j LOCAL_FORWARD')
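Review bot: This jump only drops anything because 100-local-forward-chain creates LOCAL_FORWARD with a DROP policy and the 110-* files add the RETURN exceptions, and that load-order dependency is carried solely by the numeric file prefixes; a comment such as `-- frames entering via br-client from non-mesh ports pass through LOCAL_FORWARD (DROP policy, exceptions in 110-*)` would make the contract visible in the file that wires the chain in. Whether gluon-ebtables guarantees lexical load order is not shown on the page and should be confirmed.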
diff --git a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffho-net-chain b/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffho-net-chain
deleted file mode 100644
index 5662f1b..0000000
--- a/ffho/ffho-ebtables-net-rules/files/lib/gluon/ebtables/400-add-ffho-net-chain
+++ /dev/null
@@ -1 +0,0 @@
-rule 'FORWARD --logical-in br-client -i ! bat0 -j FFHO_NET_ONLY'
-- 
GitLab