From 7efaa780f8aaa503f0527bd3d5556e758556ec99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Mon, 11 Mar 2024 23:16:24 +0100
Subject: [PATCH] fff-node: apply firewall rules to br-client only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When switching from ebtables to nftables, the --logical-in and --logical-out selectors of some rules were missed. This might have been caused by kmod-nft-bridge not being installed, which is required for the ibrname and obrname selectors, so it is possible that the migration (using ebtables-nft) did not apply these selectors.

Add the ibrname and obrname selectors and add the required kernel module.

Fixes: #315
Fixes: 157fa4eac5ef ("fff-firewall: Switch from ip/ebtables to nftables")
Reported-by: Robert Langhammer
Signed-off-by: Fabian Bläse
---
 src/packages/fff/fff-firewall/Makefile                      |  3 ++-
 .../files/usr/lib/firewall.d/05-setup-batman-chains         | 10 +++++-----
 .../fff-node/files/usr/lib/firewall.d/40-local-node         | 12 ++++++------
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 89275474..9bd89ae1 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -10,7 +10,8 @@ define Package/$(PKG_NAME)
 	CATEGORY:=Freifunk
 	TITLE:=Freifunk-Franken firewall
 	URL:=https://www.freifunk-franken.de
-	DEPENDS:=+nftables
+	DEPENDS:=+kmod-nft-bridge \
+		+nftables
 endef
 
 define Package/$(PKG_NAME)/description
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains b/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains
index 68867341..d2b983a0 100644
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/05-setup-batman-chains
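Review bot: The new `+kmod-nft-bridge` dependency is declared on fff-firewall, but the rules that need the bridge meta matches live in fff-node's firewall.d scripts (the other two files of this patch); unless fff-node already depends on fff-firewall, which this hunk does not show, an image built without fff-firewall would carry rules its nft cannot load. A one-line comment above the continuation, `# kmod-nft-bridge provides the ibrname/obrname (bridge meta) matches used by firewall.d`, would record why the module is required here. The `define Package/$(PKG_NAME)` block starts above the hunk.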
@@ -4,7 +4,7 @@ table bridge filter {
 	# vom Gateway (also vom BATMAN) kommen darf.
 	chain IN_ONLY {
 		# -i ! bat0 --logical-in br-client -j DROP
-		iifname != "bat0" counter drop
+		iifname != "bat0" ibrname "br-client" counter drop
 		counter
 	}
 
@@ -12,7 +12,7 @@ table bridge filter {
 	# in Richtung Gateway (also ins BATMAN) gesendet werden darf.
 	chain OUT_ONLY {
 		# --logical-out br-client -o ! bat0 -j DROP
-		oifname != "bat0" counter drop
+		oifname != "bat0" obrname "br-client" counter drop
 		counter
 	}
 
@@ -24,21 +24,21 @@ table bridge filter {
 		type filter hook input priority filter; policy accept;
 
 		# -d Multicast -i ! bat0 --logical-in br-client -j ACCEPT
-		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 accept
+		iifname != "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 ibrname "br-client" counter packets 0 bytes 0 accept
 	}
 
 	chain FORWARD {
 		type filter hook forward priority filter; policy accept;
 
 		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
-		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
+		oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 jump MULTICAST_OUT
 	}
 
 	chain OUTPUT {
 		type filter hook output priority filter; policy accept;
 
 		# -d Multicast --logical-out br-client -o bat0 -j MULTICAST_OUT
-		oifname "bat0" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
+		oifname "bat0" obrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter jump MULTICAST_OUT
 	}
 }
 __EOF
diff --git a/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
index b5e733fc..efc42104 100644
--- a/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
+++ b/src/packages/fff/fff-node/files/usr/lib/firewall.d/40-local-node
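Review bot: Adding `ibrname "br-client"` to the IN_ONLY drop rule makes loading this ruleset depend on the bridge meta match being available in the running kernel; `nft -f` applies the file as one transaction, so if the match is missing the whole table is rejected and the IN_ONLY/OUT_ONLY drop rules are simply absent, which fails open under the `policy accept` chains rather than closed. The command that feeds this heredoc to nft starts above the hunk, so whether its exit status is checked is not visible here; the loader should at least log a failed apply, and a comment such as `# ibrname/obrname need kmod-nft-bridge; without it nft rejects this whole table` above the table would make the dependency explicit. The same applies to the OUT_ONLY hunk below and to the 40-local-node rules.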
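Review bot: In the INPUT multicast rule the new `ibrname "br-client"` selector is placed after the `ether daddr` mask expression, whereas the FORWARD and OUTPUT rules put `obrname` directly after the interface match; the INPUT and FORWARD rules also keep `counter packets 0 bytes 0`, the `nft list` dump form, where OUTPUT uses a bare `counter`. Consider `iifname != "bat0" ibrname "br-client" ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter accept` so the interface selectors and counters read the same in every chain. The table header enclosing these chains is above the hunk.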
@@ -4,27 +4,27 @@ table bridge filter {
 		# No input from/to local node ip from batman
 
 		# -p IPv6 -i bat0 --logical-in br-client --ip6-src fdff::1 -j DROP
-		iifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		iifname "bat0" ibrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 		# -p IPv6 -i bat0 --logical-in br-client --ip6-dst fdff::1 -j DROP
-		iifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		iifname "bat0" ibrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 	}
 
 	chain FORWARD {
 		# Do not forward local node ip
 
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 	}
 
 	chain OUTPUT {
 		# Do not output local node ip to batman
 
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-dst fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 daddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 daddr fdff::1 counter drop
 		# -p IPv6 --logical-out br-client -o bat0 --ip6-src fdff::1 -j DROP
-		oifname "bat0" ether type ip6 ip6 saddr fdff::1 counter drop
+		oifname "bat0" obrname "br-client" ether type ip6 ip6 saddr fdff::1 counter drop
 	}
 }
 __EOF
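Review bot: The six rewritten rules differ only in the interface selector and the address field and each repeats the literal `fdff::1`, so a change of the local-node address has to be made in every rule and its comment. If the heredoc that feeds this ruleset is unquoted (its opening line is above the hunk), a shell variable such as `LOCAL_NODE_IP6=fdff::1` used as `ip6 saddr $LOCAL_NODE_IP6` would keep the address in one place; the FORWARD and OUTPUT chains could then share one rule pair in a helper. The comments above each rule still describe the ebtables form, which is useful for cross-checking the translation and should stay.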