From eaa40f7034c8791380cf5f09efe844c7045c9758 Mon Sep 17 00:00:00 2001
From: Johannes Kimmel
Date: Tue, 11 Apr 2023 10:32:00 +0200
Subject: [PATCH] layer3: add option to enable stateful firewall on client network

Add the following option to the client config section in `/etc/config/gateway` to enable a basic stateful firewall:
```
config client
option stateful_firewall '1'
```
The firewall will forward icmp mesages and allow any outbound client traffic and related inbound traffic.
---
 .../files/etc/layer3.d/30-network-client | 6 ++
 .../usr/lib/firewall.d/20-stateful-firewall | 56 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 src/packages/fff/fff-layer3/files/usr/lib/firewall.d/20-stateful-firewall

diff --git a/src/packages/fff/fff-layer3-config/files/etc/layer3.d/30-network-client b/src/packages/fff/fff-layer3-config/files/etc/layer3.d/30-network-client
index 3c4e055..48ba746 100644
--- a/src/packages/fff/fff-layer3-config/files/etc/layer3.d/30-network-client
+++ b/src/packages/fff/fff-layer3-config/files/etc/layer3.d/30-network-client
@@ -57,6 +57,12 @@ configure() {
 else
 echo "WARNING: No Interface for client specified"
 fi
+
+ # stateful firewall
+ uci -q del network.client.fff_stateful_firewall
+ if [ "$(uci -q get gateway.@client[0].stateful_firewall)" = 1 ]; then
+ uci set network.client.fff_stateful_firewall=1
+ fi
 }
 
 apply() {
diff --git a/src/packages/fff/fff-layer3/files/usr/lib/firewall.d/20-stateful-firewall b/src/packages/fff/fff-layer3/files/usr/lib/firewall.d/20-stateful-firewall
new file mode 100644
index 0000000..81fff15
--- /dev/null
+++ b/src/packages/fff/fff-layer3/files/usr/lib/firewall.d/20-stateful-firewall
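Review bot: The new test enables the firewall only when `gateway.@client[0].stateful_firewall` is exactly the literal `1`; values such as `on`, `true` or `yes`, which UCI boolean handling elsewhere in OpenWrt commonly accepts, leave it disabled without any message. If that is intended, a comment next to the test such as `# only the literal value 1 enables the firewall; any other value (or absence) leaves it off` would stop the next reader from "fixing" it; otherwise normalise the value with whatever boolean helper the surrounding script already uses, if it has one. The `uci -q del` before the conditional set keeps `network.client.fff_stateful_firewall` absent when disabled, which matches the `!= 1` test in the new firewall.d script. configure() starts before this hunk.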
@@ -0,0 +1,56 @@
+[ "$(uci -q get network.client.fff_stateful_firewall)" != 1 ] && return
+
+nft -f - << EOF
+table ip filter {
+ chain forward-client {
+ ct state {
+ established,
+ related,
+ } accept \
+ comment "accept traffic originating from clients"
+
+ ip protocol icmp icmp type {
+ echo-reply,
+ destination-unreachable,
+ echo-request,
+ time-exceeded,
+ parameter-problem,
+ } accept \
+ comment "accept icmp"
+
+ counter drop \
+ comment "drop the rest"
+ }
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ oifname br-client goto forward-client
+ }
+}
+
+table ip6 filter {
+ chain forward-client {
+ ct state {
+ established,
+ related,
+ } accept \
+ comment "accept traffic originating from clients"
+
+ ip6 nexthdr icmpv6 icmpv6 type {
+ destination-unreachable,
+ packet-too-big,
+ time-exceeded,
+ parameter-problem,
+ echo-request,
+ echo-reply,
+ } accept \
+ comment "accept icmpv6 for basic ipv6 functionality"
+
+ counter drop \
+ comment "drop the rest"
+ }
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ oifname br-client goto forward-client
+ }
+}
+EOF
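Review bot: `ip6 nexthdr icmpv6 icmpv6 type { ... }` in the ip6 forward-client chain only matches when ICMPv6 is the very first next header, so an ICMPv6 packet that carries an extension header (a fragment or destination-options header, say) fails the `nexthdr` test and falls through to `counter drop`, losing exactly the packet-too-big/unreachable messages the comment says it wants to keep. Dropping the prefix and writing `icmpv6 type { ... } accept` (or `meta l4proto icmpv6 icmpv6 type { ... }`) lets nft locate ICMPv6 after walking the extension-header chain; the IPv4 `ip protocol icmp icmp type` form is fine because IPv4 has no extension headers. Separately, `nft -f` with a `table ip filter { ... }` block appends its rules on every run and merges into an existing `ip filter` table and `FORWARD` chain if one is present (iptables-nft uses those names), so unless the firewall.d runner flushes the ruleset first, which is not visible here, each rerun adds another `oifname br-client goto forward-client` rule; a `flush chain` or delete of the chains at the top of the script would make it idempotent.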