Add ebtables filters from the legacy firmware

gluon/gluon-ebtables-filter-multicast/Makefile

@@ -0,0 +1,40 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-multicast
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-multicast
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Ebtables filters for multicast packets
+  DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-multicast/description
+	Gluon community wifi mesh firmware framework: Ebtables filters for multicast packets
+
+	These filters drop non-essential multicast traffic before it enters the mesh.
+
+	Allowed protocols are: DHCP, DHCPv6, ARP, ICMP, ICMPv6, BitTorrent local peer discovery, BABEL and OSPF
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-multicast/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-multicast))

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain

@@ -0,0 +1 @@
+chain MULTICAST_OUT DROP

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p ARP -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp

@@ -0,0 +1 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf

@@ -0,0 +1,2 @@
+rule MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN
+rule MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN

gluon/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast

@@ -0,0 +1,2 @@
+rule FORWARD --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT
+rule OUTPUT --logical-out br-freifunk -o bat0 -d Multicast -j MULTICAST_OUT

gluon/gluon-ebtables-filter-ra-dhcp/Makefile

@@ -0,0 +1,39 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-filter-ra-dhcp
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-filter-ra-dhcp
+  SECTION:=gluon
+  CATEGORY:=Gluon
+  TITLE:=Ebtables filters for Router Advertisement and DHCP packets
+  DEPENDS:=+gluon-core +gluon-ebtables
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/description
+	Gluon community wifi mesh firmware framework: Ebtables filters for Router Advertisement and DHCP packets
+
+	These filters ensure that RA and DHCP packets are only forwarded from the mesh into the
+	client network, and not vice-versa.
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/gluon-ebtables-filter-ra-dhcp/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-filter-ra-dhcp))

gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4

@@ -0,0 +1,5 @@
+rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
+rule OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
+
+rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
+rule INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY

gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6

@@ -0,0 +1,5 @@
+rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
+rule OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
+
+rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
+rule INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY

gluon/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv

@@ -0,0 +1,5 @@
+rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+
+rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY

gluon/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain

@@ -0,0 +1,2 @@
+chain IN_ONLY RETURN
+chain OUT_ONLY RETURN

gluon/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules

@@ -0,0 +1,2 @@
+rule IN_ONLY --logical-in br-client -i ! bat0 -j DROP
+rule OUT_ONLY --logical-out br-client -o ! bat0 -j DROP