Port libremesh to fw4 and nftables

libremesh · Mar 27, 2023 · 8aa007e · 8aa007e
1 parent 282f9d5
commit 8aa007e
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 111 deletions.
diff --git a/packages/lime-proto-anygw/Makefile b/packages/lime-proto-anygw/Makefile
@@ -21,9 +21,9 @@ define Package/$(PKG_NAME)
 	CATEGORY:=LibreMesh
 	MAINTAINER:=Gioacchino Mazzurco <[email protected]>
 	URL:=http://libremesh.org
-	DEPENDS:=+dnsmasq-dhcpv6 +ebtables +libuci-lua \
-		+lime-system +lua +kmod-ebtables +kmod-macvlan \
-		+shared-state +shared-state-dnsmasq_leases +kmod-ebtables-ipv6 \
+	DEPENDS:=+ebtables-nft +dnsmasq-dhcpv6 +kmod-nft-bridge +libuci-lua \
+		+lime-system +lua +kmod-macvlan \
+		+shared-state +shared-state-dnsmasq_leases \
 		+luci-lib-nixio
   PKGARCH:=all
 endef

diff --git a/packages/lime-proto-anygw/files/etc/init.d/lime-anygw-ebtables b/packages/lime-proto-anygw/files/etc/init.d/lime-anygw-ebtables
@@ -0,0 +1,26 @@
+#!/bin/sh /etc/rc.common
+
+START=22
+USE_PROCD=0
+
+ANYGW_MACS="aa:aa:aa:00:00:00/ff:ff:ff:00:00:00"
+IPV6_ETHER_TYPE="86DD" # Workaround missing /etc/ethertypes
+
+RULE_DO_NOT_FORWARD_ANYGW_1="FORWARD -j DROP -d $ANYGW_MACS"
+RULE_DO_NOT_FORWARD_ANYGW_2="POSTROUTING -t nat -o bat0 -j DROP -s $ANYGW_MACS"
+RULE_DO_NOT_FORWARD_RA="POSTROUTING -t nat -o bat0 --protocol $IPV6_ETHER_TYPE --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j DROP"
+RULE_DO_NOT_FORWARD_ROGUE_RA="POSTROUTING -t nat -o bat0 --protocol $IPV6_ETHER_TYPE --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j DROP"
+
+start_service() {
+	ebtables -A $RULE_DO_NOT_FORWARD_ANYGW_1
+	ebtables -A $RULE_DO_NOT_FORWARD_ANYGW_2
+	ebtables -A $RULE_DO_NOT_FORWARD_RA
+	ebtables -A $RULE_DO_NOT_FORWARD_ROGUE_RA
+}
+
+stop_service() {
+	ebtables -D $RULE_DO_NOT_FORWARD_ANYGW_1
+	ebtables -D $RULE_DO_NOT_FORWARD_ANYGW_2
+	ebtables -D $RULE_DO_NOT_FORWARD_RA
+	ebtables -D $RULE_DO_NOT_FORWARD_ROGUE_RA
+}
diff --git a/packages/lime-proto-anygw/files/usr/lib/lua/lime/proto/anygw.lua b/packages/lime-proto-anygw/files/usr/lib/lua/lime/proto/anygw.lua
@@ -4,6 +4,7 @@ local fs = require("nixio.fs")
 local network = require("lime.network")
 local config = require("lime.config")
 local system = require("lime.system")
+local utils = require("lime.utils")
 
 
 anygw = {}
@@ -65,24 +66,7 @@ function anygw.configure(args)
 
 	uci:save("network")
 
-	fs.mkdir("/etc/firewall.lime.d")
-	fs.writefile(
-		"/etc/firewall.lime.d/20-anygw-ebtables",
-		"\n" ..
-		"ebtables -D FORWARD -j DROP -d " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" ..
-		"ebtables -A FORWARD -j DROP -d " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" ..
-		"ebtables -t nat -D POSTROUTING -o bat0 -j DROP -s " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" ..
-		"ebtables -t nat -A POSTROUTING -o bat0 -j DROP -s " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" ..
-		"# Filter IPv6 Router Solicitation\n" ..
-		"ebtables -t nat -D POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j DROP\n" ..
-		"ebtables -t nat -A POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j DROP\n" ..
-		"# Filter rogue IPv6 Router advertisement\n" ..
-		"ebtables -t nat -D POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j DROP\n" ..
-		"ebtables -t nat -A POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j DROP\n"
-	)
-
 	uci:set("dhcp", "lan", "ignore", "1")
-
 	uci:set("dhcp", owrtInterfaceName.."_dhcp", "dhcp")
 	uci:set("dhcp", owrtInterfaceName.."_dhcp", "interface", owrtInterfaceName)
 	anygw_dhcp_start = config.get("network", "anygw_dhcp_start")
@@ -128,7 +112,8 @@ function anygw.configure(args)
 	table.insert(content, "dhcp-option=tag:anygw,option6:domain-search,"..cloudDomain)
 	fs.writefile("/etc/dnsmasq.d/lime-proto-anygw-20-ipv6.conf", table.concat(content, "\n").."\n")
 
-	io.popen("/etc/init.d/dnsmasq enable || true"):close()
+	utils.unsafe_shell("/etc/init.d/dnsmasq enable || true")
+	utils.unsafe_shell("/etc/init.d/lime-anygw-ebtables enable || true")
 end
 
 function anygw.setup_interface(ifname, args) end

diff --git a/packages/lime-proto-wan/Makefile b/packages/lime-proto-wan/Makefile
@@ -4,7 +4,7 @@ define Package/$(PKG_NAME)
   SECTION:=lime
   CATEGORY:=LibreMesh
   TITLE:=LiMe wan proto support
-  DEPENDS:=+lime-system +lua +libuci-lua +kmod-ipt-nat +iptables +luci-lib-nixio
+  DEPENDS:=+firewall4 +lime-system +lua +libuci-lua
   MAINTAINER:=Gioacchino Mazzurco <[email protected]>
   VERSION:=$(if $(PKG_VERSION),$(PKG_VERSION),$(PKG_SRC_VERSION))
   PKGARCH:=all

diff --git a/packages/lime-proto-wan/files/usr/lib/lua/lime/proto/wan.lua b/packages/lime-proto-wan/files/usr/lib/lua/lime/proto/wan.lua
@@ -8,8 +8,6 @@
 --! SPDX-License-Identifier: AGPL-3.0-only
 
 local libuci = require("uci")
-local fs = require("nixio.fs")
-local utils = require("lime.utils")
 
 wan = {}
 
@@ -30,31 +28,18 @@ function wan.setup_interface(ifname, args)
 	uci:set("network", "wan", "device", ifname)
 	uci:save("network")
 
-	if utils.is_installed('firewall') then
-		fs.remove("/etc/firewall.lime.d/20-wan-out-masquerade")
-	else
-		fs.mkdir("/etc/firewall.lime.d")
-		fs.writefile(
-			"/etc/firewall.lime.d/20-wan-out-masquerade",
-			"iptables -t nat -D POSTROUTING -o " .. ifname .. " -j MASQUERADE\n" ..
-			"iptables -t nat -A POSTROUTING -o " .. ifname .. " -j MASQUERADE\n"
-		)
-	end
-
-	if utils.is_installed('firewall') then
-		fs.mkdir("/etc/firewall.lime.d")
-		fs.writefile(
-			"/etc/firewall.lime.d/20-allow-all-fe80-traffic-over-wan",
-			"# These will do nothing if fw3 is not running, since *put_wan_rule will not exist\n" ..
-			"ip6tables -D input_wan_rule  -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n" ..
-			"ip6tables -A input_wan_rule  -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n" ..
-			"ip6tables -D output_wan_rule -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n" ..
-			"ip6tables -A output_wan_rule -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n"
-		)
-	else
-		fs.remove("/etc/firewall.lime.d/20-allow-all-fe80-traffic-over-wan")
-	end
-
+	--! Accepting link local traffic also on WAN should not cause hazards.
+	--! It is very helpful in cases where the devices have problem to the other
+	--! ports, to have at least an addictional way to enter for rescue operation
+	local ALLOW_WAN_LL_SECT = "lime_allow_wan_all_link_local"
+	uci:set("firewall", ALLOW_WAN_LL_SECT, "rule")
+	uci:set("firewall", ALLOW_WAN_LL_SECT, "name", ALLOW_WAN_LL_SECT)
+	uci:set("firewall", ALLOW_WAN_LL_SECT, "src", "wan")
+	uci:set("firewall", ALLOW_WAN_LL_SECT, "family", "ipv6")
+	uci:set("firewall", ALLOW_WAN_LL_SECT, "src_ip", "fe80::/10")
+	uci:set("firewall", ALLOW_WAN_LL_SECT, "dest_ip", "fe80::/10")
+	uci:set("firewall", ALLOW_WAN_LL_SECT, "target", "ACCEPT")
+	uci:save("firewall")
 end
 
 return wan
diff --git a/packages/lime-report/files/lime-report.sh b/packages/lime-report/files/lime-report.sh
@@ -53,17 +53,15 @@ generate_status() {
     paste_cmd logread -l 20
     paste_cmd iw dev wlan0-mesh station dump
     paste_cmd iw dev wlan1-mesh station dump
+    paste_cmd iw dev wlan2-mesh station dump
     paste_cmd iw dev wlan0-mesh mpath dump
     paste_cmd iw dev wlan1-mesh mpath dump
+    paste_cmd iw dev wlan2-mesh mpath dump
     paste_cmd iwinfo
     paste_cmd wifi status
     paste_cmd swconfig dev switch0 show
-    paste_cmd iptables -vnL -t filter
-    paste_cmd iptables -vnL -t nat
-    paste_cmd iptables -vnL -t mangle
-    paste_cmd ebtables -t filter -L --Lc
-    paste_cmd ebtables -t nat -L --Lc
-    paste_cmd ebtables -t broute -L --Lc
+    paste_cmd fw4 print
+    paste_cmd nft list ruleset
     paste_cmd opkg list-installed
 }
 

diff --git a/packages/lime-system/Makefile b/packages/lime-system/Makefile
@@ -27,7 +27,7 @@ define Package/$(PKG_NAME)
   CATEGORY:=LibreMesh
   MAINTAINER:=Gioacchino Mazzurco <[email protected]>
   URL:=http://libremesh.org
-  DEPENDS:=+libiwinfo-lua +lua +libuci-lua +luci-lib-ip +luci-lib-nixio +luci-lib-jsonc
+  DEPENDS:=+firewall4 +libiwinfo-lua +lua +libuci-lua +luci-lib-ip +luci-lib-nixio +luci-lib-jsonc
   PKGARCH:=all
 endef
 
@@ -57,7 +57,8 @@ endef
 
 define Package/$(PKG_NAME)/postinst
 #!/bin/sh
-[ -n "$${IPKG_INSTROOT}" ] || /etc/init.d/firewall-lime enable || true
+#[ -n "$${IPKG_INSTROOT}" ] || /etc/init.d/firewall-lime enable || true
+# Add here stuff to be executed after installation at image creation time
 endef
 
 $(eval $(call BuildPackage,$(PKG_NAME)))
diff --git a/packages/lime-system/files/etc/firewall.lime b/packages/lime-system/files/etc/firewall.lime
diff --git a/packages/lime-system/files/etc/init.d/firewall-lime b/packages/lime-system/files/etc/init.d/firewall-lime
diff --git a/packages/lime-system/files/usr/lib/lua/lime/firewall.lua b/packages/lime-system/files/usr/lib/lua/lime/firewall.lua
@@ -14,16 +14,13 @@ local config = require("lime.config")
 
 firewall = {}
 
-firewall.RULES_DIR="/etc/firewall.lime.d/"
-
 function firewall.clean()
 	--! There could be things to cleanup here, but we don't do it as it would
 	--! interfere with rules generated by network protocols, deleting them too.
 	--! So better we do nothing here.
 end
 
 function firewall.configure()
-	if utils.is_installed('firewall') then
         local uci = config:get_uci_cursor()
         local lanIfs = {}
         uci:foreach("firewall", "defaults",
@@ -44,36 +41,17 @@ function firewall.configure()
             end
         )
 
-		uci:foreach("firewall", "zone",
-			function(section)
-				if uci:get("firewall", section[".name"], "name") == "lan" then
-					uci:set("firewall", section[".name"], "input", "ACCEPT")
-					uci:set("firewall", section[".name"], "output", "ACCEPT")
-					uci:set("firewall", section[".name"], "forward", "ACCEPT")
-					uci:set("firewall", section[".name"], "mtu_fix", "1")
-					uci:set("firewall", section[".name"], "network", lanIfs)
-				end
+	uci:foreach("firewall", "zone",
+		function(section)
+			if uci:get("firewall", section[".name"], "name") == "lan" then
+				uci:set("firewall", section[".name"], "input", "ACCEPT")
+				uci:set("firewall", section[".name"], "output", "ACCEPT")
+				uci:set("firewall", section[".name"], "forward", "ACCEPT")
+				uci:set("firewall", section[".name"], "mtu_fix", "1")
+				uci:set("firewall", section[".name"], "network", lanIfs)
 			end
-		)
-
-        uci:set("firewall", "include_firewall_lime", "include")
-        uci:set("firewall", "include_firewall_lime", "path", "/etc/firewall.lime")
-        uci:save("firewall")
-	else
-		fs.mkdir(firewall.RULES_DIR)
-		fs.writefile(
-			firewall.RULES_DIR.."/20-lime-system-mtu_fix",
-			"\n" ..
-		--! Workaround PMTU discovery being historically broken on IPv4 Internet
-		"iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" ..
-		"iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" ..
-
-		--! For some reason with some websites like https://www.rt.com/ PMTU
-		--! discovery doesn't work even for IPv6, so workaround this too
-		"ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" ..
-		"ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n"
-		)
-	end
+		end
+	)
 end
 
 return firewall