From 8aa007e456d3cc98fd45997689624dbbeade3c7b Mon Sep 17 00:00:00 2001 From: Gioacchino Mazzurco Date: Mon, 27 Mar 2023 12:13:24 +0200 Subject: [PATCH] Port libremesh to fw4 and nftables --- packages/lime-proto-anygw/Makefile | 6 +-- .../files/etc/init.d/lime-anygw-ebtables | 26 ++++++++++++ .../files/usr/lib/lua/lime/proto/anygw.lua | 21 ++-------- packages/lime-proto-wan/Makefile | 2 +- .../files/usr/lib/lua/lime/proto/wan.lua | 39 ++++++----------- packages/lime-report/files/lime-report.sh | 10 ++--- packages/lime-system/Makefile | 5 ++- packages/lime-system/files/etc/firewall.lime | 10 ----- .../files/etc/init.d/firewall-lime | 12 ------ .../files/usr/lib/lua/lime/firewall.lua | 42 +++++-------------- 10 files changed, 62 insertions(+), 111 deletions(-) create mode 100755 packages/lime-proto-anygw/files/etc/init.d/lime-anygw-ebtables delete mode 100644 packages/lime-system/files/etc/firewall.lime delete mode 100755 packages/lime-system/files/etc/init.d/firewall-lime diff --git a/packages/lime-proto-anygw/Makefile b/packages/lime-proto-anygw/Makefile index 2a8322aa3..c9b2fe8f0 100644 --- a/packages/lime-proto-anygw/Makefile +++ b/packages/lime-proto-anygw/Makefile @@ -21,9 +21,9 @@ define Package/$(PKG_NAME) CATEGORY:=LibreMesh MAINTAINER:=Gioacchino Mazzurco URL:=http://libremesh.org - DEPENDS:=+dnsmasq-dhcpv6 +ebtables +libuci-lua \ - +lime-system +lua +kmod-ebtables +kmod-macvlan \ - +shared-state +shared-state-dnsmasq_leases +kmod-ebtables-ipv6 \ + DEPENDS:=+ebtables-nft +dnsmasq-dhcpv6 +kmod-nft-bridge +libuci-lua \ + +lime-system +lua +kmod-macvlan \ + +shared-state +shared-state-dnsmasq_leases \ +luci-lib-nixio PKGARCH:=all endef diff --git a/packages/lime-proto-anygw/files/etc/init.d/lime-anygw-ebtables b/packages/lime-proto-anygw/files/etc/init.d/lime-anygw-ebtables new file mode 100755 index 000000000..6d72e737e --- /dev/null +++ b/packages/lime-proto-anygw/files/etc/init.d/lime-anygw-ebtables 
@@ -0,0 +1,26 @@
+#!/bin/sh /etc/rc.common
+
+START=22
+USE_PROCD=0
+
+ANYGW_MACS="aa:aa:aa:00:00:00/ff:ff:ff:00:00:00"
+IPV6_ETHER_TYPE="86DD" # Workaround missing /etc/ethertypes
+
+RULE_DO_NOT_FORWARD_ANYGW_1="FORWARD -j DROP -d $ANYGW_MACS"
+RULE_DO_NOT_FORWARD_ANYGW_2="POSTROUTING -t nat -o bat0 -j DROP -s $ANYGW_MACS"
+RULE_DO_NOT_FORWARD_RA="POSTROUTING -t nat -o bat0 --protocol $IPV6_ETHER_TYPE --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j DROP"
+RULE_DO_NOT_FORWARD_ROGUE_RA="POSTROUTING -t nat -o bat0 --protocol $IPV6_ETHER_TYPE --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j DROP"
+
+start_service() {
+ ebtables -A $RULE_DO_NOT_FORWARD_ANYGW_1
+ ebtables -A $RULE_DO_NOT_FORWARD_ANYGW_2
+ ebtables -A $RULE_DO_NOT_FORWARD_RA
+ ebtables -A $RULE_DO_NOT_FORWARD_ROGUE_RA
+}
+
+stop_service() {
+ ebtables -D $RULE_DO_NOT_FORWARD_ANYGW_1
+ ebtables -D $RULE_DO_NOT_FORWARD_ANYGW_2
+ ebtables -D $RULE_DO_NOT_FORWARD_RA
+ ebtables -D $RULE_DO_NOT_FORWARD_ROGUE_RA
+}
diff --git a/packages/lime-proto-anygw/files/usr/lib/lua/lime/proto/anygw.lua b/packages/lime-proto-anygw/files/usr/lib/lua/lime/proto/anygw.lua
index 56c894926..f5547680b 100644
--- a/packages/lime-proto-anygw/files/usr/lib/lua/lime/proto/anygw.lua
+++ b/packages/lime-proto-anygw/files/usr/lib/lua/lime/proto/anygw.lua
@@ -4,6 +4,7 @@ local fs = require("nixio.fs")
 local network = require("lime.network")
 local config = require("lime.config")
 local system = require("lime.system")
+local utils = require("lime.utils")
 
 anygw = {}
 
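Review bot: `start_service` appends every rule with `ebtables -A` and never deletes first, so a second `start` (or a `restart` after a `stop` that failed part-way) stacks duplicate rules, which the old `/etc/firewall.lime.d/20-anygw-ebtables` hook avoided with a `-D` before each `-A`; a failing `-A` is also silent. A small helper that deletes, then appends and logs on failure keeps the script idempotent, as below (the unquoted `$1` relies on word splitting exactly as the current lines do). Separately, `USE_PROCD=0` next to the procd hook names `start_service`/`stop_service` is ambiguous: I believe rc.common tests `[ -n "$USE_PROCD" ]`, in which case `0` still selects procd mode, but if it does not, these hooks are never called; set `USE_PROCD=1` explicitly or rename the hooks to `start`/`stop`.
```shell
# … unchanged: START/USE_PROCD and rule definitions …

# Delete before append so repeated start/restart calls do not stack duplicates.
add_rule() {
	ebtables -D $1 2>/dev/null
	ebtables -A $1 || logger -t lime-anygw-ebtables "failed to add rule: $1"
}

start_service() {
	add_rule "$RULE_DO_NOT_FORWARD_ANYGW_1"
	add_rule "$RULE_DO_NOT_FORWARD_ANYGW_2"
	add_rule "$RULE_DO_NOT_FORWARD_RA"
	add_rule "$RULE_DO_NOT_FORWARD_ROGUE_RA"
}

# … unchanged: stop_service …
```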
@@ -65,24 +66,7 @@ function anygw.configure(args) uci:save("network") - fs.mkdir("/etc/firewall.lime.d") - fs.writefile( - "/etc/firewall.lime.d/20-anygw-ebtables", - "\n" .. - "ebtables -D FORWARD -j DROP -d " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" .. - "ebtables -A FORWARD -j DROP -d " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" .. - "ebtables -t nat -D POSTROUTING -o bat0 -j DROP -s " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" .. - "ebtables -t nat -A POSTROUTING -o bat0 -j DROP -s " .. anygw_mac .. "/" .. anygw_mac_mask .. "\n" .. - "# Filter IPv6 Router Solicitation\n" .. - "ebtables -t nat -D POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j DROP\n" .. - "ebtables -t nat -A POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j DROP\n" .. - "# Filter rogue IPv6 Router advertisement\n" .. - "ebtables -t nat -D POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j DROP\n" .. - "ebtables -t nat -A POSTROUTING -o bat0 --protocol ipv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j DROP\n" - ) - uci:set("dhcp", "lan", "ignore", "1") - uci:set("dhcp", owrtInterfaceName.."_dhcp", "dhcp") uci:set("dhcp", owrtInterfaceName.."_dhcp", "interface", owrtInterfaceName) anygw_dhcp_start = config.get("network", "anygw_dhcp_start") @@ -128,7 +112,8 @@ function anygw.configure(args) table.insert(content, "dhcp-option=tag:anygw,option6:domain-search,"..cloudDomain) fs.writefile("/etc/dnsmasq.d/lime-proto-anygw-20-ipv6.conf", table.concat(content, "\n").."\n") - io.popen("/etc/init.d/dnsmasq enable || true"):close() + utils.unsafe_shell("/etc/init.d/dnsmasq enable || true") + utils.unsafe_shell("/etc/init.d/lime-anygw-ebtables enable || true") end function anygw.setup_interface(ifname, args) end diff --git a/packages/lime-proto-wan/Makefile b/packages/lime-proto-wan/Makefile index 0ee6b84a0..65009062f 100644 
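Review bot: The removed file writes built the drop filter from `anygw_mac` and `anygw_mac_mask`, whereas the init script that replaces them hard-codes `aa:aa:aa:00:00:00/ff:ff:ff:00:00:00`; those two values are set outside this hunk, so I cannot tell whether they can differ from that constant, but if they can, the ebtables rules no longer follow the configured anygw MAC. In the second hunk, `enable` only installs the rc.d symlink, so on a running node the rules are not loaded until the next boot, whereas the old hook ran on every firewall (re)start; consider `utils.unsafe_shell("/etc/init.d/lime-anygw-ebtables enable; /etc/init.d/lime-anygw-ebtables restart || true")` unless a later reboot or service restart in lime-config already covers it. Stale `/etc/firewall.lime.d/20-anygw-ebtables` files on nodes upgraded in place are no longer executed by anything, but nothing removes them either; `fs.remove("/etc/firewall.lime.d/20-anygw-ebtables")` here would tidy that up. `anygw.configure` begins before the first hunk and ends inside the second.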
--- a/packages/lime-proto-wan/Makefile +++ b/packages/lime-proto-wan/Makefile @@ -4,7 +4,7 @@ define Package/$(PKG_NAME) SECTION:=lime CATEGORY:=LibreMesh TITLE:=LiMe wan proto support - DEPENDS:=+lime-system +lua +libuci-lua +kmod-ipt-nat +iptables +luci-lib-nixio + DEPENDS:=+firewall4 +lime-system +lua +libuci-lua MAINTAINER:=Gioacchino Mazzurco VERSION:=$(if $(PKG_VERSION),$(PKG_VERSION),$(PKG_SRC_VERSION)) PKGARCH:=all diff --git a/packages/lime-proto-wan/files/usr/lib/lua/lime/proto/wan.lua b/packages/lime-proto-wan/files/usr/lib/lua/lime/proto/wan.lua index 90c17c282..5ab90930b 100644 --- a/packages/lime-proto-wan/files/usr/lib/lua/lime/proto/wan.lua +++ b/packages/lime-proto-wan/files/usr/lib/lua/lime/proto/wan.lua @@ -8,8 +8,6 @@ --! SPDX-License-Identifier: AGPL-3.0-only local libuci = require("uci") -local fs = require("nixio.fs") -local utils = require("lime.utils") wan = {} 
@@ -30,31 +28,18 @@ function wan.setup_interface(ifname, args) uci:set("network", "wan", "device", ifname) uci:save("network") - if utils.is_installed('firewall') then - fs.remove("/etc/firewall.lime.d/20-wan-out-masquerade") - else - fs.mkdir("/etc/firewall.lime.d") - fs.writefile( - "/etc/firewall.lime.d/20-wan-out-masquerade", - "iptables -t nat -D POSTROUTING -o " .. ifname .. " -j MASQUERADE\n" .. - "iptables -t nat -A POSTROUTING -o " .. ifname .. " -j MASQUERADE\n" - ) - end - - if utils.is_installed('firewall') then - fs.mkdir("/etc/firewall.lime.d") - fs.writefile( - "/etc/firewall.lime.d/20-allow-all-fe80-traffic-over-wan", - "# These will do nothing if fw3 is not running, since *put_wan_rule will not exist\n" .. - "ip6tables -D input_wan_rule -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n" .. - "ip6tables -A input_wan_rule -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n" .. - "ip6tables -D output_wan_rule -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n" .. - "ip6tables -A output_wan_rule -j ACCEPT -p all -s fe80::/10 -m comment --comment 'Allow all link-local traffic over WAN'\n" - ) - else - fs.remove("/etc/firewall.lime.d/20-allow-all-fe80-traffic-over-wan") - end - + --! Accepting link local traffic also on WAN should not cause hazards. + --! It is very helpful in cases where the devices have problem to the other + --! 
ports, to have at least an addictional way to enter for rescue operation + local ALLOW_WAN_LL_SECT = "lime_allow_wan_all_link_local" + uci:set("firewall", ALLOW_WAN_LL_SECT, "rule") + uci:set("firewall", ALLOW_WAN_LL_SECT, "name", ALLOW_WAN_LL_SECT) + uci:set("firewall", ALLOW_WAN_LL_SECT, "src", "wan") + uci:set("firewall", ALLOW_WAN_LL_SECT, "family", "ipv6") + uci:set("firewall", ALLOW_WAN_LL_SECT, "src_ip", "fe80::/10") + uci:set("firewall", ALLOW_WAN_LL_SECT, "dest_ip", "fe80::/10") + uci:set("firewall", ALLOW_WAN_LL_SECT, "target", "ACCEPT") + uci:save("firewall") end return wan diff --git a/packages/lime-report/files/lime-report.sh b/packages/lime-report/files/lime-report.sh index 093b70f79..aab6d6a27 100644 --- a/packages/lime-report/files/lime-report.sh +++ b/packages/lime-report/files/lime-report.sh @@ -53,17 +53,15 @@ generate_status() { paste_cmd logread -l 20 paste_cmd iw dev wlan0-mesh station dump paste_cmd iw dev wlan1-mesh station dump + paste_cmd iw dev wlan2-mesh station dump paste_cmd iw dev wlan0-mesh mpath dump paste_cmd iw dev wlan1-mesh mpath dump + paste_cmd iw dev wlan2-mesh mpath dump paste_cmd iwinfo paste_cmd wifi status paste_cmd swconfig dev switch0 show - paste_cmd iptables -vnL -t filter - paste_cmd iptables -vnL -t nat - paste_cmd iptables -vnL -t mangle - paste_cmd ebtables -t filter -L --Lc - paste_cmd ebtables -t nat -L --Lc - paste_cmd ebtables -t broute -L --Lc + paste_cmd fw4 print + paste_cmd nft list ruleset paste_cmd opkg list-installed } diff --git a/packages/lime-system/Makefile b/packages/lime-system/Makefile index d60d83a09..d327c9c54 100644 --- a/packages/lime-system/Makefile +++ b/packages/lime-system/Makefile 
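Review bot: The new `lime_allow_wan_all_link_local` rule sets no `proto`, and a firewall `rule` section's `proto` defaults to `tcpudp`, so unlike the removed `ip6tables ... -p all` rules it does not accept ICMPv6 (neighbour discovery, ping) from link-local sources on WAN; add `uci:set("firewall", ALLOW_WAN_LL_SECT, "proto", "all")` if the old semantics are intended. The removed code also accepted link-local traffic in `output_wan_rule`; the new rule has no `dest`, so it covers input only, which is fine if the wan zone's output policy is ACCEPT but worth confirming. The comment wording `addictional` should read `additional`. `wan.setup_interface` begins before this hunk.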
@@ -27,7 +27,7 @@ define Package/$(PKG_NAME) CATEGORY:=LibreMesh MAINTAINER:=Gioacchino Mazzurco URL:=http://libremesh.org - DEPENDS:=+libiwinfo-lua +lua +libuci-lua +luci-lib-ip +luci-lib-nixio +luci-lib-jsonc + DEPENDS:=+firewall4 +libiwinfo-lua +lua +libuci-lua +luci-lib-ip +luci-lib-nixio +luci-lib-jsonc PKGARCH:=all endef @@ -57,7 +57,8 @@ endef define Package/$(PKG_NAME)/postinst #!/bin/sh -[ -n "$${IPKG_INSTROOT}" ] || /etc/init.d/firewall-lime enable || true +#[ -n "$${IPKG_INSTROOT}" ] || /etc/init.d/firewall-lime enable || true +# Add here stuff to be executed after installation at image creation time endef $(eval $(call BuildPackage,$(PKG_NAME))) diff --git a/packages/lime-system/files/etc/firewall.lime b/packages/lime-system/files/etc/firewall.lime deleted file mode 100644 index 8727f120c..000000000 --- a/packages/lime-system/files/etc/firewall.lime +++ /dev/null @@ -1,10 +0,0 @@ -# Essential LiMe eb/iptables rules are placed in /etc/firewall.lime.d/ -# they will be executed during each firewall (re-)start -# or, if firewall package is not installed, just during boot. -# They are interpreted as shell script. - -[ $(ls -1 /etc/firewall.lime.d/* 2>/dev/null | wc -l) = 0 ] && return 0 - -for hook in /etc/firewall.lime.d/* ; do - [ -s "$hook" ] && /bin/sh "$hook" -done diff --git a/packages/lime-system/files/etc/init.d/firewall-lime b/packages/lime-system/files/etc/init.d/firewall-lime deleted file mode 100755 index b342d7433..000000000 --- a/packages/lime-system/files/etc/init.d/firewall-lime +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2013-2014 OpenWrt.org - -START=99 - -start() { - if ! /etc/init.d/firewall enabled 2> /dev/null ; then - echo "$0: Firewall is not enabled. Executing /etc/firewall.lime script." - /bin/sh /etc/firewall.lime - fi -} - diff --git a/packages/lime-system/files/usr/lib/lua/lime/firewall.lua b/packages/lime-system/files/usr/lib/lua/lime/firewall.lua index 6fbcd299d..b96d38efe 100644 
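Review bot: In the postinst hunk the hook now consists of a commented-out call to `/etc/init.d/firewall-lime`, a script this same commit deletes, plus a placeholder comment; a dead reference to a removed file is easy to un-comment by mistake later. Either drop the `Package/$(PKG_NAME)/postinst` define until there is something to run, or reduce it to `# Nothing to run at install time` so the intent is clear. Nothing in this commit removes leftover `/etc/firewall.lime.d/` hooks on nodes upgraded in place; they are inert now that `/etc/firewall.lime` is gone, but if that residue matters, postinst would be the natural place for the cleanup.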
--- a/packages/lime-system/files/usr/lib/lua/lime/firewall.lua +++ b/packages/lime-system/files/usr/lib/lua/lime/firewall.lua @@ -14,8 +14,6 @@ local config = require("lime.config") firewall = {} -firewall.RULES_DIR="/etc/firewall.lime.d/" - function firewall.clean() --! There could be things to cleanup here, but we don't do it as it would --! interfere with rules generated by network protocols, deleting them too. @@ -23,7 +21,6 @@ function firewall.clean() end function firewall.configure() - if utils.is_installed('firewall') then local uci = config:get_uci_cursor() local lanIfs = {} uci:foreach("firewall", "defaults", 
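Review bot: `firewall.RULES_DIR` was a public field of the `firewall` module table, so any other lime module that referenced it (none is visible here) now reads `nil`; if nothing does, fine, otherwise keep the field or check for users before merging. With the `utils.is_installed('firewall')` test and the `fs.writefile` branch gone, the `lime.utils` and `nixio.fs` requires presumably sitting above this hunk in firewall.lua are likely unused; drop them as this commit does in wan.lua. `firewall.configure` starts in the second hunk and continues past it.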
@@ -44,36 +41,17 @@ function firewall.configure() end ) - uci:foreach("firewall", "zone", - function(section) - if uci:get("firewall", section[".name"], "name") == "lan" then - uci:set("firewall", section[".name"], "input", "ACCEPT") - uci:set("firewall", section[".name"], "output", "ACCEPT") - uci:set("firewall", section[".name"], "forward", "ACCEPT") - uci:set("firewall", section[".name"], "mtu_fix", "1") - uci:set("firewall", section[".name"], "network", lanIfs) - end + uci:foreach("firewall", "zone", + function(section) + if uci:get("firewall", section[".name"], "name") == "lan" then + uci:set("firewall", section[".name"], "input", "ACCEPT") + uci:set("firewall", section[".name"], "output", "ACCEPT") + uci:set("firewall", section[".name"], "forward", "ACCEPT") + uci:set("firewall", section[".name"], "mtu_fix", "1") + uci:set("firewall", section[".name"], "network", lanIfs) end - ) - - uci:set("firewall", "include_firewall_lime", "include") - uci:set("firewall", "include_firewall_lime", "path", "/etc/firewall.lime") - uci:save("firewall") - else - fs.mkdir(firewall.RULES_DIR) - fs.writefile( - firewall.RULES_DIR.."/20-lime-system-mtu_fix", - "\n" .. - --! Workaround PMTU discovery being historically broken on IPv4 Internet - "iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" .. - "iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" .. - - --! For some reason with some websites like https://www.rt.com/ PMTU - --! discovery doesn't work even for IPv6, so workaround this too - "ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" .. - "ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" - ) - end + end + ) end return firewall
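Review bot: The removed lines include the only `uci:save("firewall")` in `firewall.configure`, and the new side does not re-add one, so the zone changes made in the `uci:foreach("firewall", "zone", ...)` callback (input/output/forward ACCEPT, `mtu_fix`, `network`) only persist if `config:get_uci_cursor()` returns a cursor that is saved elsewhere; wan.lua in this same commit saves explicitly, so add `uci:save("firewall")` after the `)` that closes the foreach. The `include_firewall_lime` section is no longer written but is not deleted either, so a node upgraded in place keeps an `include` pointing at the now-removed `/etc/firewall.lime`; a `uci:delete("firewall", "include_firewall_lime")` before saving cleans that up. Dropping the TCPMSS clamp is consistent with `mtu_fix` staying set on the lan zone. `firewall.configure` begins before this hunk.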