path: root/net/bcp38/files/run.sh
blob: addabe9d83b76cf4249689c3f25d65c12c077908 (plain)
#!/bin/sh
# BCP38 filtering implementation for CeroWrt.
#
# This program is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# Author: Toke Høiland-Jørgensen <toke@toke.dk>

# Any non-empty first argument means "tear down only": run() skips the
# setup path when STOP is set, while destroy_table still runs.
STOP="$1"

# nftables objects owned by this script (table, chain and the two interval
# sets the rules look up).
FAMILY=ip
TABLE=bcp38
CHAIN=bcp38
MATCHSET=bcp38-match
NOMATCHSET=bcp38-nomatch

# OpenWrt/CeroWrt UCI helpers: config_load, config_get*, config_foreach, ...
. /lib/functions.sh

config_load bcp38

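# Add one IPv4 prefix to the match set or to the nomatch (exception) set.
# Arguments: $1 - prefix in CIDR form, e.g. 10.0.0.0/8
#            $2 - "nomatch" selects NOMATCHSET; any other value selects MATCHSET
# Globals:   FAMILY, TABLE, MATCHSET, NOMATCHSET (read)
# Returns:   exit status of nft
add_bcp38_rule()
{
	local subnet="$1"
	local action="$2"
	# Keep the target set local so it does not leak into the caller's scope.
	local setname="$MATCHSET"

	# POSIX sh: use '=' rather than the bash-only '==' in [ ].
	[ "$action" = "nomatch" ] && setname="$NOMATCHSET"
	nft add element "$FAMILY" "$TABLE" "$setname" { "$subnet" }
}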

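# Whitelist the directly attached ("scope link") prefixes of the upstream
# interface when they fall inside a filtered range, so the upstream link
# itself is not blocked by the BCP38 rules.
# Arguments: $1 - upstream interface name
# Globals:   FAMILY, TABLE, MATCHSET (read)
# Calls:     add_bcp38_rule for every attached prefix found in MATCHSET
detect_upstream_subnet()
{
	local interface="$1"
	local subnets
	local subnet

	# One awk pass replaces the grep|awk pipeline: first field of every
	# "scope link" route is the attached prefix.
	subnets=$(ip route show dev "$interface" | awk '/scope link/ { print $1 }')
	# Word-splitting on $subnets is intentional: one prefix per word.
	for subnet in $subnets; do
		# Ask nft whether the prefix is covered by the match set; if so,
		# add it to the exception set.
		if nft get element "$FAMILY" "$TABLE" "$MATCHSET" { "$subnet" } >/dev/null 2>&1; then
			add_bcp38_rule "$subnet" nomatch
		fi
	done
}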

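# Handle one "bcp38" UCI section: build the table, sets, chains and rules
# when the section is enabled and the script was not started in stop mode.
# Arguments: $1 - UCI section name (passed by config_foreach)
# Globals:   STOP (read) - non-empty disables the setup path
# Exits:     always 0; because run() exits the script, only the first
#            section enumerated by config_foreach is ever processed.
run() {
	local section="$1"
	local enabled
	local interface
	local priority
	local detect_upstream

	config_get_bool enabled "$section" enabled 0
	config_get interface "$section" interface
	# Default to 0 so the numeric test below never sees an empty string
	# (an empty value made "[ -eq ]" error out and skip detection).
	config_get_bool detect_upstream "$section" detect_upstream 0
	config_get priority "$section" priority "2"

	# Separate tests instead of the deprecated, ambiguous "-a" inside [ ].
	if [ "$enabled" -eq 1 ] && [ -n "$interface" ] && [ -z "$STOP" ]; then
		setup_table
		setup_sets
		setup_chains "$interface" "$priority"
		# Explicit prefix lists from the config section.
		config_list_foreach "$section" match add_bcp38_rule match
		config_list_foreach "$section" nomatch add_bcp38_rule nomatch
		[ "$detect_upstream" -eq 1 ] && detect_upstream_subnet "$interface"
	fi
	exit 0
}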

# Create the table that holds this script's sets and chains.
# Globals: FAMILY, TABLE (read)
# Returns: exit status of nft
setup_table()
{
	nft add table "${FAMILY}" "${TABLE}"
}

# (Re)create the match and nomatch interval sets and empty them, so no
# entries from a previous run survive.
# Globals: FAMILY, TABLE, MATCHSET, NOMATCHSET (read)
setup_sets()
{
	local setname

	# Same command order as before: add+flush the match set, then the
	# nomatch set.
	for setname in "$MATCHSET" "$NOMATCHSET"; do
		nft add set "$FAMILY" "$TABLE" "$setname" '{ type ipv4_addr; flags interval; }'
		nft flush set "$FAMILY" "$TABLE" "$setname"
	done
}

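# Build the BCP38 filter chain and hook it into input, forward and output.
# Arguments: $1 - upstream interface name
#            $2 - hook priority for the three base chains
# Globals:   FAMILY, TABLE, CHAIN, MATCHSET, NOMATCHSET (read)
# Rules, in order:
#   1. DHCP (udp 67/68 both ways) is always accepted (returns from CHAIN).
#   2. Packets leaving via the upstream interface whose destination is in
#      MATCHSET but not in NOMATCHSET are rejected with ICMP host-unreachable.
#   3. Packets arriving on the upstream interface whose source is in
#      MATCHSET but not in NOMATCHSET are silently dropped.
# Only "ct state new" packets are sent to CHAIN from the base chains.
# $interface and $priority are spliced into nft rule syntax; they come
# from the UCI config, so quote them and keep them single shell words.
setup_chains()
{
	local interface="$1"
	local priority="$2"

	nft add chain "$FAMILY" "$TABLE" "$CHAIN" 2>/dev/null
	nft flush chain "$FAMILY" "$TABLE" "$CHAIN" 2>/dev/null

	# '{67,68}' is quoted so a shell with brace expansion (e.g. bash) passes
	# the literal nft set syntax instead of "67 68".
	nft add rule "$FAMILY" "$TABLE" "$CHAIN" udp dport '{67,68}' udp sport '{67,68}' counter return comment \"always accept DHCP traffic\"
	nft add rule "$FAMILY" "$TABLE" "$CHAIN" oifname "$interface" ip daddr @"$MATCHSET" ip daddr != @"$NOMATCHSET" counter reject with icmp type host-unreachable
	nft add rule "$FAMILY" "$TABLE" "$CHAIN" iifname "$interface" ip saddr @"$MATCHSET" ip saddr != @"$NOMATCHSET" counter drop

	nft add chain "$FAMILY" "$TABLE" input "{ type filter hook input priority $priority; policy accept; comment \"bcp38 filter\"; }"
	nft add chain "$FAMILY" "$TABLE" forward "{ type filter hook forward priority $priority; policy accept; comment \"bcp38 filter\"; }"
	nft add chain "$FAMILY" "$TABLE" output "{ type filter hook output priority $priority; policy accept; comment \"bcp38 filter\"; }"

	nft insert rule "$FAMILY" "$TABLE" input ct state new jump "$CHAIN"
	nft insert rule "$FAMILY" "$TABLE" forward ct state new jump "$CHAIN"
	nft insert rule "$FAMILY" "$TABLE" output ct state new jump "$CHAIN"
}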

# Delete this script's table (and everything in it).
# Globals: FAMILY, TABLE (read)
destroy_table()
{
	# Safety guard: never delete the firewall's own "fw4" table, even if
	# TABLE is ever pointed at it.
	[ "$TABLE" = "fw4" ] && return

	#as of kernel 3.18 we can delete a table without need to flush it
	nft delete table "$FAMILY" "$TABLE" 2>/dev/null
}

# Entry point: always tear the table down first so both a fresh start and
# a stop begin from a clean state, then let the first enabled section
# rebuild it (run() exits the script itself).
main()
{
	destroy_table
	config_foreach run bcp38
	exit 0
}

main "$@"