@@ -1028,7 +1028,7 @@ check_mhd() {
|
||||
}
|
||||
|
||||
nft_get_status() {
|
||||
nfttest=$(nft -a list chain ip nds_filter ndsNET 2> /dev/null)
|
||||
nfttest=$(nft -a list chain inet nds_filter ndsNET 2> /dev/null)
|
||||
|
||||
if [ ! -z "$nfttest" ]; then
|
||||
nftstatus="1"
|
||||
@@ -1275,17 +1275,17 @@ delete_chains () {
|
||||
delete_rule
|
||||
|
||||
# now we can delete our chains - the quickest way is to delete our tables:
|
||||
nft delete table ip nds_filter 2> /dev/null
|
||||
nft delete table ip nds_mangle 2> /dev/null
|
||||
nft delete table ip nds_nat 2> /dev/null
|
||||
nft delete table inet nds_filter 2> /dev/null
|
||||
nft delete table inet nds_mangle 2> /dev/null
|
||||
nft delete table inet nds_nat 2> /dev/null
|
||||
}
|
||||
|
||||
delete_rule () {
|
||||
# Requires table, src_chain and dst_chain variables
|
||||
rule=$(nft -a list table ip "$table" 2> /dev/null | grep -w -A 30 "chain $src_chain" | grep -w "jump $dst_chain" | awk -F "handle " '{printf "%s", $2}')
|
||||
rule=$(nft -a list table inet "$table" 2> /dev/null | grep -w -A 30 "chain $src_chain" | grep -w "jump $dst_chain" | awk -F "handle " '{printf "%s", $2}')
|
||||
|
||||
if [ ! -z "$rule" ]; then
|
||||
nft delete rule ip "$table" "$src_chain" handle "$rule"
|
||||
nft delete rule inet "$table" "$src_chain" handle "$rule"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -1324,12 +1324,12 @@ pre_setup () {
|
||||
ndstables="nds_filter nds_mangle nds_nat"
|
||||
|
||||
for ndstable in $ndstables; do
|
||||
nft list table ip "$ndstable" &>/dev/null
|
||||
nft list table inet "$ndstable" &>/dev/null
|
||||
ret=$?
|
||||
|
||||
if [ $ret -gt 0 ]; then
|
||||
# Table does not exist
|
||||
nft add table ip $ndstable
|
||||
nft add table inet $ndstable
|
||||
ret=$?
|
||||
|
||||
if [ $ret -gt 0 ]; then
|
||||
@@ -1339,21 +1339,21 @@ pre_setup () {
|
||||
done
|
||||
|
||||
# add required chains
|
||||
nft add chain ip nds_filter ndsINP "{ type filter hook input priority -100 ; }" 2> /dev/null
|
||||
nft add chain ip nds_filter ndsFWD "{ type filter hook forward priority -100 ; }" 2> /dev/null
|
||||
nft add chain ip nds_nat ndsPRE "{ type nat hook prerouting priority -100 ; }"
|
||||
nft add chain ip nds_mangle ndsPRE "{ type filter hook prerouting priority -100 ; }"
|
||||
nft add chain ip nds_mangle ndsPOST "{ type filter hook forward priority -100 ; }"
|
||||
nft add chain ip nds_mangle ndsINC
|
||||
nft add chain ip nds_mangle nds_ft_INC
|
||||
nft add chain ip nds_filter nds_ft_OUT
|
||||
nft add chain ip nds_filter nds_allow_INP "{ type filter hook input priority 100 ; }"
|
||||
nft add chain ip nds_filter nds_allow_FWD "{ type filter hook forward priority 100 ; }"
|
||||
nft add chain inet nds_filter ndsINP "{ type filter hook input priority -100 ; }" 2> /dev/null
|
||||
nft add chain inet nds_filter ndsFWD "{ type filter hook forward priority -100 ; }" 2> /dev/null
|
||||
nft add chain inet nds_nat ndsPRE "{ type nat hook prerouting priority -100 ; }"
|
||||
nft add chain inet nds_mangle ndsPRE "{ type filter hook prerouting priority -100 ; }"
|
||||
nft add chain inet nds_mangle ndsPOST "{ type filter hook forward priority -100 ; }"
|
||||
nft add chain inet nds_mangle ndsINC
|
||||
nft add chain inet nds_mangle nds_ft_INC
|
||||
nft add chain inet nds_filter nds_ft_OUT
|
||||
nft add chain inet nds_filter nds_allow_INP "{ type filter hook input priority 100 ; }"
|
||||
nft add chain inet nds_filter nds_allow_FWD "{ type filter hook forward priority 100 ; }"
|
||||
|
||||
# add initial rules
|
||||
nft insert rule ip nds_filter nds_allow_INP iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow input\""
|
||||
nft insert rule ip nds_filter nds_allow_FWD iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow forward\""
|
||||
nft insert rule ip nds_mangle ndsINC oifname "\"$gatewayinterface\"" counter jump nds_ft_INC
|
||||
nft insert rule inet nds_filter nds_allow_INP iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow input\""
|
||||
nft insert rule inet nds_filter nds_allow_FWD iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow forward\""
|
||||
nft insert rule inet nds_mangle ndsINC oifname "\"$gatewayinterface\"" counter jump nds_ft_INC
|
||||
|
||||
ret=$?
|
||||
|
||||
@@ -1371,26 +1371,26 @@ ipt_to_nft () {
|
||||
delete_client_rule () {
|
||||
|
||||
if [ "$nds_verdict" = "all" ]; then
|
||||
local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}')
|
||||
local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}')
|
||||
else
|
||||
local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}')
|
||||
local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}')
|
||||
fi
|
||||
|
||||
for rulehandle in $handles; do
|
||||
nft delete rule ip $nds_table "$nds_chain" handle "$rulehandle" 2> /dev/null
|
||||
nft delete rule inet $nds_table "$nds_chain" handle "$rulehandle" 2> /dev/null
|
||||
done
|
||||
}
|
||||
|
||||
replace_client_rule () {
|
||||
|
||||
if [ "$nds_verdict" = "all" ]; then
|
||||
local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}')
|
||||
local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}')
|
||||
else
|
||||
local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}')
|
||||
local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}')
|
||||
fi
|
||||
|
||||
for rulehandle in $handles; do
|
||||
nft replace rule ip $nds_table "$nds_chain" handle "$rulehandle" "$new_rule" 2> /dev/null
|
||||
nft replace rule inet $nds_table "$nds_chain" handle "$rulehandle" "$new_rule" 2> /dev/null
|
||||
done
|
||||
}
|
||||
|
||||
@@ -1507,7 +1507,7 @@ nft_set () {
|
||||
fi
|
||||
|
||||
if [ -z "$ports" ]; then
|
||||
nft $nftsetmode rule ip nds_filter ndsNET counter ip daddr "@$nftsetname" "$nftruletype"
|
||||
nft $nftsetmode rule inet nds_filter ndsNET counter ip daddr "@$nftsetname" "$nftruletype"
|
||||
|
||||
else
|
||||
numports=$(echo $ports | tr -d "'" | awk '{printf NF}')
|
||||
@@ -1516,7 +1516,7 @@ nft_set () {
|
||||
ports=$(printf "$ports" | tr -d "'" | tr -s " " ",")
|
||||
fi
|
||||
|
||||
nft $nftsetmode rule ip nds_filter ndsNET counter ip daddr "@$nftsetname" tcp dport {"$ports"} "$nftruletype"
|
||||
nft $nftsetmode rule inet nds_filter ndsNET counter ip daddr "@$nftsetname" tcp dport {"$ports"} "$nftruletype"
|
||||
fi
|
||||
|
||||
|
||||
@@ -1929,17 +1929,17 @@ create_client_ruleset () {
|
||||
fi
|
||||
|
||||
if [ "$ruleset_name" = "authenticated_users" ]; then
|
||||
nft insert rule ip nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict"
|
||||
nft insert rule inet nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict"
|
||||
status=$?
|
||||
fi
|
||||
|
||||
if [ "$ruleset_name" = "preauthenticated_users" ]; then
|
||||
nft insert rule ip nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict"
|
||||
nft insert rule inet nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict"
|
||||
status=$?
|
||||
fi
|
||||
|
||||
if [ "$ruleset_name" = "users_to_router" ]; then
|
||||
nft add rule ip nds_filter $chain "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict"
|
||||
nft add rule inet nds_filter $chain "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict"
|
||||
status=$?
|
||||
fi
|
||||
|
||||
@@ -1947,10 +1947,10 @@ create_client_ruleset () {
|
||||
|
||||
if [ "$ruleset_name" = "users_to_router" ]; then
|
||||
# allow ping4 max 4 per second
|
||||
nft insert rule ip nds_filter ndsRTR icmp type echo-request counter drop
|
||||
nft insert rule ip nds_filter ndsRTR icmp type echo-request limit rate 4/second counter accept
|
||||
nft insert rule inet nds_filter ndsRTR icmp type echo-request counter drop
|
||||
nft insert rule inet nds_filter ndsRTR icmp type echo-request limit rate 4/second counter accept
|
||||
# Block everything else
|
||||
nft add rule ip nds_filter $chain counter reject
|
||||
nft add rule inet nds_filter $chain counter reject
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -2546,27 +2546,27 @@ elif [ "$1" = "gatewayroute" ]; then
|
||||
|
||||
if [ "$ftdevices" != "{ $wandevices }" ]; then
|
||||
|
||||
rulehandles=$(nft -a list chain ip nds_mangle nds_ft_INC | grep "@ndsftINC"| awk -F "handle " '{printf "%s ", $2}')
|
||||
rulehandles=$(nft -a list chain inet nds_mangle nds_ft_INC | grep "@ndsftINC"| awk -F "handle " '{printf "%s ", $2}')
|
||||
|
||||
for rulehandle in $rulehandles; do
|
||||
nft delete rule ip nds_mangle nds_ft_INC handle "$rulehandle"
|
||||
nft delete rule inet nds_mangle nds_ft_INC handle "$rulehandle"
|
||||
done
|
||||
|
||||
nft delete flowtable ip nds_mangle handle "$handle"
|
||||
nft add flowtable ip nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null
|
||||
nft add rule ip nds_mangle nds_ft_INC flow offload @ndsftINC counter
|
||||
nft add rule ip nds_mangle nds_ft_INC counter return
|
||||
nft delete flowtable inet nds_mangle handle "$handle"
|
||||
nft add flowtable inet nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null
|
||||
nft add rule inet nds_mangle nds_ft_INC flow offload @ndsftINC counter
|
||||
nft add rule inet nds_mangle nds_ft_INC counter return
|
||||
fi
|
||||
else
|
||||
nft add flowtable ip nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null
|
||||
nft add rule ip nds_mangle nds_ft_INC meta l4proto { tcp, udp } flow offload @ndsftINC counter
|
||||
nft add rule ip nds_mangle nds_ft_INC counter return
|
||||
nft add flowtable inet nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null
|
||||
nft add rule inet nds_mangle nds_ft_INC meta l4proto { tcp, udp } flow offload @ndsftINC counter
|
||||
nft add rule inet nds_mangle nds_ft_INC counter return
|
||||
fi
|
||||
fi
|
||||
|
||||
# add upload flowtable
|
||||
|
||||
fttest=$(nft list flowtable ip nds_filter ndsftOUT &> /dev/null ; echo $?)
|
||||
fttest=$(nft list flowtable inet nds_filter ndsftOUT &> /dev/null ; echo $?)
|
||||
|
||||
if [ $fttest -gt 0 ]; then
|
||||
option="gatewayinterface"
|
||||
@@ -2576,14 +2576,14 @@ elif [ "$1" = "gatewayroute" ]; then
|
||||
gatewayinterface="br-lan"
|
||||
fi
|
||||
|
||||
nft add flowtable ip nds_filter ndsftOUT "{ hook ingress priority -100 ; devices = { $gatewayinterface } ; }"
|
||||
nft add flowtable inet nds_filter ndsftOUT "{ hook ingress priority -100 ; devices = { $gatewayinterface } ; }"
|
||||
fi
|
||||
|
||||
ftruletest=$(nft list chain ip nds_filter nds_ft_OUT 2> /dev/null | grep -q -w "meta l4proto"; echo $?)
|
||||
ftruletest=$(nft list chain inet nds_filter nds_ft_OUT 2> /dev/null | grep -q -w "meta l4proto"; echo $?)
|
||||
|
||||
if [ $ftruletest -gt 0 ]; then
|
||||
nft add rule ip nds_filter nds_ft_OUT meta l4proto { tcp, udp } flow offload @ndsftOUT counter
|
||||
nft add rule ip nds_filter nds_ft_OUT counter return
|
||||
nft add rule inet nds_filter nds_ft_OUT meta l4proto { tcp, udp } flow offload @ndsftOUT counter
|
||||
nft add rule inet nds_filter nds_ft_OUT counter return
|
||||
fi
|
||||
|
||||
exit 0
|
||||
@@ -3351,13 +3351,13 @@ elif [ "$1" = "ipv6_routing" ]; then
|
||||
if [ -z "$2" ] || [ "$is_uci" -gt 0 ]; then
|
||||
exit 0
|
||||
|
||||
elif [ "$2" = "block" ]; then
|
||||
uci set network.wan6.proto='none'
|
||||
service network reload
|
||||
|
||||
elif [ "$2" = "allow" ]; then
|
||||
uci set network.wan6.proto='dhcpv6'
|
||||
service network reload
|
||||
# elif [ "$2" = "block" ]; then
|
||||
# uci set network.wan6.proto='none'
|
||||
# service network reload
|
||||
#
|
||||
# elif [ "$2" = "allow" ]; then
|
||||
# uci set network.wan6.proto='dhcpv6'
|
||||
# service network reload
|
||||
fi
|
||||
|
||||
exit 0
|
||||
|
||||
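Review bot: Switching these chains to the `inet` family makes every hooked chain see IPv6 packets as well, but all address and ICMP matches in this file remain IPv4-only (`ip daddr` at L344/L369, `icmp type echo-request` at L455-L458) while the catch-all `counter reject` at L467 applies to both families, so if `$chain` is ndsRTR in that branch a client's ICMPv6 neighbour and router solicitations towards the gateway now hit the reject. The same mismatch is in the C hunks: the `ip saddr` mark rule at L1257 never marks an authenticated client's IPv6 traffic, which then reaches the final reject at L1226. Whether that fail-closed behaviour is intended is not visible on this page — it does close the IPv6 portal bypass that the old `ip`-family tables left open and that the ipv6_routing branch at L660-L666 works around by toggling wan6 — but it should be a deliberate choice recorded in a comment next to the chain setup. If IPv6 is meant to be filtered, accept the ICMPv6 control traffic the LAN needs before the reject, e.g. `nft insert rule inet nds_filter ndsRTR icmpv6 type { nd-neighbor-solicit, nd-router-solicit } counter accept`, and give the `ip saddr`/`ip daddr` rules `ip6` counterparts; if it is not, prefix the chains with `meta nfproto ipv4` so the family move is behaviour-preserving. The enclosing functions of these hunks (nft_set, create_client_ruleset and the gatewayroute branch) start or end outside the hunks shown.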
@@ -167,7 +167,7 @@ nftables_do_command(const char *format, ...)
|
||||
int
|
||||
iptables_trust_mac(const char mac[])
|
||||
{
|
||||
return nftables_do_command("add rule ip nds_mangle %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_TRUSTED, mac, FW_MARK_TRUSTED);
|
||||
return nftables_do_command("add rule inet nds_mangle %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_TRUSTED, mac, FW_MARK_TRUSTED);
|
||||
}
|
||||
|
||||
int
|
||||
@@ -252,17 +252,17 @@ iptables_fw_init(void)
|
||||
|
||||
|
||||
// Create new chains in the mangle table
|
||||
rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_TRUSTED); // for marking trusted packets
|
||||
rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_INCOMING); // for counting incoming packets
|
||||
rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_DOWNLOAD_RATE); // for controlling download rate per client
|
||||
rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_OUTGOING); // for marking authenticated packets, and for counting outgoing packets
|
||||
rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_TRUSTED); // for marking trusted packets
|
||||
rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_INCOMING); // for counting incoming packets
|
||||
rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_DOWNLOAD_RATE); // for controlling download rate per client
|
||||
rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_OUTGOING); // for marking authenticated packets, and for counting outgoing packets
|
||||
|
||||
// Assign jumps to these new chains
|
||||
rc |= nftables_do_command("insert rule ip nds_mangle %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING);
|
||||
rc |= nftables_do_command("insert rule ip nds_mangle %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_TRUSTED);
|
||||
rc |= nftables_do_command("insert rule ip nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_POSTROUTING, gw_interface, CHAIN_INCOMING);
|
||||
rc |= nftables_do_command("insert rule ip nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_FT_INC);
|
||||
rc |= nftables_do_command("insert rule ip nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_DOWNLOAD_RATE);
|
||||
rc |= nftables_do_command("insert rule inet nds_mangle %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING);
|
||||
rc |= nftables_do_command("insert rule inet nds_mangle %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_TRUSTED);
|
||||
rc |= nftables_do_command("insert rule inet nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_POSTROUTING, gw_interface, CHAIN_INCOMING);
|
||||
rc |= nftables_do_command("insert rule inet nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_FT_INC);
|
||||
rc |= nftables_do_command("insert rule inet nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_DOWNLOAD_RATE);
|
||||
|
||||
// Rules to mark as trusted MAC address packets in mangle PREROUTING
|
||||
for (; pt != NULL; pt = pt->next) {
|
||||
@@ -284,18 +284,18 @@ iptables_fw_init(void)
|
||||
|
||||
if (!config->ip6) {
|
||||
// Create new chains in nat table
|
||||
rc |= nftables_do_command("add chain ip nds_nat " CHAIN_OUTGOING);
|
||||
rc |= nftables_do_command("add chain inet nds_nat " CHAIN_OUTGOING);
|
||||
|
||||
// nat PREROUTING chain
|
||||
|
||||
// packets coming in on gw_interface jump to CHAIN_OUTGOING
|
||||
rc |= nftables_do_command("insert rule ip nds_nat %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING);
|
||||
rc |= nftables_do_command("insert rule inet nds_nat %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING);
|
||||
|
||||
// CHAIN_OUTGOING, packets marked TRUSTED ACCEPT
|
||||
rc |= nftables_do_command("add rule ip nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_TRUSTED);
|
||||
rc |= nftables_do_command("add rule inet nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_TRUSTED);
|
||||
|
||||
// CHAIN_OUTGOING, packets marked AUTHENTICATED ACCEPT
|
||||
rc |= nftables_do_command("add rule ip nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add rule inet nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_AUTHENTICATED);
|
||||
|
||||
// Allow access to remote FAS - CHAIN_OUTGOING and CHAIN_TO_INTERNET packets for remote FAS, ACCEPT
|
||||
if (config->fas_port != 0) {
|
||||
@@ -305,27 +305,27 @@ iptables_fw_init(void)
|
||||
safe_snprintf(fqdncmd, SMALL_BUF, "/usr/lib/opennds/libopennds.sh resolve_fqdn \"%s\"", fas_remotefqdn);
|
||||
fqdnip = safe_calloc(SMALL_BUF);
|
||||
rc = execute_ret_url_encoded(fqdnip, SMALL_BUF, fqdncmd);
|
||||
rc |= nftables_do_command("add rule ip nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fqdnip, fas_port);
|
||||
rc |= nftables_do_command("add rule inet nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fqdnip, fas_port);
|
||||
free(fqdncmd);
|
||||
// do not free(fqdnip) just yet, we will need it again shortly
|
||||
} else {
|
||||
|
||||
if (strcmp(config->fas_remoteip, "disabled") != 0) {
|
||||
rc |= nftables_do_command("add rule ip nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fas_remoteip, fas_port);
|
||||
rc |= nftables_do_command("add rule inet nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fas_remoteip, fas_port);
|
||||
} else {
|
||||
rc |= nftables_do_command("add rule ip nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, gw_ip, fas_port);
|
||||
rc |= nftables_do_command("add rule inet nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, gw_ip, fas_port);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// CHAIN_OUTGOING, packets for tcp port 80, redirect to gw_port on primary address for the iface
|
||||
rc |= nftables_do_command("add rule ip nds_nat %s tcp dport 80 counter dnat to %s", CHAIN_OUTGOING, gw_address);
|
||||
rc |= nftables_do_command("add rule inet nds_nat %s tcp dport 80 counter dnat ip to %s", CHAIN_OUTGOING, gw_address);
|
||||
|
||||
// CHAIN_OUTGOING, other packets ACCEPT
|
||||
rc |= nftables_do_command("add rule ip nds_nat %s counter accept", CHAIN_OUTGOING);
|
||||
rc |= nftables_do_command("add rule inet nds_nat %s counter accept", CHAIN_OUTGOING);
|
||||
|
||||
if (strcmp(config->gw_fqdn, "disable") != 0) {
|
||||
rc |= nftables_do_command("insert rule ip nds_nat ndsOUT ip daddr %s tcp dport 80 counter redirect to :%d", config->gw_ip, config->gw_port);
|
||||
rc |= nftables_do_command("insert rule inet nds_nat ndsOUT ip daddr %s tcp dport 80 counter redirect to :%d", config->gw_ip, config->gw_port);
|
||||
}
|
||||
}
|
||||
/*
|
||||
@@ -341,26 +341,26 @@ iptables_fw_init(void)
|
||||
*/
|
||||
|
||||
// Create new chains in the filter table
|
||||
rc |= nftables_do_command("add chain ip nds_filter " CHAIN_TO_INTERNET);
|
||||
rc |= nftables_do_command("add chain ip nds_filter " CHAIN_TO_ROUTER);
|
||||
rc |= nftables_do_command("add chain ip nds_filter " CHAIN_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add chain ip nds_filter " CHAIN_UPLOAD_RATE);
|
||||
rc |= nftables_do_command("add chain ip nds_filter " CHAIN_FT_OUT); // flowoffload for outgoing packets
|
||||
rc |= nftables_do_command("add chain inet nds_filter " CHAIN_TO_INTERNET);
|
||||
rc |= nftables_do_command("add chain inet nds_filter " CHAIN_TO_ROUTER);
|
||||
rc |= nftables_do_command("add chain inet nds_filter " CHAIN_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add chain inet nds_filter " CHAIN_UPLOAD_RATE);
|
||||
rc |= nftables_do_command("add chain inet nds_filter " CHAIN_FT_OUT); // flowoffload for outgoing packets
|
||||
|
||||
// filter CHAIN_INPUT chain
|
||||
|
||||
// packets coming in on gw_interface jump to CHAIN_TO_ROUTER
|
||||
rc |= nftables_do_command("insert rule ip nds_filter %s iifname \"%s\" counter jump %s", CHAIN_INPUT, gw_interface, CHAIN_TO_ROUTER);
|
||||
rc |= nftables_do_command("insert rule inet nds_filter %s iifname \"%s\" counter jump %s", CHAIN_INPUT, gw_interface, CHAIN_TO_ROUTER);
|
||||
|
||||
// CHAIN_TO_ROUTER, invalid packets DROP
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s ct state invalid counter drop", CHAIN_TO_ROUTER);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s ct state invalid counter drop", CHAIN_TO_ROUTER);
|
||||
|
||||
// CHAIN_TO_ROUTER, packets to HTTP listening on gw_port on router ACCEPT
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, gw_port);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, gw_port);
|
||||
|
||||
// CHAIN_TO_ROUTER, packets to HTTP listening on fas_port on router ACCEPT
|
||||
if (fas_port != gw_port && strcmp(fas_remoteip, gw_ip) == 0 && strcmp(fas_remotefqdn, gw_fqdn) == 0) {
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, fas_port);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, fas_port);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -368,30 +368,30 @@ iptables_fw_init(void)
|
||||
*/
|
||||
|
||||
// packets coming in on gw_interface jump to CHAIN_TO_INTERNET
|
||||
rc |= nftables_do_command("insert rule ip nds_filter %s iifname \"%s\" counter jump %s", CHAIN_FORWARD, gw_interface, CHAIN_TO_INTERNET);
|
||||
rc |= nftables_do_command("insert rule inet nds_filter %s iifname \"%s\" counter jump %s", CHAIN_FORWARD, gw_interface, CHAIN_TO_INTERNET);
|
||||
|
||||
// CHAIN_TO_INTERNET, invalid packets DROP
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s ct state invalid counter drop", CHAIN_TO_INTERNET);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s ct state invalid counter drop", CHAIN_TO_INTERNET);
|
||||
|
||||
// Allow access to remote FAS - CHAIN_TO_INTERNET packets for remote FAS, ACCEPT
|
||||
|
||||
if (config->fas_port != 0) {
|
||||
if (strcmp(config->fas_remotefqdn, "disabled") != 0) {
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fqdnip, fas_port);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fqdnip, fas_port);
|
||||
// Now we can free(fqdnip) as we are now finished with it
|
||||
free(fqdnip);
|
||||
} else {
|
||||
|
||||
if (strcmp(config->fas_remoteip, "disabled") != 0) {
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fas_remoteip, fas_port);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fas_remoteip, fas_port);
|
||||
} else {
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, gw_ip, fas_port);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, gw_ip, fas_port);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// CHAIN_TO_INTERNET, packets marked TRUSTED:
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s mark and 0x%x == 0x%x counter accept", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_TRUSTED);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s mark and 0x%x == 0x%x counter accept", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_TRUSTED);
|
||||
|
||||
// CHAIN_TO_INTERNET, packets marked AUTHENTICATED:
|
||||
|
||||
@@ -401,19 +401,19 @@ iptables_fw_init(void)
|
||||
* jump to CHAIN_AUTHENTICATED, and load and use authenticated-users ruleset
|
||||
*/
|
||||
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s mark and 0x%x == 0x%x counter goto %s", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_AUTHENTICATED, CHAIN_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s mark and 0x%x == 0x%x counter goto %s", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_AUTHENTICATED, CHAIN_AUTHENTICATED);
|
||||
|
||||
// CHAIN_AUTHENTICATED, jump to CHAIN_UPLOAD_RATE to handle upload rate limiting
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_UPLOAD_RATE);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_UPLOAD_RATE);
|
||||
|
||||
// CHAIN_AUTHENTICATED, jump to CHAIN_FT_OUT to handle upload flowtable
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_FT_OUT);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_FT_OUT);
|
||||
|
||||
// CHAIN_AUTHENTICATED, any packets not matching that ruleset ACCEPT
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s counter accept", CHAIN_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s counter accept", CHAIN_AUTHENTICATED);
|
||||
|
||||
// CHAIN_TO_INTERNET, all other packets REJECT
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s counter reject", CHAIN_TO_INTERNET);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s counter reject", CHAIN_TO_INTERNET);
|
||||
|
||||
/*
|
||||
* End of filter table chains and rules
|
||||
@@ -674,14 +674,14 @@ iptables_fw_authenticate(t_client *client)
|
||||
debug(LOG_NOTICE, "Authenticating %s %s", client->ip, client->mac);
|
||||
|
||||
// This rule is for marking upload (outgoing) packets, and for upload byte accounting. Drop all bucket overflow packets
|
||||
rc |= nftables_do_command("insert rule ip nds_mangle %s ip saddr %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_OUTGOING, client->ip, client->mac, FW_MARK_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s ip saddr %s counter return", CHAIN_UPLOAD_RATE, client->ip);
|
||||
rc |= nftables_do_command("add rule ip nds_filter %s ip saddr %s counter drop", CHAIN_UPLOAD_RATE, client->ip);
|
||||
rc |= nftables_do_command("insert rule inet nds_mangle %s ip saddr %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_OUTGOING, client->ip, client->mac, FW_MARK_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s ip saddr %s counter return", CHAIN_UPLOAD_RATE, client->ip);
|
||||
rc |= nftables_do_command("add rule inet nds_filter %s ip saddr %s counter drop", CHAIN_UPLOAD_RATE, client->ip);
|
||||
|
||||
// This rule is just for download (incoming) byte accounting. Drop all bucket overflow packets
|
||||
rc |= nftables_do_command("insert rule ip nds_mangle %s ip daddr %s counter meta mark set mark or 0x%x", CHAIN_INCOMING, client->ip, FW_MARK_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add rule ip nds_mangle %s ip daddr %s counter return", CHAIN_DOWNLOAD_RATE, client->ip);
|
||||
rc |= nftables_do_command("add rule ip nds_mangle %s ip daddr %s counter drop", CHAIN_DOWNLOAD_RATE, client->ip);
|
||||
rc |= nftables_do_command("insert rule inet nds_mangle %s ip daddr %s counter meta mark set mark or 0x%x", CHAIN_INCOMING, client->ip, FW_MARK_AUTHENTICATED);
|
||||
rc |= nftables_do_command("add rule inet nds_mangle %s ip daddr %s counter return", CHAIN_DOWNLOAD_RATE, client->ip);
|
||||
rc |= nftables_do_command("add rule inet nds_mangle %s ip daddr %s counter drop", CHAIN_DOWNLOAD_RATE, client->ip);
|
||||
|
||||
client->counters.incoming = 0;
|
||||
client->counters.incoming_previous = 0;
|
||||
@@ -723,7 +723,7 @@ iptables_fw_total_upload()
|
||||
unsigned long long int counter;
|
||||
|
||||
// Look for outgoing traffic
|
||||
safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_PREROUTING, CHAIN_OUTGOING);
|
||||
safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_PREROUTING, CHAIN_OUTGOING);
|
||||
output = popen(script, "r");
|
||||
free (script);
|
||||
|
||||
@@ -761,7 +761,7 @@ iptables_fw_total_download()
|
||||
unsigned long long int counter;
|
||||
|
||||
// Look for incoming traffic
|
||||
safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_POSTROUTING, CHAIN_INCOMING);
|
||||
safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_POSTROUTING, CHAIN_INCOMING);
|
||||
output = popen(script, "r");
|
||||
free (script);
|
||||
|
||||
@@ -807,7 +807,7 @@ iptables_fw_counters_update(void)
|
||||
af = config->ip6 ? AF_INET6 : AF_INET;
|
||||
|
||||
// Look for outgoing (upload) traffic of authenticated clients.
|
||||
safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null", CHAIN_OUTGOING);
|
||||
safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null", CHAIN_OUTGOING);
|
||||
output = popen(script, "r");
|
||||
free(script);
|
||||
|
||||
@@ -863,7 +863,7 @@ iptables_fw_counters_update(void)
|
||||
pclose(output);
|
||||
|
||||
// Look for incoming (download) traffic
|
||||
safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null", CHAIN_INCOMING);
|
||||
safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null", CHAIN_INCOMING);
|
||||
output = popen(script, "r");
|
||||
free(script);
|
||||
|
||||
|
||||
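Review bot: The family keyword `inet` is now spelled out as a literal inside every one of the several dozen format strings in this file (L715, L748-L792, L817-L855, L1018-L1226, L1257-L1286, L1311-L1386), and the same literal is parsed back at the `safe_asprintf` listings at L1311/L1336/L1361/L1386, so a future family change or a typo in one string drifts the rule side and the parser side apart silently. Hoisting it into one constant (constructed name, e.g. `#define NDS_NFT_FAMILY "inet"` used as `"add rule " NDS_NFT_FAMILY " nds_mangle %s ..."`) would make the change a one-line edit and give a single place for a comment stating that the inet table's hook chains see both IPv4 and IPv6 while the `ip saddr`/`ip daddr` matches in these rules only classify IPv4 — the `ct state invalid` drop at L1090 and the final reject at L1226 are not family-specific. The `iptables_` prefix on these function names is also now two firewall generations stale, though renaming is a separate commit. Every hunk here sits inside a function whose start or end is outside the hunk.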