From dc46a46cc01185eaf0ba71c03862fac355b37ca5 Mon Sep 17 00:00:00 2001 From: Rob White Date: Mon, 7 Jul 2025 09:43:07 +0100 Subject: [PATCH] Add - ipv6 support Signed-off-by: Rob White --- .../libs/libopennds.sh | 112 +++++++++--------- src/fw_iptables.c | 100 ++++++++-------- 2 files changed, 106 insertions(+), 106 deletions(-) diff --git a/forward_authentication_service/libs/libopennds.sh b/forward_authentication_service/libs/libopennds.sh index b93bcdf..d03a6e6 100755 --- a/forward_authentication_service/libs/libopennds.sh +++ b/forward_authentication_service/libs/libopennds.sh @@ -1028,7 +1028,7 @@ check_mhd() { } nft_get_status() { - nfttest=$(nft -a list chain ip nds_filter ndsNET 2> /dev/null) + nfttest=$(nft -a list chain inet nds_filter ndsNET 2> /dev/null) if [ ! -z "$nfttest" ]; then nftstatus="1" @@ -1275,17 +1275,17 @@ delete_chains () { delete_rule # now we can delete our chains - the quickest way is to delete our tables: - nft delete table ip nds_filter 2> /dev/null - nft delete table ip nds_mangle 2> /dev/null - nft delete table ip nds_nat 2> /dev/null + nft delete table inet nds_filter 2> /dev/null + nft delete table inet nds_mangle 2> /dev/null + nft delete table inet nds_nat 2> /dev/null } delete_rule () { # Requires table, src_chain and dst_chain variables - rule=$(nft -a list table ip "$table" 2> /dev/null | grep -w -A 30 "chain $src_chain" | grep -w "jump $dst_chain" | awk -F "handle " '{printf "%s", $2}') + rule=$(nft -a list table inet "$table" 2> /dev/null | grep -w -A 30 "chain $src_chain" | grep -w "jump $dst_chain" | awk -F "handle " '{printf "%s", $2}') if [ ! -z "$rule" ]; then - nft delete rule ip "$table" "$src_chain" handle "$rule" + nft delete rule inet "$table" "$src_chain" handle "$rule" fi } 
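Review bot: delete_chains now removes only the `inet` family tables, so an install upgraded from a release that created `ip nds_filter`, `ip nds_mangle` and `ip nds_nat` keeps those stale tables, and their base chains hooked at priority -100, active next to the new ones until the box is rebooted. Because the old names are fixed, the cleanup can simply keep the three previous commands alongside the new ones, e.g. `nft delete table ip nds_filter 2> /dev/null` (and the same for nds_mangle and nds_nat); stderr is already discarded, so they are harmless on a fresh install. The nft_get_status hunk above has the same upgrade edge: it would report the ruleset as absent while the leftover `ip` tables are still the ones doing the filtering. Whether pre_setup or delete_chains is the right place depends on the restart sequence, which is outside this hunk.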
@@ -1324,12 +1324,12 @@ pre_setup () { ndstables="nds_filter nds_mangle nds_nat" for ndstable in $ndstables; do - nft list table ip "$ndstable" &>/dev/null + nft list table inet "$ndstable" &>/dev/null ret=$? if [ $ret -gt 0 ]; then # Table does not exist - nft add table ip $ndstable + nft add table inet $ndstable ret=$? if [ $ret -gt 0 ]; then 
@@ -1339,21 +1339,21 @@ pre_setup () { done # add required chains - nft add chain ip nds_filter ndsINP "{ type filter hook input priority -100 ; }" 2> /dev/null - nft add chain ip nds_filter ndsFWD "{ type filter hook forward priority -100 ; }" 2> /dev/null - nft add chain ip nds_nat ndsPRE "{ type nat hook prerouting priority -100 ; }" - nft add chain ip nds_mangle ndsPRE "{ type filter hook prerouting priority -100 ; }" - nft add chain ip nds_mangle ndsPOST "{ type filter hook forward priority -100 ; }" - nft add chain ip nds_mangle ndsINC - nft add chain ip nds_mangle nds_ft_INC - nft add chain ip nds_filter nds_ft_OUT - nft add chain ip nds_filter nds_allow_INP "{ type filter hook input priority 100 ; }" - nft add chain ip nds_filter nds_allow_FWD "{ type filter hook forward priority 100 ; }" + nft add chain inet nds_filter ndsINP "{ type filter hook input priority -100 ; }" 2> /dev/null + nft add chain inet nds_filter ndsFWD "{ type filter hook forward priority -100 ; }" 2> /dev/null + nft add chain inet nds_nat ndsPRE "{ type nat hook prerouting priority -100 ; }" + nft add chain inet nds_mangle ndsPRE "{ type filter hook prerouting priority -100 ; }" + nft add chain inet nds_mangle ndsPOST "{ type filter hook forward priority -100 ; }" + nft add chain inet nds_mangle ndsINC + nft add chain inet nds_mangle nds_ft_INC + nft add chain inet nds_filter nds_ft_OUT + nft add chain inet nds_filter nds_allow_INP "{ type filter hook input priority 100 ; }" + nft add chain inet nds_filter nds_allow_FWD "{ type filter hook forward priority 100 ; }" # add initial rules - nft insert rule ip nds_filter nds_allow_INP iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow input\"" - nft insert rule ip nds_filter nds_allow_FWD iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow forward\"" - nft insert rule ip nds_mangle ndsINC oifname "\"$gatewayinterface\"" counter jump nds_ft_INC + nft insert rule inet nds_filter nds_allow_INP 
iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow input\"" + nft insert rule inet nds_filter nds_allow_FWD iifname "\"$gatewayinterface\"" counter accept comment "\"!opennds: allow forward\"" + nft insert rule inet nds_mangle ndsINC oifname "\"$gatewayinterface\"" counter jump nds_ft_INC ret=$? 
@@ -1371,26 +1371,26 @@ ipt_to_nft () { delete_client_rule () { if [ "$nds_verdict" = "all" ]; then - local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}') + local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}') else - local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}') + local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}') fi for rulehandle in $handles; do - nft delete rule ip $nds_table "$nds_chain" handle "$rulehandle" 2> /dev/null + nft delete rule inet $nds_table "$nds_chain" handle "$rulehandle" 2> /dev/null done } replace_client_rule () { if [ "$nds_verdict" = "all" ]; then - local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}') + local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | awk -F"handle " '{printf "%s ", $2}') else - local handles=$(nft -a list chain ip "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}') + local handles=$(nft -a list chain inet "$nds_table" "$nds_chain" | grep -w "$client_ip" | grep -w "$nds_verdict" | awk -F"handle " '{printf "%s ", $2}') fi for rulehandle in $handles; do - nft replace rule ip $nds_table "$nds_chain" handle "$rulehandle" "$new_rule" 2> /dev/null + nft replace rule inet $nds_table "$nds_chain" handle "$rulehandle" "$new_rule" 2> /dev/null done } 
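Review bot: The handle lookup in delete_client_rule and replace_client_rule still depends on `grep -w "$client_ip"` matching nft's textual rendering of the address, which becomes fragile once IPv6 clients are possible: nft lists addresses in compressed canonical form, so a `client_ip` supplied as `2001:0db8::1` (constructed example) would not match the listed `2001:db8::1`, no handle would be found, and the client's rules would silently survive deauthentication. Either canonicalise `client_ip` before the lookup or match on a form that does not depend on presentation. While here, `grep -F -w "$client_ip"` would stop the dots of an IPv4 address acting as regex wildcards, which the current pattern allows.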
@@ -1507,7 +1507,7 @@ nft_set () { fi if [ -z "$ports" ]; then - nft $nftsetmode rule ip nds_filter ndsNET counter ip daddr "@$nftsetname" "$nftruletype" + nft $nftsetmode rule inet nds_filter ndsNET counter ip daddr "@$nftsetname" "$nftruletype" else numports=$(echo $ports | tr -d "'" | awk '{printf NF}') @@ -1516,7 +1516,7 @@ nft_set () { ports=$(printf "$ports" | tr -d "'" | tr -s " " ",") fi - nft $nftsetmode rule ip nds_filter ndsNET counter ip daddr "@$nftsetname" tcp dport {"$ports"} "$nftruletype" + nft $nftsetmode rule inet nds_filter ndsNET counter ip daddr "@$nftsetname" tcp dport {"$ports"} "$nftruletype" fi @@ -1929,17 +1929,17 @@ create_client_ruleset () { fi if [ "$ruleset_name" = "authenticated_users" ]; then - nft insert rule ip nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict" + nft insert rule inet nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict" status=$? fi if [ "$ruleset_name" = "preauthenticated_users" ]; then - nft insert rule ip nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict" + nft insert rule inet nds_filter $chain index 2 "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict" status=$? fi if [ "$ruleset_name" = "users_to_router" ]; then - nft add rule ip nds_filter $chain "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict" + nft add rule inet nds_filter $chain "$ipstr" "$proto" "$sdport" "$portnum" counter "$verdict" status=$? fi 
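Review bot: In an `inet` table the `ip daddr "@$nftsetname"` match in nft_set only evaluates IPv4 packets, so IPv6 traffic to the same walled-garden destinations never hits the set and falls through to whatever terminates ndsNET. If that is intended until IPv6 sets exist it deserves a comment such as `# ip daddr only matches IPv4 in the inet family; IPv6 destinations are not yet covered`; if not, an `ip6 daddr` rule against an `ipv6_addr` set would be needed as well, and the set type is decided outside this hunk. The ruleset lines in the `create_client_ruleset` hunk sharing this line carry the same IPv4-only match through `$ipstr`, whose construction I cannot see.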
@@ -1947,10 +1947,10 @@ create_client_ruleset () { if [ "$ruleset_name" = "users_to_router" ]; then # allow ping4 max 4 per second - nft insert rule ip nds_filter ndsRTR icmp type echo-request counter drop - nft insert rule ip nds_filter ndsRTR icmp type echo-request limit rate 4/second counter accept + nft insert rule inet nds_filter ndsRTR icmp type echo-request counter drop + nft insert rule inet nds_filter ndsRTR icmp type echo-request limit rate 4/second counter accept # Block everything else - nft add rule ip nds_filter $chain counter reject + nft add rule inet nds_filter $chain counter reject fi } 
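Review bot: With the base chains now in the `inet` family, IPv6 packets addressed to the router enter this chain as well, but the new rules only handle `icmp type echo-request`; ICMPv6, including neighbour solicitation/advertisement and router solicitation, is not matched and reaches the unconditional `counter reject` added just below unless a preauthenticated ruleset happens to accept it. That would break IPv6 neighbour discovery on the gateway interface, which has to work before any IPv6 client can reach the portal at all. I would accept the NDP types ahead of the reject, e.g. `nft insert rule inet nds_filter ndsRTR icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } counter accept`, and mirror the ping limiter with `icmpv6 type echo-request`, changing the comment to `# allow ping4/ping6 max 4 per second`. The ordering relative to the `index 2` ruleset inserts in the previous hunk is only partly visible here.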
@@ -2546,27 +2546,27 @@ elif [ "$1" = "gatewayroute" ]; then if [ "$ftdevices" != "{ $wandevices }" ]; then - rulehandles=$(nft -a list chain ip nds_mangle nds_ft_INC | grep "@ndsftINC"| awk -F "handle " '{printf "%s ", $2}') + rulehandles=$(nft -a list chain inet nds_mangle nds_ft_INC | grep "@ndsftINC"| awk -F "handle " '{printf "%s ", $2}') for rulehandle in $rulehandles; do - nft delete rule ip nds_mangle nds_ft_INC handle "$rulehandle" + nft delete rule inet nds_mangle nds_ft_INC handle "$rulehandle" done - nft delete flowtable ip nds_mangle handle "$handle" - nft add flowtable ip nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null - nft add rule ip nds_mangle nds_ft_INC flow offload @ndsftINC counter - nft add rule ip nds_mangle nds_ft_INC counter return + nft delete flowtable inet nds_mangle handle "$handle" + nft add flowtable inet nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null + nft add rule inet nds_mangle nds_ft_INC flow offload @ndsftINC counter + nft add rule inet nds_mangle nds_ft_INC counter return fi else - nft add flowtable ip nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null - nft add rule ip nds_mangle nds_ft_INC meta l4proto { tcp, udp } flow offload @ndsftINC counter - nft add rule ip nds_mangle nds_ft_INC counter return + nft add flowtable inet nds_mangle ndsftINC "{ hook ingress priority -100 ; devices = { $wandevices } ; }" 2> /dev/null + nft add rule inet nds_mangle nds_ft_INC meta l4proto { tcp, udp } flow offload @ndsftINC counter + nft add rule inet nds_mangle nds_ft_INC counter return fi fi # add upload flowtable - fttest=$(nft list flowtable ip nds_filter ndsftOUT &> /dev/null ; echo $?) + fttest=$(nft list flowtable inet nds_filter ndsftOUT &> /dev/null ; echo $?) if [ $fttest -gt 0 ]; then option="gatewayinterface" 
@@ -2576,14 +2576,14 @@ elif [ "$1" = "gatewayroute" ]; then gatewayinterface="br-lan" fi - nft add flowtable ip nds_filter ndsftOUT "{ hook ingress priority -100 ; devices = { $gatewayinterface } ; }" + nft add flowtable inet nds_filter ndsftOUT "{ hook ingress priority -100 ; devices = { $gatewayinterface } ; }" fi - ftruletest=$(nft list chain ip nds_filter nds_ft_OUT 2> /dev/null | grep -q -w "meta l4proto"; echo $?) + ftruletest=$(nft list chain inet nds_filter nds_ft_OUT 2> /dev/null | grep -q -w "meta l4proto"; echo $?) if [ $ftruletest -gt 0 ]; then - nft add rule ip nds_filter nds_ft_OUT meta l4proto { tcp, udp } flow offload @ndsftOUT counter - nft add rule ip nds_filter nds_ft_OUT counter return + nft add rule inet nds_filter nds_ft_OUT meta l4proto { tcp, udp } flow offload @ndsftOUT counter + nft add rule inet nds_filter nds_ft_OUT counter return fi exit 0 @@ -3351,13 +3351,13 @@ elif [ "$1" = "ipv6_routing" ]; then if [ -z "$2" ] || [ "$is_uci" -gt 0 ]; then exit 0 - elif [ "$2" = "block" ]; then - uci set network.wan6.proto='none' - service network reload - - elif [ "$2" = "allow" ]; then - uci set network.wan6.proto='dhcpv6' - service network reload +# elif [ "$2" = "block" ]; then +# uci set network.wan6.proto='none' +# service network reload +# +# elif [ "$2" = "allow" ]; then +# uci set network.wan6.proto='dhcpv6' +# service network reload fi exit 0 diff --git a/src/fw_iptables.c b/src/fw_iptables.c index d1dd419..1bc1123 100644 --- a/src/fw_iptables.c +++ b/src/fw_iptables.c @@ -167,7 +167,7 @@ nftables_do_command(const char *format, ...) int iptables_trust_mac(const char mac[]) { - return nftables_do_command("add rule ip nds_mangle %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_TRUSTED, mac, FW_MARK_TRUSTED); + return nftables_do_command("add rule inet nds_mangle %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_TRUSTED, mac, FW_MARK_TRUSTED); } int 
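Review bot: The `block`/`allow` branches of `ipv6_routing` are commented out rather than removed, and the `# elif` lines sit at column 0 inside an indented if/elif chain, so the function now silently does nothing for those arguments while still accepting them. If the wan6 proto toggling is retired because the `inet` tables now police IPv6 themselves, delete the branches and say so in the commit message, which currently reads only `Add - ipv6 support`; if it is merely parked, a comment such as `# wan6 proto toggling disabled: IPv6 is now filtered by the inet family tables` above the `fi` would tell the next reader why. Callers that still pass `block` presumably expect IPv6 to be cut off, so the behaviour change deserves to be stated explicitly.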
@@ -252,17 +252,17 @@ iptables_fw_init(void) // Create new chains in the mangle table - rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_TRUSTED); // for marking trusted packets - rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_INCOMING); // for counting incoming packets - rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_DOWNLOAD_RATE); // for controlling download rate per client - rc |= nftables_do_command("add chain ip nds_mangle " CHAIN_OUTGOING); // for marking authenticated packets, and for counting outgoing packets + rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_TRUSTED); // for marking trusted packets + rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_INCOMING); // for counting incoming packets + rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_DOWNLOAD_RATE); // for controlling download rate per client + rc |= nftables_do_command("add chain inet nds_mangle " CHAIN_OUTGOING); // for marking authenticated packets, and for counting outgoing packets // Assign jumps to these new chains - rc |= nftables_do_command("insert rule ip nds_mangle %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING); - rc |= nftables_do_command("insert rule ip nds_mangle %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_TRUSTED); - rc |= nftables_do_command("insert rule ip nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_POSTROUTING, gw_interface, CHAIN_INCOMING); - rc |= nftables_do_command("insert rule ip nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_FT_INC); - rc |= nftables_do_command("insert rule ip nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_DOWNLOAD_RATE); + rc |= nftables_do_command("insert rule inet nds_mangle %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING); + rc |= nftables_do_command("insert rule inet nds_mangle %s iifname \"%s\" counter 
jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_TRUSTED); + rc |= nftables_do_command("insert rule inet nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_POSTROUTING, gw_interface, CHAIN_INCOMING); + rc |= nftables_do_command("insert rule inet nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_FT_INC); + rc |= nftables_do_command("insert rule inet nds_mangle %s oifname \"%s\" counter jump %s", CHAIN_INCOMING, gw_interface, CHAIN_DOWNLOAD_RATE); // Rules to mark as trusted MAC address packets in mangle PREROUTING for (; pt != NULL; pt = pt->next) { @@ -284,18 +284,18 @@ iptables_fw_init(void) if (!config->ip6) { // Create new chains in nat table - rc |= nftables_do_command("add chain ip nds_nat " CHAIN_OUTGOING); + rc |= nftables_do_command("add chain inet nds_nat " CHAIN_OUTGOING); // nat PREROUTING chain // packets coming in on gw_interface jump to CHAIN_OUTGOING - rc |= nftables_do_command("insert rule ip nds_nat %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING); + rc |= nftables_do_command("insert rule inet nds_nat %s iifname \"%s\" counter jump %s", CHAIN_PREROUTING, gw_interface, CHAIN_OUTGOING); // CHAIN_OUTGOING, packets marked TRUSTED ACCEPT - rc |= nftables_do_command("add rule ip nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_TRUSTED); + rc |= nftables_do_command("add rule inet nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_TRUSTED); // CHAIN_OUTGOING, packets marked AUTHENTICATED ACCEPT - rc |= nftables_do_command("add rule ip nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_AUTHENTICATED); + rc |= nftables_do_command("add rule inet nds_nat %s mark and 0x%x == 0x%x counter return", CHAIN_OUTGOING, FW_MARK_MASK, FW_MARK_AUTHENTICATED); // Allow access to remote FAS - CHAIN_OUTGOING and CHAIN_TO_INTERNET packets for remote FAS, ACCEPT if (config->fas_port != 0) { 
@@ -305,27 +305,27 @@ iptables_fw_init(void) safe_snprintf(fqdncmd, SMALL_BUF, "/usr/lib/opennds/libopennds.sh resolve_fqdn \"%s\"", fas_remotefqdn); fqdnip = safe_calloc(SMALL_BUF); rc = execute_ret_url_encoded(fqdnip, SMALL_BUF, fqdncmd); - rc |= nftables_do_command("add rule ip nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fqdnip, fas_port); + rc |= nftables_do_command("add rule inet nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fqdnip, fas_port); free(fqdncmd); // do not free(fqdnip) just yet, we will need it again shortly } else { if (strcmp(config->fas_remoteip, "disabled") != 0) { - rc |= nftables_do_command("add rule ip nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fas_remoteip, fas_port); + rc |= nftables_do_command("add rule inet nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, fas_remoteip, fas_port); } else { - rc |= nftables_do_command("add rule ip nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, gw_ip, fas_port); + rc |= nftables_do_command("add rule inet nds_nat %s ip daddr %s tcp dport %d counter accept", CHAIN_OUTGOING, gw_ip, fas_port); } } } // CHAIN_OUTGOING, packets for tcp port 80, redirect to gw_port on primary address for the iface - rc |= nftables_do_command("add rule ip nds_nat %s tcp dport 80 counter dnat to %s", CHAIN_OUTGOING, gw_address); + rc |= nftables_do_command("add rule inet nds_nat %s tcp dport 80 counter dnat ip to %s", CHAIN_OUTGOING, gw_address); // CHAIN_OUTGOING, other packets ACCEPT - rc |= nftables_do_command("add rule ip nds_nat %s counter accept", CHAIN_OUTGOING); + rc |= nftables_do_command("add rule inet nds_nat %s counter accept", CHAIN_OUTGOING); if (strcmp(config->gw_fqdn, "disable") != 0) { - rc |= nftables_do_command("insert rule ip nds_nat ndsOUT ip daddr %s tcp dport 80 counter redirect to :%d", config->gw_ip, config->gw_port); + rc |= nftables_do_command("insert rule inet nds_nat ndsOUT ip daddr %s tcp 
dport 80 counter redirect to :%d", config->gw_ip, config->gw_port); } } /* 
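Review bot: The remote-FAS allow rules here and in the `@@ -368` hunk still use `ip daddr %s`, which in an `inet` table matches IPv4 only; if `fqdnip`, `fas_remoteip` or `gw_ip` ever holds an IPv6 literal, nft rejects the rule as a syntax error and `rc` goes non-zero, and otherwise IPv6 clients simply cannot reach the FAS. The redirect rules (`dnat ip to`, `redirect to :%d`) are IPv4-only as well, so the portal is not offered over IPv6 at all; if that is deliberate for this step, a comment such as `// nat/redirect rules are IPv4-only; IPv6 clients are rejected in CHAIN_TO_INTERNET until marked` on the `if (!config->ip6)` branch would make it explicit. On the context line `rc = execute_ret_url_encoded(fqdnip, SMALL_BUF, fqdncmd);` the accumulated `rc` is overwritten, which predates this change but is worth fixing while the block is being touched, provided that call follows the same zero-on-success convention. iptables_fw_init starts and ends outside this hunk.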
@@ -341,26 +341,26 @@ iptables_fw_init(void) */ // Create new chains in the filter table - rc |= nftables_do_command("add chain ip nds_filter " CHAIN_TO_INTERNET); - rc |= nftables_do_command("add chain ip nds_filter " CHAIN_TO_ROUTER); - rc |= nftables_do_command("add chain ip nds_filter " CHAIN_AUTHENTICATED); - rc |= nftables_do_command("add chain ip nds_filter " CHAIN_UPLOAD_RATE); - rc |= nftables_do_command("add chain ip nds_filter " CHAIN_FT_OUT); // flowoffload for outgoing packets + rc |= nftables_do_command("add chain inet nds_filter " CHAIN_TO_INTERNET); + rc |= nftables_do_command("add chain inet nds_filter " CHAIN_TO_ROUTER); + rc |= nftables_do_command("add chain inet nds_filter " CHAIN_AUTHENTICATED); + rc |= nftables_do_command("add chain inet nds_filter " CHAIN_UPLOAD_RATE); + rc |= nftables_do_command("add chain inet nds_filter " CHAIN_FT_OUT); // flowoffload for outgoing packets // filter CHAIN_INPUT chain // packets coming in on gw_interface jump to CHAIN_TO_ROUTER - rc |= nftables_do_command("insert rule ip nds_filter %s iifname \"%s\" counter jump %s", CHAIN_INPUT, gw_interface, CHAIN_TO_ROUTER); + rc |= nftables_do_command("insert rule inet nds_filter %s iifname \"%s\" counter jump %s", CHAIN_INPUT, gw_interface, CHAIN_TO_ROUTER); // CHAIN_TO_ROUTER, invalid packets DROP - rc |= nftables_do_command("add rule ip nds_filter %s ct state invalid counter drop", CHAIN_TO_ROUTER); + rc |= nftables_do_command("add rule inet nds_filter %s ct state invalid counter drop", CHAIN_TO_ROUTER); // CHAIN_TO_ROUTER, packets to HTTP listening on gw_port on router ACCEPT - rc |= nftables_do_command("add rule ip nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, gw_port); + rc |= nftables_do_command("add rule inet nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, gw_port); // CHAIN_TO_ROUTER, packets to HTTP listening on fas_port on router ACCEPT if (fas_port != gw_port && strcmp(fas_remoteip, gw_ip) == 0 && strcmp(fas_remotefqdn, gw_fqdn) == 
0) { - rc |= nftables_do_command("add rule ip nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, fas_port); + rc |= nftables_do_command("add rule inet nds_filter %s tcp dport %d counter accept", CHAIN_TO_ROUTER, fas_port); } /* 
@@ -368,30 +368,30 @@ iptables_fw_init(void) */ // packets coming in on gw_interface jump to CHAIN_TO_INTERNET - rc |= nftables_do_command("insert rule ip nds_filter %s iifname \"%s\" counter jump %s", CHAIN_FORWARD, gw_interface, CHAIN_TO_INTERNET); + rc |= nftables_do_command("insert rule inet nds_filter %s iifname \"%s\" counter jump %s", CHAIN_FORWARD, gw_interface, CHAIN_TO_INTERNET); // CHAIN_TO_INTERNET, invalid packets DROP - rc |= nftables_do_command("add rule ip nds_filter %s ct state invalid counter drop", CHAIN_TO_INTERNET); + rc |= nftables_do_command("add rule inet nds_filter %s ct state invalid counter drop", CHAIN_TO_INTERNET); // Allow access to remote FAS - CHAIN_TO_INTERNET packets for remote FAS, ACCEPT if (config->fas_port != 0) { if (strcmp(config->fas_remotefqdn, "disabled") != 0) { - rc |= nftables_do_command("add rule ip nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fqdnip, fas_port); + rc |= nftables_do_command("add rule inet nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fqdnip, fas_port); // Now we can free(fqdnip) as we are now finished with it free(fqdnip); } else { if (strcmp(config->fas_remoteip, "disabled") != 0) { - rc |= nftables_do_command("add rule ip nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fas_remoteip, fas_port); + rc |= nftables_do_command("add rule inet nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, fas_remoteip, fas_port); } else { - rc |= nftables_do_command("add rule ip nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, gw_ip, fas_port); + rc |= nftables_do_command("add rule inet nds_filter %s ip daddr %s tcp dport %d counter accept", CHAIN_TO_INTERNET, gw_ip, fas_port); } } } // CHAIN_TO_INTERNET, packets marked TRUSTED: - rc |= nftables_do_command("add rule ip nds_filter %s mark and 0x%x == 0x%x counter accept", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_TRUSTED); + rc |= 
nftables_do_command("add rule inet nds_filter %s mark and 0x%x == 0x%x counter accept", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_TRUSTED); // CHAIN_TO_INTERNET, packets marked AUTHENTICATED: @@ -401,19 +401,19 @@ iptables_fw_init(void) * jump to CHAIN_AUTHENTICATED, and load and use authenticated-users ruleset */ - rc |= nftables_do_command("add rule ip nds_filter %s mark and 0x%x == 0x%x counter goto %s", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_AUTHENTICATED, CHAIN_AUTHENTICATED); + rc |= nftables_do_command("add rule inet nds_filter %s mark and 0x%x == 0x%x counter goto %s", CHAIN_TO_INTERNET, FW_MARK_MASK, FW_MARK_AUTHENTICATED, CHAIN_AUTHENTICATED); // CHAIN_AUTHENTICATED, jump to CHAIN_UPLOAD_RATE to handle upload rate limiting - rc |= nftables_do_command("add rule ip nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_UPLOAD_RATE); + rc |= nftables_do_command("add rule inet nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_UPLOAD_RATE); // CHAIN_AUTHENTICATED, jump to CHAIN_FT_OUT to handle upload flowtable - rc |= nftables_do_command("add rule ip nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_FT_OUT); + rc |= nftables_do_command("add rule inet nds_filter %s counter jump %s", CHAIN_AUTHENTICATED, CHAIN_FT_OUT); // CHAIN_AUTHENTICATED, any packets not matching that ruleset ACCEPT - rc |= nftables_do_command("add rule ip nds_filter %s counter accept", CHAIN_AUTHENTICATED); + rc |= nftables_do_command("add rule inet nds_filter %s counter accept", CHAIN_AUTHENTICATED); // CHAIN_TO_INTERNET, all other packets REJECT - rc |= nftables_do_command("add rule ip nds_filter %s counter reject", CHAIN_TO_INTERNET); + rc |= nftables_do_command("add rule inet nds_filter %s counter reject", CHAIN_TO_INTERNET); /* * End of filter table chains and rules 
@@ -674,14 +674,14 @@ iptables_fw_authenticate(t_client *client) debug(LOG_NOTICE, "Authenticating %s %s", client->ip, client->mac); // This rule is for marking upload (outgoing) packets, and for upload byte accounting. Drop all bucket overflow packets - rc |= nftables_do_command("insert rule ip nds_mangle %s ip saddr %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_OUTGOING, client->ip, client->mac, FW_MARK_AUTHENTICATED); - rc |= nftables_do_command("add rule ip nds_filter %s ip saddr %s counter return", CHAIN_UPLOAD_RATE, client->ip); - rc |= nftables_do_command("add rule ip nds_filter %s ip saddr %s counter drop", CHAIN_UPLOAD_RATE, client->ip); + rc |= nftables_do_command("insert rule inet nds_mangle %s ip saddr %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_OUTGOING, client->ip, client->mac, FW_MARK_AUTHENTICATED); + rc |= nftables_do_command("add rule inet nds_filter %s ip saddr %s counter return", CHAIN_UPLOAD_RATE, client->ip); + rc |= nftables_do_command("add rule inet nds_filter %s ip saddr %s counter drop", CHAIN_UPLOAD_RATE, client->ip); // This rule is just for download (incoming) byte accounting. 
Drop all bucket overflow packets - rc |= nftables_do_command("insert rule ip nds_mangle %s ip daddr %s counter meta mark set mark or 0x%x", CHAIN_INCOMING, client->ip, FW_MARK_AUTHENTICATED); - rc |= nftables_do_command("add rule ip nds_mangle %s ip daddr %s counter return", CHAIN_DOWNLOAD_RATE, client->ip); - rc |= nftables_do_command("add rule ip nds_mangle %s ip daddr %s counter drop", CHAIN_DOWNLOAD_RATE, client->ip); + rc |= nftables_do_command("insert rule inet nds_mangle %s ip daddr %s counter meta mark set mark or 0x%x", CHAIN_INCOMING, client->ip, FW_MARK_AUTHENTICATED); + rc |= nftables_do_command("add rule inet nds_mangle %s ip daddr %s counter return", CHAIN_DOWNLOAD_RATE, client->ip); + rc |= nftables_do_command("add rule inet nds_mangle %s ip daddr %s counter drop", CHAIN_DOWNLOAD_RATE, client->ip); client->counters.incoming = 0; client->counters.incoming_previous = 0; @@ -723,7 +723,7 @@ iptables_fw_total_upload() unsigned long long int counter; // Look for outgoing traffic - safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_PREROUTING, CHAIN_OUTGOING); + safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_PREROUTING, CHAIN_OUTGOING); output = popen(script, "r"); free (script); @@ -761,7 +761,7 @@ iptables_fw_total_download() unsigned long long int counter; // Look for incoming traffic - safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_POSTROUTING, CHAIN_INCOMING); + safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null | grep -w %s ", CHAIN_POSTROUTING, CHAIN_INCOMING); output = popen(script, "r"); free (script); 
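Review bot: The per-client mark and rate-limit rules in iptables_fw_authenticate still hard-code `ip saddr`/`ip daddr`, which in an `inet` table only ever matches IPv4; with `config->ip6` set (see `af = config->ip6 ? AF_INET6 : AF_INET` in the next hunk) `client->ip` would be an IPv6 literal, nft rejects `ip saddr 2001:db8::1` (constructed example) as invalid, no mark is set, and the client's IPv6 traffic keeps hitting the final reject in CHAIN_TO_INTERNET even after authentication. Trusted MACs are marked purely by `ether saddr` and therefore already work for both families, which makes the asymmetry surprising. Choosing the L3 keyword from the address form, as below, keeps IPv4 behaviour identical and makes the six rules family-aware; the counter parser in iptables_fw_counters_update would then also need to recognise `ip6 saddr`/`ip6 daddr`, which I cannot see from here. The function starts and ends outside this hunk.
```c
	// Pick the L3 match keyword from the client's address form so that the
	// inet-family rules are accepted by nft for IPv6 clients as well.
	const char *l3 = strchr(client->ip, ':') ? "ip6" : "ip";

	// … unchanged: debug(LOG_NOTICE, ...) …
	rc |= nftables_do_command("insert rule inet nds_mangle %s %s saddr %s ether saddr %s counter meta mark set mark or 0x%x", CHAIN_OUTGOING, l3, client->ip, client->mac, FW_MARK_AUTHENTICATED);
	rc |= nftables_do_command("add rule inet nds_filter %s %s saddr %s counter return", CHAIN_UPLOAD_RATE, l3, client->ip);
	rc |= nftables_do_command("add rule inet nds_filter %s %s saddr %s counter drop", CHAIN_UPLOAD_RATE, l3, client->ip);

	// … unchanged: download accounting comment …
	rc |= nftables_do_command("insert rule inet nds_mangle %s %s daddr %s counter meta mark set mark or 0x%x", CHAIN_INCOMING, l3, client->ip, FW_MARK_AUTHENTICATED);
	rc |= nftables_do_command("add rule inet nds_mangle %s %s daddr %s counter return", CHAIN_DOWNLOAD_RATE, l3, client->ip);
	rc |= nftables_do_command("add rule inet nds_mangle %s %s daddr %s counter drop", CHAIN_DOWNLOAD_RATE, l3, client->ip);
```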
@@ -807,7 +807,7 @@ iptables_fw_counters_update(void) af = config->ip6 ? AF_INET6 : AF_INET; // Look for outgoing (upload) traffic of authenticated clients. - safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null", CHAIN_OUTGOING); + safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null", CHAIN_OUTGOING); output = popen(script, "r"); free(script); @@ -863,7 +863,7 @@ iptables_fw_counters_update(void) pclose(output); // Look for incoming (download) traffic - safe_asprintf(&script, "nft list chain ip nds_mangle %s 2>/dev/null", CHAIN_INCOMING); + safe_asprintf(&script, "nft list chain inet nds_mangle %s 2>/dev/null", CHAIN_INCOMING); output = popen(script, "r"); free(script);