l2filter: Create centralized ebtables setup.

Create a centralized setup for ebtables.
This is necessary to guarantee the order
of how chains are created.

Right now it provides a 1:1 drop-in
replacement of how things currently work
and no changes are needed in the short term.
Markus Gothe 2025-01-17 16:04:53 +01:00
parent 4c0582b1a0
commit d67a40b6a0
6 changed files with 126 additions and 44 deletions


@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=firewallmngr PKG_NAME:=firewallmngr
PKG_VERSION:=1.0.9 PKG_VERSION:=1.0.10
LOCAL_DEV:=0 LOCAL_DEV:=0
ifneq ($(LOCAL_DEV),1) ifneq ($(LOCAL_DEV),1)
@ -55,8 +55,8 @@ endif
define Package/firewallmngr/install define Package/firewallmngr/install
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DIR) $(1)/etc/uci-defaults $(INSTALL_DIR) $(1)/etc/uci-defaults
ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
$(INSTALL_DIR) $(1)/lib/port-trigger $(INSTALL_DIR) $(1)/lib/port-trigger
$(INSTALL_BIN) ./files/port-trigger/etc/init.d/port-trigger $(1)/etc/init.d/ $(INSTALL_BIN) ./files/port-trigger/etc/init.d/port-trigger $(1)/etc/init.d/
@ -69,6 +69,9 @@ endif
$(INSTALL_BIN) ./files/firewall.service $(1)/etc/ $(INSTALL_BIN) ./files/firewall.service $(1)/etc/
$(INSTALL_DATA) ./files/etc/uci-defaults/97-firewall-service $(1)/etc/uci-defaults/ $(INSTALL_DATA) ./files/etc/uci-defaults/97-firewall-service $(1)/etc/uci-defaults/
$(INSTALL_BIN) ./files/etc/init.d/l2filter $(1)/etc/init.d
$(INSTALL_DATA) ./files/etc/config/l2filter $(1)/etc/config/
$(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME) $(BBFDM_REGISTER_SERVICES) ./bbfdm_service.json $(1) $(PKG_NAME)
$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME) $(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME)
endef endef
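Review bot: The new install line `$(INSTALL_BIN) ./files/etc/init.d/l2filter $(1)/etc/init.d` omits the trailing slash that every other destination in this recipe carries; it works because the directory is created in the previous hunk, but `$(1)/etc/init.d/` keeps it consistent and unambiguous. The UCI file is installed with `$(INSTALL_DATA)`, whereas OpenWrt packages normally install `/etc/config/*` with `$(INSTALL_CONF)` and list the file in `Package/<name>/conffiles` so sysupgrade preserves local edits — that define is not visible here, so please confirm `/etc/config/l2filter` is listed. Moving `$(INSTALL_DIR) $(1)/etc/init.d` out of the `CONFIG_FIREWALLMNGR_PORT_TRIGGER` conditional in the previous hunk is what makes the unconditional init.d install valid, which deserves a one-line comment since it otherwise reads as an unrelated reshuffle.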


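--- /dev/null
+++ b/files/etc/config/l2filter
@@ -0,0 +1,26 @@
+#L2 filter UCI file
+config chain 'qos_output'
+option target 'qos_output'
+option table 'nat'
+option chain 'OUTPUT'
+option policy 'RETURN'
+config chain 'dscp2pbits'
+option target 'dscp2pbits'
+option table 'broute'
+option chain 'BROUTING'
+option policy 'RETURN'
+config chain 'qos'
+option target 'qos'
+option table 'broute'
+option chain 'BROUTING'
+option policy 'RETURN'
+config chain 'prevlanxlate'
+option target 'prevlanxlate'
+option table 'broute'
+option chain 'BROUTING'
+option policy 'RETURN'
+option append 'false'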
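Review bot: The header comment `#L2 filter UCI file` does not say that section order is significant, yet the init script processes sections in file order and the `append 'false'` on `prevlanxlate` is what puts that chain at the head of BROUTING while the others are appended — exactly the ordering the commit message says must be guaranteed. Suggest expanding the header to `# Processed in file order by /etc/init.d/l2filter: each section creates its target chain in table and hooks it from chain; append 'false' inserts at the head (-I), otherwise it is appended (-A).` A section also accepts `option enabled '0'` to be skipped, which is worth stating here since nothing else documents it.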


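--- /dev/null
+++ b/files/etc/init.d/l2filter
@@ -0,0 +1,93 @@
+#!/bin/sh /etc/rc.common
+# Start after bdmf shell, wanconf, and switch-script but before the network-script
+START=20
+STOP=10
+USE_PROCD=1
+. /lib/functions.sh
+handle_ebtables_chain() {
+local sid="$1"
+local table
+local chain
+local target
+local policy
+local append
+local enabled
+local ret
+config_get table "$sid" table filter
+config_get chain "$sid" chain
+config_get policy "$sid" policy RETURN
+config_get target "$sid" target
+config_get_bool append "$sid" append 1
+config_get_bool enabled "$sid" enabled 1
+[ "$enabled" = "0" ] && return
+[ -z "${chain}" -o -z "${target}" ] && return
+if [ "$append" != "0" ]; then
+append="-A"
+else
+append="-I"
+fi
+ebtables --concurrent -t "$table" -N "$target" -P "$policy" 2> /dev/null
+ret=$?
+if [ $ret -eq 0 ]; then
+ebtables --concurrent -t "$table" ${append} "$chain" -j "$target"
+else
+ebtables --concurrent -t "$table" -D "$chain" -j "$target"
+ebtables --concurrent -t "$table" ${append} "$chain" -j "$target"
+fi
+}
+handle_ebtables_rule() {
+local sid="$1"
+local table
+local chain
+local target
+local match
+local value
+local enabled
+local ret
+config_get table "$sid" table filter
+config_get chain "$sid" chain
+config_get match "$sid" match
+config_get value "$sid" value
+config_get target "$sid" target RETURN
+config_get_bool append "$sid" append 1
+config_get_bool enabled "$sid" enabled 1
+[ "$enabled" = "0" ] && return
+[ -z "${chain}" -o -z "${target}" ] && return
+if [ "$append" != "0" ]; then
+append="-A"
+else
+append="-I"
+fi
+ebtables --concurrent -t "$table" -D "$chain" ${match} -j "$target" ${value} 2> /dev/null
+ebtables --concurrent -t "$table" ${append} "$chain" ${match} -j "$target" ${value}
+}
+start_service() {
+config_load l2filter
+config_foreach handle_ebtables_chain chain
+config_foreach handle_ebtables_rule rule
+}
+reload_service() {
+stop
+start
+}
+service_triggers() {
+procd_add_reload_trigger l2filter
+}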
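Review bot: `handle_ebtables_rule` assigns `append` through `config_get_bool append "$sid" append 1` without declaring it `local`, unlike `handle_ebtables_chain`, so the value leaks into the caller's shell scope, while the `local ret` it declares is never used; change `local ret` to `local append` in that function. Nothing tears chains down — no `stop_service` is defined and `reload_service` is just `stop` then `start` — so a section later set to `enabled '0'` or removed from the config appears to stay in ebtables until reboot; if additive behaviour is intended, a comment above `reload_service` saying so would prevent a future fix-up, otherwise removal needs explicit handling. `${match}` and `${value}` are deliberately unquoted so they split into several ebtables arguments (and are also subject to glob expansion); a comment such as `# match/value are intentionally unquoted: they hold several arguments from the root-owned config` keeps someone from quoting them. `[ -z "${chain}" -o -z "${target}" ]` uses the obsolescent `-o`; `[ -z "$chain" ] || [ -z "$target" ]` is the portable form in both functions.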


@ -30,7 +30,7 @@ define Package/qosmngr
TITLE:=QoS Manager TITLE:=QoS Manager
DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libqos +!(TARGET_brcmbca||TARGET_airoha):tc-full DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libqos +!(TARGET_brcmbca||TARGET_airoha):tc-full
DEPENDS+=+kmod-vlantranslation +kmod-dscp2pbit +!(TARGET_brcmbca):ebtables-legacy DEPENDS+=+kmod-vlantranslation +kmod-dscp2pbit +!(TARGET_brcmbca):ebtables-legacy
DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service DEPENDS+=+libbbfdm-api +libbbfdm-ubus +dm-service +firewallmngr
endef endef
define Package/qosmngr/description define Package/qosmngr/description


@ -122,7 +122,7 @@ setup_qos() {
cp /etc/config/qos /tmp/qos/qos cp /etc/config/qos /tmp/qos/qos
fi fi
create_ebtables_chains /etc/init.d/l2filter restart # Imitate the existing behaviour.
create_iptables_chains create_iptables_chains
} }
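Review bot: The comment on the replacement line, `# Imitate the existing behaviour.`, does not say which behaviour is being imitated and will read as noise once the old inline code is forgotten; suggest `# Chain creation now lives in the l2filter service; restart re-creates the chains idempotently (same -N/-A/-I sequence the removed create_ebtables_chains used).` The exit status of `/etc/init.d/l2filter restart` is not checked, so `create_iptables_chains` runs even if the ebtables chains were not created; that matches the old inline code, but the work now happens in a separate process, so consider `/etc/init.d/l2filter restart || logger -t qos "l2filter restart failed"` if a visible failure is wanted. setup_qos starts before this hunk.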


@ -508,46 +508,6 @@ handle_ebtables_dscp2pbit() {
BR_RULE_DSCP2PBIT=" -i $in_if -j dscp2pbit --dscp2pbit-mapping $dscp2pbit_mapping_list --dscp2pbit-target CONTINUE" BR_RULE_DSCP2PBIT=" -i $in_if -j dscp2pbit --dscp2pbit-mapping $dscp2pbit_mapping_list --dscp2pbit-target CONTINUE"
} }
create_ebtables_chains() {
ebtables --concurrent -t nat -N qos_output -P RETURN 2> /dev/null
ret=$?
if [ $ret -eq 0 ]; then
ebtables --concurrent -t nat -A OUTPUT -j qos_output
else
ebtables --concurrent -t nat -D OUTPUT -j qos_output
ebtables --concurrent -t nat -A OUTPUT -j qos_output
fi
ebtables --concurrent -t broute -N dscp2pbits -P RETURN 2> /dev/null
ret=$?
if [ $ret -eq 0 ]; then
ebtables --concurrent -t broute -A BROUTING -j dscp2pbits
else
ebtables --concurrent -t broute -D BROUTING -j dscp2pbits
ebtables --concurrent -t broute -A BROUTING -j dscp2pbits
fi
ebtables --concurrent -t broute -N qos -P RETURN 2> /dev/null
ret=$?
if [ $ret -eq 0 ]; then
ebtables --concurrent -t broute -A BROUTING -j qos
else
ebtables --concurrent -t broute -D BROUTING -j qos
ebtables --concurrent -t broute -A BROUTING -j qos
fi
ebtables --concurrent -t broute -N prevlanxlate -P RETURN 2> /dev/null
ret=$?
if [ $ret -eq 0 ]; then
ebtables --concurrent -t broute -I BROUTING -j prevlanxlate
else
ebtables --concurrent -t broute -D BROUTING -j prevlanxlate
ebtables --concurrent -t broute -I BROUTING -j prevlanxlate
fi
}
flush_ebtables_chains() { flush_ebtables_chains() {
echo "ebtables --concurrent -t nat -F qos_output" > /tmp/qos/classify.ebtables echo "ebtables --concurrent -t nat -F qos_output" > /tmp/qos/classify.ebtables
echo "ebtables --concurrent -t broute -F qos" > /tmp/qos/classify.ebtables echo "ebtables --concurrent -t broute -F qos" > /tmp/qos/classify.ebtables