From 998fa669ea530f30a716cdfa3c6c8a6068110915 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Thu, 13 Jan 2022 22:21:14 +0100
Subject: nftables
---
 files/.config | 76 ++----------------
 files/files/etc/config/firewall | 73 ------------------
 files/files/etc/hotplug.d/iface/20-nftables | 9 +++
 files/files/etc/init.d/nftables | 28 +++++++
 files/files/etc/ruleset.nft | 115 ++++++++++++++++++++++++++++
 5 files changed, 160 insertions(+), 141 deletions(-)
 delete mode 100644 files/files/etc/config/firewall
 create mode 100755 files/files/etc/hotplug.d/iface/20-nftables
 create mode 100755 files/files/etc/init.d/nftables
 create mode 100644 files/files/etc/ruleset.nft
diff --git a/files/.config b/files/.config
index 32d2146..1379f21 100644
--- a/files/.config
+++ b/files/.config
@@ -3442,12 +3442,12 @@ CONFIG_PACKAGE_kmod-nf-nat6=m
 # CONFIG_PACKAGE_kmod-nf-nathelper-extra is not set
 CONFIG_PACKAGE_kmod-nf-reject=y
 CONFIG_PACKAGE_kmod-nf-reject6=y
-CONFIG_PACKAGE_kmod-nfnetlink=m
+CONFIG_PACKAGE_kmod-nfnetlink=y
 # CONFIG_PACKAGE_kmod-nfnetlink-log is not set
 # CONFIG_PACKAGE_kmod-nfnetlink-queue is not set
 # CONFIG_PACKAGE_kmod-nft-arp is not set
 # CONFIG_PACKAGE_kmod-nft-bridge is not set
-CONFIG_PACKAGE_kmod-nft-core=m
+CONFIG_PACKAGE_kmod-nft-core=y
 CONFIG_PACKAGE_kmod-nft-fib=m
 CONFIG_PACKAGE_kmod-nft-nat=m
 CONFIG_PACKAGE_kmod-nft-nat6=m
@@ -4963,7 +4963,7 @@ CONFIG_WOLFSSL_HAS_NO_HW=y
 # CONFIG_PACKAGE_icu is not set
 # CONFIG_PACKAGE_icu-data-tools is not set
 # CONFIG_PACKAGE_icu-full-data is not set
-CONFIG_PACKAGE_jansson=m
+CONFIG_PACKAGE_jansson=y
 # CONFIG_PACKAGE_json-glib is not set
 # CONFIG_PACKAGE_jsoncpp is not set
 # CONFIG_PACKAGE_knot-libs is not set
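Review bot: `CONFIG_PACKAGE_kmod-nft-core` and `CONFIG_PACKAGE_kmod-nfnetlink` are promoted to `=y` in the first hunk, but `CONFIG_PACKAGE_kmod-nft-fib=m`, `CONFIG_PACKAGE_kmod-nft-nat=m` and `CONFIG_PACKAGE_kmod-nft-nat6=m` on the three context lines right after them stay `=m`, which in an OpenWrt .config builds the package but does not install it into the image. Any `fib` expression or `nat` chain in the new `files/files/etc/ruleset.nft` (added by this commit but not visible in this chunk) would then fail to load, and because `nft -f` applies a ruleset atomically the whole ruleset would be rejected rather than just those rules. If the ruleset uses them, switch those three lines to `=y` alongside nft-core; if it does not, a one-line note in the commit message saying so would spare the next reader the check.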
@@ -5109,7 +5109,7 @@ CONFIG_PACKAGE_liblua=y # CONFIG_PACKAGE_libmilter-sendmail is not set # CONFIG_PACKAGE_libminiupnpc is not set # CONFIG_PACKAGE_libmms is not set -CONFIG_PACKAGE_libmnl=m +CONFIG_PACKAGE_libmnl=y # CONFIG_PACKAGE_libmodbus is not set # CONFIG_PACKAGE_libmosquitto-nossl is not set # CONFIG_PACKAGE_libmosquitto-ssl is not set @@ -5133,7 +5133,7 @@ CONFIG_PACKAGE_libncurses=y # CONFIG_PACKAGE_libnettle is not set # CONFIG_PACKAGE_libnewt is not set # CONFIG_PACKAGE_libnfnetlink is not set -CONFIG_PACKAGE_libnftnl=m +CONFIG_PACKAGE_libnftnl=y # CONFIG_PACKAGE_libnghttp2 is not set # CONFIG_PACKAGE_libnl is not set # CONFIG_PACKAGE_libnl-core is not set @@ -5496,7 +5496,6 @@ CONFIG_LUCI_CSSTIDY=y # CONFIG_PACKAGE_luci-app-smartdns is not set # CONFIG_PACKAGE_luci-app-snmpd is not set # CONFIG_PACKAGE_luci-app-softether is not set -# CONFIG_PACKAGE_luci-app-splash is not set # CONFIG_PACKAGE_luci-app-sqm is not set # CONFIG_PACKAGE_luci-app-squid is not set # CONFIG_PACKAGE_luci-app-statistics is not set @@ -5667,12 +5666,7 @@ CONFIG_PACKAGE_luci-lib-nixio_notls=y # # Captive Portals # -# CONFIG_PACKAGE_apfree-wifidog is not set # CONFIG_PACKAGE_coova-chilli is not set -# CONFIG_PACKAGE_nodogsplash is not set -# CONFIG_PACKAGE_opennds is not set -# CONFIG_PACKAGE_wifidog is not set -# CONFIG_PACKAGE_wifidog-tls is not set # end of Captive Portals # 
@@ -5738,57 +5732,11 @@ CONFIG_PACKAGE_luci-lib-nixio_notls=y # CONFIG_PACKAGE_ebtables is not set # CONFIG_PACKAGE_fwknop is not set # CONFIG_PACKAGE_fwknopd is not set -CONFIG_PACKAGE_ip6tables=y -# CONFIG_PACKAGE_ip6tables-extra is not set -# CONFIG_PACKAGE_ip6tables-mod-nat is not set -CONFIG_PACKAGE_iptables=y +# CONFIG_PACKAGE_ip6tables is not set +# CONFIG_PACKAGE_iptables is not set # CONFIG_IPTABLES_CONNLABEL is not set # CONFIG_IPTABLES_NFTABLES is not set -# CONFIG_PACKAGE_iptables-mod-account is not set -# CONFIG_PACKAGE_iptables-mod-chaos is not set -# CONFIG_PACKAGE_iptables-mod-checksum is not set -# CONFIG_PACKAGE_iptables-mod-cluster is not set -# CONFIG_PACKAGE_iptables-mod-clusterip is not set -# CONFIG_PACKAGE_iptables-mod-condition is not set -# CONFIG_PACKAGE_iptables-mod-conntrack-extra is not set -# CONFIG_PACKAGE_iptables-mod-delude is not set -# CONFIG_PACKAGE_iptables-mod-dhcpmac is not set -# CONFIG_PACKAGE_iptables-mod-dnetmap is not set -# CONFIG_PACKAGE_iptables-mod-extra is not set -# CONFIG_PACKAGE_iptables-mod-filter is not set -# CONFIG_PACKAGE_iptables-mod-fuzzy is not set -# CONFIG_PACKAGE_iptables-mod-geoip is not set -# CONFIG_PACKAGE_iptables-mod-hashlimit is not set -# CONFIG_PACKAGE_iptables-mod-iface is not set -# CONFIG_PACKAGE_iptables-mod-ipmark is not set -# CONFIG_PACKAGE_iptables-mod-ipopt is not set -# CONFIG_PACKAGE_iptables-mod-ipp2p is not set -# CONFIG_PACKAGE_iptables-mod-iprange is not set -# CONFIG_PACKAGE_iptables-mod-ipsec is not set -# CONFIG_PACKAGE_iptables-mod-ipv4options is not set -# CONFIG_PACKAGE_iptables-mod-led is not set -# CONFIG_PACKAGE_iptables-mod-length2 is not set -# CONFIG_PACKAGE_iptables-mod-logmark is not set -# CONFIG_PACKAGE_iptables-mod-lscan is not set -# CONFIG_PACKAGE_iptables-mod-lua is not set -# CONFIG_PACKAGE_iptables-mod-nat-extra is not set -# CONFIG_PACKAGE_iptables-mod-nflog is not set -# CONFIG_PACKAGE_iptables-mod-nfqueue is not set -# CONFIG_PACKAGE_iptables-mod-physdev 
is not set -# CONFIG_PACKAGE_iptables-mod-proto is not set -# CONFIG_PACKAGE_iptables-mod-psd is not set -# CONFIG_PACKAGE_iptables-mod-quota2 is not set -# CONFIG_PACKAGE_iptables-mod-rpfilter is not set # CONFIG_PACKAGE_iptables-mod-rtpengine is not set -# CONFIG_PACKAGE_iptables-mod-sysrq is not set -# CONFIG_PACKAGE_iptables-mod-tarpit is not set -# CONFIG_PACKAGE_iptables-mod-tee is not set -# CONFIG_PACKAGE_iptables-mod-tproxy is not set -# CONFIG_PACKAGE_iptables-mod-trace is not set -# CONFIG_PACKAGE_iptables-mod-u32 is not set -# CONFIG_PACKAGE_iptables-mod-ulog is not set -# CONFIG_PACKAGE_iptaccount is not set -# CONFIG_PACKAGE_iptgeoip is not set # # Select iptgeoip options @@ -5800,7 +5748,7 @@ CONFIG_PACKAGE_iptables=y # CONFIG_PACKAGE_miniupnpd-iptables is not set # CONFIG_PACKAGE_miniupnpd-nftables is not set # CONFIG_PACKAGE_natpmpc is not set -CONFIG_PACKAGE_nftables-json=m +CONFIG_PACKAGE_nftables-json=y # CONFIG_PACKAGE_nftables-nojson is not set # CONFIG_PACKAGE_shorewall is not set # CONFIG_PACKAGE_shorewall-core is not set @@ -6233,7 +6181,6 @@ CONFIG_LLDPD_WITH_CUSTOM=y # CONFIG_PACKAGE_chaosvpn is not set # CONFIG_PACKAGE_eoip is not set # CONFIG_PACKAGE_fastd is not set -# CONFIG_PACKAGE_libreswan is not set # CONFIG_PACKAGE_ocserv is not set # CONFIG_PACKAGE_openconnect is not set # CONFIG_PACKAGE_openfortivpn is not set @@ -6250,7 +6197,6 @@ CONFIG_LLDPD_WITH_CUSTOM=y # CONFIG_PACKAGE_softethervpn5-client is not set # CONFIG_PACKAGE_softethervpn5-server is not set # CONFIG_PACKAGE_sstp-client is not set -# CONFIG_PACKAGE_strongswan is not set # CONFIG_PACKAGE_tailscale is not set # CONFIG_PACKAGE_tailscaled is not set # CONFIG_PACKAGE_tinc is not set 
@@ -6317,7 +6263,6 @@ CONFIG_PACKAGE_wireguard-tools=y # CONFIG_PACKAGE_shadowsocks-libev-config is not set # CONFIG_PACKAGE_shadowsocks-libev-ss-local is not set # CONFIG_PACKAGE_shadowsocks-libev-ss-redir is not set -# CONFIG_PACKAGE_shadowsocks-libev-ss-rules is not set # CONFIG_PACKAGE_shadowsocks-libev-ss-server is not set # CONFIG_PACKAGE_shadowsocks-libev-ss-tunnel is not set # CONFIG_PACKAGE_sockd is not set @@ -6328,7 +6273,6 @@ CONFIG_PACKAGE_wireguard-tools=y # CONFIG_PACKAGE_trojan-go is not set # CONFIG_PACKAGE_uhttpd is not set # CONFIG_PACKAGE_uwsgi is not set -# CONFIG_PACKAGE_v2raya is not set # end of Web Servers/Proxies # @@ -6437,7 +6381,6 @@ CONFIG_PACKAGE_wpad-openssl=y # CONFIG_PACKAGE_coap-server is not set # CONFIG_PACKAGE_conserver is not set # CONFIG_PACKAGE_crowdsec is not set -# CONFIG_PACKAGE_crowdsec-firewall-bouncer is not set # CONFIG_PACKAGE_cshark is not set # CONFIG_PACKAGE_daemonlogger is not set # CONFIG_PACKAGE_darkstat is not set @@ -6450,7 +6393,6 @@ CONFIG_PACKAGE_wpad-openssl=y # CONFIG_PACKAGE_ds-lite is not set # CONFIG_PACKAGE_esniper is not set # CONFIG_PACKAGE_etherwake is not set -# CONFIG_PACKAGE_etherwake-nfqueue is not set # CONFIG_PACKAGE_ethtool is not set # CONFIG_PACKAGE_ethtool-full is not set # CONFIG_PACKAGE_fail2ban is not set @@ -6512,7 +6454,6 @@ CONFIG_PACKAGE_iw=y # CONFIG_PACKAGE_mac-telnet-discover is not set # CONFIG_PACKAGE_mac-telnet-ping is not set # CONFIG_PACKAGE_mac-telnet-server is not set -# CONFIG_PACKAGE_map is not set # CONFIG_PACKAGE_mbusd is not set # CONFIG_PACKAGE_mdns-repeater is not set # CONFIG_PACKAGE_memcached is not set @@ -7075,7 +7016,6 @@ CONFIG_PACKAGE_sunwait=y # CONFIG_PACKAGE_dmesg is not set # CONFIG_PACKAGE_docker is not set # CONFIG_PACKAGE_docker-compose is not set -# CONFIG_PACKAGE_dockerd is not set # CONFIG_PACKAGE_domoticz is not set # CONFIG_PACKAGE_dropbearconvert is not set # CONFIG_PACKAGE_dtc is not set 
diff --git a/files/files/etc/config/firewall b/files/files/etc/config/firewall
deleted file mode 100644
index f2675d4..0000000
--- a/files/files/etc/config/firewall
+++ /dev/null
@@ -1,73 +0,0 @@
-config defaults
- option synflood_protect '1'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
-
-config zone 'lan'
- option name 'lan'
- list network 'lan'
- option input 'DROP'
- option output 'DROP'
- option forward 'DROP'
-
-config zone 'mgmt'
- option name 'mgmt'
- list network 'mgmt'
-
-config rule
- option name 'Allow-Ping'
- option src '*'
- option proto 'icmp'
- option icmp_type 'echo-request'
- option family 'ipv4'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-ICMPv6-Input'
- option src '*'
- option proto 'icmp'
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- list icmp_type 'router-solicitation'
- list icmp_type 'neighbour-solicitation'
- list icmp_type 'router-advertisement'
- list icmp_type 'neighbour-advertisement'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-ICMPv6-Forward'
- option src '*'
- option dest '*'
- option proto 'icmp'
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-SSH'
- option src 'mgmt'
- option dest_port '22'
- option proto 'tcp'
- option target 'ACCEPT'
-
-config rule
- option name 'Allow-Prometheus'
- option src 'mgmt'
- option dest_port '9100'
- option proto 'tcp'
- option target 'ACCEPT'
diff --git a/files/files/etc/hotplug.d/iface/20-nftables b/files/files/etc/hotplug.d/iface/20-nftables
new file mode 100755
index 0000000..4fdcad8
--- /dev/null
+++ b/files/files/etc/hotplug.d/iface/20-nftables
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
+[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)"
+/etc/init.d/firewall reload
\ No newline at end of file
diff --git a/files/files/etc/init.d/nftables b/files/files/etc/init.d/nftables
new file mode 100755
index 0000000..40bc1b6
--- /dev/null
+++ b/files/files/etc/init.d/nftables
@@ -0,0 +1,28 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+USE_PROCD=1
+QUIET=""
+
+service_triggers() {
+ procd_add_reload_trigger firewall
+}
+
+restart() {
+ reload_service
+}
+
+start_service() {
+ nft -f - <
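Review bot: The hotplug script checks and reloads `/etc/init.d/firewall`, but the service this commit adds is `/etc/init.d/nftables` (per the `+++ b/files/files/etc/init.d/nftables` header that follows) and the fw3 configuration `/etc/config/firewall` is deleted. If the fw3 `firewall` init script is no longer on the image, `/etc/init.d/firewall enabled` fails and the hook exits 0 silently, so the nft ruleset is never reapplied on ifup/ifupdate; if fw3 is still installed, the hook reloads fw3 rather than the new ruleset. Pointing both calls at the new service, `/etc/init.d/nftables enabled || exit 0` and `/etc/init.d/nftables reload`, keeps the hook and the service consistent, and the logger tag would then better read `-t nftables`. The file also lacks a trailing newline, and since this is `#!/bin/sh` the obsolescent `-a`/`-o` test operators could be split into two `[ ]` tests joined by `&&`/`||` for portability across shells.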