firewall: switch to nftables

.github/labeler.yml

@@ -28,7 +28,7 @@
   - package/gluon-mesh-vpn-fastd/**
 "3. topic: firewall":
   - package/**/*-firewall
-  - package/gluon-ebtables-*/**
+  - package/gluon-nftables-*/**
 "3. topic: hardware":
   - package/gluon-core/luasrc/lib/gluon/upgrade/010-primary-mac
   - package/gluon-core/luasrc/usr/lib/lua/gluon/platform.lua

.luacheckrc

@@ -81,10 +81,17 @@ files["package/**/luasrc/lib/gluon/**/controller/*"] = {
 	},
 }
 
-files["package/**/luasrc/lib/gluon/ebtables/*"] = {
+files["package/**/luasrc/lib/gluon/nftables/*"] = {
 	read_globals = {
-		"chain",
+		"path",
+		"include",
 		"rule",
+
+		"bridge_rule",
+		"bridge_chain",
+		"bridge_table",
+		"bridge_include_rule",
+		"bridge_include_table",
 	},
 	max_line_length = false,
 }

contrib/ci/olsr-site/site.mk

@@ -7,9 +7,6 @@
 
 GLUON_FEATURES := \
 	autoupdater \
-	ebtables-filter-multicast \
-	ebtables-filter-ra-dhcp \
-	ebtables-limit-arp \
 	mesh-olsrd \
 	mesh-vpn-fastd \
 	respondd \

docs/dev/packages.rst

@@ -29,10 +29,10 @@ the workflow using these scripts:
   contrib/run_qemu.sh output/images/factory/[...]-x86-64.img
 
   # apply changes to the desired package
-  vi package/gluon-ebtables/files/etc/init.d/gluon-ebtables
+  vi package/gluon-nftables/files/etc/init.d/gluon-nftables
 
   # rebuild and push the package to the qemu instance
-  contrib/push_pkg.sh package/gluon-ebtables/
+  contrib/push_pkg.sh package/gluon-nftables/
 
   # test your changes
   ...
@@ -41,7 +41,7 @@ the workflow using these scripts:
   ...
 
   # rebuild and push the package to the qemu instance
-  contrib/push_pkg.sh package/gluon-ebtables/
+  contrib/push_pkg.sh package/gluon-nftables/
 
   # test your changes
   ...
@@ -83,7 +83,7 @@ Note that:
 * If you add new packages, you must run ``make update config GLUON_TARGET=...``.
 * You can change the gluon target of the target machine via ``make config GLUON_TARGET=...``.
 * If you want to update the ``site.conf`` of the target machine, use ``push_pkg.sh package/gluon-site/``.
-* Sometimes when things break, you can heal them by compiling a package with its dependencies: ``cd openwrt; make package/gluon-ebtables/clean; make package/gluon-ebtables/compile; cd ..``.
+* Sometimes when things break, you can heal them by compiling a package with its dependencies: ``cd openwrt; make package/gluon-nftables/clean; make package/gluon-nftables/compile; cd ..``.
 * You can exit qemu by pressing ``CTRL + a`` and ``c`` afterwards.
 
 Gluon package makefiles

docs/index.rst

@@ -62,10 +62,10 @@ Several Freifunk communities in Germany use Gluon as the foundation of their Fre
 
   package/gluon-client-bridge
   package/gluon-config-mode-domain-select
-  package/gluon-ebtables-filter-multicast
-  package/gluon-ebtables-filter-ra-dhcp
-  package/gluon-ebtables-limit-arp
-  package/gluon-ebtables-source-filter
+  package/gluon-nftables-filter-multicast
+  package/gluon-nftables-filter-ra-dhcp
+  package/gluon-nftables-limit-arp
+  package/gluon-nftables-source-filter
   package/gluon-hoodselector
   package/gluon-logging
   package/gluon-mesh-batman-adv

docs/multidomain-site-example/site.mk

@@ -7,9 +7,9 @@
 
 GLUON_FEATURES := \
 	autoupdater \
-	ebtables-filter-multicast \
-	ebtables-filter-ra-dhcp \
-	ebtables-limit-arp \
+	nftables-filter-multicast \
+	nftables-filter-ra-dhcp \
+	nftables-limit-arp \
 	mesh-batman-adv-15 \
 	mesh-vpn-fastd \
 	respondd \

docs/package/gluon-mesh-batman-adv.rst

@@ -13,7 +13,7 @@ domain and will see each other "as if they were connected to one giant switch".
 This comes with a set of advantages (like quick and economical client device roaming,
 layer 3 protocol agnosticism, broadcast/multicast). But also impediments, especially
 layer 2 multicast overhead - which Gluon tries to mitigate to achieve a certain degree
-of scalability. See :doc:`gluon-ebtables-filter-multicast` and
+of scalability. See :doc:`gluon-nftables-filter-multicast` and
 :ref:`batman-adv-multicast-architecture` for details.
 
 B.A.T.M.A.N. Advanced project homepage:
@@ -53,9 +53,9 @@ While generally broadcast capability is a nice feature of a layer 2
 mesh protocol, it quickly reaches its limit.
 
 For meshes with about **50 nodes / 100 clients, or more** it is therefore highly
-recommended to add the :doc:`gluon-ebtables-filter-multicast`
+recommended to add the :doc:`gluon-nftables-filter-multicast`
 package. Also, with the *mesh-batman-adv-15* feature,
-:doc:`gluon-ebtables-limit-arp` is selected by default.
+:doc:`gluon-nftables-limit-arp` is selected by default.
 
 Furthermore, by default IGMP and MLD messages are filtered. See
 :ref:`site.conf mesh section <user-site-mesh>` and

docs/package/gluon-ebtables-filter-multicast.rst → docs/package/gluon-nftables-filter-multicast.rst

@@ -1,7 +1,7 @@
-gluon-ebtables-filter-multicast
+gluon-nftables-filter-multicast
 ===============================
 
-The *gluon-ebtables-filter-multicast* package filters out various kinds of
+The *gluon-nftables-filter-multicast* package filters out various kinds of
 non-essential multicast traffic, as this traffic often constitutes a
 disproportionate burden on the mesh network. Unfortunately, this breaks many useful services
 (Avahi, Bonjour chat, ...), but this seems unavoidable, as the current Avahi implementation is

docs/package/gluon-ebtables-filter-ra-dhcp.rst → docs/package/gluon-nftables-filter-ra-dhcp.rst

@@ -1,7 +1,7 @@
-gluon-ebtables-filter-ra-dhcp
+gluon-nftables-filter-ra-dhcp
 =============================
 
-The *gluon-ebtables-filter-ra-dhcp* package tries to prevent common
+The *gluon-nftables-filter-ra-dhcp* package tries to prevent common
 misconfigurations (i.e. connecting the client interface of a Gluon
 node to a private network) from causing issues for either of the
 networks.

docs/package/gluon-ebtables-limit-arp.rst → docs/package/gluon-nftables-limit-arp.rst

@@ -1,14 +1,14 @@
-gluon-ebtables-limit-arp
+gluon-nftables-limit-arp
 ========================
 
-The *gluon-ebtables-limit-arp* package adds filters to limit the
+The *gluon-nftables-limit-arp* package adds filters to limit the
 amount of ARP requests client devices are allowed to send into the
 mesh.
 
 The limits per client device, identified by its MAC address, are
 6 packets per minute and 1 per second per node in total.
 A burst of up to 50 ARP requests is allowed until the rate-limiting
-takes effect (see ``--limit-burst`` in ``ebtables(8)``).
+takes effect (see ``--limit-burst`` in ``nftables(8)``).
 
 Furthermore, ARP requests for a target IP already present in the
 batman-adv DAT cache are excluded from rate-limiting, in regard
@@ -26,4 +26,4 @@ feature is *mesh-batman-adv-15*.
 It can be unselected via::
 
     GLUON_SITE_PACKAGES := \
-      -gluon-ebtables-limit-arp
+      -gluon-nftables-limit-arp

docs/package/gluon-ebtables-source-filter.rst → docs/package/gluon-nftables-source-filter.rst

@@ -1,7 +1,7 @@
-gluon-ebtables-source-filter
+gluon-nftables-source-filter
 ============================
 
-The *gluon-ebtables-source-filter* package adds an additional layer-2 filter
+The *gluon-nftables-source-filter* package adds an additional layer-2 filter
 ruleset to prevent unreasonable traffic entering the network via the nodes.
 Unreasonable means traffic entering the mesh via a node which source IP does
 not belong to the configured IP space.

docs/package/gluon-radv-filterd.rst

@@ -35,7 +35,7 @@ connected to the client interface via cable or WLAN instead of via the mesh
 fake TQ of 512, so that they are always preferred.
 
 Be aware of problems if you plan to use local routers together with the
-:doc:`gluon-ebtables-filter-ra-dhcp` package. These router advertisements are
+:doc:`gluon-nftables-filter-ra-dhcp` package. These router advertisements are
 filtered anyway and reach neither the node nor any other client. Therefore the
 use of local routers is not possible as long as the package
 ``gluon-radv-filterd`` is used.

docs/releases/v2017.1.rst

@@ -105,7 +105,7 @@ New features
   The new package *gluon-ebtables-source-filter* can be used to prevent traffic
   using unexpected IP addresses or packet types from entering the mesh.
 
-  See also: :doc:`../package/gluon-ebtables-source-filter`
+  See also: :doc:`../package/gluon-nftables-source-filter`
 
 Bugfixes
 ~~~~~~~~

docs/releases/v2018.2.rst

@@ -120,7 +120,7 @@ trying it out, please contact us on our mailing list or in our IRC channel.
 gluon-ebtables-limit-arp enabled by default
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-The :doc:`../package/gluon-ebtables-limit-arp` package, introduced in Gluon
+The :doc:`../package/gluon-nftables-limit-arp` package, introduced in Gluon
 2018.1, is now included by default. In case of issues, it can be removed by
 adding ``-gluon-ebtables-limit-arp`` to *GLUON_SITE_PACKAGES*.
 

docs/site-example/site.mk

@@ -7,9 +7,9 @@
 
 GLUON_FEATURES := \
 	autoupdater \
-	ebtables-filter-multicast \
-	ebtables-filter-ra-dhcp \
-	ebtables-limit-arp \
+	nftables-filter-multicast \
+	nftables-filter-ra-dhcp \
+	nftables-limit-arp \
 	mesh-batman-adv-15 \
 	mesh-vpn-fastd \
 	respondd \

package/features

@@ -38,7 +38,7 @@ when(_'web-advanced' and _'autoupdater', {
 
 
 when(_'mesh-batman-adv-15', {
-	'gluon-ebtables-limit-arp',
+	'gluon-nftables-limit-arp',
 	'gluon-radvd',
 })
 

package/gluon-core/Makefile

@@ -11,7 +11,7 @@ define Package/gluon-core
   TITLE:=Base files of Gluon
   DEPENDS:= \
 	+gluon-site +libgluonutil +libiwinfo-lua +lua-platform-info +lua-simple-uci +lua-hash +lua-jsonc \
-	+luabitop +luaposix +vxlan +odhcp6c +firewall +pretty-hostname
+	+luabitop +luaposix +vxlan +odhcp6c +firewall4 +pretty-hostname
 endef
 
 define Package/gluon-core/description