From 73a1d367abc056e86f8cd6da4685f9c64c4a724b Mon Sep 17 00:00:00 2001
From: runner02 <runner02@ffnw.de>
Date: Mon, 2 Apr 2018 19:22:28 +0200
Subject: [PATCH 7/7] backport gluon-ebtables-limit-arp
---
package/gluon-ebtables-limit-arp/Makefile | 59 ++
.../files/etc/init.d/gluon-arp-limiter | 14 +
.../files/lib/gluon/ebtables/100-arp-limit-chains | 3 +
.../files/lib/gluon/ebtables/320-arp-limit-rules | 6 +
package/gluon-ebtables-limit-arp/src/LICENSE | 339 +++++++
package/gluon-ebtables-limit-arp/src/Makefile | 14 +
package/gluon-ebtables-limit-arp/src/addr_store.c | 167 ++++
package/gluon-ebtables-limit-arp/src/addr_store.h | 33 +
.../src/gluon-arp-limiter.c | 302 +++++++
.../src/gluon-arp-limiter.h | 13 +
package/gluon-ebtables-limit-arp/src/lookup3.c | 998 +++++++++++++++++++++
package/gluon-ebtables-limit-arp/src/lookup3.h | 6 +
package/gluon-ebtables-limit-arp/src/mac.c | 47 +
package/gluon-ebtables-limit-arp/src/mac.h | 24 +
14 files changed, 2025 insertions(+)
create mode 100644 package/gluon-ebtables-limit-arp/Makefile
create mode 100755 package/gluon-ebtables-limit-arp/files/etc/init.d/gluon-arp-limiter
create mode 100644 package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/100-arp-limit-chains
create mode 100644 package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/320-arp-limit-rules
create mode 100644 package/gluon-ebtables-limit-arp/src/LICENSE
create mode 100644 package/gluon-ebtables-limit-arp/src/Makefile
create mode 100644 package/gluon-ebtables-limit-arp/src/addr_store.c
create mode 100644 package/gluon-ebtables-limit-arp/src/addr_store.h
create mode 100644 package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c
create mode 100644 package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.h
create mode 100644 package/gluon-ebtables-limit-arp/src/lookup3.c
create mode 100644 package/gluon-ebtables-limit-arp/src/lookup3.h
create mode 100644 package/gluon-ebtables-limit-arp/src/mac.c
create mode 100644 package/gluon-ebtables-limit-arp/src/mac.h
diff --git a/package/gluon-ebtables-limit-arp/Makefile b/package/gluon-ebtables-limit-arp/Makefile
new file mode 100644
index 00000000..a722e0d5
--- /dev/null
+++ b/package/gluon-ebtables-limit-arp/Makefile
@@ -0,0 +1,59 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-ebtables-limit-arp
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gluon-ebtables-limit-arp
+ SECTION:=gluon
+ CATEGORY:=Gluon
+ TITLE:=Ebtables limiter for ARP packets
+ DEPENDS:=+gluon-core +gluon-ebtables gluon-mesh-batman-adv
+endef
+
+define Package/gluon-ebtables-limit-arp/description
+ Gluon community wifi mesh firmware framework: Ebtables rules to
+ rate-limit ARP packets.
+
+ This package adds filters to limit the amount of ARP Requests
+ devices are allowed to send into the mesh. The limits are 6 packets
+ per minute per client device, by MAC address, and 1 per second per
+ node in total.
+
+ A burst of up to 50 ARP Requests is allowed until the rate-limiting
+ takes effect (see --limit-burst in the ebtables manpage).
+
+ Furthermore, ARP Requests with a target IP already present in the
+ batman-adv DAT Cache are excluded from the rate-limiting,
+ both regarding counting and filtering, as batman-adv will respond
+ locally with no burden for the mesh. Therefore, this limiter
+ should not affect popular target IPs, like gateways.
+
+ However it should mitigate the problem of curious people or
+ smart devices scanning the whole IP range. Which could create
+ a significant amount of overhead for all participants so far.
+endef
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)
+ $(CP) ./src/* $(PKG_BUILD_DIR)/
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+ $(call Build/Compile/Default)
+endef
+
+define Package/gluon-ebtables-limit-arp/install
+ $(CP) ./files/* $(1)/
+ $(INSTALL_DIR) $(1)/usr/sbin/
+ $(CP) $(PKG_BUILD_DIR)/gluon-arp-limiter $(1)/usr/sbin/gluon-arp-limiter
+endef
+
+$(eval $(call BuildPackage,gluon-ebtables-limit-arp))
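Review bot: The `Build/Compile` override at lines 291-293 only forwards to `Build/Compile/Default`, which is what package.mk applies when no override is given, so the three-line define is redundant and can be dropped; the empty `Build/Configure` is the usual way to make sure no configure step runs and can stay. The description hard-codes the limits (6/min per client, 1/sec per node, burst 50) while only the 1/sec and burst-50 values are visible in 320-arp-limit-rules in this same patch and the per-client figure presumably lives in src/gluon-arp-limiter.c, so a change to either would leave the description silently stale; a comment above the define such as `# limits below must match files/lib/gluon/ebtables/320-arp-limit-rules and src/gluon-arp-limiter.c` would flag the coupling. The `DEPENDS` line mixes `+gluon-core +gluon-ebtables` with a bare `gluon-mesh-batman-adv`; if the intent is that the package is only selectable when the batman-adv mesh is chosen rather than pulling it in, a one-line comment saying so would stop a later maintainer from "fixing" it with a `+`.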
diff --git a/package/gluon-ebtables-limit-arp/files/etc/init.d/gluon-arp-limiter b/package/gluon-ebtables-limit-arp/files/etc/init.d/gluon-arp-limiter
new file mode 100755
index 00000000..553b4e20
--- /dev/null
+++ b/package/gluon-ebtables-limit-arp/files/etc/init.d/gluon-arp-limiter
@@ -0,0 +1,14 @@
+#!/bin/sh /etc/rc.common
+
+USE_PROCD=1
+START=20
+STOP=90
+
+start_service() {
+ procd_open_instance
+ procd_set_param command /usr/sbin/gluon-arp-limiter
+ procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
+
+ procd_set_param stderr 1
+ procd_close_instance
+}
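Review bot: The init script carries no comment on what `/usr/sbin/gluon-arp-limiter` does or why `START=20`/`STOP=90` were chosen, and the ordering relative to the ebtables chains it presumably maintains and to the bat0/br-client interfaces named in 320-arp-limit-rules is the non-obvious part; a header of the form `# gluon-arp-limiter: daemon behind the ARP_LIMIT_* ebtables chains; START=20/STOP=90 because <reason>` filled in by the author would cover it. The `${respawn_threshold:-3600}`-style references at line 317 are never assigned in this file, so only the defaults take effect, which is the common procd idiom but deserves a one-line note. Nothing constrains the daemon's privileges (no `procd_set_param user`), so it runs with full rights and is respawned automatically; that is presumably required for ebtables manipulation, but the comment should state it so the choice is visibly deliberate.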
diff --git a/package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/100-arp-limit-chains b/package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/100-arp-limit-chains
new file mode 100644
index 00000000..b39b35c8
--- /dev/null
+++ b/package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/100-arp-limit-chains
@@ -0,0 +1,3 @@
+chain('ARP_LIMIT', 'DROP')
+chain('ARP_LIMIT_DATCHECK', 'RETURN')
+chain('ARP_LIMIT_TLCHECK', 'RETURN')
diff --git a/package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/320-arp-limit-rules b/package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/320-arp-limit-rules
new file mode 100644
index 00000000..416bdd96
--- /dev/null
+++ b/package/gluon-ebtables-limit-arp/files/lib/gluon/ebtables/320-arp-limit-rules
@@ -0,0 +1,6 @@
+rule('ARP_LIMIT -j ARP_LIMIT_DATCHECK')
+rule('ARP_LIMIT --mark 0x2/0x2 -j RETURN')
+rule('ARP_LIMIT -j ARP_LIMIT_TLCHECK')
+rule('ARP_LIMIT --limit 1/sec --limit-burst 50 -j RETURN')
+
+rule('FORWARD -p ARP --logical-out br-client -o bat0 --arp-op Request -j ARP_LIMIT')
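Review bot: The `--mark 0x2/0x2` test at line 338 and the `ARP_LIMIT_DATCHECK`/`ARP_LIMIT_TLCHECK` chains declared with a RETURN policy in 100-arp-limit-chains (lines 329-330) only do something if another component, presumably the gluon-arp-limiter daemon added by this same patch, populates those chains and sets that mark bit, yet neither file says so and 0x2 is a magic value shared with that daemon. Assuming these files are Lua as the `chain(...)`/`rule(...)` syntax suggests, a comment above line 337 such as `-- mark bit 0x2 is set in ARP_LIMIT_DATCHECK for targets already in the batman-adv DAT cache; both *CHECK chains are filled by gluon-arp-limiter` and a matching one in 100-arp-limit-chains would make the coupling visible. It is also worth recording that, because `ARP_LIMIT` has a DROP policy (line 328), an absent or crashed daemon leaves the two check chains empty and every client ARP Request then falls through to the node-wide `--limit 1/sec --limit-burst 50` rule, with the excess dropped — a fail-closed outcome that should be stated as intended rather than left implicit.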
diff --git a/package/gluon-ebtables-limit-arp/src/LICENSE b/package/gluon-ebtables-limit-arp/src/LICENSE
new file mode 100644
index 00000000..d159169d
--- /dev/null
+++ b/package/gluon-ebtables-limit-arp/src/LICENSE
@@ -0,0 +1,339 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the