From 8fb3a6f1bbdc705fb0f61ca4980d3a145d651adb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?= Date: Sun, 8 Jul 2018 16:43:42 +0200 Subject: [PATCH 1/7] Add method "nft" --- create_ap | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 58 insertions(+), 4 deletions(-) diff --git a/create_ap b/create_ap index 8fa6671..cef59ee 100755 --- a/create_ap +++ b/create_ap @@ -14,6 +14,10 @@ # dnsmasq # iptables +# dependencies for 'nft' Internet sharing method +# dnsmasq +# nftables + VERSION=0.4.6 PROGNAME="$(basename $0)" @@ -720,6 +724,10 @@ _cleanup() { iptables -w -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 ! -o ${WIFI_IFACE} -j MASQUERADE || die iptables -w -D FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT iptables -w -D FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT + elif [[ "$SHARE_METHOD" == "nft" ]]; then + nft del rule ip nat POSTROUTING oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade + nft del rule ip filter FORWARD iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept + nft del rule ip filter FORWARD iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept elif [[ "$SHARE_METHOD" == "bridge" ]]; then if ! is_bridge_interface $INTERNET_IFACE; then ip link set dev $BRIDGE_IFACE down @@ -759,7 +767,7 @@ _cleanup() { fi fi - if [[ "$SHARE_METHOD" != "bridge" ]]; then + if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft" ]]; then if [[ $NO_DNS -eq 0 ]]; then iptables -w -D INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT iptables -w -D INPUT -p udp -m udp --dport $DNS_PORT -j ACCEPT 
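Review bot: The three `nft del rule ip nat POSTROUTING …` / `ip filter FORWARD …` lines in the new `nft` cleanup branch cannot remove anything: nftables deletes rules only by handle (`nft delete rule ip nat <chain> handle <n>`), not by re-stating the match expression, and nothing in this patch creates chains named `POSTROUTING` or `FORWARD` in those tables, so the masquerade and forward rules added at startup survive `_cleanup`. Later patches in this series switch to dedicated chains that are flushed and deleted as a unit; if this commit is to stand on its own it should carry that approach (or capture the handles with `nft -a list chain` after adding) rather than leave stale NAT rules on the host. `_cleanup` begins and ends outside this hunk.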
@@ -771,6 +779,16 @@ _cleanup() { iptables -w -D INPUT -p udp -m udp --dport 67 -j ACCEPT fi + if [[ "$SHARE_METHOD" == "nft" ]]; then + if [[ $NO_DNS -eq 0 ]]; then + nft del rule ip filter INPUT tcp dport $DNS_PORT accept + nft del rule ip filter INPUT ucp dport $DNS_PORT accept + nft del rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT + nft del rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT + fi + nft del rule ip filter INPUT udp dport 67 accept || die + fi + if [[ $NO_VIRT -eq 0 ]]; then if [[ -n "$VWIFI_IFACE" ]]; then ip link set down dev ${VWIFI_IFACE} @@ -1350,7 +1368,7 @@ if [[ $(get_adapter_kernel_module ${WIFI_IFACE}) =~ ^(8192[cd][ue]|8723a[sue])$ fi fi -if [[ "$SHARE_METHOD" != "nat" && "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "none" ]]; then +if [[ "$SHARE_METHOD" != "nat" && "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "none" && "$SHARE_METHOD" != "nft" ]]; then echo "ERROR: Wrong Internet sharing method" >&2 echo usage >&2 @@ -1492,7 +1510,7 @@ chmod 444 $CONFDIR/pid COMMON_CONFDIR=/tmp/create_ap.common.conf mkdir -p $COMMON_CONFDIR -if [[ "$SHARE_METHOD" == "nat" ]]; then +if [[ "$SHARE_METHOD" == "nat" || "$SHARE_METHOD" == "nft" ]]; then echo $INTERNET_IFACE > $CONFDIR/nat_internet_iface cp -n /proc/sys/net/ipv4/conf/$INTERNET_IFACE/forwarding \ $COMMON_CONFDIR/${INTERNET_IFACE}_forwarding 
@@ -1723,6 +1741,14 @@ if [[ "$SHARE_METHOD" != "none" ]]; then # to enable clients to establish PPTP connections we must # load nf_nat_pptp module modprobe nf_nat_pptp > /dev/null 2>&1 + elif [[ "$SHARE_METHOD" == "nft" ]]; then + nft table ip nat + nft add rule ip nat POSTROUTING oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade + nft add rule ip filter FORWARD iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept + nft add rule ip filter FORWARD iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept + echo 1 > /proc/sys/net/ipv4/conf/$INTERNET_IFACE/forwarding || die + echo 1 > /proc/sys/net/ipv4/ip_forward || die + modprobe nf_nat_pptp > /dev/null 2>&1 elif [[ "$SHARE_METHOD" == "bridge" ]]; then # disable iptables rules for bridged interfaces if [[ -e /proc/sys/net/bridge/bridge-nf-call-iptables ]]; then @@ -1798,7 +1824,7 @@ else fi # start dhcp + dns (optional) -if [[ "$SHARE_METHOD" != "bridge" ]]; then +if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft"]]; then if [[ $NO_DNS -eq 0 ]]; then DNS_PORT=5353 iptables -w -I INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT || die 
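Review bot: In the new `nft` branch the rules are added to `ip nat POSTROUTING` and `ip filter FORWARD`, but this patch only runs `nft table ip nat` (which creates the table, not a chain) and never creates `ip filter` at all, so on a clean nftables host all three `nft add rule` calls fail with "no such chain"; it may appear to work only where iptables-nft has already created tables and chains of exactly those names. Because none of the nft lines carry `|| die` while the two `echo 1 > …` lines that follow do, the failure is silent and the host ends up with IP forwarding enabled on $INTERNET_IFACE and no masquerade or forward rules at all, which is the opposite of fail-closed. Create the base chains explicitly before adding rules (e.g. `nft add chain ip nat create_ap_postrouting '{ type nat hook postrouting priority 100; }'`, srcnat conventionally running at priority 100) and put `|| die` on every nft command, matching the `|| die` the iptables path uses. The `if [[ "$SHARE_METHOD" != "none" ]]` block starts and ends outside this hunk.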
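Review bot: `"$SHARE_METHOD" != "nft"]]` is missing the space before `]]`, so bash reads `"nft"]]` as one word, never finds the closing `]]`, and aborts with a syntax error when execution reaches this line; since the condition itself is malformed this breaks every sharing method, not just `nft`, and it happens after the forwarding sysctls and NAT rules from the earlier hunk have already been applied. The fix is the single character in `if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft" ]]; then`, which PATCH 2/7 of this series applies; squashing it into this commit keeps the history bisectable. The `if` body continues past the end of this hunk.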
@@ -1826,6 +1852,34 @@ if [[ "$SHARE_METHOD" != "bridge" ]]; then fi fi +# start dhcp + dns (optional) +if [[ "$SHARE_METHOD" == "nft"]]; then + if [[ $NO_DNS -eq 0 ]]; then + DNS_PORT=5353 + nft insert rule ip filter INPUT tcp dport $DNS_PORT accept || die + nft insert rule ip filter INPUT ucp dport $DNS_PORT accept || die + nft insert rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT || die + nft insert rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT || die + else + DNS_PORT=0 + fi + + if [[ $NO_DNSMASQ -eq 0 ]]; then + nft insert rule ip filter INPUT udp dport 67 accept || die + + if which complain > /dev/null 2>&1; then + # openSUSE's apparmor does not allow dnsmasq to read files. + # remove restriction. + complain dnsmasq + fi + + umask 0033 + dnsmasq -C $CONFDIR/dnsmasq.conf -x $CONFDIR/dnsmasq.pid -l $CONFDIR/dnsmasq.leases -p $DNS_PORT || die + umask $SCRIPT_UMASK + fi +fi + + # start access point echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl" From 680a47f7c0bcbbf5ede3e8516ea6c7dbdab8f730 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?= Date: Sun, 8 Jul 2018 16:55:56 +0200 Subject: [PATCH 2/7] nftables cleanup --- create_ap | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/create_ap b/create_ap index cef59ee..467dfa7 100755 --- a/create_ap +++ b/create_ap 
@@ -1742,10 +1742,13 @@ if [[ "$SHARE_METHOD" != "none" ]]; then # load nf_nat_pptp module modprobe nf_nat_pptp > /dev/null 2>&1 elif [[ "$SHARE_METHOD" == "nft" ]]; then + nft table ip filter + nft add chain ip filter forward { type filter hook forward priority 0\; } nft table ip nat - nft add rule ip nat POSTROUTING oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade - nft add rule ip filter FORWARD iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept - nft add rule ip filter FORWARD iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept + nft add chain ip nat postrouting { type nat hook postrouting priority 0\; } + nft add rule ip nat postrouting oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade + nft add rule ip filter forward iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept + nft add rule ip filter forward iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept echo 1 > /proc/sys/net/ipv4/conf/$INTERNET_IFACE/forwarding || die echo 1 > /proc/sys/net/ipv4/ip_forward || die modprobe nf_nat_pptp > /dev/null 2>&1 @@ -1824,7 +1827,7 @@ else fi # start dhcp + dns (optional) -if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft"]]; then +if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft" ]]; then if [[ $NO_DNS -eq 0 ]]; then DNS_PORT=5353 iptables -w -I INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT || die 
@@ -1853,13 +1856,15 @@ if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft"]]; then fi # start dhcp + dns (optional) -if [[ "$SHARE_METHOD" == "nft"]]; then +if [[ "$SHARE_METHOD" == "nft" ]]; then if [[ $NO_DNS -eq 0 ]]; then DNS_PORT=5353 - nft insert rule ip filter INPUT tcp dport $DNS_PORT accept || die - nft insert rule ip filter INPUT ucp dport $DNS_PORT accept || die - nft insert rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT || die - nft insert rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT || die + nft add chain ip filter input { type filter hook input priority 0\; } + nft insert rule ip filter input tcp dport $DNS_PORT accept || die + nft insert rule ip filter input udp dport $DNS_PORT accept || die + nft add chain ip nat prerouting { type nat hook prerouting priority 0\; } + nft insert rule ip nat prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT || die + nft insert rule ip nat prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT || die else DNS_PORT=0 fi From 149d2319cbd922d1bccf8aa993e1fb1e9d197052 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?= Date: Wed, 11 Jul 2018 11:06:56 +0200 Subject: [PATCH 3/7] nft move rules to custom chains --- create_ap | 126 ++++++++++++++++++++++++++---------------------------- 1 file changed, 60 insertions(+), 66 deletions(-) diff --git a/create_ap b/create_ap index 467dfa7..c3a41f1 100755 --- a/create_ap +++ b/create_ap 
@@ -719,55 +719,54 @@ _cleanup() { rm -rf $COMMON_CONFDIR fi - if [[ "$SHARE_METHOD" != "none" ]]; then - if [[ "$SHARE_METHOD" == "nat" ]]; then - iptables -w -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 ! -o ${WIFI_IFACE} -j MASQUERADE || die - iptables -w -D FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT - iptables -w -D FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT - elif [[ "$SHARE_METHOD" == "nft" ]]; then - nft del rule ip nat POSTROUTING oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade - nft del rule ip filter FORWARD iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept - nft del rule ip filter FORWARD iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept - elif [[ "$SHARE_METHOD" == "bridge" ]]; then - if ! is_bridge_interface $INTERNET_IFACE; then - ip link set dev $BRIDGE_IFACE down - ip link set dev $INTERNET_IFACE down - ip link set dev $INTERNET_IFACE promisc off - ip link set dev $INTERNET_IFACE nomaster - ip link delete $BRIDGE_IFACE type bridge - ip addr flush $INTERNET_IFACE - ip link set dev $INTERNET_IFACE up - dealloc_iface $BRIDGE_IFACE - - for x in "${IP_ADDRS[@]}"; do - x="${x/inet/}" - x="${x/secondary/}" - x="${x/dynamic/}" - x=$(echo $x | sed 's/\([0-9]\)sec/\1/g') - x="${x/${INTERNET_IFACE}/}" - ip addr add $x dev $INTERNET_IFACE - done - - ip route flush dev $INTERNET_IFACE - - for x in "${ROUTE_ADDRS[@]}"; do - [[ -z "$x" ]] && continue - [[ "$x" == default* ]] && continue - ip route add $x dev $INTERNET_IFACE - done - - for x in "${ROUTE_ADDRS[@]}"; do - [[ -z "$x" ]] && continue - [[ "$x" != default* ]] && continue - ip route add $x dev $INTERNET_IFACE - done - - networkmanager_rm_unmanaged_if_needed $INTERNET_IFACE - fi + if [[ "$SHARE_METHOD" == "nat" ]]; then + iptables -w -t nat -D POSTROUTING -s ${GATEWAY%.*}.0/24 ! 
-o ${WIFI_IFACE} -j MASQUERADE || die + iptables -w -D FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT + iptables -w -D FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT + elif [[ "$SHARE_METHOD" == "nft" ]]; then + nft delete rule ip nat create_ap_postrouting + nft delete chain ip nat create_ap_postrouting + nft delete rule ip filter create_ap_forward + nft delete chain ip filter create_ap_forward + elif [[ "$SHARE_METHOD" == "bridge" ]]; then + if ! is_bridge_interface $INTERNET_IFACE; then + ip link set dev $BRIDGE_IFACE down + ip link set dev $INTERNET_IFACE down + ip link set dev $INTERNET_IFACE promisc off + ip link set dev $INTERNET_IFACE nomaster + ip link delete $BRIDGE_IFACE type bridge + ip addr flush $INTERNET_IFACE + ip link set dev $INTERNET_IFACE up + dealloc_iface $BRIDGE_IFACE + + for x in "${IP_ADDRS[@]}"; do + x="${x/inet/}" + x="${x/secondary/}" + x="${x/dynamic/}" + x=$(echo $x | sed 's/\([0-9]\)sec/\1/g') + x="${x/${INTERNET_IFACE}/}" + ip addr add $x dev $INTERNET_IFACE + done + + ip route flush dev $INTERNET_IFACE + + for x in "${ROUTE_ADDRS[@]}"; do + [[ -z "$x" ]] && continue + [[ "$x" == default* ]] && continue + ip route add $x dev $INTERNET_IFACE + done + + for x in "${ROUTE_ADDRS[@]}"; do + [[ -z "$x" ]] && continue + [[ "$x" != default* ]] && continue + ip route add $x dev $INTERNET_IFACE + done + + networkmanager_rm_unmanaged_if_needed $INTERNET_IFACE fi fi - if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft" ]]; then + if [[ "$SHARE_METHOD" == "none" || "$SHARE_METHOD" == "nat" ]]; then if [[ $NO_DNS -eq 0 ]]; then iptables -w -D INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT iptables -w -D INPUT -p udp -m udp --dport $DNS_PORT -j ACCEPT 
@@ -780,13 +779,10 @@ _cleanup() { fi if [[ "$SHARE_METHOD" == "nft" ]]; then - if [[ $NO_DNS -eq 0 ]]; then - nft del rule ip filter INPUT tcp dport $DNS_PORT accept - nft del rule ip filter INPUT ucp dport $DNS_PORT accept - nft del rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT - nft del rule ip nat PREROUTING ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT - fi - nft del rule ip filter INPUT udp dport 67 accept || die + nft delete rule ip filter create_ap_input + nft delete chain ip filter create_ap_input + nft delete rule ip nat create_ap_input + nft delete chain ip nat create_ap_input fi if [[ $NO_VIRT -eq 0 ]]; then @@ -1743,12 +1739,12 @@ if [[ "$SHARE_METHOD" != "none" ]]; then modprobe nf_nat_pptp > /dev/null 2>&1 elif [[ "$SHARE_METHOD" == "nft" ]]; then nft table ip filter - nft add chain ip filter forward { type filter hook forward priority 0\; } + nft add chain ip filter create_ap_forward { type filter hook forward priority 0\; } nft table ip nat - nft add chain ip nat postrouting { type nat hook postrouting priority 0\; } - nft add rule ip nat postrouting oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade - nft add rule ip filter forward iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept - nft add rule ip filter forward iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept + nft add chain ip nat create_ap_postrouting { type nat hook postrouting priority 0\; } + nft add rule ip nat create_ap_postrouting oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade + nft add rule ip filter create_ap_forward iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept + nft add rule ip filter create_ap_forward iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept echo 1 > /proc/sys/net/ipv4/conf/$INTERNET_IFACE/forwarding || die echo 1 > /proc/sys/net/ipv4/ip_forward || die modprobe nf_nat_pptp > /dev/null 2>&1 
@@ -1827,7 +1823,7 @@ else fi # start dhcp + dns (optional) -if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft" ]]; then +if [[ "$SHARE_METHOD" == "none" || "$SHARE_METHOD" == "nat" ]]; then if [[ $NO_DNS -eq 0 ]]; then DNS_PORT=5353 iptables -w -I INPUT -p tcp -m tcp --dport $DNS_PORT -j ACCEPT || die @@ -1853,16 +1849,13 @@ if [[ "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "nft" ]]; then dnsmasq -C $CONFDIR/dnsmasq.conf -x $CONFDIR/dnsmasq.pid -l $CONFDIR/dnsmasq.leases -p $DNS_PORT || die umask $SCRIPT_UMASK fi -fi - -# start dhcp + dns (optional) -if [[ "$SHARE_METHOD" == "nft" ]]; then +elif [[ "$SHARE_METHOD" == "nft" ]]; then if [[ $NO_DNS -eq 0 ]]; then DNS_PORT=5353 - nft add chain ip filter input { type filter hook input priority 0\; } + nft add chain ip filter create_ap_input { type filter hook input priority 0\; } nft insert rule ip filter input tcp dport $DNS_PORT accept || die nft insert rule ip filter input udp dport $DNS_PORT accept || die - nft add chain ip nat prerouting { type nat hook prerouting priority 0\; } + nft add chain ip nat create_ap_prerouting { type nat hook prerouting priority 0\; } nft insert rule ip nat prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT || die nft insert rule ip nat prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT || die else @@ -1870,7 +1863,8 @@ if [[ "$SHARE_METHOD" == "nft" ]]; then fi if [[ $NO_DNSMASQ -eq 0 ]]; then - nft insert rule ip filter INPUT udp dport 67 accept || die + nft add chain ip filter create_ap_input { type filter hook input priority 0\; } + nft insert rule ip filter create_ap_input udp dport 67 accept || die if which complain > /dev/null 2>&1; then # openSUSE's apparmor does not allow dnsmasq to read files. From f56fd7e001af758ddb747e69a1b0861b12c2d407 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?= Date: Wed, 11 Jul 2018 11:21:26 +0200 Subject: [PATCH 4/7] nftables proper custom chains delete --- create_ap | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/create_ap b/create_ap index c3a41f1..6b39784 100755 --- a/create_ap +++ b/create_ap @@ -781,8 +781,8 @@ _cleanup() { if [[ "$SHARE_METHOD" == "nft" ]]; then nft delete rule ip filter create_ap_input nft delete chain ip filter create_ap_input - nft delete rule ip nat create_ap_input - nft delete chain ip nat create_ap_input + nft delete rule ip nat create_ap_prerouting + nft delete chain ip nat create_ap_prerouting fi if [[ $NO_VIRT -eq 0 ]]; then @@ -1853,11 +1853,11 @@ elif [[ "$SHARE_METHOD" == "nft" ]]; then if [[ $NO_DNS -eq 0 ]]; then DNS_PORT=5353 nft add chain ip filter create_ap_input { type filter hook input priority 0\; } - nft insert rule ip filter input tcp dport $DNS_PORT accept || die - nft insert rule ip filter input udp dport $DNS_PORT accept || die + nft insert rule ip filter create_ap_input tcp dport $DNS_PORT accept || die + nft insert rule ip filter create_ap_input udp dport $DNS_PORT accept || die nft add chain ip nat create_ap_prerouting { type nat hook prerouting priority 0\; } - nft insert rule ip nat prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT || die - nft insert rule ip nat prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT || die + nft insert rule ip nat create_ap_prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT || die + nft insert rule ip nat create_ap_prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT || die else DNS_PORT=0 fi From 32168bc1a47fef9ca79e07116f94f67b634d8ce4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?= Date: Wed, 11 Jul 2018 11:25:41 +0200 Subject: [PATCH 5/7] nftables refactoring --- create_ap | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/create_ap b/create_ap index 6b39784..0210568 100755 --- a/create_ap +++ b/create_ap @@ -728,6 +728,10 @@ _cleanup() { nft delete chain ip nat create_ap_postrouting nft delete rule ip filter create_ap_forward nft delete chain ip filter create_ap_forward + nft delete rule ip filter create_ap_input + nft delete chain ip filter create_ap_input + nft delete rule ip nat create_ap_prerouting + nft delete chain ip nat create_ap_prerouting elif [[ "$SHARE_METHOD" == "bridge" ]]; then if ! is_bridge_interface $INTERNET_IFACE; then ip link set dev $BRIDGE_IFACE down @@ -778,13 +782,6 @@ _cleanup() { iptables -w -D INPUT -p udp -m udp --dport 67 -j ACCEPT fi - if [[ "$SHARE_METHOD" == "nft" ]]; then - nft delete rule ip filter create_ap_input - nft delete chain ip filter create_ap_input - nft delete rule ip nat create_ap_prerouting - nft delete chain ip nat create_ap_prerouting - fi - if [[ $NO_VIRT -eq 0 ]]; then if [[ -n "$VWIFI_IFACE" ]]; then ip link set down dev ${VWIFI_IFACE} From d50a40fd4c4c055432524ed7034dc93186c33c76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?= Date: Wed, 11 Jul 2018 11:39:31 +0200 Subject: [PATCH 6/7] nftables refactoring --- create_ap | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/create_ap b/create_ap index 0210568..fb370fd 100755 --- a/create_ap +++ b/create_ap 
@@ -724,14 +724,15 @@ _cleanup() { iptables -w -D FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT iptables -w -D FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT elif [[ "$SHARE_METHOD" == "nft" ]]; then - nft delete rule ip nat create_ap_postrouting - nft delete chain ip nat create_ap_postrouting - nft delete rule ip filter create_ap_forward - nft delete chain ip filter create_ap_forward - nft delete rule ip filter create_ap_input + # Flushing seems to be unnecessary on newer kernels + nft flush chain ip filter create_ap_input + nft flush chain ip filter create_ap_forward + nft flush chain ip nat create_ap_prerouting + nft flush chain ip nat create_ap_postrouting nft delete chain ip filter create_ap_input - nft delete rule ip nat create_ap_prerouting + nft delete chain ip filter create_ap_forward nft delete chain ip nat create_ap_prerouting + nft delete chain ip nat create_ap_postrouting elif [[ "$SHARE_METHOD" == "bridge" ]]; then if ! is_bridge_interface $INTERNET_IFACE; then ip link set dev $BRIDGE_IFACE down @@ -1737,8 +1738,11 @@ if [[ "$SHARE_METHOD" != "none" ]]; then elif [[ "$SHARE_METHOD" == "nft" ]]; then nft table ip filter nft add chain ip filter create_ap_forward { type filter hook forward priority 0\; } + nft add chain ip filter create_ap_input { type filter hook input priority 0\; } nft table ip nat + nft add chain ip nat create_ap_prerouting { type nat hook prerouting priority 0\; } nft add chain ip nat create_ap_postrouting { type nat hook postrouting priority 0\; } + nft add rule ip nat create_ap_postrouting oifname != ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 masquerade nft add rule ip filter create_ap_forward iifname ${WIFI_IFACE} ip saddr ${GATEWAY%.*}.0/24 accept nft add rule ip filter create_ap_forward iifname ${INTERNET_IFACE} ip daddr ${GATEWAY%.*}.0/24 accept 
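Review bot: The cleanup now flushes and deletes whole chains under fixed names (`create_ap_input`, `create_ap_forward`, `create_ap_prerouting`, `create_ap_postrouting`), so if two instances of the script run at the same time — the per-instance `$CONFDIR` and the shared `$COMMON_CONFDIR` in earlier hunks suggest that is supported — the first one to exit also removes the other instance's masquerade, forward and DNS-redirect rules, whereas the iptables branch just above deletes only its own three rules with `-D`. If concurrent instances are meant to work, make the chain names instance-specific in both the setup and this block (e.g. `create_ap_${WIFI_IFACE}_forward`) or delete by handle; otherwise a comment stating that `nft` supports a single instance would do. Leaving the `ip filter` and `ip nat` tables in place is correct, since they may pre-exist (iptables-nft uses those names) and deleting them would wipe a foreign ruleset; a one-line comment such as `# tables may be shared with iptables-nft; only our chains are removed` would stop that from being "fixed" later. `_cleanup` begins and ends outside this hunk.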
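Review bot: The two `accept` rules added to `create_ap_forward` do not do what their iptables counterparts do: the chain is created without a `policy`, so it already accepts by default, and in nftables an `accept` verdict in one base chain does not override a `drop` from another table's forward chain (a distro firewall with its own table, or Docker's rules via iptables-nft), so on a host whose firewall drops forwarded traffic the AP clients still get no Internet even though the iptables method would have punched through. I would say so next to the chain creation, e.g. `# NOTE: nft base chains are independent; these accepts cannot override a drop in another table's forward chain`, and mention it in the `-m nft` usage text. Separately, none of the `nft add chain` / `nft add rule` lines here has `|| die`, while the `echo 1 > …/forwarding || die` lines that follow this block (visible in PATCH 1/7) do, so a failing nft (binary absent, nf_tables unavailable) leaves forwarding enabled on $INTERNET_IFACE with no masquerade or forward rules; adding `|| die` to each nft line, as the DNS rules in the next hunk already have, makes it fail closed. The `if [[ "$SHARE_METHOD" != "none" ]]` block starts and ends outside this hunk.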
@@ -1849,10 +1853,8 @@ if [[ "$SHARE_METHOD" == "none" || "$SHARE_METHOD" == "nat" ]]; then elif [[ "$SHARE_METHOD" == "nft" ]]; then if [[ $NO_DNS -eq 0 ]]; then DNS_PORT=5353 - nft add chain ip filter create_ap_input { type filter hook input priority 0\; } nft insert rule ip filter create_ap_input tcp dport $DNS_PORT accept || die nft insert rule ip filter create_ap_input udp dport $DNS_PORT accept || die - nft add chain ip nat create_ap_prerouting { type nat hook prerouting priority 0\; } nft insert rule ip nat create_ap_prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} tcp dport 53 redirect to :$DNS_PORT || die nft insert rule ip nat create_ap_prerouting ip saddr ${GATEWAY%.*}.0/24 ip daddr ${GATEWAY} udp dport 53 redirect to :$DNS_PORT || die else @@ -1860,7 +1862,6 @@ elif [[ "$SHARE_METHOD" == "nft" ]]; then fi if [[ $NO_DNSMASQ -eq 0 ]]; then - nft add chain ip filter create_ap_input { type filter hook input priority 0\; } nft insert rule ip filter create_ap_input udp dport 67 accept || die if which complain > /dev/null 2>&1; then From 9ee9e735a3bcd14c9b366b4f7e01b4176cee8f9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Goli=C5=84ski?= Date: Wed, 11 Jul 2018 11:44:04 +0200 Subject: [PATCH 7/7] nftables documentation --- README.md | 7 ++++++- bash_completion | 2 +- create_ap | 3 ++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a56e643..5790bcb 100644 --- a/README.md +++ b/README.md @@ -21,11 +21,16 @@ * iwconfig (you only need this if 'iw' can not recognize your adapter) * haveged (optional) -### For 'NATed' or 'None' Internet sharing method +### For 'nat' or 'none' Internet sharing method * dnsmasq * iptables +### For 'nft' Internet sharing method +* dnsmasq +* nftables + + ## Installation ### Generic git clone https://github.com/oblique/create_ap diff --git a/bash_completion b/bash_completion index aae0bb2..7053526 100644 --- a/bash_completion +++ b/bash_completion 
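Review bot: The `tcp dport $DNS_PORT accept` / `udp dport $DNS_PORT accept` rules (and the `udp dport 67 accept` in the next hunk) carry no `iifname`, so dnsmasq's resolver on 5353 and its DHCP server are reachable from `$INTERNET_IFACE` too unless dnsmasq.conf binds to the AP interface, which is not visible here; the iptables branch has the same scope, but this rewrite is the natural place to narrow it, e.g. `nft insert rule ip filter create_ap_input iifname ${WIFI_IFACE} tcp dport $DNS_PORT accept || die`. Bear in mind that `create_ap_input` is a fresh base chain with the default accept policy, so these accepts only matter against rules someone adds to that same chain and cannot override a drop from another table's input chain the way `iptables -I INPUT` could; a short comment to that effect would save a confused bug report. The two `redirect` rules are correctly scoped to the AP subnet and the gateway address. The `elif [[ "$SHARE_METHOD" == "nft" ]]` branch continues past the end of this hunk.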
@@ -53,7 +53,7 @@ _create_ap() { # No Options ;; -m) - opts="nat bridge none" + opts="nat nft bridge none" ;; --psk) # No Options diff --git a/create_ap b/create_ap index fb370fd..e5a0cdf 100755 --- a/create_ap +++ b/create_ap @@ -41,7 +41,8 @@ usage() { echo " -n Disable Internet sharing (if you use this, don't pass" echo " the argument)" echo " -m Method for Internet sharing." - echo " Use: 'nat' for NAT (default)" + echo " Use: 'nat' for NAT using iptables (default)" + echo " 'nft' for NAT using nftables" echo " 'bridge' for bridging" echo " 'none' for no Internet sharing (equivalent to -n)" echo " --psk Use 64 hex digits pre-shared-key instead of passphrase"