firewall: switch to nftables

Author: mkg20001

package/gluon-core/Makefile

@@ -11,7 +11,7 @@ define Package/gluon-core
   TITLE:=Base files of Gluon
   DEPENDS:= \
 	+gluon-site +libgluonutil +libiwinfo-lua +lua-platform-info +lua-simple-uci +lua-hash +lua-jsonc \
-	+luabitop +luaposix +vxlan +odhcp6c +firewall +pretty-hostname
+	+luabitop +luaposix +vxlan +odhcp6c +firewall4 +pretty-hostname
 endef
 
 define Package/gluon-core/description

package/gluon-ebtables-limit-arp/src/gluon-arp-limiter.c

@@ -14,7 +14,7 @@
 
 #define BATCTL_DC "/usr/sbin/batctl dc -H -n"
 #define BATCTL_TL "/usr/sbin/batctl tl -H -n"
-#define EBTABLES "/usr/sbin/ebtables-tiny"
+#define EBTABLES "/usr/sbin/ebtables"
 
 #define BUILD_BUG_ON(check) ((void)sizeof(int[1-2*!!(check)]))
 

package/gluon-ebtables/Makefile

@@ -6,8 +6,7 @@ include ../gluon.mk
 
 define Package/gluon-ebtables
   TITLE:=Ebtables support
-  DEPENDS:=+gluon-core +ebtables-tiny \
-	+kmod-ebtables +kmod-ebtables-ipv4 +kmod-ebtables-ipv6
+  DEPENDS:=+gluon-core +ebtables-nft
 endef
 
 define Package/gluon-ebtables/description

package/gluon-ebtables/files/etc/init.d/gluon-ebtables

@@ -51,8 +51,8 @@ exec_all() {
 
 start() {
 	(
-		export EBTABLES_RULE='"ebtables-tiny -t " .. table .. " -A " .. command'
-		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. "  -N " .. name .. " -P " .. policy'
+		export EBTABLES_RULE='"ebtables -t " .. table .. " -A " .. command'
+		export EBTABLES_CHAIN='"ebtables -t " .. table .. "  -N " .. name .. " -P " .. policy'
 
 		# Contains /var/lib/ebtables/lock for '--concurrent'
 		[ ! -d "/var/lib/ebtables" ] && \
@@ -68,8 +68,8 @@ start() {
 
 stop() {
 	(
-		export EBTABLES_RULE='"ebtables-tiny -t " ..	table .. " -D " .. command'
-		export EBTABLES_CHAIN='"ebtables-tiny -t " .. table .. " -X " .. name'
+		export EBTABLES_RULE='"ebtables -t " ..	table .. " -D " .. command'
+		export EBTABLES_CHAIN='"ebtables -t " .. table .. " -X " .. name'
 
 		if [ -z "$1" ]; then
 			exec_all '-r'

package/gluon-iptables-clamp-mss-to-pmtu/Makefile

@@ -6,7 +6,6 @@ include ../gluon.mk
 
 define Package/$(PKG_NAME)
   TITLE:=This will establish a firewall rule to clamp the mss to pmtu on the mesh-vpn interface when the connection is towards 64:ff9b::/96
-  DEPENDS:= +ip6tables-zz-legacy
 endef
 
 define Package/$(PKG_NAME)/description

package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/iptables-mss.rules

@@ -0,0 +1 @@
+oifname "mesh-vpn*" tcp flags & (syn|rst) == syn counter tcp option maxseg size set rt mtu

package/gluon-iptables-clamp-mss-to-pmtu/files/lib/gluon/mesh-vpn/nftables-mss.rules

@@ -2,9 +2,10 @@
 
 local uci = require('simple-uci').cursor()
 uci:section('firewall', 'include', 'vpn_clamp_mss', {
-	family = 'ipv6',
-	type = 'restore',
-	path = '/lib/gluon/mesh-vpn/iptables-mss.rules'
+	type = 'nftables',
+	position = 'chain-prepend',
+	chain = 'mangle_forward',
+	path = '/lib/gluon/mesh-vpn/nftables-mss.rules',
 })
 
 uci:save('firewall')

package/gluon-iptables-clamp-mss-to-pmtu/luasrc/lib/gluon/upgrade/800-iptables-mesh-vpn-clamp-mss-to-pmtu

@@ -9,7 +9,7 @@ include ../gluon.mk
 
 define Package/gluon-mesh-babel
   TITLE:=Babel mesh
-  DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop
+  DEPENDS:=+gluon-core +babeld +gluon-mesh-layer3-common +libiwinfo +libgluonutil +firewall4 +libjson-c +libnl-tiny +libubus +libubox +libblobmsg-json +libbabelhelper +luabitop
   PROVIDES:=gluon-mesh-provider
 endef
 

package/gluon-mesh-babel/Makefile

@@ -13,7 +13,7 @@ define Package/gluon-mesh-batman-adv-15
 	+libgluonutil \
 	+gluon-client-bridge \
 	+gluon-ebtables \
-	+firewall \
+	+firewall4 \
 	+libiwinfo \
 	+kmod-dummy \
 	+libnl-tiny \