Diffstat (limited to 'inventory/group_vars')
-rw-r--r--inventory/group_vars/accesspoints/vars.yml95
-rw-r--r--inventory/group_vars/chaos-at-home-ap/vars.yml2
-rw-r--r--inventory/group_vars/ele-ap/vars.yml2
3 files changed, 53 insertions, 46 deletions
diff --git a/inventory/group_vars/accesspoints/vars.yml b/inventory/group_vars/accesspoints/vars.yml
index 8da64e56..c514a22f 100644
--- a/inventory/group_vars/accesspoints/vars.yml
+++ b/inventory/group_vars/accesspoints/vars.yml
@@ -1,13 +1,18 @@
---
accesspoint_wired_interface: eth0
-accesspoint_wireless_device_paths:
- 2g4: "platform/qca956x_wmac"
- 5g: "pci0000:00/0000:00:00.0"
-accesspoint_wireless_frequencies:
- - 2g4
+accesspoint_wireless_frequency_bands:
+ - 2g
- 5g
+accesspoint_wifi_device_htmode:
+ 2g: "HT20"
+ 5g: "VHT80"
+
+accesspoint_wireless_device_paths:
+ 2g: "platform/qca956x_wmac"
+ 5g: "pci0000:00/0000:00:00.0"
+
accesspoint_network_base: "{{ accesspoint_network_base_yaml | from_yaml }}"
accesspoint_network_base_yaml: |
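Review bot: The band keys of `accesspoint_wireless_frequency_bands`, `accesspoint_wifi_device_htmode` and `accesspoint_wireless_device_paths` are also used to index `accesspoint_wifi_channels` in the per-group vars, but nothing in this file says so; a key present in one mapping and missing from another only fails at template-render time. A comment above `accesspoint_wireless_frequency_bands`, e.g. `# band names are the lookup keys for the htmode/path maps below and for accesspoint_wifi_channels in the host/group vars`, would make the coupling explicit. The matching rename from `2g4` to `2g` is applied in the two other files of this commit.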
@@ -36,8 +41,7 @@ accesspoint_network_base_yaml: |
device: "{{ accesspoint_wired_interface }}{% if 'vlan' in network_mgmt_zone %}.{{ network_mgmt_zone.vlan }}{% endif %}"
accept_ra: 0
proto: static
- ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) | ipaddr('address') }}"
- netmask: "{{ network_mgmt_zone.prefix | ipaddr('netmask') }}"
+ ipaddr: "{{ network_mgmt_zone.prefix | ipaddr(network_mgmt_zone.offsets[inventory_hostname]) }}"
accesspoint_network_zones: "{{ accesspoint_network_zones_yaml | from_yaml }}"
@@ -66,26 +70,19 @@ accesspoint_network_zones_yaml: |
-accesspoint_wireless_devices:
- - name: wifi-device 'radio5g'
+accesspoint_wireless_devices: "{{ accesspoint_wireless_devices_yaml | from_yaml }}"
+accesspoint_wireless_devices_yaml: |
+ {% for band in accesspoint_wireless_frequency_bands %}
+ - name: wifi-device 'radio{{ band }}'
options:
type: 'mac80211'
- channel: "{{ accesspoint_wifi_channels['5g'][inventory_hostname] }}"
- hwmode: '11a'
+ channel: "{{ accesspoint_wifi_channels[band][inventory_hostname] }}"
+ band: '{{ band }}'
country: AT
- path: "{{ accesspoint_wireless_device_paths['5g'] }}"
- htmode: 'VHT80'
- cell_density: '0'
-
- - name: wifi-device 'radio2g4'
- options:
- type: 'mac80211'
- channel: "{{ accesspoint_wifi_channels['2g4'][inventory_hostname] }}"
- hwmode: '11g'
- country: AT
- path: "{{ accesspoint_wireless_device_paths['2g4'] }}"
- htmode: 'HT20'
+ path: "{{ accesspoint_wireless_device_paths[band] }}"
+ htmode: '{{ accesspoint_wifi_device_htmode[band] }}'
cell_density: '0'
+ {% endfor %}
## TODO: set up 802.11r see:
@@ -94,10 +91,10 @@ accesspoint_wireless_devices:
accesspoint_wireless_ifaces: "{{ accesspoint_wireless_ifaces_yaml | from_yaml }}"
accesspoint_wireless_ifaces_yaml: |
{% for zone in accesspoint_zones.keys() %}
- {% for freq in accesspoint_wireless_frequencies %}
- - name: wifi-iface '{{ zone }}{{ freq }}'
+ {% for band in accesspoint_wireless_frequency_bands %}
+ - name: wifi-iface '{{ zone }}{{ band }}'
options:
- device: 'radio{{ freq }}'
+ device: 'radio{{ band }}'
network: '{{ zone }}'
mode: 'ap'
disassoc_low_ack: '1'
@@ -127,6 +124,7 @@ openwrt_packages_add:
- haveged
- htop
- ip
+ - nftables
- less
- nano
- tcpdump-mini
@@ -161,35 +159,44 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
- /etc/rc.d/S22network-fw:
- link: "../init.d/network-fw"
+ /etc/rc.d/S21nftables:
+ link: "../init.d/nftables"
- /etc/rc.d/K91network-fw:
- link: "../init.d/network-fw"
+ /etc/rc.d/K89nftables:
+ link: "../init.d/nftables"
- /etc/init.d/network-fw:
+ /etc/init.d/nftables:
mode: "0755"
content: |
#!/bin/sh /etc/rc.common
- START=22
- STOP=91
-
- MGMT_IF=$(uci get network.mgmt.device)
- MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
- MGMT_NETMASK=$(uci get network.mgmt.netmask)
+ START=21
+ STOP=89
start() {
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -i "$MGMT_IF" -d "$MGMT_IPADDR" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
+ nft -f /etc/nftables.conf
}
stop() {
- iptables -P INPUT ACCEPT
- iptables -F INPUT
- iptables -P FORWARD ACCEPT
+ nft flush ruleset
+ }
+
+ /etc/nftables.conf:
+ content: |
+ flush ruleset
+
+ define nic_mgmt = {{ accesspoint_wired_interface }}.{{ network_zones.mgmt.vlan }}
+
+ table inet global {
+ chain input {
+ type filter hook input priority filter; policy drop;
+ ct state vmap { established: accept, related: accept, invalid: drop }
+ iifname vmap { lo: accept, $nic_mgmt: accept }
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy drop;
+ }
}
/usr/lib/lua/prometheus-collectors/wifi.lua:
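Review bot: The new input chain at `iifname vmap { lo: accept, $nic_mgmt: accept }` accepts every packet arriving on the management VLAN interface, whereas the iptables rule it replaces also required the source to lie inside `$MGMT_IPADDR/$MGMT_NETMASK` and the destination to be the AP's own management address, so the source-subnet restriction is dropped by this change without being mentioned. It can be reintroduced with a one-line `ip saddr` match fed from `network_mgmt_zone.prefix`, which the second hunk already uses to derive the interface address (this assumes that prefix is the IPv4 network in CIDR form). Separately, `define nic_mgmt = … .{{ network_zones.mgmt.vlan }}` hard-requires a VLAN, while the network template in the second hunk guards the suffix with `{% if 'vlan' in network_mgmt_zone %}`; for an untagged management zone this renders `eth0.`, the ruleset fails to load, and since `start()` only runs `nft -f` the AP would presumably come up with no input filtering at all. The rewritten lines below mirror that guard and use `network_mgmt_zone` as the rest of the file does; `openwrt_mixin` starts before and ends after this hunk.
```yaml
      define nic_mgmt = {{ accesspoint_wired_interface }}{% if 'vlan' in network_mgmt_zone %}.{{ network_mgmt_zone.vlan }}{% endif %}
      define net_mgmt = {{ network_mgmt_zone.prefix }}
      # … unchanged: table inet global / chain input header, ct state vmap …
          iifname lo accept
          iifname $nic_mgmt ip saddr $net_mgmt accept
      # … unchanged: forward chain …
```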
diff --git a/inventory/group_vars/chaos-at-home-ap/vars.yml b/inventory/group_vars/chaos-at-home-ap/vars.yml
index 8f33d683..b3d9f84a 100644
--- a/inventory/group_vars/chaos-at-home-ap/vars.yml
+++ b/inventory/group_vars/chaos-at-home-ap/vars.yml
@@ -2,7 +2,7 @@
network_mgmt_zone: "{{ network_zones.mgmt }}"
accesspoint_wifi_channels:
- 2g4:
+ 2g:
ch-ap0: 1
ch-ap1: 9
5g:
diff --git a/inventory/group_vars/ele-ap/vars.yml b/inventory/group_vars/ele-ap/vars.yml
index d77e7c1a..5c14047c 100644
--- a/inventory/group_vars/ele-ap/vars.yml
+++ b/inventory/group_vars/ele-ap/vars.yml
@@ -6,7 +6,7 @@ ssh_users_root:
network_mgmt_zone: "{{ network_zones.mgmt }}"
accesspoint_wifi_channels:
- 2g4:
+ 2g:
# ele-ap-forum0: 5
# ele-ap-forum1: 13
# ele-ap-forum2: 9