From 7c9b8d03f5de2ecdae22ac9f3d635158c406dc46 Mon Sep 17 00:00:00 2001 From: Christian Dresel Date: Thu, 24 Dec 2020 09:57:25 +0100 Subject: [PATCH] Add package fff-layer3-ipv4snat With this package it is possible to make SNAT with IPv4 on the router The user must set a peer_ip setting in gateway.meta.peer_ip to get a single ip for peering interfaces. At ipaddr the user must set a ip that not use in babel (e.g. 192.168.0.1/16) for the clients With this package the ipaddr address is SNAT to the peer_ip and every router need only one freifunk ip and can use the same ipaddr on every router. It is a system like cgnat from big provider Signed-off-by: Christian Dresel --- src/packages/fff/fff-layer3-ipv4snat/Makefile | 32 ++++++++++ .../files/etc/layer3.d/33-snat.conf | 58 +++++++++++++++++++ src/packages/fff/fff-layer3/Makefile | 3 +- 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 src/packages/fff/fff-layer3-ipv4snat/Makefile create mode 100644 src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf
diff --git a/src/packages/fff/fff-layer3-ipv4snat/Makefile b/src/packages/fff/fff-layer3-ipv4snat/Makefile
new file mode 100644
index 00000000..8f6f89d4
--- /dev/null
+++ b/src/packages/fff/fff-layer3-ipv4snat/Makefile
@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-ipv4snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-ipv4snat
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken layer3 configuration with SNAT
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:= \
+ +iptables-mod-nat-extra \
+ +fff-firewall \
+ +fff-layer3-config
+
+endef
+
+define Package/fff-layer3-ipv4snat/description
+ With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-layer3-ipv4snat/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-ipv4snat))
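Review bot: The `Package/fff-layer3-ipv4snat/description` block does not say which settings the package needs or that it is opt-in, although the shipped 33-snat.conf only installs rules when `gateway.@client[0].nat` is set and flushes the whole iptables nat table on every reload and apply. I would extend the description to something like `SNAT for the IPv4 client network; enabled by gateway.@client[0].nat, needs gateway.meta.peer_ip, and takes over the iptables nat table`. That gives whoever selects the package the same information the commit message carries.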
diff --git a/src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf b/src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf
new file mode 100644
index 00000000..fdab6abd
--- /dev/null
+++ b/src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf
@@ -0,0 +1,58 @@
+# configure-layer3 -c do nothing
+
+# Check if NAT is set
+# If NAT is set
+if uci -q get gateway.@client[0].nat; then
+ if ! peer_ip=$(uci get gateway.meta.peer_ip); then
+ echo "WARNING: No peer_ip set! For NAT you must set a peer_ip"
+ fi
+
+ # read ipaddr but we need no warning
+ # the warning come from 30-network-client if this not set
+ ipaddr=$(uci get gateway.@client[0].ipaddr)
+
+ # configure-layer3 -t - reload set the iptables rule not rebootsafe
+ reload() {
+ # first we flush the table
+ iptables -t nat --flush
+ # and load the new settings
+ for ip in $ipaddr; do
+ iptables -t nat -A POSTROUTING -s $ip -j SNAT --to-source $peer_ip
+ done
+ }
+
+ # configure-layer3 -a - apply write iptables rule to firewall and set rule again
+ # because it is possible that the rule is not set here but we need it here
+ apply() {
+ iptables -t nat --flush
+ rm -rf /usr/lib/firewall.d/30-NAT
+ for ip in $ipaddr; do
+ iptables -t nat -A POSTROUTING -s $ip -j SNAT --to-source $peer_ip
+ echo "iptables -t nat -A POSTROUTING -s $ip -j SNAT --to-source $peer_ip" >> /usr/lib/firewall.d/30-NAT
+ done
+ }
+# If NAT is not set
+else
+ # configure-layer3 -t - reload flush the iptables
+ reload() {
+ # we only flush the table
+ iptables -t nat --flush
+ }
+
+ # configure-layer3 -a - apply flush iptables rule and delete firewall rule
+ apply() {
+ # we flush the table
+ iptables -t nat --flush
+ # and delete the firewall
+ rm -rf /usr/lib/firewall.d/30-NAT
+ # nobody need NAT we win! \o/
+ }
+fi
+
+# revert is the same whether NAT set or not
+revert() {
+ # first we flush the table
+ iptables -t nat --flush
+ # and load the old settings
+ . /usr/lib/firewall.d/30-NAT
+}
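Review bot: In apply(), the UCI values `$ip` and `$peer_ip` are written unvalidated into /usr/lib/firewall.d/30-NAT, which revert() later sources as shell, so a malformed value is executed with the script's privileges. A missing peer_ip only prints a warning, so reload() and apply() still flush the table and then call iptables with an empty `--to-source`. Both values should be checked before the flush, with the function failing otherwise as sketched below, and quoted in the iptables calls. `iptables -t nat --flush` appears in every branch and clears all chains of the nat table, including rules other packages may have added, and with the new fff-layer3 dependency it runs on every layer3 router even when NAT is not configured; a dedicated chain that only this script flushes would limit that. revert() also sources the file unconditionally, which fails when NAT was never applied; `[ ! -f /usr/lib/firewall.d/30-NAT ] || . /usr/lib/firewall.d/30-NAT` avoids that.

```sh
	# accept only digits, dots and a prefix slash, so nothing else reaches the sourced rule file
	addr_ok() {
		case "$1" in
			''|*[!0-9./]*) return 1 ;;
		esac
	}

	apply() {
		addr_ok "$peer_ip" || { echo "ERROR: peer_ip missing or malformed" >&2; return 1; }
		for ip in $ipaddr; do
			addr_ok "$ip" || { echo "ERROR: malformed ipaddr" >&2; return 1; }
		done
		# … unchanged: flush, rm of /usr/lib/firewall.d/30-NAT, rule loop …
	}
```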
diff --git a/src/packages/fff/fff-layer3/Makefile b/src/packages/fff/fff-layer3/Makefile index 9dd76ab5..e9532589 100644 --- a/src/packages/fff/fff-layer3/Makefile +++ b/src/packages/fff/fff-layer3/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=fff-layer3 -PKG_RELEASE:=7 +PKG_RELEASE:=8 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-layer3 @@ -17,6 +17,7 @@ define Package/fff-layer3 +fff-boardname \ +fff-dhcp \ +fff-layer3-config \ + +fff-layer3-ipv4snat \ +fff-network \ +fff-ra \ +fff-wireguard \