From 93106ff9d6e30316744db2a567f4cd3ce591f1a3 Mon Sep 17 00:00:00 2001
From: Christian Dresel
Date: Thu, 28 Jan 2021 09:46:33 +0100
Subject: [PATCH 1/2] fff-firewall: Flush nat und mangle iptables table

We should flush all tables and not only filter to reset the complete firewall

Signed-off-by: Christian Dresel
---
 src/packages/fff/fff-firewall/Makefile | 2 +-
 .../fff/fff-firewall/files/usr/lib/firewall.d/00-prepare | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 6a58cabc..3bf49c35 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
index 5a1b9aaf..d3f3da28 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
@@ -5,5 +5,11 @@ ebtables -X
 iptables -F
 iptables -X
 
+iptables -F -t nat
+iptables -X -t nat
+
+iptables -F -t mangle
+iptables -X -t mangle
+
 ip6tables -F
 ip6tables -X

From 0b585e52735de411f3edd3ccdb0a69d74d739f97 Mon Sep 17 00:00:00 2001
From: Christian Dresel
Date: Thu, 24 Dec 2020 09:57:25 +0100
Subject: [PATCH 2/2] Add package fff-layer3-ipv4snat

With this package it is possible to make SNAT with IPv4 on the router The user must set a peer_ip setting in gateway.meta.peer_ip to get a single ip for peering interfaces. At ipaddr the user must set a ip that not use in babel (e.g. 192.168.0.1/16) for the clients With this package the ipaddr address is SNAT to the peer_ip and every router need only one freifunk ip and can use the same ipaddr on every router. It is a system like cgnat from big provider

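Review bot: The subject says the complete firewall is reset, but the new lines only flush and delete chains in the iptables `nat` and `mangle` tables; ip6tables still touches only `filter`, and the `raw` table is left alone for both families, so rules there survive a restart of fff-firewall. If the image ships IPv6 NAT support (not visible from the hunk), the mirror lines `ip6tables -F -t nat` / `ip6tables -X -t nat` and the same pair for `mangle` belong next to the existing `ip6tables -X`. `-F`/`-X` also leave the built-in chain policies untouched, so a policy set by an earlier run persists across this reset; if that matters, this prepare step is where `-P` resets belong. The enclosing script starts before the hunk.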
Signed-off-by: Christian Dresel
---
 src/packages/fff/fff-layer3-ipv4snat/Makefile | 32 +++++++++++++++++++
 .../files/etc/layer3.d/33-snat.conf | 31 ++++++++++++++++++
 .../files/usr/lib/firewall.d/30-SNAT | 7 ++++
 src/packages/fff/fff-layer3/Makefile | 3 +-
 4 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 src/packages/fff/fff-layer3-ipv4snat/Makefile
 create mode 100644 src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf
 create mode 100644 src/packages/fff/fff-layer3-ipv4snat/files/usr/lib/firewall.d/30-SNAT

diff --git a/src/packages/fff/fff-layer3-ipv4snat/Makefile b/src/packages/fff/fff-layer3-ipv4snat/Makefile
new file mode 100644
index 00000000..d01cdf33
--- /dev/null
+++ b/src/packages/fff/fff-layer3-ipv4snat/Makefile
@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-ipv4snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-ipv4snat
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken layer3 configuration with SNAT
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:= \
+ +iptables-mod-nat-extra \
+ +fff-firewall \
+ +fff-layer3-config
+
+endef
+
+define Package/fff-layer3-ipv4snat/description
+ With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-layer3-ipv4snat/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-ipv4snat))
diff --git a/src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf b/src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf
new file mode 100644
index 00000000..b2f6eed4
--- /dev/null
+++ b/src/packages/fff/fff-layer3-ipv4snat/files/etc/layer3.d/33-snat.conf
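Review bot: `DEPENDS` pulls in `iptables-mod-nat-extra`, but the only rule this package installs is `-j SNAT` in `30-SNAT`, and the SNAT target ships with the base `iptables` package on top of `kmod-ipt-nat`; as far as I recall nat-extra only adds targets such as NETMAP, so the dependency is probably reached for its transitive pull of `kmod-ipt-nat` — worth confirming against the feed and, if so, naming `+kmod-ipt-nat` directly. `Build/Compile` holds only a comment line; an empty `define Build/Compile` / `endef` is the usual idiom for packages with nothing to build and avoids a no-op shell invocation. A one-line comment above `DEPENDS`, such as `# fff-firewall: its 00-prepare flushes the nat table, presumably what keeps 30-SNAT from stacking duplicate rules on restart`, would document why that dependency is hard.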
@@ -0,0 +1,31 @@
+configure() {
+ # first we delete the snat config
+ uci -q del network.client.nat
+ if [ "$(uci -q get gateway.@client[0].nat)" = '1' ]; then
+
+ # first check the config is plausible
+ if ! peer_ip=$(uci get gateway.meta.peer_ip); then
+ echo "ERROR: No peer_ip set! For SNAT use you must set a peer_ip"
+ return 1
+ fi
+ if ! ipaddr=$(uci get gateway.@client[0].ipaddr); then
+ echo "ERROR: No ipaddr set! For SNAT use you must set ipaddr"
+ return 1
+ fi
+
+ # We set the snat config
+ uci set network.client.nat=1
+ fi
+}
+
+reload() {
+ /etc/init.d/fff-firewall start
+}
+
+apply() {
+ uci commit network
+}
+
+revert() {
+ uci revert network
+}
diff --git a/src/packages/fff/fff-layer3-ipv4snat/files/usr/lib/firewall.d/30-SNAT b/src/packages/fff/fff-layer3-ipv4snat/files/usr/lib/firewall.d/30-SNAT
new file mode 100644
index 00000000..89bcbceb
--- /dev/null
+++ b/src/packages/fff/fff-layer3-ipv4snat/files/usr/lib/firewall.d/30-SNAT
@@ -0,0 +1,7 @@
+if [ "$(uci -q get gateway.@client[0].nat)" = '1' ]; then
+ peer_ip=$(uci get gateway.meta.peer_ip)
+ ipaddr=$(uci get gateway.@client[0].ipaddr)
+ for ip in $ipaddr; do
+ iptables -t nat -A POSTROUTING -s $ip -j SNAT --to-source $peer_ip
+ done
+fi
diff --git a/src/packages/fff/fff-layer3/Makefile b/src/packages/fff/fff-layer3/Makefile
index 9dd76ab5..e9532589 100644
--- a/src/packages/fff/fff-layer3/Makefile
+++ b/src/packages/fff/fff-layer3/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-layer3
-PKG_RELEASE:=7
+PKG_RELEASE:=8
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-layer3
 
@@ -17,6 +17,7 @@ define Package/fff-layer3
 +fff-boardname \
 +fff-dhcp \
 +fff-layer3-config \
+ +fff-layer3-ipv4snat \
 +fff-network \
 +fff-ra \
 +fff-wireguard \
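Review bot: configure() only checks that `gateway.meta.peer_ip` and `gateway.@client[0].ipaddr` can be read; the values themselves are not examined (a `peer_ip` carrying a `/prefix` or several words, or an `ipaddr` entry that is not an address/CIDR, passes) and are discarded after the test, so the runtime script `30-SNAT` re-reads them unvalidated at every firewall start. Since the block is commented as the plausibility check, this is where a malformed value should fail: for instance reject `peer_ip` when it contains `/` or whitespace, and walk `$ipaddr` word by word the way `30-SNAT` does, returning 1 with an `ERROR:` message in the existing style. `uci -q del network.client.nat` runs on every configure, also on routers that never enable SNAT; that is presumably the intended reset step and deserves the comment `# always clear; set again below only when gateway.@client[0].nat=1`.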
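Review bot: `$ip` and `$peer_ip` are interpolated unquoted into the `iptables` call and nothing checks that either is non-empty; configure() in `33-snat.conf` guards only the `uci set`, not this script, which runs on every `fff-firewall start`, so a router with `nat=1` but no `gateway.meta.peer_ip` calls `--to-source` with no argument, iptables rejects the rule, and the client range presumably leaves the router with its private source address for that run. Reading both values with `uci -q get`, skipping with a message on stderr when either is empty, and quoting the expansions makes that failure visible in the log instead of a `uci` error followed by an iptables usage error. The rule also carries no `-o` restriction, so every packet from the client range is rewritten whichever interface it leaves on; if that is intended, a comment saying so would help, otherwise limit it to the peering interfaces.
```sh
if [ "$(uci -q get gateway.@client[0].nat)" = '1' ]; then
	peer_ip=$(uci -q get gateway.meta.peer_ip)
	ipaddr=$(uci -q get gateway.@client[0].ipaddr)
	if [ -z "$peer_ip" ] || [ -z "$ipaddr" ]; then
		echo "30-SNAT: gateway.meta.peer_ip or gateway.@client[0].ipaddr is empty, SNAT rules not installed" >&2
	else
		for ip in $ipaddr; do
			iptables -t nat -A POSTROUTING -s "$ip" -j SNAT --to-source "$peer_ip"
		done
	fi
fi
```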