fff: advertise fdff:0::/64 to access web interface

This patch adds a prefix advertisment for each node. Every node get also the IPs * $prefix::MAC * $prefix::link-local * $prefix::1 ::1 is duplicated so we need filtering to not forward data into the network for ::1. Signed-off-by: Tim Niemeyer <tim.niemeyer@mastersword.de> Reviewed-by: Jan Kraus <mayosemmel@gmail.com Reviewed-by: Tobias Klaus <tk+ff@meskal.net>
2016-01-30 11:59:46 +01:00 · 2016-01-30 11:59:46 +01:00 · d8eccf57e3
parent afc9fe3c93
commit d8eccf57e3
3 changed files with 61 additions and 2 deletions
--- a/bsp/default/root_file_system/etc/firewall.user
+++ b/bsp/default/root_file_system/etc/firewall.user
@ -59,6 +59,14 @@ ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
 ######## INPUT ############
 ebtables -P INPUT ACCEPT

+# Erlaube router solicitation von client zu knoten
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
+
+# No input from/to local node ip from batman
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+
 # Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
 ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
 # Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
@ -71,6 +79,10 @@ ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-s
 ######## FORWARD ############
 ebtables -P FORWARD ACCEPT

+# Do not forward local node ip
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
 # Erlaube nur DHCP Request von CLIENT -> BATMAN
 ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
 # Erlaube nur DHCP Antworten von BATMAN -> CLIENT
@ -89,6 +101,13 @@ ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
 ######## OUTPUT ############
 ebtables -P OUTPUT ACCEPT

+# Erlaube router advertisment von knoten zu client
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+
+# Do not output local node ip to batman
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
 # Erlaube nur DHCP Request von KNOTEN -> BATMAN
 ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
 # Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
--- a/bsp/default/root_file_system/etc/network.sh
+++ b/bsp/default/root_file_system/etc/network.sh
@ -113,3 +113,43 @@ if [[ -n "$ETH0MAC" ]]; then
        ifconfig eth0 up
        /etc/init.d/network restart
 fi
+
+if uci get network.mesh.ip6addr
+then
+    echo "IPv6 for mesh is set already"
+else
+    # Some time needed :(
+    sleep 5
+
+    for ip in $(ip -6 addr show br-mesh | awk '/fdff/{ print $2 }'); do
+        ip -6 addr del $ip dev br-mesh
+    done
+
+    prefix="fdff:0::/64"
+    # Set $prefix::MAC as IP
+    suffix=$(awk -F: '{ print $1$2":"$3$4":"$5$6 }' /sys/class/net/br-mesh/address)
+    addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+    ip -6 addr add $addr dev br-mesh
+
+    uci -q del network.globals
+    uci -q set network.globals=globals
+    uci -q set network.globals.ula_prefix=$prefix
+    uci -q add_list network.mesh.ip6addr=$addr
+    uci -q set network.mesh.proto=static
+
+    # Set $prefix::1 as IP
+    suffix="1"
+    addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+    ip -6 addr add $addr dev br-mesh
+    uci -q add_list network.mesh.ip6addr=$addr
+
+    # Set $prefix::link-local as IP
+    suffix=$(awk -F: '{ printf("%02x%s:%sff:fe%s:%s%s\n", xor(("0x"$1),2), $2, $3, $4, $5, $6) }' /sys/class/net/br-mesh/address)
+    addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+    ip -6 addr add $addr dev br-mesh
+    uci -q add_list network.mesh.ip6addr=$addr
+
+    uci -q commit network
+
+    /etc/init.d/fff-uradvd restart
+fi
--- a/src/packages/fff/fff/Makefile
+++ b/src/packages/fff/fff/Makefile
@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=fff
 PKG_VERSION:=0.0.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5

 PKG_BUILD_DIR:=$(BUILD_DIR)/fff

@ -14,7 +14,7 @@ define Package/fff-base
    DEFAULT:=y
    TITLE:= Freifunk-Franken Base
    URL:=http://www.freifunk-franken.de
-    DEPENDS:=+micrond +fff-nodewatcher +fff-web
+    DEPENDS:=+micrond +fff-nodewatcher +fff-web +fff-uradvd
 endef

 define Package/fff-base/description