Add package fff-layer3-snat

With this new package it is possible to do SNAT for client IPv4. The user must set a router_ip in gateway.meta.router_ip, so an ip address is available for peering interfaces and reachability. Currently, no extra filtering is done, so the client interface should only use ip ranges, which are already filtered from being announced (e.g. 192.168.0.0/16). Using NAT for IPv4 significantly reduces the need for big Freifunk-global IP range allocations. Signed-off-by: Christian Dresel <freifunk@dresel.systems> Co-authored-by: Fabian Bläse <fabian@blaese.de> Signed-off-by: Fabian Bläse <fabian@blaese.de> Tested-by: Christian Dresel <freifunk@dresel.systems>
2020-12-24 09:57:25 +01:00 · 2020-12-24 09:57:25 +01:00 · 825d760bd8
parent 51ec3648cf
commit 825d760bd8
4 changed files with 70 additions and 0 deletions
--- a/src/packages/fff/fff-layer3-snat/Makefile
+++ b/src/packages/fff/fff-layer3-snat/Makefile
@ -0,0 +1,31 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-snat
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken layer3 configuration with SNAT
+	URL:=https://www.freifunk-franken.de
+	DEPENDS:= \
+		+fff-firewall \
+		+fff-layer3-config \
+		+kmod-ipt-nat
+endef
+
+define Package/fff-layer3-snat/description
+	With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-layer3-snat/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-snat))
--- a/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
+++ b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
@ -0,0 +1,34 @@
+configure() {
+	# first we delete the snat config
+	uci -q del network.client.fff_snat
+	uci -q del network.client.fff_snat_sourceip
+	if [ "$(uci -q get gateway.@client[0].snat)" = '1' ]; then
+
+		# first check the config is plausible
+		if ! routerip=$(uci -q get gateway.meta.router_ip); then
+			echo "ERROR: No router_ip set, which is required for SNAT!"
+			return 1
+		fi
+		if ! uci -q get gateway.@client[0].ipaddr >/dev/null; then
+			echo "ERROR: No ipaddr set, which is required for SNAT!"
+			return 1
+		fi
+
+		# keep only the first IP
+		routerip=${routerip%% *}
+		# keep only the IP without the CIDR
+		routerip=${routerip%%/*}
+
+		# We set the snat config
+		uci set network.client.fff_snat=1
+		uci set network.client.fff_snat_sourceip=$routerip
+	fi
+}
+
+apply() {
+	uci commit network
+}
+
+revert() {
+	uci revert network
+}
--- a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
+++ b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
@ -0,0 +1,4 @@
+if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
+	iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174
+	iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+fi
--- a/src/packages/fff/fff-layer3/Makefile
+++ b/src/packages/fff/fff-layer3/Makefile
@ -15,6 +15,7 @@ define Package/fff-layer3
 	         +fff-boardname \
 	         +fff-dhcp \
 	         +fff-layer3-config \
+	         +fff-layer3-snat \
 	         +fff-mqtt-monitoring \
 	         +fff-network \
 	         +fff-ra \