From 825d760bd817d87d7baf34218859d92a6732e9e0 Mon Sep 17 00:00:00 2001
From: Christian Dresel
Date: Thu, 24 Dec 2020 09:57:25 +0100
Subject: [PATCH] Add package fff-layer3-snat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With this new package it is possible to do SNAT for client IPv4. The user must set a router_ip in gateway.meta.router_ip, so an ip address is available for peering interfaces and reachability. Currently, no extra filtering is done, so the client interface should only use ip ranges, which are already filtered from being announced (e.g. 192.168.0.0/16). Using NAT for IPv4 significantly reduces the need for big Freifunk-global IP range allocations.
Signed-off-by: Christian Dresel
Co-authored-by: Fabian Bläse
Signed-off-by: Fabian Bläse
Tested-by: Christian Dresel
---
src/packages/fff/fff-layer3-snat/Makefile | 31 +++++++++++++++++
.../files/etc/layer3.d/33-snat.conf | 34 +++++++++++++++++++
.../files/usr/lib/firewall.d/30-snat | 4 +++
src/packages/fff/fff-layer3/Makefile | 1 +
4 files changed, 70 insertions(+)
create mode 100644 src/packages/fff/fff-layer3-snat/Makefile
create mode 100644 src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
create mode 100644 src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
diff --git a/src/packages/fff/fff-layer3-snat/Makefile b/src/packages/fff/fff-layer3-snat/Makefile
new file mode 100644
index 00000000..0e82310a
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/Makefile
@@ -0,0 +1,31 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-snat
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken layer3 configuration with SNAT
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:= \
+ +fff-firewall \
+ +fff-layer3-config \
+ +kmod-ipt-nat
+endef
+
+define Package/fff-layer3-snat/description
+ With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-layer3-snat/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-snat))
diff --git a/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
new file mode 100644
index 00000000..b7454847
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
@@ -0,0 +1,34 @@
+configure() {
+ # first we delete the snat config
+ uci -q del network.client.fff_snat
+ uci -q del network.client.fff_snat_sourceip
+ if [ "$(uci -q get gateway.@client[0].snat)" = '1' ]; then
+
+ # first check the config is plausible
+ if ! routerip=$(uci -q get gateway.meta.router_ip); then
+ echo "ERROR: No router_ip set, which is required for SNAT!"
+ return 1
+ fi
+ if ! uci -q get gateway.@client[0].ipaddr >/dev/null; then
+ echo "ERROR: No ipaddr set, which is required for SNAT!"
+ return 1
+ fi
+
+ # keep only the first IP
+ routerip=${routerip%% *}
+ # keep only the IP without the CIDR
+ routerip=${routerip%%/*}
+
+ # We set the snat config
+ uci set network.client.fff_snat=1
+ uci set network.client.fff_snat_sourceip=$routerip
+ fi
+}
+
+apply() {
+ uci commit network
+}
+
+revert() {
+ uci revert network
+}
diff --git a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
new file mode 100644
index 00000000..b4ec9799
--- /dev/null
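Review bot: In the 33-snat.conf hunk, `configure()` checks only that `gateway.meta.router_ip` is set, not that what survives the `%% *` and `%%/*` stripping is an IPv4 address, so a malformed or IPv6 value is written to `network.client.fff_snat_sourceip` and the problem only surfaces later when the firewall script hands it to `iptables ... --to-source`. A minimal format check before the `uci set` lines would fail at configure time with a clear message, e.g. `case "$routerip" in *.*.*.*) ;; *) echo "ERROR: router_ip is not an IPv4 address!"; return 1 ;; esac`. The assignment `uci set network.client.fff_snat_sourceip=$routerip` should also quote the value as `"$routerip"` so an unexpected value cannot be word-split into extra arguments.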
+++ b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
@@ -0,0 +1,4 @@
+if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
+ iptables -t mangle -A PREROUTING -i br-client -j MARK --set-mark 0x736e6174
+ iptables -t nat -A POSTROUTING -m mark --mark 0x736e6174 -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+fi
diff --git a/src/packages/fff/fff-layer3/Makefile b/src/packages/fff/fff-layer3/Makefile
index 8318e25d..2d7de3cc 100644
--- a/src/packages/fff/fff-layer3/Makefile
+++ b/src/packages/fff/fff-layer3/Makefile
@@ -15,6 +15,7 @@ define Package/fff-layer3 +fff-boardname \ +fff-dhcp \ +fff-layer3-config \ + +fff-layer3-snat \ +fff-mqtt-monitoring \ +fff-network \ +fff-ra \
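Review bot: In the 30-snat hunk, the `iptables -t nat` line substitutes `network.client.fff_snat_sourceip` unquoted and without checking that it is non-empty, while the guard on the first line tests only `fff_snat`; if the two options get out of step, `--to-source` is passed with no argument, iptables will most likely reject the rule, and the MARK rule from the previous line is left in place with no SNAT behind it. Reading the value once and making the guard require it keeps the two rules consistent: `sourceip=$(uci -q get network.client.fff_snat_sourceip)`, `if [ "$(uci -q get network.client.fff_snat)" = '1' ] && [ -n "$sourceip" ]; then`, and `--to-source "$sourceip"`. The literal mark also deserves a comment so later firewall.d scripts do not reuse it, e.g. `# fwmark tagging br-client traffic for SNAT (0x736e6174 = ASCII "snat")`.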