fff-babeld: create filter for prefixes used with snat

If a prefix is used for a client interface utilizing snat, it shall
not be publicly reachable, so it can be reused across multiple routers.

To prevent such prefixes from leaking, create appropriate babel filters
if snat is used.

Fixes: #196

Signed-off-by: Fabian Bläse <fabian@blaese.de>
Reviewed-by: Christian Dresel <freifunk@dresel.systems>

src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel

@@ -90,6 +90,13 @@ configure() {
 	for prefix in $(uci -q get gateway.@client[0].ip6addr); do
 		babel_add_redistribute_filter "$prefix"
 	done
+
+	## add deny filters for client prefixes used with snat
+	if [ "$(uci -q get gateway.@client[0].snat)" = "1" ]; then
+		for prefix in $(uci -q get gateway.@client[0].ipaddr); do
+			babel_add_private_prefix_filter "$prefix"
+		done
+	fi
 }
 
 apply() {

src/packages/fff/fff-babeld/files/lib/functions/fff/babel

@@ -111,6 +111,33 @@ babel_add_redistribute_filter() {
 	return 0
 }
 
+babel_add_private_prefix_filter() {
+	[ "$#" -ne "1" ] && return 1
+
+	local prefix="$1"
+
+	config=$(uci add babeld filter)
+	uci set babeld.$config.type='redistribute'
+	uci set babeld.$config.ip="$prefix"
+	uci set babeld.$config.addedbyautoconfig='true'
+	uci set babeld.$config.action='deny'
+
+	# move to top, so filter rule has precedence over all other rules
+	uci reorder babeld.$config=0
+
+	config=$(uci add babeld filter)
+	uci set babeld.$config.type='redistribute'
+	uci set babeld.$config.ip="$prefix"
+	uci set babeld.$config.addedbyautoconfig='true'
+	uci set babeld.$config.local='true'
+	uci set babeld.$config.action='deny'
+
+	# move to top, so filter rule has precedence over all other rules
+	uci reorder babeld.$config=0
+
+	return 0
+}
+
 babel_remove_custom_redistribute_filters() {
 	[ "$#" -ne "0" ] && return 1