From 9a3b499caef6470df33a419710a8ea684c8bda77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Sun, 6 Mar 2022 10:26:11 +0100
Subject: [PATCH] fff-babeld: create filter for prefixes used with snat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a prefix is used for a client interface utilizing snat, it shall not be publicly reachable, so it can be reused across multiple routers. To prevent such prefixes from leaking, create appropriate babel filters if snat is used.

Fixes: #196
Signed-off-by: Fabian Bläse
Reviewed-by: Christian Dresel
---
 .../fff-babeld/files/etc/layer3.d/40-babel | 7 +++++
 .../fff-babeld/files/lib/functions/fff/babel | 27 +++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel b/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel
index c238cc16..04b17c91 100644
--- a/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel
+++ b/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel
@@ -90,6 +90,13 @@ configure() {
 for prefix in $(uci -q get gateway.@client[0].ip6addr); do
 babel_add_redistribute_filter "$prefix"
 done
+
+ ## add deny filters for client prefixes used with snat
+ if [ "$(uci -q get gateway.@client[0].snat)" = "1" ]; then
+ for prefix in $(uci -q get gateway.@client[0].ipaddr); do
+ babel_add_private_prefix_filter "$prefix"
+ done
+ fi
 }
 
 apply() {
diff --git a/src/packages/fff/fff-babeld/files/lib/functions/fff/babel b/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
index 83c3a58c..fa4e7e9c 100644
--- a/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
+++ b/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
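Review bot: The guard `[ "$(uci -q get gateway.@client[0].snat)" = "1" ]` in configure() matches only the literal string 1, so a configuration that spells the option as `true`, `on` or `yes` (all accepted UCI boolean forms) would silently skip the deny filters and the reused client prefix would still be redistributed — the exact leak this change sets out to prevent. Unless snat is normalized to 0/1 elsewhere in the project (not visible here), accept the other spellings, e.g. `case "$(uci -q get gateway.@client[0].snat)" in 1|on|true|yes|enabled)` with the loop in that branch and `esac` closing it. A short comment would also help the next maintainer: the deny filters are only created when snat is set at configure time, so turning snat off later relies on the autoconfig cleanup to drop them — presumably the existing remove helper covers filters tagged addedbyautoconfig, but that is worth confirming. babel_add_private_prefix_filter itself is defined in the second hunk of this patch.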
@@ -111,6 +111,33 @@ babel_add_redistribute_filter() {
 return 0
 }
 
+babel_add_private_prefix_filter() {
+ [ "$#" -ne "1" ] && return 1
+
+ local prefix="$1"
+
+ config=$(uci add babeld filter)
+ uci set babeld.$config.type='redistribute'
+ uci set babeld.$config.ip="$prefix"
+ uci set babeld.$config.addedbyautoconfig='true'
+ uci set babeld.$config.action='deny'
+
+ # move to top, so filter rule has precedence over all other rules
+ uci reorder babeld.$config=0
+
+ config=$(uci add babeld filter)
+ uci set babeld.$config.type='redistribute'
+ uci set babeld.$config.ip="$prefix"
+ uci set babeld.$config.addedbyautoconfig='true'
+ uci set babeld.$config.local='true'
+ uci set babeld.$config.action='deny'
+
+ # move to top, so filter rule has precedence over all other rules
+ uci reorder babeld.$config=0
+
+ return 0
+}
+
 babel_remove_custom_redistribute_filters() {
 [ "$#" -ne "0" ] && return 1