fff-babeld: create filter for prefixes used with snat
If a prefix is used for a client interface utilizing snat, it shall not be publicly reachable, so it can be reused across multiple routers. To prevent such prefixes from leaking, create appropriate babel filters if snat is used. Fixes: #196 Signed-off-by: Fabian Bläse <fabian@blaese.de>
parent
27baecaf37
commit
9c11cc7296
|
@ -90,6 +90,13 @@ configure() {
|
|||
for prefix in $(uci -q get gateway.@client[0].ip6addr); do
|
||||
babel_add_redistribute_filter "$prefix"
|
||||
done
|
||||
|
||||
## add deny filters for client prefixes used with snat
|
||||
if [ "$(uci -q get gateway.@client[0].snat)" = "1" ]; then
|
||||
for prefix in $(uci -q get gateway.@client[0].ipaddr); do
|
||||
babel_add_private_prefix_filter "$prefix"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
apply() {
|
||||
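Review bot: The status of `babel_add_private_prefix_filter "$prefix"` is discarded in the new loop, so if the deny rule cannot be created, configuration carries on and the SNAT prefix may still be announced. Since this rule is what keeps a reused private prefix from leaking, the call should fail visibly, for example `babel_add_private_prefix_filter "$prefix" || return 1`, or at least print a message to stderr, depending on how the rest of configure() reports errors. The body of configure() starts outside the hunk, so its error convention is not visible here. A short comment saying that only `ipaddr` is covered because SNAT applies to the IPv4 client prefix would also help, if that is the intent.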
|
|
|
@ -111,6 +111,33 @@ babel_add_redistribute_filter() {
|
|||
return 0
|
||||
}
|
||||
|
||||
babel_add_private_prefix_filter() {
|
||||
[ "$#" -ne "1" ] && return 1
|
||||
|
||||
local prefix="$1"
|
||||
|
||||
config=$(uci add babeld filter)
|
||||
uci set babeld.$config.type='redistribute'
|
||||
uci set babeld.$config.ip="$prefix"
|
||||
uci set babeld.$config.addedbyautoconfig='true'
|
||||
uci set babeld.$config.action='deny'
|
||||
|
||||
# move to top, so filter rule has precedence over all other rules
|
||||
uci reorder babeld.$config=0
|
||||
|
||||
config=$(uci add babeld filter)
|
||||
uci set babeld.$config.type='redistribute'
|
||||
uci set babeld.$config.ip="$prefix"
|
||||
uci set babeld.$config.addedbyautoconfig='true'
|
||||
uci set babeld.$config.local='true'
|
||||
uci set babeld.$config.action='deny'
|
||||
|
||||
# move to top, so filter rule has precedence over all other rules
|
||||
uci reorder babeld.$config=0
|
||||
|
||||
return 0
|
||||
}
|
||||
|
||||
babel_remove_custom_redistribute_filters() {
|
||||
[ "$#" -ne "0" ] && return 1
|
||||
|
||||
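Review bot: Neither `config=$(uci add babeld filter)` call in babel_add_private_prefix_filter is checked, and the function ends in `return 0` regardless. If `uci add` fails, `$config` is empty, the following `uci set babeld.$config.…` calls fail, and the caller is still told the deny filter exists. Use `config=$(uci add babeld filter) || return 1` in both places so a missing filter is not reported as success. `config` is also assigned without `local`, so it overwrites any variable of that name in the calling scope; add `local config` next to `local prefix="$1"`. The two blocks differ only in `local='true'`, so a one-line comment on why both the plain and the `local` rule are needed would save the next reader a trip to the babeld documentation.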
|
|