Add package fff-layer3-snat

With this package it is possible to make SNAT with IPv4 on the router

The user must set a routerip setting in gateway.meta.routerip to get a single ip for peering interfaces.
At ipaddr the user must set a ip that not use in babel (e.g. 192.168.0.1/16) for the clients

With this package the ipaddr address is SNAT to the routerip and every router need only one
freifunk ip and can use the same ipaddr on every router.

It is a system like cgnat from big provider

Signed-off-by: Christian Dresel <freifunk@dresel.systems>

src/packages/fff/fff-firewall/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=7
+PKG_RELEASE:=8
 
 include $(INCLUDE_DIR)/package.mk
 

src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare

@@ -5,5 +5,17 @@ ebtables -X
 iptables -F
 iptables -X
 
+iptables -F -t nat
+iptables -X -t nat
+
+iptables -F -t mangle
+iptables -X -t mangle
+
 ip6tables -F
 ip6tables -X
+
+ip6tables -F -t nat
+ip6tables -X -t nat
+
+ip6tables -F -t mangle
+ip6tables -X -t mangle

src/packages/fff/fff-layer3-snat/Makefile

@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-snat
+	SECTION:=base
+	CATEGORY:=Freifunk
+	TITLE:=Freifunk-Franken layer3 configuration with SNAT
+	URL:=https://www.freifunk-franken.de
+	DEPENDS:= \
+		+iptables-mod-nat-extra \
+		+fff-firewall \
+		+fff-layer3-config
+
+endef
+
+define Package/fff-layer3-snat/description
+	With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+	# nothing
+endef
+
+define Package/fff-layer3-snat/install
+	$(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-snat))

src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf

@@ -0,0 +1,36 @@
+configure() {
+	# first we delete the snat config
+	uci -q del network.client.fff_snat
+	uci -q del network.client.fff_snat_routerip
+	if [ "$(uci -q get gateway.@client[0].snat)" = '1' ]; then
+
+		# first check the config is plausible
+                routerip=$(uci -q get gateway.meta.routerip)
+		
+		if ! $routerip; then
+			echo "ERROR: No routerip set, which is required for SNAT!"
+			return 1
+		fi
+		if ! uci -q get gateway.@client[0].ipaddr; then
+			echo "ERROR: No ipaddr set, which is required for SNAT!"
+			return 1
+		fi
+
+		# keep only the first IP
+                routerip=${routerip%% *}
+		# keep only the IP without the CIDR
+                routerip=${routerip%%/*}
+
+		# We set the snat config
+		uci set network.client.fff_snat=1
+		uci set network.client.fff_snat_sourceip=$routerip
+	fi
+}
+
+apply() {
+	uci commit network
+}
+
+revert() {
+	uci revert network
+}

src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat

@@ -0,0 +1,3 @@
+if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
+	iptables -t nat -A POSTROUTING -i br-client -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+fi

src/packages/fff/fff-layer3/Makefile

@@ -15,6 +15,7 @@ define Package/fff-layer3
 	         +fff-boardname \
 	         +fff-dhcp \
 	         +fff-layer3-config \
+                 +fff-layer3-snat \
 	         +fff-network \
 	         +fff-ra \
 	         +fff-wireguard \