From 9c11cc729698b3986133fe83666fb03aa7e6592e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabian=20Bl=C3=A4se?=
Date: Sun, 6 Mar 2022 10:26:11 +0100
Subject: [PATCH] fff-babeld: create filter for prefixes used with snat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If a prefix is used for a client interface utilizing snat, it shall not be publicly reachable, so it can be reused across multiple routers. To prevent such prefixes from leaking, create appropriate babel filters if snat is used.

Fixes: #196
Signed-off-by: Fabian Bläse
---
 .../fff-babeld/files/etc/layer3.d/40-babel | 7 +++++
 .../fff-babeld/files/lib/functions/fff/babel | 27 +++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel b/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel
index c238cc16..04b17c91 100644
--- a/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel
+++ b/src/packages/fff/fff-babeld/files/etc/layer3.d/40-babel
@@ -90,6 +90,13 @@ configure() {
 for prefix in $(uci -q get gateway.@client[0].ip6addr); do
 babel_add_redistribute_filter "$prefix"
 done
+
+ ## add deny filters for client prefixes used with snat
+ if [ "$(uci -q get gateway.@client[0].snat)" = "1" ]; then
+ for prefix in $(uci -q get gateway.@client[0].ipaddr); do
+ babel_add_private_prefix_filter "$prefix"
+ done
+ fi
 }

 apply() {
diff --git a/src/packages/fff/fff-babeld/files/lib/functions/fff/babel b/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
index 83c3a58c..fa4e7e9c 100644
--- a/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
+++ b/src/packages/fff/fff-babeld/files/lib/functions/fff/babel
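Review bot: The comment on the new block in configure() says what it does but not why the prefixes must be kept out of babel, which is what a later reader needs when deciding whether the deny rules are still required; suggest `## client prefixes behind snat are reused across routers and must never be redistributed`. The block also mirrors the ip6addr loop above it in reading only `gateway.@client[0]`, so if more than one client section can exist, further sections would get no deny filter; that is inherited from the existing pattern rather than introduced here, but worth a note if multiple sections are possible. configure() begins before the hunk.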
@@ -111,6 +111,33 @@ babel_add_redistribute_filter() {
 return 0
 }

+babel_add_private_prefix_filter() {
+ [ "$#" -ne "1" ] && return 1
+
+ local prefix="$1"
+
+ config=$(uci add babeld filter)
+ uci set babeld.$config.type='redistribute'
+ uci set babeld.$config.ip="$prefix"
+ uci set babeld.$config.addedbyautoconfig='true'
+ uci set babeld.$config.action='deny'
+
+ # move to top, so filter rule has precedence over all other rules
+ uci reorder babeld.$config=0
+
+ config=$(uci add babeld filter)
+ uci set babeld.$config.type='redistribute'
+ uci set babeld.$config.ip="$prefix"
+ uci set babeld.$config.addedbyautoconfig='true'
+ uci set babeld.$config.local='true'
+ uci set babeld.$config.action='deny'
+
+ # move to top, so filter rule has precedence over all other rules
+ uci reorder babeld.$config=0
+
+ return 0
+}
+
 babel_remove_custom_redistribute_filters() {
 [ "$#" -ne "0" ] && return 1

-- 
2.39.2
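Review bot: `config` is assigned without `local` in babel_add_private_prefix_filter, unlike `prefix` two lines above it, so both `config=$(uci add babeld filter)` assignments clobber any `config` variable the caller holds and leave the last section name behind after return; declare it with `local config` next to `local prefix="$1"`. The two filter blocks differ only in the `local='true'` line, so a single loop over the two variants removes the duplication and keeps the two reorder steps from drifting apart. It is also worth confirming that a babeld redistribute filter with only `ip` set matches more-specific routes inside the snat prefix as well; if it matches the exact prefix only, a `ge` bound would be needed for the deny rule to actually stop sub-prefixes from leaking. babel_remove_custom_redistribute_filters() continues outside the hunk.
```shell
babel_add_private_prefix_filter() {
    [ "$#" -ne "1" ] && return 1

    local prefix="$1"
    local config
    local is_local

    # one deny rule without the local flag and one with it, both moved to the top
    for is_local in false true; do
        config=$(uci add babeld filter)
        uci set babeld.$config.type='redistribute'
        uci set babeld.$config.ip="$prefix"
        uci set babeld.$config.addedbyautoconfig='true'
        [ "$is_local" = "true" ] && uci set babeld.$config.local='true'
        uci set babeld.$config.action='deny'

        # move to top, so filter rule has precedence over all other rules
        uci reorder babeld.$config=0
    done

    return 0
}
```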