diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile index 6384a899..42a5b31f 100644 --- a/src/packages/fff/fff-firewall/Makefile +++ b/src/packages/fff/fff-firewall/Makefile @@ -1,7 +1,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=fff-firewall -PKG_RELEASE:=7 +PKG_RELEASE:=8 include $(INCLUDE_DIR)/package.mk diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare index 5a1b9aaf..f3899c90 100644 --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare @@ -5,5 +5,17 @@ ebtables -X iptables -F iptables -X +iptables -F -t nat +iptables -X -t nat + +iptables -F -t mangle +iptables -X -t mangle + ip6tables -F ip6tables -X + +ip6tables -F -t nat +ip6tables -X -t nat + +ip6tables -F -t mangle +ip6tables -X -t mangle diff --git a/src/packages/fff/fff-layer3-snat/Makefile b/src/packages/fff/fff-layer3-snat/Makefile new file mode 100644 index 00000000..da65b76c --- /dev/null +++ b/src/packages/fff/fff-layer3-snat/Makefile @@ -0,0 +1,32 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=fff-layer3-snat +PKG_RELEASE:=1 + +include $(INCLUDE_DIR)/package.mk + +define Package/fff-layer3-snat + SECTION:=base + CATEGORY:=Freifunk + TITLE:=Freifunk-Franken layer3 configuration with SNAT + URL:=https://www.freifunk-franken.de + DEPENDS:= \ + +iptables-mod-nat-extra \ + +fff-firewall \ + +fff-layer3-config + +endef + +define Package/fff-layer3-snat/description + With this package it is possible to make SNAT with IPv4 on the router +endef + +define Build/Compile + # nothing +endef + +define Package/fff-layer3-snat/install + $(CP) ./files/* $(1)/ +endef + +$(eval $(call BuildPackage,fff-layer3-snat)) 
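Review bot: The new `ip6tables -F -t nat` / `ip6tables -X -t nat` lines in 00-prepare assume the IPv6 nat table exists, but nothing visible in this commit pulls in an IPv6 NAT module (fff-layer3-snat only depends on `iptables-mod-nat-extra`). On an image without that table both commands fail on every firewall reload. Whether that aborts the script depends on how 00-prepare is run, which starts outside this hunk. Either declare the dependency in fff-firewall or guard the two lines, e.g. `grep -qs nat /proc/net/ip6_tables_names && ip6tables -F -t nat`. A short comment that `-F`/`-X` leave chain policies untouched would also help the next reader.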
diff --git a/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf new file mode 100644 index 00000000..66305f7c --- /dev/null +++ b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf @@ -0,0 +1,36 @@ +configure() { + # first we delete the snat config + uci -q del network.client.fff_snat + uci -q del network.client.fff_snat_routerip + if [ "$(uci -q get gateway.@client[0].snat)" = '1' ]; then + + # first check the config is plausible + routerip=$(uci -q get gateway.meta.routerip) + + if ! $routerip; then + echo "ERROR: No routerip set, which is required for SNAT!" + return 1 + fi + if ! uci -q get gateway.@client[0].ipaddr; then + echo "ERROR: No ipaddr set, which is required for SNAT!" + return 1 + fi + + # keep only the first IP + routerip=${routerip%% *} + # keep only the IP without the CIDR + routerip=${routerip%%/*} + + # We set the snat config + uci set network.client.fff_snat=1 + uci set network.client.fff_snat_sourceip=$routerip + fi +} + +apply() { + uci commit network +} + +revert() { + uci revert network +} diff --git a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat new file mode 100644 index 00000000..d77844be --- /dev/null +++ b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat @@ -0,0 +1,3 @@ +if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then + iptables -t nat -A POSTROUTING -i br-client -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip) +fi diff --git a/src/packages/fff/fff-layer3/Makefile b/src/packages/fff/fff-layer3/Makefile index ce3d2002..f0069b36 100644 --- a/src/packages/fff/fff-layer3/Makefile +++ b/src/packages/fff/fff-layer3/Makefile @@ -15,6 +15,7 @@ define Package/fff-layer3 +fff-boardname \ +fff-dhcp \ +fff-layer3-config \ + +fff-layer3-snat \ +fff-network \ +fff-ra \ +fff-wireguard \
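Review bot: In configure() of 33-snat.conf, `if ! $routerip; then` runs the value of gateway.meta.routerip as a command instead of testing it for emptiness. An empty value passes the check, a configured address fails it with "No routerip set", and a value that happens to name a program would be executed as root. The cleanup at the top deletes `network.client.fff_snat_routerip`, while the code writes `fff_snat_sourceip`, so the old source IP is never removed. The ipaddr check also prints the address to stdout, and `$routerip` is unquoted in `uci set`. The lines I would change are below.

```shell
configure() {
	# … unchanged: delete network.client.fff_snat …
	uci -q del network.client.fff_snat_sourceip
	# … unchanged: snat enabled test, routerip lookup …
		if [ -z "$routerip" ]; then
	# … unchanged: error message and return 1 …
		if ! uci -q get gateway.@client[0].ipaddr >/dev/null; then
	# … unchanged: error message, routerip trimming, fff_snat=1 …
		uci set network.client.fff_snat_sourceip="$routerip"
```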
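Review bot: The rule in 30-snat uses `-i br-client` in the nat POSTROUTING chain, where iptables does not accept an input-interface match, so the command is rejected and no SNAT rule is installed. The `--to-source` argument is an unquoted command substitution, so an empty fff_snat_sourceip yields a malformed command rather than a clear error. Read the value once, skip the rule when it is empty, and select the client traffic in a way POSTROUTING allows, for example `iptables -t nat -A POSTROUTING -s <CLIENT_SUBNET> -j SNAT --to-source "$sourceip"`. `<CLIENT_SUBNET>` is a placeholder for the client network taken from the gateway config. Marking packets in mangle PREROUTING and matching the mark in POSTROUTING would also work, if the image ships the mark modules.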