From 50132381669e578bedac942d0c86ce5176fec282 Mon Sep 17 00:00:00 2001
From: Christian Dresel
Date: Thu, 28 Jan 2021 09:46:33 +0100
Subject: [PATCH 1/2] fff-firewall: Flush nat und mangle iptables table
We should flush all tables and not only filter to reset the complete firewall
Signed-off-by: Christian Dresel
---
 src/packages/fff/fff-firewall/Makefile | 2 +-
 .../fff-firewall/files/usr/lib/firewall.d/00-prepare | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
index 6384a899..42a5b31f 100644
--- a/src/packages/fff/fff-firewall/Makefile
+++ b/src/packages/fff/fff-firewall/Makefile
@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=7
+PKG_RELEASE:=8
 include $(INCLUDE_DIR)/package.mk
diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
index 5a1b9aaf..f3899c90 100644
--- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
+++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/00-prepare
@@ -5,5 +5,17 @@ ebtables -X
 iptables -F
 iptables -X
+iptables -F -t nat
+iptables -X -t nat
+
+iptables -F -t mangle
+iptables -X -t mangle
+
 ip6tables -F
 ip6tables -X
+
+ip6tables -F -t nat
+ip6tables -X -t nat
+
+ip6tables -F -t mangle
+ip6tables -X -t mangle
-- 
2.39.2
From 6d1c5aaa82a41c10e6232ad9d3b15bdfe7fd3463 Mon Sep 17 00:00:00 2001
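Review bot: Flushing (`-F`) and deleting (`-X`) chains leaves the built-in chains' policies untouched, so after this "complete reset" a policy set by an earlier run or another script (e.g. `iptables -P FORWARD DROP`) still applies in every table that is flushed here. If the later firewall.d scripts do not set policies themselves, add `iptables -P INPUT ACCEPT`, `iptables -P FORWARD ACCEPT`, `iptables -P OUTPUT ACCEPT` (and the nat/mangle and ip6tables equivalents) next to the flushes; if they do, a one-line comment here saying where policies are reset would make the intent clear. The new `ip6tables -t nat` lines also presume the kernel provides an IPv6 nat table (kmod-ipt-nat6 on OpenWrt); on an image without it they fail with "can't initialize ip6tables table `nat'", so confirm fff-firewall's dependencies cover that or guard these two lines. The top of 00-prepare (shebang, ebtables flush) is outside the hunk.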
From: Christian Dresel
Date: Thu, 24 Dec 2020 09:57:25 +0100
Subject: [PATCH 2/2] Add package fff-layer3-snat
With this package it is possible to make SNAT with IPv4 on the router The user must set a routerip setting in gateway.meta.routerip to get a single ip for peering interfaces. At ipaddr the user must set a ip that not use in babel (e.g. 192.168.0.1/16) for the clients With this package the ipaddr address is SNAT to the routerip and every router need only one freifunk ip and can use the same ipaddr on every router. It is a system like cgnat from big provider
Signed-off-by: Christian Dresel
---
 src/packages/fff/fff-layer3-snat/Makefile | 32 +++++++++++++++++
 .../files/etc/layer3.d/33-snat.conf | 36 +++++++++++++++++++
 .../files/usr/lib/firewall.d/30-snat | 3 ++
 src/packages/fff/fff-layer3/Makefile | 1 +
 4 files changed, 72 insertions(+)
 create mode 100644 src/packages/fff/fff-layer3-snat/Makefile
 create mode 100644 src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
 create mode 100644 src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
diff --git a/src/packages/fff/fff-layer3-snat/Makefile b/src/packages/fff/fff-layer3-snat/Makefile
new file mode 100644
index 00000000..da65b76c
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/Makefile
@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=fff-layer3-snat
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/fff-layer3-snat
+ SECTION:=base
+ CATEGORY:=Freifunk
+ TITLE:=Freifunk-Franken layer3 configuration with SNAT
+ URL:=https://www.freifunk-franken.de
+ DEPENDS:= \
+ +iptables-mod-nat-extra \
+ +fff-firewall \
+ +fff-layer3-config
+
+endef
+
+define Package/fff-layer3-snat/description
+ With this package it is possible to make SNAT with IPv4 on the router
+endef
+
+define Build/Compile
+ # nothing
+endef
+
+define Package/fff-layer3-snat/install
+ $(CP) ./files/* $(1)/
+endef
+
+$(eval $(call BuildPackage,fff-layer3-snat))
diff --git a/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
new file mode 100644
index 00000000..66305f7c
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/files/etc/layer3.d/33-snat.conf
@@ -0,0 +1,36 @@
+configure() {
+ # first we delete the snat config
+ uci -q del network.client.fff_snat
+ uci -q del network.client.fff_snat_routerip
+ if [ "$(uci -q get gateway.@client[0].snat)" = '1' ]; then
+
+ # first check the config is plausible
+ routerip=$(uci -q get gateway.meta.routerip)
+
+ if ! $routerip; then
+ echo "ERROR: No routerip set, which is required for SNAT!"
+ return 1
+ fi
+ if ! uci -q get gateway.@client[0].ipaddr; then
+ echo "ERROR: No ipaddr set, which is required for SNAT!"
+ return 1
+ fi
+
+ # keep only the first IP
+ routerip=${routerip%% *}
+ # keep only the IP without the CIDR
+ routerip=${routerip%%/*}
+
+ # We set the snat config
+ uci set network.client.fff_snat=1
+ uci set network.client.fff_snat_sourceip=$routerip
+ fi
+}
+
+apply() {
+ uci commit network
+}
+
+revert() {
+ uci revert network
+}
diff --git a/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
new file mode 100644
index 00000000..d77844be
--- /dev/null
+++ b/src/packages/fff/fff-layer3-snat/files/usr/lib/firewall.d/30-snat
@@ -0,0 +1,3 @@
+if [ "$(uci -q get network.client.fff_snat)" = '1' ]; then
+ iptables -t nat -A POSTROUTING -i br-client -j SNAT --to-source $(uci -q get network.client.fff_snat_sourceip)
+fi
diff --git a/src/packages/fff/fff-layer3/Makefile b/src/packages/fff/fff-layer3/Makefile
index ce3d2002..f0069b36 100644
--- a/src/packages/fff/fff-layer3/Makefile
+++ b/src/packages/fff/fff-layer3/Makefile
@@ -15,6 +15,7 @@ define Package/fff-layer3
 +fff-boardname \
 +fff-dhcp \
 +fff-layer3-config \
+ +fff-layer3-snat \
 +fff-network \
 +fff-ra \
 +fff-wireguard \
-- 
2.39.2
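Review bot: `if ! $routerip; then` in configure() executes the configured value as a shell command instead of testing whether it is set: with routerip empty the word expands to nothing, the empty command succeeds and `!` makes the guard false, so the error is never printed; with a real address a non-existent command is run (exit 127), `!` turns that into the error path and configure() returns 1 — SNAT can therefore never be enabled, and whatever string an operator stores in gateway.meta.routerip is run by the configuration step (presumably as root). Replace it with `if [ -z "$routerip" ]; then`. The cleanup at the top deletes `network.client.fff_snat_routerip`, but the option written further down is `network.client.fff_snat_sourceip`, so a stale source ip survives a later snat=0 reconfigure; delete the key you actually set, `uci -q del network.client.fff_snat_sourceip`. It would also be worth quoting the final assignment, `uci set network.client.fff_snat_sourceip="$routerip"`, and rejecting a remaining token that does not look like a dotted-quad before 30-snat hands it to iptables.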
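Review bot: `-i br-client` is not accepted in the nat POSTROUTING chain — iptables only allows `-i` in INPUT, FORWARD and PREROUTING and rejects this rule with "Can't use -i with POSTROUTING", so the line fails when the firewall is loaded and no SNAT is ever installed. Match on the client prefix instead, e.g. `-s "$(uci -q get gateway.@client[0].ipaddr)"` (iptables masks a host/prefix such as 192.168.0.1/16 to its network), or on the egress side with `! -o br-client` if every non-client interface should be translated; which of the two fits the intended peering setup I cannot tell from here, so please confirm. The `--to-source` substitution should be quoted as well, and the rule skipped when the value is empty, since an unset source ip otherwise aborts iptables with a usage error.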
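Review bot: Adding `+fff-layer3-snat` as a hard dependency installs the SNAT package, and the `iptables-mod-nat-extra` modules it pulls in, into every fff-layer3 image, including routers that never set `snat=1`. If the feature is meant to be opt-in, a selectable package would keep the NAT code off nodes that do not need it; if always shipping it is intended, a short comment on this line saying so would spare the next reader the question. The `define Package/fff-layer3` block begins before this hunk.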