forked from freifunk-franken/firmware
fff-babeld: create filter for prefixes used with snat
If a prefix is used for a client interface utilizing snat, it shall not be publicly reachable, so it can be reused across multiple routers. To prevent such prefixes from leaking, create appropriate babel filters if snat is used. Fixes: #196 Signed-off-by: Fabian Bläse <fabian@blaese.de> Reviewed-by: Christian Dresel <freifunk@dresel.systems>
parent
87d923c1ef
commit
9a3b499cae
|
@ -90,6 +90,13 @@ configure() {
|
||||||
for prefix in $(uci -q get gateway.@client[0].ip6addr); do
|
for prefix in $(uci -q get gateway.@client[0].ip6addr); do
|
||||||
babel_add_redistribute_filter "$prefix"
|
babel_add_redistribute_filter "$prefix"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
## add deny filters for client prefixes used with snat
|
||||||
|
if [ "$(uci -q get gateway.@client[0].snat)" = "1" ]; then
|
||||||
|
for prefix in $(uci -q get gateway.@client[0].ipaddr); do
|
||||||
|
babel_add_private_prefix_filter "$prefix"
|
||||||
|
done
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
apply() {
|
apply() {
|
||||||
|
|
|
@ -111,6 +111,33 @@ babel_add_redistribute_filter() {
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
babel_add_private_prefix_filter() {
|
||||||
|
[ "$#" -ne "1" ] && return 1
|
||||||
|
|
||||||
|
local prefix="$1"
|
||||||
|
|
||||||
|
config=$(uci add babeld filter)
|
||||||
|
uci set babeld.$config.type='redistribute'
|
||||||
|
uci set babeld.$config.ip="$prefix"
|
||||||
|
uci set babeld.$config.addedbyautoconfig='true'
|
||||||
|
uci set babeld.$config.action='deny'
|
||||||
|
|
||||||
|
# move to top, so filter rule has precedence over all other rules
|
||||||
|
uci reorder babeld.$config=0
|
||||||
|
|
||||||
|
config=$(uci add babeld filter)
|
||||||
|
uci set babeld.$config.type='redistribute'
|
||||||
|
uci set babeld.$config.ip="$prefix"
|
||||||
|
uci set babeld.$config.addedbyautoconfig='true'
|
||||||
|
uci set babeld.$config.local='true'
|
||||||
|
uci set babeld.$config.action='deny'
|
||||||
|
|
||||||
|
# move to top, so filter rule has precedence over all other rules
|
||||||
|
uci reorder babeld.$config=0
|
||||||
|
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
babel_remove_custom_redistribute_filters() {
|
babel_remove_custom_redistribute_filters() {
|
||||||
[ "$#" -ne "0" ] && return 1
|
[ "$#" -ne "0" ] && return 1
|
||||||
|
|
||||||
|
|
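Review bot: `babel_add_private_prefix_filter` (second hunk) fails open: neither `config=$(uci add babeld filter)` assignment is checked and the function ends in an unconditional `return 0`, so if `uci add` fails the deny rules are presumably never created while the caller is told it succeeded. As far as this diff shows, these two filters are what keeps a reused SNAT prefix from being redistributed, so I would write both assignments as `config=$(uci add babeld filter) || return 1` and have the call in `configure()` (first hunk) act on a non-zero status, e.g. `babel_add_private_prefix_filter "$prefix" || return 1`. `config` is also assigned without `local`, unlike `prefix`, so it overwrites any variable of that name in the caller; a `local config` line next to `local prefix="$1"` would contain it. `configure()` starts outside the hunk, so whether its own return value is checked further up cannot be seen here.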