[PATCH 1/7] fff: advertise fdff:0::/64 to access web interface

Christian Dresel fff at chrisi01.de
Mo Feb 8 17:13:22 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

auch wenn das Patch schon durch ist, will ich nochmal kurz was
anmerken und nachfragen:

Am 06.01.2016 um 18:39 schrieb Tim Niemeyer:
> This patch adds a prefix advertisement for each node. Every node also
> gets the IPs * $prefix::MAC * $prefix::link-local * $prefix::1
> 
> ::1 is duplicated so we need filtering to not forward data into
> the network for ::1.
> 
> Signed-off-by: Tim Niemeyer <tim.niemeyer at mastersword.de> ---
> 
> bsp/default/root_file_system/etc/firewall.user     | 21
> ++++++++++++ bsp/default/root_file_system/etc/network.sh        |
> 38 ++++++++++++++++++++++ src/packages/fff/fff/Makefile
> |  4 +-- .../fff/fff/files/etc/uci-defaults/localdhcp       | 18
> ++++++++++ 4 files changed, 79 insertions(+), 2 deletions(-) create
> mode 100644 src/packages/fff/fff/files/etc/uci-defaults/localdhcp
> 
> diff --git a/bsp/default/root_file_system/etc/firewall.user
> b/bsp/default/root_file_system/etc/firewall.user index
> 1af101c..7bcf82d 100755 ---
> a/bsp/default/root_file_system/etc/firewall.user +++
> b/bsp/default/root_file_system/etc/firewall.user @@ -59,6 +59,15 @@
> ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN 
> ######## INPUT ############ ebtables -P INPUT ACCEPT
> 
> +# Erlaube dhcpv6 request / router solicitation von client zu
> knoten +ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto udp
> --ip6-dport 547 -j ACCEPT +ebtables -A INPUT -p IPv6 -i ! bat0
> --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j
> ACCEPT +ebtables -A INPUT -d Multicast --logical-in br-mesh -i !
> bat0 -j ACCEPT + +# No input from/to local node ip from batman 
> +ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6
> --ip6-source fdff::1/128 -j DROP +ebtables -A INPUT --logical-in
> br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP

könnte man hier evtl. /120 nehmen? Dann kann man lokal mit fdff::2 bis
fdff::255 arbeiten (z.B. einem Laptop manuell eine Adresse geben), um auf das WebUI
zu kommen, ohne dass man sich mit anderen in die Quere kommt.

Ich bin mit IPv6 nicht sonderlich fit, falls es andere Nachteile hat
und nicht gut ist, würde ich mich über ne Erklärung freuen :)

mfg

Christian

> + # Erlaube nur DHCP Antworten von BATMAN -> KNOTEN ebtables -A
> INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY # Erlaube nur
> DHCPv6 Antworten von BATMAN -> KNOTEN @@ -71,6 +80,10 @@ ebtables
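Review bot: The INPUT rule `ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT` accepts every multicast frame arriving from the client-side ports, not only the DHCPv6 solicit and router-solicitation traffic that the comment directly above it describes; if only those two are meant, restricting it to `-p IPv6` (or to the specific --ip6-proto / destination) keeps it consistent with the two rules before it, otherwise the comment should say that all client-side multicast is accepted. The node address `fdff::1/128` is hard-coded here and again in the FORWARD and OUTPUT hunks below, while network.sh derives the same address from `prefix="fdff:0::/64"`; a comment naming that coupling, `# must match $prefix in /etc/network.sh`, next to the first DROP rule would prevent the filter silently stopping to match if the prefix is ever changed.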
> -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type
> router-s ######## FORWARD ############ ebtables -P FORWARD ACCEPT
> 
> +# Do not forward local node ip +ebtables -A FORWARD --logical-out
> br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP 
> +ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6
> --ip6-source fdff::1/128 -j DROP + # Erlaube nur DHCP Request von
> CLIENT -> BATMAN ebtables -A FORWARD -p IPv4 --ip-proto udp
> --ip-dport 67 -j OUT_ONLY # Erlaube nur DHCP Antworten von BATMAN
> -> CLIENT @@ -89,6 +102,14 @@ ebtables -A FORWARD -d Multicast
> --logical-out br-mesh -o bat0 -j MULTICAST_OUT ######## OUTPUT
> ############ ebtables -P OUTPUT ACCEPT
> 
> +# Erlaube dhcpv6 reply / router advertisment von knoten zu client 
> +ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto udp --ip6-dport
> 546 -j ACCEPT +ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto
> ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT + +# Do
> not output local node ip to batman +ebtables -A OUTPUT
> --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128
> -j DROP +ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6
> --ip6-source fdff::1/128 -j DROP + # Erlaube nur DHCP Request von
> KNOTEN -> BATMAN ebtables -A OUTPUT -p IPv4 --ip-proto udp
> --ip-dport 67 -j OUT_ONLY # Erlaube nur DHCPv6 Request von KNOTEN
> -> BATMAN diff --git a/bsp/default/root_file_system/etc/network.sh
> b/bsp/default/root_file_system/etc/network.sh index
> 6c64083..8c99305 100644 ---
> a/bsp/default/root_file_system/etc/network.sh +++
> b/bsp/default/root_file_system/etc/network.sh @@ -113,3 +113,41 @@
> if [[ -n "$ETH0MAC" ]]; then ifconfig eth0 up /etc/init.d/network
> restart fi + +if uci get network.mesh.ip6addr +then +    echo "IPv6
> for mesh is set already" +else +    # Some time needed :( +
> sleep 5 + +    for ip in $(ip -6 addr show br-mesh | awk '/fdff/{
> print $2 }'); do +        ip -6 addr del $ip dev br-mesh +    done 
> + +    prefix="fdff:0::/64" +    # Set $prefix::MAC as IP +
> suffix=$(awk -F: '{ print $1$2":"$3$4":"$5$6 }'
> /sys/class/net/br-mesh/address) +    addr=$(echo $prefix | sed -e
> 's/\//'$suffix'\//') +    ip -6 addr add $addr dev br-mesh + +
> uci -q del network.globals +    uci -q set network.globals=globals 
> +    uci -q set network.globals.ula_prefix=$prefix +    uci -q
> add_list network.mesh.ip6addr=$addr +    uci -q set
> network.mesh.proto=static + +    # Set $prefix::1 as IP +
> suffix="1" +    addr=$(echo $prefix | sed -e 's/\//'$suffix'\//') +
> ip -6 addr add $addr dev br-mesh +    uci -q add_list
> network.mesh.ip6addr=$addr + +    # Set $prefix::link-local as IP +
> suffix=$(awk -F: '{ printf("%02x%s:%sff:fe%s:%s%s\n",
> xor(("0x"$1),2), $2, $3, $4, $5, $6) }'
> /sys/class/net/br-mesh/address) +    addr=$(echo $prefix | sed -e
> 's/\//'$suffix'\//') +    ip -6 addr add $addr dev br-mesh +    uci
> -q add_list network.mesh.ip6addr=$addr + +    uci -q commit
> network +fi diff --git a/src/packages/fff/fff/Makefile
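Review bot: The clean-up loop `for ip in $(ip -6 addr show br-mesh | awk '/fdff/{ print $2 }')` matches any output line containing the substring `fdff`, so an unrelated address whose interface identifier happens to contain that hex sequence (possible in an EUI-64 derived from a MAC ending in `fd:ff`) would be deleted too; anchoring the test to the address field, `awk '$2 ~ /^fdff:/ { print $2 }'`, limits it to the ULA prefix. The link-local suffix relies on `xor(("0x"$1),2)`, and whether `"0x"$1` is parsed as hexadecimal depends on the awk implementation (gawk does not by default), so this should be confirmed against the awk shipped on the target image. The three `ip -6 addr add $addr dev br-mesh` calls are unchecked before `uci -q commit network`, so a failed add still gets persisted into the uci config; `ip -6 addr add "$addr" dev br-mesh || exit 1` (or skipping the commit on failure) avoids that. `sleep 5` carries only `# Some time needed :(`; a comment stating what is being waited for (presumably the br-mesh bridge coming up after the network restart above) would make the delay maintainable. The `if` block is the tail of the file and lies entirely inside the hunk.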
> b/src/packages/fff/fff/Makefile index e29713f..d92da91 100644 ---
> a/src/packages/fff/fff/Makefile +++
> b/src/packages/fff/fff/Makefile @@ -2,7 +2,7 @@ include
> $(TOPDIR)/rules.mk
> 
> PKG_NAME:=fff PKG_VERSION:=0.0.1 -PKG_RELEASE:=4 +PKG_RELEASE:=5
> 
> PKG_BUILD_DIR:=$(BUILD_DIR)/fff
> 
> @@ -14,7 +14,7 @@ define Package/fff-base DEFAULT:=y TITLE:=
> Freifunk-Franken Base URL:=http://www.freifunk-franken.de -
> DEPENDS:=+micrond +fff-nodewatcher +fff-web +    DEPENDS:=+micrond
> +fff-nodewatcher +fff-web +odhcpd endef
> 
> define Package/fff-base/description diff --git
> a/src/packages/fff/fff/files/etc/uci-defaults/localdhcp
> b/src/packages/fff/fff/files/etc/uci-defaults/localdhcp new file
> mode 100644 index 0000000..d9fdb6d --- /dev/null +++
> b/src/packages/fff/fff/files/etc/uci-defaults/localdhcp @@ -0,0
> +1,18 @@ +#!/bin/sh +>/etc/config/dhcp + +uci batch <<EOF +set
> dhcp.odhcpd=odhcpd +set dhcp.odhcpd.maindhcp=0 +set
> dhcp.odhcpd.leasefile=/tmp/hosts/odhcpd +set
> dhcp.odhcpd.leasetrigger=/usr/sbin/odhcpd-update +set
> dhcp.local=dhcp +set dhcp.local.interface=mesh +set
> dhcp.local.ra=server +set dhcp.local.dhcpv6=server +set
> dhcp.local.dhcpv4=disabled +set dhcp.local.ndp=disabled +set
> dhcp.local.ra_default=0 +set dhcp.local.ra_preference=low +commit
> dhcp +EOF
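Review bot: `>/etc/config/dhcp` empties the whole dhcp config before the `uci batch`, so any pre-existing sections in that file (the stock dnsmasq section and any dhcp section for other interfaces) are discarded rather than overridden; if that is intended because odhcpd is to be the only RA/DHCPv6 daemon on the mesh interface, a comment above it saying so, `# start from an empty dhcp config: odhcpd owns RA/DHCPv6 on mesh`, would document the decision. If it is not intended, replacing the truncation with `uci -q delete` of the specific sections keeps the rest of the file intact. The script also has no explicit exit status and relies on `uci batch` being the last command; ending it with `exit 0` after checking the batch result makes the success condition of the uci-defaults script explicit.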
> 


- -- 
Kontaktmöglichkeiten ChristianD (Christian Dresel):
Jabber: ChristianD at jabber.community
E-Mail: fff at chrisi01.de
Facebook: https://www.facebook.com/christian.chili
Handy/Whatsapp & Festnetz: auf Nachfrage
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
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=hiIq
-----END PGP SIGNATURE-----


