[PATCH 1/7] fff: advertise fdff:0::/64 to access web interface

Tim Niemeyer tim.niemeyer at mastersword.de
Mi Jan 6 18:39:16 CET 2016


This patch adds a prefix advertisement for each node. Every node also gets
the IPs
* $prefix::MAC
* $prefix::link-local
* $prefix::1

::1 is duplicated, so we need filtering so that traffic for ::1 is not
forwarded into the network.

Signed-off-by: Tim Niemeyer <tim.niemeyer at mastersword.de>
---

 bsp/default/root_file_system/etc/firewall.user     | 21 ++++++++++++
 bsp/default/root_file_system/etc/network.sh        | 38 ++++++++++++++++++++++
 src/packages/fff/fff/Makefile                      |  4 +--
 .../fff/fff/files/etc/uci-defaults/localdhcp       | 18 ++++++++++
 4 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 src/packages/fff/fff/files/etc/uci-defaults/localdhcp

diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
index 1af101c..7bcf82d 100755
--- a/bsp/default/root_file_system/etc/firewall.user
+++ b/bsp/default/root_file_system/etc/firewall.user
@@ -59,6 +59,15 @@ ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
 ######## INPUT ############
 ebtables -P INPUT ACCEPT
 
+# Erlaube dhcpv6 request / router solicitation von client zu knoten
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto udp --ip6-dport 547 -j ACCEPT
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
+
+# No input from/to local node ip from batman
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+
 # Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
 ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
 # Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
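Review bot: The third added INPUT rule, `-d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT`, is much broader than the comment above it suggests: it accepts every group-addressed frame of any protocol from any non-bat0 port (in ebtables `Multicast` also matches broadcast), and since it precedes the later `IN_ONLY` restrictions on DHCP (dport 68) and DHCPv6 replies, a broadcast DHCP reply sent from a client port toward the node would appear to bypass them. If the rule exists only because DHCPv6 solicit and router solicitation go to multicast addresses, the two rules above it already cover those, so narrowing it to `-p IPv6 --ip6-proto ipv6-icmp` (or dropping it) and stating its purpose in the comment would be safer. Separately, the literal `fdff::1/128` is repeated six times across this hunk and the FORWARD and OUTPUT hunks of this file, while network.sh derives the same address from `prefix="fdff:0::/64"`; defining it once near the top of firewall.user (e.g. `NODE_IP6=fdff::1/128`) and using `"$NODE_IP6"` in the rules would keep the two files from drifting apart.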
@@ -71,6 +80,10 @@ ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-s
 ######## FORWARD ############
 ebtables -P FORWARD ACCEPT
 
+# Do not forward local node ip
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
 # Erlaube nur DHCP Request von CLIENT -> BATMAN
 ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
 # Erlaube nur DHCP Antworten von BATMAN -> CLIENT
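Review bot: The two FORWARD drops only cover frames leaving towards bat0 (`-o bat0`); a frame arriving from the mesh (`-i bat0`) with destination or source `fdff::1/128` is not matched here and, as far as the chain shows, would still be forwarded to the client ports of br-mesh even though INPUT drops it for the node itself. If the intent is that ::1 traffic never crosses between mesh and clients in either direction, the inbound counterpart is needed as well, e.g. `ebtables -A FORWARD --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP` and the matching `--ip6-source` rule.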
@@ -89,6 +102,14 @@ ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
 ######## OUTPUT ############
 ebtables -P OUTPUT ACCEPT
 
+# Erlaube dhcpv6 reply / router advertisment von knoten zu client
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto udp --ip6-dport 546 -j ACCEPT
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+
+# Do not output local node ip to batman
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
 # Erlaube nur DHCP Request von KNOTEN -> BATMAN
 ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
 # Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
diff --git a/bsp/default/root_file_system/etc/network.sh b/bsp/default/root_file_system/etc/network.sh
index 6c64083..8c99305 100644
--- a/bsp/default/root_file_system/etc/network.sh
+++ b/bsp/default/root_file_system/etc/network.sh
@@ -113,3 +113,41 @@ if [[ -n "$ETH0MAC" ]]; then
         ifconfig eth0 up
         /etc/init.d/network restart
 fi
+
+if uci get network.mesh.ip6addr
+then
+    echo "IPv6 for mesh is set already"
+else
+    # Some time needed :(
+    sleep 5
+
+    for ip in $(ip -6 addr show br-mesh | awk '/fdff/{ print $2 }'); do
+        ip -6 addr del $ip dev br-mesh
+    done
+
+    prefix="fdff:0::/64"
+    # Set $prefix::MAC as IP
+    suffix=$(awk -F: '{ print $1$2":"$3$4":"$5$6 }' /sys/class/net/br-mesh/address)
+    addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+    ip -6 addr add $addr dev br-mesh
+
+    uci -q del network.globals
+    uci -q set network.globals=globals
+    uci -q set network.globals.ula_prefix=$prefix
+    uci -q add_list network.mesh.ip6addr=$addr
+    uci -q set network.mesh.proto=static
+
+    # Set $prefix::1 as IP
+    suffix="1"
+    addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+    ip -6 addr add $addr dev br-mesh
+    uci -q add_list network.mesh.ip6addr=$addr
+
+    # Set $prefix::link-local as IP
+    suffix=$(awk -F: '{ printf("%02x%s:%sff:fe%s:%s%s\n", xor(("0x"$1),2), $2, $3, $4, $5, $6) }' /sys/class/net/br-mesh/address)
+    addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+    ip -6 addr add $addr dev br-mesh
+    uci -q add_list network.mesh.ip6addr=$addr
+
+    uci -q commit network
+fi
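Review bot: The address construction `addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')`, repeated three times in the new block, builds the address by textually replacing the first `/` of the prefix and only works because the prefix literal ends in `::`; a parameter expansion such as `addr="${prefix%/*}${suffix}/${prefix##*/}"` states the intent (insert the interface id before the prefix length) without sed and without an unquoted `$suffix` spliced into a sed script. The guard `if uci get network.mesh.ip6addr` prints the stored value to stdout on every boot where it is set; `if uci -q get network.mesh.ip6addr >/dev/null` keeps the check silent. The link-local style suffix depends on awk treating `"0x"$1` as a hexadecimal number before `xor`; on an awk that does not accept 0x strings in arithmetic that operand is 0 and the first byte would always come out as `02`, so this deserves a comment naming the assumption or a computation via shell arithmetic (`$(( 0x$byte ^ 2 ))`). None of the three `ip -6 addr add` calls is checked before the addresses are written to UCI and committed, so a failed add still leaves network config claiming the address. The `if [[ -n "$ETH0MAC" ]]` block at the top of the hunk starts outside it; the new `if uci get` block is complete within the hunk.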
diff --git a/src/packages/fff/fff/Makefile b/src/packages/fff/fff/Makefile
index e29713f..d92da91 100644
--- a/src/packages/fff/fff/Makefile
+++ b/src/packages/fff/fff/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff
 PKG_VERSION:=0.0.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/fff
 
@@ -14,7 +14,7 @@ define Package/fff-base
     DEFAULT:=y
     TITLE:= Freifunk-Franken Base
     URL:=http://www.freifunk-franken.de
-    DEPENDS:=+micrond +fff-nodewatcher +fff-web
+    DEPENDS:=+micrond +fff-nodewatcher +fff-web +odhcpd
 endef
 
 define Package/fff-base/description
diff --git a/src/packages/fff/fff/files/etc/uci-defaults/localdhcp b/src/packages/fff/fff/files/etc/uci-defaults/localdhcp
new file mode 100644
index 0000000..d9fdb6d
--- /dev/null
+++ b/src/packages/fff/fff/files/etc/uci-defaults/localdhcp
@@ -0,0 +1,18 @@
+#!/bin/sh
+>/etc/config/dhcp
+
+uci batch <<EOF
+set dhcp.odhcpd=odhcpd
+set dhcp.odhcpd.maindhcp=0
+set dhcp.odhcpd.leasefile=/tmp/hosts/odhcpd
+set dhcp.odhcpd.leasetrigger=/usr/sbin/odhcpd-update
+set dhcp.local=dhcp
+set dhcp.local.interface=mesh
+set dhcp.local.ra=server
+set dhcp.local.dhcpv6=server
+set dhcp.local.dhcpv4=disabled
+set dhcp.local.ndp=disabled
+set dhcp.local.ra_default=0
+set dhcp.local.ra_preference=low
+commit dhcp
+EOF
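Review bot: `>/etc/config/dhcp` on the second line empties the entire dhcp config unconditionally, so any existing `dnsmasq`, `dhcp` or `host` sections present on the device are discarded rather than only the `odhcpd` and `local` sections this script owns; if a clean slate is intended, say so in a comment (`# start from an empty dhcp config: odhcpd is the only DHCP/RA service on this image`), otherwise remove just those two sections with `uci -q delete dhcp.odhcpd` and `uci -q delete dhcp.local` before the batch. The script's exit status is whatever `uci batch` returns; uci-defaults scripts are, as far as I recall, only removed after a successful run, so an explicit `exit 0` at the end would make that expectation visible. The batch also binds `dhcp.local.interface=mesh`, which appears to rely on the `mesh` interface being configured by the network.sh change elsewhere in this patch.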
-- 
2.1.4



