[PATCH v2 2/2] fff: advertise fdff:0::/64 to access web interface
Tim Niemeyer
tim.niemeyer at mastersword.de
Sa Jan 30 11:59:46 CET 2016
This patch adds a prefix advertisement for each node. Every node also gets
the IPs
* $prefix::MAC
* $prefix::link-local
* $prefix::1
::1 is duplicated so we need filtering to not forward data into the
network for ::1.
Signed-off-by: Tim Niemeyer <tim.niemeyer at mastersword.de>
---
Changes in v2:
- added a restart of uradvd
- fff now depends on fff-uradvd (instead of odhcpd)
- removed dhcpv6 rules from firewall
bsp/default/root_file_system/etc/firewall.user | 19 ++++++++++++
bsp/default/root_file_system/etc/network.sh | 40 ++++++++++++++++++++++++++
src/packages/fff/fff/Makefile | 4 +--
3 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/bsp/default/root_file_system/etc/firewall.user b/bsp/default/root_file_system/etc/firewall.user
index 1af101c..8ae48dc 100755
--- a/bsp/default/root_file_system/etc/firewall.user
+++ b/bsp/default/root_file_system/etc/firewall.user
@@ -59,6 +59,14 @@ ebtables -A MULTICAST_OUT -p IPv4 --ip-proto igmp -j RETURN
######## INPUT ############
ebtables -P INPUT ACCEPT
+# Erlaube router solicitation von client zu knoten
+ebtables -A INPUT -p IPv6 -i ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-solicitation -j ACCEPT
+ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT
+
+# No input from/to local node ip from batman
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+ebtables -A INPUT --logical-in br-mesh -i bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+
# Erlaube nur DHCP Antworten von BATMAN -> KNOTEN
ebtables -A INPUT -p IPv4 --ip-proto udp --ip-dport 68 -j IN_ONLY
# Erlaube nur DHCPv6 Antworten von BATMAN -> KNOTEN
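Review bot: The second added rule, `ebtables -A INPUT -d Multicast --logical-in br-mesh -i ! bat0 -j ACCEPT`, matches every multicast and broadcast frame from the client side regardless of protocol, and because ebtables stops at the first match it is evaluated before the existing `--ip-dport 68 -j IN_ONLY` rule further down; a broadcast DHCP reply originating on the client side would therefore be accepted into the node before the rule that, judging by its comment, is meant to admit such replies only from bat0. If the intent is to let neighbour and router discovery through, narrowing it to `-p IPv6 --ip6-proto ipv6-icmp` keeps the later DHCP restrictions effective. The rule directly above it already uses that form for router solicitations, so the two would then read consistently.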
@@ -71,6 +79,10 @@ ebtables -A INPUT -p IPv6 -i bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-s
######## FORWARD ############
ebtables -P FORWARD ACCEPT
+# Do not forward local node ip
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A FORWARD --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
# Erlaube nur DHCP Request von CLIENT -> BATMAN
ebtables -A FORWARD -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
# Erlaube nur DHCP Antworten von BATMAN -> CLIENT
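Review bot: The two FORWARD drops only cover frames leaving toward bat0 (`--logical-out br-mesh -o bat0`); a frame arriving from bat0 with source or destination `fdff::1/128` is still bridged to the client ports, whereas the INPUT hunk of this same patch does filter the `-i bat0` direction. Unless that omission is deliberate, a matching pair with `--logical-in br-mesh -i bat0` would make the filtering symmetric. `fdff::1/128` is also spelled out six times across the INPUT, FORWARD and OUTPUT hunks of this file and is derived separately from `prefix` in network.sh; a single `node_ip6="fdff::1/128"` near the top of firewall.user, used as `--ip6-source "$node_ip6"`, keeps the copies from drifting apart.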
@@ -89,6 +101,13 @@ ebtables -A FORWARD -d Multicast --logical-out br-mesh -o bat0 -j MULTICAST_OUT
######## OUTPUT ############
ebtables -P OUTPUT ACCEPT
+# Erlaube router advertisment von knoten zu client
+ebtables -A OUTPUT -p IPv6 -o ! bat0 --ip6-proto ipv6-icmp --ip6-icmp-type router-advertisement -j ACCEPT
+
+# Do not output local node ip to batman
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-destination fdff::1/128 -j DROP
+ebtables -A OUTPUT --logical-out br-mesh -o bat0 -p IPv6 --ip6-source fdff::1/128 -j DROP
+
# Erlaube nur DHCP Request von KNOTEN -> BATMAN
ebtables -A OUTPUT -p IPv4 --ip-proto udp --ip-dport 67 -j OUT_ONLY
# Erlaube nur DHCPv6 Request von KNOTEN -> BATMAN
diff --git a/bsp/default/root_file_system/etc/network.sh b/bsp/default/root_file_system/etc/network.sh
index 836cb62..1a595a5 100644
--- a/bsp/default/root_file_system/etc/network.sh
+++ b/bsp/default/root_file_system/etc/network.sh
@@ -113,3 +113,43 @@ if [[ -n "$ETH0MAC" ]]; then
ifconfig eth0 up
/etc/init.d/network restart
fi
+
+if uci get network.mesh.ip6addr
+then
+ echo "IPv6 for mesh is set already"
+else
+ # Some time needed :(
+ sleep 5
+
+ for ip in $(ip -6 addr show br-mesh | awk '/fdff/{ print $2 }'); do
+ ip -6 addr del $ip dev br-mesh
+ done
+
+ prefix="fdff:0::/64"
+ # Set $prefix::MAC as IP
+ suffix=$(awk -F: '{ print $1$2":"$3$4":"$5$6 }' /sys/class/net/br-mesh/address)
+ addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+ ip -6 addr add $addr dev br-mesh
+
+ uci -q del network.globals
+ uci -q set network.globals=globals
+ uci -q set network.globals.ula_prefix=$prefix
+ uci -q add_list network.mesh.ip6addr=$addr
+ uci -q set network.mesh.proto=static
+
+ # Set $prefix::1 as IP
+ suffix="1"
+ addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+ ip -6 addr add $addr dev br-mesh
+ uci -q add_list network.mesh.ip6addr=$addr
+
+ # Set $prefix::link-local as IP
+ suffix=$(awk -F: '{ printf("%02x%s:%sff:fe%s:%s%s\n", xor(("0x"$1),2), $2, $3, $4, $5, $6) }' /sys/class/net/br-mesh/address)
+ addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')
+ ip -6 addr add $addr dev br-mesh
+ uci -q add_list network.mesh.ip6addr=$addr
+
+ uci -q commit network
+
+ /etc/init.d/fff-uradvd restart
+fi
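Review bot: The address is assembled three times with `addr=$(echo $prefix | sed -e 's/\//'$suffix'\//')`, splicing `$suffix` unquoted into the sed script to replace the `/` of `$prefix`; a small helper built from parameter expansion does the same without a pipeline and with quoted inputs, shown below. The link-local suffix additionally relies on awk converting the string `"0x"$1` to a number, which busybox awk does but gawk does not without `--non-decimal-data` (it yields 0 there, so the xor would produce the wrong byte); a comment such as `# "0x"$1 -> number relies on busybox awk hex conversion` would save the next reader a debugging round. `if uci get network.mesh.ip6addr` also prints the stored value to stdout on every run; `if uci -q get network.mesh.ip6addr >/dev/null` keeps the guard silent. The fixed `sleep 5` is a timing assumption rather than a readiness check and deserves a comment stating what it waits for.
```shell
  mesh_addr() {
    # "$1" = prefix with length (e.g. fdff:0::/64), "$2" = host suffix
    printf '%s%s/%s\n' "${1%%/*}" "$2" "${1#*/}"
  }

  prefix="fdff:0::/64"
  # Set $prefix::MAC as IP
  suffix=$(awk -F: '{ print $1$2":"$3$4":"$5$6 }' /sys/class/net/br-mesh/address)
  addr=$(mesh_addr "$prefix" "$suffix")
  ip -6 addr add "$addr" dev br-mesh
  # … unchanged: uci globals / mesh settings …
  # Set $prefix::1 as IP
  addr=$(mesh_addr "$prefix" "1")
  # … unchanged: ip addr add / uci add_list …
  # Set $prefix::link-local as IP
  # … unchanged: awk computing the modified-EUI-64 suffix …
  addr=$(mesh_addr "$prefix" "$suffix")
  ip -6 addr add "$addr" dev br-mesh
  # … unchanged: uci add_list / commit / uradvd restart …
```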
diff --git a/src/packages/fff/fff/Makefile b/src/packages/fff/fff/Makefile
index e29713f..f480031 100644
--- a/src/packages/fff/fff/Makefile
+++ b/src/packages/fff/fff/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=fff
PKG_VERSION:=0.0.1
-PKG_RELEASE:=4
+PKG_RELEASE:=5
PKG_BUILD_DIR:=$(BUILD_DIR)/fff
@@ -14,7 +14,7 @@ define Package/fff-base
DEFAULT:=y
TITLE:= Freifunk-Franken Base
URL:=http://www.freifunk-franken.de
- DEPENDS:=+micrond +fff-nodewatcher +fff-web
+ DEPENDS:=+micrond +fff-nodewatcher +fff-web +fff-uradvd
endef
define Package/fff-base/description
--
2.1.4