[RFC PATCH 1/1] fff-gateway: Add option to set NAT for IPv4

Robert Langhammer rlanghammer at web.de
Mon Apr 6 12:20:17 CEST 2020


Hello Christian,

I actually think having v4 NAT as an option is quite good. You don't have to
turn it on, but you would have the possibility of building such a setup
without any tinkering.

The implementation should be thought over once more ;-)

Best regards
Robert

On 05.04.20 at 18:10, Christian Dresel wrote:
> With this patch it is possible to activate NAT for IPv4 clients.
>
> The documentation for the options is here:
> https://wiki.freifunk-franken.de/w/Layer3Firmware_Config/nat#client
>
> This is an RFC patch; I hope for many comments.
>
> Signed-off-by: Christian Dresel <fff at chrisi01.de>
> ---
>  .../fff/fff-gateway/files/etc/gateway.d/33-nat     | 54 ++++++++++++++++++++++
>  1 file changed, 54 insertions(+)
>  create mode 100644 src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
>
> diff --git a/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
> new file mode 100644
> index 0000000..ad3082c
> --- /dev/null
> +++ b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
> @@ -0,0 +1,54 @@
> +# First read IP adresses
> +if ! peer_ip=$(uci get gateway.meta.peer_ip); then
> +	echo "WARNING: No peer_ip set!"
> +fi
> +if ! ipaddr=$(uci get gateway. at client[0].ipaddr); then
> +	echo "WARNING: No ipaddr set!"
> +fi
> +
> +# configuregateway -c do nothing
> +
> +# Check if NAT is set
> +if uci -q get gateway. at client[0].nat; then
> +	# configuregateway -t - reload set the iptables rule not rebootsafe
> +	reload() {
> +		# first we flush the table
> +		iptables -t nat --flush
> +		# and load the new settings
> +		iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip
> +	}
> +	
> +	# configuregateway -a  - apply write iptables rule to firewall and set rule again                                                                                                                                                                                                                                                                     
> +	apply() {
> +		echo "iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip" > /usr/lib/firewall.d/30-NAT
> +		iptables -t nat --flush
> +		iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip 
> +	}
> +
> +	# timeout configuregateway -t - flush the table 
> +# if NAT is not set
> +else
> +	# configuregateway -t - reload set the iptables rule not rebootsafe
> +	reload() {
> +		# we only flush the table
> +		iptables -t nat --flush
> +	}
> +
> +	# configuregateway -a  - apply flush iptables rule and delete firewall rule                                                                                                                                                                                                                                                                     
> +	apply() {
> +		# we flush the table
> +		iptables -t nat --flush
> +		# and delete the firewall
> +		rm /usr/lib/firewall.d/30-NAT
> +		# nobody need NAT we win! \o/
> +	}
> +fi
> +
> +# revert is the same whether NAT set or not
> +# timeout configuregateway -t - flush the table 
> +revert() {
> +	# first we flush the table
> +	iptables -t nat --flush
> +	# and load the old settings
> +	. /usr/lib/firewall.d/30-NAT
> +}
> \ No newline at end of file
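Review bot: `iptables -t nat --flush` in reload(), apply() and revert() empties every chain of the entire nat table, so nat rules installed by anything else under /usr/lib/firewall.d are wiped too, and revert() afterwards restores only this script's own rule from /usr/lib/firewall.d/30-NAT. Deleting just the rule this script owns (`iptables -t nat -D POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip`), or keeping it in a dedicated chain that is flushed instead of the whole table, keeps the change local. Two smaller points: the missing peer_ip/ipaddr cases only print a warning and fall through, so an empty variable ends up in the `-s`/`--to-source` arguments and in the file written by apply() (return after the warning, and quote the variables); and both `rm /usr/lib/firewall.d/30-NAT` in apply() and `. /usr/lib/firewall.d/30-NAT` in revert() fail when the file does not exist yet, so use `rm -f` and guard the source with a `[ -f ... ]` test. It is also worth checking that `@client[0].ipaddr` is the client prefix to be NATed rather than the gateway's own address on the client interface, since `-s $ipaddr` without a netmask matches a single host. The new file also lacks a trailing newline.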


