Rebuild the NAT version of the firewall (#1243)

* New firewall configuration for NATed LAN.

* Fix ip rule
Tim Wilkinson 2024-06-17 15:24:57 -07:00 committed by GitHub
parent 5d8a240c8f
commit 8d4eadee53
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 23 additions and 36 deletions


@ -26,7 +26,6 @@ config zone
option input REJECT option input REJECT
option output ACCEPT option output ACCEPT
option forward REJECT option forward REJECT
option masq 1
option mtu_fix 1 option mtu_fix 1
config zone config zone


@ -1,17 +0,0 @@
# This script is run when the node is in NAT mode to
# setup addtional firewall rules needed for nat.
# allowing all other traffic to transport as is.
dtdlinkip=`uci -q get network.dtdlink.ipaddr`
wifiip=`uci -q get network.wifi.ipaddr`
ip rule del pref 20010 fwmark 0x15 lookup 29 > /dev/null 2>&1
ip rule add pref 20010 fwmark 0x15 lookup 29
#tag traffic for use later in iprule's
nft insert rule ip fw4 mangle_prerouting ip daddr $wifiip meta mark set 0x15
nft insert rule ip fw4 mangle_prerouting ip daddr $dtdlinkip meta mark set 0x15
# Mark and masq local traffic going out the dtdlink interface.
nft add rule ip fw4 helper_lan meta mark set 0xe
nft add rule ip fw4 srcnat mark 0xe mark 0xe masquerade


@ -51,9 +51,7 @@ if [ "$ACTION" = "ifup" ] ; then
echo "Setting routing rules." echo "Setting routing rules."
if [ "$INTERFACE" == "wifi" ] || [ "$INTERFACE" == "dtdlink" ] || [ "${INTERFACE:0:3}" = "tun" ] || [ "${INTERFACE:0:2}" = "wg" ] || [ "$xlink" != "" ]; then if [ "$INTERFACE" == "wifi" ] || [ "$INTERFACE" == "dtdlink" ] || [ "${INTERFACE:0:3}" = "tun" ] || [ "${INTERFACE:0:2}" = "wg" ] || [ "$xlink" != "" ]; then
if [ "$(/sbin/uci -q get aredn.@dmz[0].mode)" != "0" ] ; then ip rule add pref 20010 iif $DEVICE lookup 29
ip rule add pref 20010 iif $DEVICE lookup 29
fi
ip rule add pref 20020 iif $DEVICE lookup 30 ip rule add pref 20020 iif $DEVICE lookup 30
ip rule add pref 20080 iif $DEVICE lookup 31 ip rule add pref 20080 iif $DEVICE lookup 31
if [ $is_olsrgw -eq 1 ] ; then if [ $is_olsrgw -eq 1 ] ; then
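Review bot: The now-unconditional `ip rule add pref 20010 iif $DEVICE lookup 29` has no matching delete, so a second ifup for the same device re-adds the rule; the deleted natmode script cleared its rule with `ip rule del ... > /dev/null 2>&1` before adding, and the same pattern, `ip rule del pref 20010 iif "$DEVICE" lookup 29 > /dev/null 2>&1`, in front of the add would keep this handler idempotent (the pref 20020/20080 adds on the following lines have the same gap, though they predate this commit). Depending on the kernel, iproute2 either rejects the duplicate with "File exists" or the rule accumulates, so the hotplug log gets noisier or the rule table grows. Dropping the `aredn.@dmz[0].mode` gate also deserves a one-line comment explaining why the table 29 lookup now applies in both NAT and DMZ modes, since the commit message only says "Fix ip rule". `$DEVICE` is unquoted in all three adds; `"$DEVICE"` would keep an empty or unusual value from word-splitting. The enclosing `if [ "$ACTION" = "ifup" ]` block starts before this hunk and ends after it.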


@ -51,6 +51,9 @@ function is_null(v)
return false return false
end end
end end
function is_notnull(v)
return not is_null(v)
end
local function h2s(hex) local function h2s(hex)
local s = "" local s = ""
@ -225,7 +228,7 @@ if cfg.wan_proto == "dhcp" then
deleteme.wan_gw = true deleteme.wan_gw = true
deleteme.wan_mask = true deleteme.wan_mask = true
end end
if not is_null(cfg.dmz_mode) or cfg.wan_proto ~= "disabled" then if is_notnull(cfg.dmz_mode) or cfg.wan_proto ~= "disabled" then
deleteme.lan_gw = true deleteme.lan_gw = true
end end
@ -282,7 +285,7 @@ if is_null(cfg.dmz_mode) then
end end
-- switch to dmz values if needed -- switch to dmz values if needed
if not is_null(cfg.dmz_mode) then if is_notnull(cfg.dmz_mode) then
cfg.lan_ip = cfg.dmz_lan_ip cfg.lan_ip = cfg.dmz_lan_ip
cfg.lan_mask = cfg.dmz_lan_mask cfg.lan_mask = cfg.dmz_lan_mask
cfg.dhcp_start = cfg.dmz_dhcp_start cfg.dhcp_start = cfg.dmz_dhcp_start
@ -647,18 +650,14 @@ write_all("/tmp/new_config/vtun", expand_vars("<tun_network_config>"))
local nc = uci.cursor("/tmp/new_config") local nc = uci.cursor("/tmp/new_config")
-- append to firewall -- append to firewall
local add_masq = false
local fw = io.open("/tmp/new_config/firewall", "a") local fw = io.open("/tmp/new_config/firewall", "a")
if fw then if fw then
if not is_null(cfg.dmz_mode) then if is_notnull(cfg.dmz_mode) then
fw:write("\nconfig forwarding\n option src wifi\n option dest lan\n") fw:write("\nconfig forwarding\n option src wifi\n option dest lan\n")
fw:write("\nconfig forwarding\n option src dtdlink\n option dest lan\n") fw:write("\nconfig forwarding\n option src dtdlink\n option dest lan\n")
if vpnzone then if vpnzone then
fw:write("\nconfig forwarding\n option src vpn\n option dest lan\n") fw:write("\nconfig forwarding\n option src vpn\n option dest lan\n")
end end
add_masq = true
else
fw:write("\nconfig 'include'\n option 'path' '/etc/firewall.natmode'\n option 'reload' '1'\n")
end end
if nc:get("aredn", "@wan[0]", "olsrd_gw") == "1" then if nc:get("aredn", "@wan[0]", "olsrd_gw") == "1" then
@ -692,7 +691,7 @@ if fw then
if not oport:match("-") then if not oport:match("-") then
host = host .. " option dest_port " .. iport .. "\n" host = host .. " option dest_port " .. iport .. "\n"
end end
if not is_null(cfg.dmz_mode) and intf == "both" then if is_notnull(cfg.dmz_mode) and intf == "both" then
intf = "wan" intf = "wan"
end end
if intf == "both" then if intf == "both" then
@ -720,8 +719,16 @@ if fw then
fw:close(); fw:close();
end end
if add_masq then
nc:set("firewall", "@zone[2]", "masq", "0") -- setup nat
if is_null(cfg.dmz_mode) then
-- zone[0] = lan, zone[1] = wan, zone[2] = wifi, zone[3] = dtdlink, zone[4] = vpn
local masq_src = cfg.lan_ip .. "/" .. netmask_to_cidr(cfg.lan_mask)
for z = 2, 4
do
nc:set("firewall", "@zone[" .. z .. "]", "masq", "1")
nc:set("firewall", "@zone[" .. z .. "]", "masq_src", masq_src)
end
nc:commit("firewall") nc:commit("firewall")
end end
@ -983,13 +990,13 @@ if h and e then
h:write("# automatically generated file - do not edit\n") h:write("# automatically generated file - do not edit\n")
h:write("# use /etc/hosts.user for custom entries\n") h:write("# use /etc/hosts.user for custom entries\n")
h:write("127.0.0.1\tlocalhost\n") h:write("127.0.0.1\tlocalhost\n")
if not is_null(cfg.wifi_ip) then if is_notnull(cfg.wifi_ip) then
h:write(cfg.lan_ip .. "\tlocalnode\n") h:write(cfg.lan_ip .. "\tlocalnode\n")
h:write(cfg.wifi_ip .. "\t" .. node .. " " .. tactical .. "\n") h:write(cfg.wifi_ip .. "\t" .. node .. " " .. tactical .. "\n")
else else
h:write(cfg.lan_ip .. "\tlocalnode " .. node .. " " .. tactical .. "\n") h:write(cfg.lan_ip .. "\tlocalnode " .. node .. " " .. tactical .. "\n")
end end
if not is_null(cfg.dtdlink_ip) then if is_notnull(cfg.dtdlink_ip) then
h:write(cfg.dtdlink_ip .. "\tdtdlink." .. node .. ".local.mesh dtdlink." .. node .."\n") h:write(cfg.dtdlink_ip .. "\tdtdlink." .. node .. ".local.mesh dtdlink." .. node .."\n")
end end
if is_null(cfg.dmz_mode) then if is_null(cfg.dmz_mode) then
@ -1077,12 +1084,12 @@ if nixio.fs.access("/etc/config.mesh/olsrd", "r") then
of:write(line .. "\n") of:write(line .. "\n")
end end
if not is_null(cfg.dmz_mode) then if is_notnull(cfg.dmz_mode) then
local a, b, c, d = cfg.dmz_lan_ip:match("(.*)%.(.*)%.(.*)%.(.*)") local a, b, c, d = cfg.dmz_lan_ip:match("(.*)%.(.*)%.(.*)%.(.*)")
of:write(string.format("\nconfig Hna4\n\toption netaddr %s.%s.%s.%d\n\toption netmask 255.255.255.%d\n\n", a, b, c, d - 1, nixio.bit.band(255 * 2 ^ cfg.dmz_mode, 255))) of:write(string.format("\nconfig Hna4\n\toption netaddr %s.%s.%s.%d\n\toption netmask 255.255.255.%d\n\n", a, b, c, d - 1, nixio.bit.band(255 * 2 ^ cfg.dmz_mode, 255)))
end end
if cfg.wifi_enable ~= "1" and not is_null(cfg.wifi_ip) then if cfg.wifi_enable ~= "1" and is_notnull(cfg.wifi_ip) then
of:write(string.format("config Hna4\n\toption netaddr %s\n\toption netmask 255.255.255.255\n\n", cfg.wifi_ip)) of:write(string.format("config Hna4\n\toption netaddr %s\n\toption netmask 255.255.255.255\n\n", cfg.wifi_ip))
end end
@ -1216,7 +1223,7 @@ if sf then
if cfg.wifi_enable == "1" then if cfg.wifi_enable == "1" then
sf:write("/usr/sbin/iw dev " .. cfg.wifi_intf .. " set txpower fixed " .. cfg.wifi_txpower .. "00\n") sf:write("/usr/sbin/iw dev " .. cfg.wifi_intf .. " set txpower fixed " .. cfg.wifi_txpower .. "00\n")
end end
if not is_null(cfg.aprs_lat) and not is_null(cfg.aprs_lon) then if is_notnull(cfg.aprs_lat) and is_notnull(cfg.aprs_lon) then
nc:set("aredn", "@location[0]", "lat", cfg.aprs_lat) nc:set("aredn", "@location[0]", "lat", cfg.aprs_lat)
nc:set("aredn", "@location[0]", "lon", cfg.aprs_lon) nc:set("aredn", "@location[0]", "lon", cfg.aprs_lon)
nc:commit("aredn") nc:commit("aredn")
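Review bot: The new NAT block in the `@ -720,8 +719,16` hunk writes `masq`/`masq_src` to `@zone[2]`..`@zone[4]` by position, and its comment labels zone[4] as vpn, yet the vpn forwarding entry earlier in this file is only emitted `if vpnzone then`, which suggests that zone is not always present; `nc:set` on a missing section fails silently and its return value is not checked. Guarding the loop body with `if nc:get("firewall", "@zone[" .. z .. "]") then` (or bounding it with `for z = 2, vpnzone and 4 or 3 do`, if that variable does track the zone) keeps the configuration step from becoming a silent no-op. It is also worth a comment that `masq_src` is what scopes the NAT to the node's own LAN so transit mesh traffic is forwarded unchanged, the behaviour the deleted /etc/firewall.natmode script described in its header. `function is_notnull(v)` in the first hunk is a global like the existing `is_null`; a `local function` would keep it out of `_G`, but it does match the current definition style. The NAT block is top-level script code, not inside a function.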