[RFC,1/1] fff-gateway: Add option to set NAT for IPv4

Submitted by Christian Dresel on April 5, 2020, 4:10 p.m.


Message ID 20200405161050.24878-1-fff@chrisi01.de
State Superseded

Commit Message

Christian Dresel April 5, 2020, 4:10 p.m.
With this patch it is possible to activate NAT for IPv4 Clients

The documentation for the options is here:
https://wiki.freifunk-franken.de/w/Layer3Firmware_Config/nat#client

This is an RFC patch; I hope for many comments.

Signed-off-by: Christian Dresel <fff@chrisi01.de>
---
 .../fff/fff-gateway/files/etc/gateway.d/33-nat     | 54 ++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat


diff --git a/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
new file mode 100644
index 0000000..ad3082c
--- /dev/null
+++ b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
@@ -0,0 +1,54 @@ 
+# First read IP adresses
+if ! peer_ip=$(uci get gateway.meta.peer_ip); then
+	echo "WARNING: No peer_ip set!"
+fi
+if ! ipaddr=$(uci get gateway.@client[0].ipaddr); then
+	echo "WARNING: No ipaddr set!"
+fi
+
+# configuregateway -c do nothing
+
+# Check if NAT is set
+if uci -q get gateway.@client[0].nat; then
+	# configuregateway -t - reload set the iptables rule not rebootsafe
+	reload() {
+		# first we flush the table
+		iptables -t nat --flush
+		# and load the new settings
+		iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip
+	}
+	
+	# configuregateway -a  - apply write iptables rule to firewall and set rule again                                                                                                                                                                                                                                                                     
+	apply() {
+		echo "iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip" > /usr/lib/firewall.d/30-NAT
+		iptables -t nat --flush
+		iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip 
+	}
+
+	# timeout configuregateway -t - flush the table 
+# if NAT is not set
+else
+	# configuregateway -t - reload set the iptables rule not rebootsafe
+	reload() {
+		# we only flush the table
+		iptables -t nat --flush
+	}
+
+	# configuregateway -a  - apply flush iptables rule and delete firewall rule                                                                                                                                                                                                                                                                     
+	apply() {
+		# we flush the table
+		iptables -t nat --flush
+		# and delete the firewall
+		rm /usr/lib/firewall.d/30-NAT
+		# nobody need NAT we win! \o/
+	}
+fi
+
+# revert is the same whether NAT set or not
+# timeout configuregateway -t - flush the table 
+revert() {
+	# first we flush the table
+	iptables -t nat --flush
+	# and load the old settings
+	. /usr/lib/firewall.d/30-NAT
+}
\ No newline at end of file
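Review bot: `iptables -t nat --flush` in reload(), apply() and revert() empties every chain of the whole nat table, so it silently discards any NAT rule installed by other firewall.d scripts instead of removing only the SNAT rule this script owns. The uci values are also expanded unquoted both into the live command and into the persisted `/usr/lib/firewall.d/30-NAT` script; since a failed `uci get` only prints a warning, apply() will still write a broken `iptables -t nat -A POSTROUTING -s  -j SNAT --to-source` line that is executed again at boot and by revert(). revert() sources 30-NAT unconditionally and the NAT-off apply() uses plain `rm`, so after NAT has been switched off a timeout revert fails on the missing file — guard with `[ -f "$nat_file" ] && . "$nat_file"` and use `rm -f -- "$nat_file"`. I would keep the rule in a dedicated chain jumped to from POSTROUTING, quote every expansion, and skip the rule when either address is empty, as sketched below (if the target's iptables lacks `-C`, delete the jump before re-adding it instead). The rule also carries no `-o` match, so it rewrites traffic from the client range leaving on any interface; if only the uplink is meant, restrict it with `-o <uplink>`.

```shell
nat_file=/usr/lib/firewall.d/30-NAT
nat_chain=fff-nat

# Our SNAT rule lives in its own chain, so flushing it cannot
# clobber NAT rules that other firewall.d scripts have installed.
set_nat_rule() {
	iptables -t nat -N "$nat_chain" 2>/dev/null
	iptables -t nat -C POSTROUTING -j "$nat_chain" 2>/dev/null \
		|| iptables -t nat -A POSTROUTING -j "$nat_chain"
	iptables -t nat -F "$nat_chain"
	# do not install a half-built rule when a uci value is missing
	if [ -n "$ipaddr" ] && [ -n "$peer_ip" ]; then
		iptables -t nat -A "$nat_chain" -s "$ipaddr" -j SNAT --to-source "$peer_ip"
	fi
}

if uci -q get gateway.@client[0].nat; then
	reload() { set_nat_rule; }
	apply() {
		# persisted copy is run at boot; quote the addresses there too
		cat > "$nat_file" <<-EOF
			iptables -t nat -N $nat_chain 2>/dev/null
			iptables -t nat -C POSTROUTING -j $nat_chain 2>/dev/null || iptables -t nat -A POSTROUTING -j $nat_chain
			iptables -t nat -F $nat_chain
			iptables -t nat -A $nat_chain -s "$ipaddr" -j SNAT --to-source "$peer_ip"
		EOF
		set_nat_rule
	}
# … unchanged: NAT-off branch, using iptables -t nat -F "$nat_chain" and rm -f -- "$nat_file" …
fi

revert() {
	iptables -t nat -F "$nat_chain" 2>/dev/null
	[ -f "$nat_file" ] && . "$nat_file"
}
```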

Comments

Robert Langhammer April 6, 2020, 10:20 a.m.
Hallo Christian,

ich find v4NAT als Option zu haben eigentlich recht gut. Man muss es ja
nicht an machen, hätte aber die Möglichkeit ohne Bastelei so ein Setup
zu realisieren.

Über die Umsetzung sollte man nochmal nachdenken ;-)

Viele Grüße
Robert

Am 05.04.20 um 18:10 schrieb Christian Dresel:
> With this patch it is possible to activate NAT for IPv4 Clients
>
> The documentation for the options is here:
> https://wiki.freifunk-franken.de/w/Layer3Firmware_Config/nat#client
>
> This is a RFC patch i hope for many comments
>
> Signed-off-by: Christian Dresel <fff@chrisi01.de>
> ---
>  .../fff/fff-gateway/files/etc/gateway.d/33-nat     | 54 ++++++++++++++++++++++
>  1 file changed, 54 insertions(+)
>  create mode 100644 src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
>
> diff --git a/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
> new file mode 100644
> index 0000000..ad3082c
> --- /dev/null
> +++ b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
> @@ -0,0 +1,54 @@
> +# First read IP adresses
> +if ! peer_ip=$(uci get gateway.meta.peer_ip); then
> +	echo "WARNING: No peer_ip set!"
> +fi
> +if ! ipaddr=$(uci get gateway.@client[0].ipaddr); then
> +	echo "WARNING: No ipaddr set!"
> +fi
> +
> +# configuregateway -c do nothing
> +
> +# Check if NAT is set
> +if uci -q get gateway.@client[0].nat; then
> +	# configuregateway -t - reload set the iptables rule not rebootsafe
> +	reload() {
> +		# first we flush the table
> +		iptables -t nat --flush
> +		# and load the new settings
> +		iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip
> +	}
> +	
> +	# configuregateway -a  - apply write iptables rule to firewall and set rule again                                                                                                                                                                                                                                                                     
> +	apply() {
> +		echo "iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip" > /usr/lib/firewall.d/30-NAT
> +		iptables -t nat --flush
> +		iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip 
> +	}
> +
> +	# timeout configuregateway -t - flush the table 
> +# if NAT is not set
> +else
> +	# configuregateway -t - reload set the iptables rule not rebootsafe
> +	reload() {
> +		# we only flush the table
> +		iptables -t nat --flush
> +	}
> +
> +	# configuregateway -a  - apply flush iptables rule and delete firewall rule                                                                                                                                                                                                                                                                     
> +	apply() {
> +		# we flush the table
> +		iptables -t nat --flush
> +		# and delete the firewall
> +		rm /usr/lib/firewall.d/30-NAT
> +		# nobody need NAT we win! \o/
> +	}
> +fi
> +
> +# revert is the same whether NAT set or not
> +# timeout configuregateway -t - flush the table 
> +revert() {
> +	# first we flush the table
> +	iptables -t nat --flush
> +	# and load the old settings
> +	. /usr/lib/firewall.d/30-NAT
> +}
> \ No newline at end of file