From patchwork Sun Apr 5 16:10:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [RFC,1/1] fff-gateway: Add option to set NAT for IPv4 From: Christian Dresel X-Patchwork-Id: 1332 Message-Id: <20200405161050.24878-1-fff@chrisi01.de> To: franken-dev@freifunk.net Date: Sun, 5 Apr 2020 18:10:50 +0200 With this patch it is possible to activate NAT for IPv4 Clients The documentation for the options is here: https://wiki.freifunk-franken.de/w/Layer3Firmware_Config/nat#client This is a RFC patch i hope for many comments Signed-off-by: Christian Dresel
---
.../fff/fff-gateway/files/etc/gateway.d/33-nat | 54 ++++++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
diff --git a/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
new file mode 100644
index 0000000..ad3082c
--- /dev/null
+++ b/src/packages/fff/fff-gateway/files/etc/gateway.d/33-nat
@@ -0,0 +1,54 @@
+# First read IP adresses
+if ! peer_ip=$(uci get gateway.meta.peer_ip); then
+ echo "WARNING: No peer_ip set!"
+fi
+if ! ipaddr=$(uci get gateway.@client[0].ipaddr); then
+ echo "WARNING: No ipaddr set!"
+fi
+
+# configuregateway -c do nothing
+
+# Check if NAT is set
+if uci -q get gateway.@client[0].nat; then
+ # configuregateway -t - reload set the iptables rule not rebootsafe
+ reload() {
+ # first we flush the table
+ iptables -t nat --flush
+ # and load the new settings
+ iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip
+ }
+
+ # configuregateway -a - apply write iptables rule to firewall and set rule again
+ apply() {
+ echo "iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip" > /usr/lib/firewall.d/30-NAT
+ iptables -t nat --flush
+ iptables -t nat -A POSTROUTING -s $ipaddr -j SNAT --to-source $peer_ip
+ }
+
+ # timeout configuregateway -t - flush the table
+# if NAT is not set
+else
+ # configuregateway -t - reload set the iptables rule not rebootsafe
+ reload() {
+ # we only flush the table
+ iptables -t nat --flush
+ }
+
+ # configuregateway -a - apply flush iptables rule and delete firewall rule
+ apply() {
+ # we flush the table
+ iptables -t nat --flush
+ # and delete the firewall
+ rm /usr/lib/firewall.d/30-NAT
+ # nobody need NAT we win! \o/
+ }
+fi
+
+# revert is the same whether NAT set or not
+# timeout configuregateway -t - flush the table
+revert() {
+ # first we flush the table
+ iptables -t nat --flush
+ # and load the old settings
+ . /usr/lib/firewall.d/30-NAT
+}
\ No newline at end of file
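Review bot: `iptables -t nat --flush` in every reload(), apply() and revert() empties all chains of the nat table, so any NAT rule that another script or the firewall has installed is dropped each time this file runs. Keeping the SNAT rule in a dedicated chain and flushing only that chain would limit the effect to this option. The two `uci get` failures at the top only print a warning, so with an empty `$ipaddr` or `$peer_ip` the unquoted SNAT command is malformed after the flush has already happened, and apply() writes the broken line to /usr/lib/firewall.d/30-NAT. `uci -q get gateway.@client[0].nat` appears to test only that the option exists, so a value of `0` would presumably still enable NAT. revert() sources /usr/lib/firewall.d/30-NAT without checking that it exists, and the `rm` in the else branch has no `-f`.

```shell
# NAT branch; the chain name fff_nat is only a suggestion
reload() {
	# do not touch the nat table unless both addresses were read
	[ -n "$ipaddr" ] && [ -n "$peer_ip" ] || return 1
	iptables -t nat -N fff_nat 2>/dev/null
	# flush only our own chain, other NAT rules stay in place
	iptables -t nat -F fff_nat
	iptables -t nat -C POSTROUTING -j fff_nat 2>/dev/null || iptables -t nat -A POSTROUTING -j fff_nat
	iptables -t nat -A fff_nat -s "$ipaddr" -j SNAT --to-source "$peer_ip"
}
# … apply(), the else branch and revert() need the same chain-scoped flush …
```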