gluon-alt-esc: add client + provider package

The client package allows to create a new wifi interface with direct access
to the local Freifunk network but with alternative exit gateways for internet
connectivity. A custom ESSID can be chosen.

The provider package is the counterpart to the client package and
configures the firewall of the selected Gluon node to grant permission to
route packets between the client and wan zone.

Note that the Gluon Alt-ESC provider package is not mandatory for the
Gluon Alt-ESC client package. In fact, any client device in the mesh network
can be chosen and configured to provide internet access for the Alt-ESC
client package.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>

docs/package/gluon-alt-esc-client.rst

@@ -0,0 +1,41 @@
+gluon-alt-esc-client
+====================
+
+The *gluon-alt-esc-client* package allows to create an additional wifi interface
+with an alternative default gateway.
+
+Accessibility
+-------------
+
+The alternative default gateway is configured by its MAC address in the config
+mode. This host with its MAC needs to be a accessible directly within the mesh
+network (client zone).
+
+An easy way is to use the *gluon-alt-esc-provider* package and copy the
+MAC address it presents in the config mode and paste it into the client
+side configuration. However, the provider package is not mandatory - in fact
+any host in the mesh network can potentially be chosen as an alternative default
+gateway (as long as it allows routing, of course).
+
+Only Off-link subnets are rerouted to the alternative exit. On-link subnets are
+excluded. They are currently determined via *prefix4*, *prefix6*, *extra_prefixes4*
+and *extra_prefixes6* from the site.conf.
+
+Naming / ESSID
+--------------
+
+The name (so called ESSID) for the newly created wifi interface can be
+freely chosen. However the author suggests to not use the word "Freifunk"
+in it (for quite a while the internet is not a free/libre network anymore).
+
+The following two hash tags are automatically appended:
+
+*Zone-ID*: It prevents potential roaming conflicts. (Technically, it is generated
+by taking the first four bytes of the hexadecimal form of an md5sum over
+"<ipv4-gw-MAC>,<ipv6-gw-MAC>,<essid>")
+
+*Site Code*: The communities site code is appended. To Freifunk enthusiasts it
+signalizes:
+
+- free and unaltered access to the Freifunk intranet of the local community
+- that this node contributes to the local Freifunk community as a mesh node

docs/package/gluon-alt-esc-provider.rst

@@ -0,0 +1,17 @@
+gluon-alt-esc-provider
+======================
+
+The *gluon-alt-esc-provider* package is the counterpart to the *gluon-alt-esc-client*
+package. It configures the firewall of the according Gluon node to grant permission
+to route packets between the client (mesh clients) and wan zone (private network
+behind the WAN port).
+
+Packets from the client to the wan zone are NAT'ed both for IPv4 and IPv6.
+
+Two notes: Beware of the security implications for routers and hosts in your wan
+zone (yes, your 192.168.x.x devices will be accessible from the mesh).
+
+Secondly, note that the Gluon Alt-ESC provider package is not mandatory for the
+Gluon Alt-ESC client package. In fact, any client device in the mesh network
+can be chosen and configured to provide internet access for the Alt-ESC
+client package.

package/gluon-alt-esc-client/Makefile

@@ -0,0 +1,14 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-alt-esc-client
+PKG_VERSION:=1
+PKG_RELEASE:=1
+
+include ../gluon.mk
+
+define Package/gluon-alt-esc-client
+  DEPENDS:=+gluon-web-admin
+  TITLE:=Gluon Alternative Exit Service Collaborator - Client
+endef
+
+$(eval $(call BuildPackageGluon,gluon-alt-esc-client))

package/gluon-alt-esc-client/files/etc/config/gluon-alt-esc-client

@@ -0,0 +1,5 @@
+config client
+	option disabled '1'
+	option exit4 ''
+	option exit6 ''
+	option altesc_on_lan '0'

package/gluon-alt-esc-client/files/etc/init.d/gluon-alt-esc-client

@@ -0,0 +1,86 @@
+#!/bin/sh /etc/rc.common
+
+. $IPKG_INSTROOT/usr/share/libubox/jshn.sh
+
+START=60
+sitejson="/lib/gluon/site.json"
+
+
+__get_ifnames() {
+	local lanif
+	local altesc_on_lan=`uci get gluon-alt-esc-client.@client[0].altesc_on_lan`
+
+	for wifi in `uci show wireless | grep "wireless.altesc_radio.*\.ifname" | sed "s/\.ifname=.*//"`; do
+		[ "`uci get $wifi.disabled`" = 0 ] && \
+			uci get $wifi.ifname
+	done
+
+	[ "$altesc_on_lan" = "1" ] && cat /lib/gluon/core/sysconfig/lan_ifname
+}
+
+get_ifnames() {
+	ifnames=`__get_ifnames | sort`
+}
+
+setup_onlink_prefixes() {
+	json_load "$(cat /lib/gluon/site.json)"
+	json_get_var prefix4 prefix4
+	json_get_var prefix6 prefix6
+	json_get_values extra_prefixes4 extra_prefixes4
+	json_get_values extra_prefixes6 extra_prefixes6
+
+	if [ -n "$1" ]; then
+		M="$1"
+		OUT="2> /dev/null"
+	else
+		M="-I"
+		OUT=""
+	fi
+
+	for p4 in $prefix4 $extra_prefixes4; do
+		eval ebtables-tiny -t nat "$M" ALT_ESC_OFFLINK -p IPv4 --ip-dst $p4 -j RETURN $OUT
+	done
+	for p6 in $prefix6 $extra_prefixes6; do
+		eval ebtables-tiny -t nat "$M" ALT_ESC_OFFLINK -p IPv6 --ip6-dst $p6 -j RETURN $OUT
+	done
+}
+
+start() {
+	local exit4="`uci get gluon-alt-esc-client.@client[0].exit4 2> /dev/null | tr 'A-Z' 'a-z'`"
+	local exit6="`uci get gluon-alt-esc-client.@client[0].exit6 2> /dev/null | tr 'A-Z' 'a-z'`"
+	local ownmac="`uci get network.client.macaddr 2> /dev/null | tr 'A-Z' 'a-z'`"
+	local disabled="`uci get gluon-alt-esc-client.@client[0].disabled 2> /dev/null`"
+
+	get_ifnames
+	stop
+	[ ! "$disabled" = "0" ] && exit 0
+
+	for i in $ifnames; do
+		ebtables-tiny -t nat -A ALT_ESC -i $i --logical-in br-client -j ALT_ESC_OFFLINK
+	done
+
+	setup_onlink_prefixes
+
+
+	[ -n "$exit4" ] && {
+		if [ "$ownmac" = "$exit4" ]; then
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv4 -j redirect --redirect-target ACCEPT
+		else
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv4 -j dnat --to-dst "$exit4" --dnat-target ACCEPT
+		fi
+	}
+
+	[ -n "$exit6" ] && {
+		if [ "$ownmac" = "$exit6" ]; then
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv6 -j redirect --redirect-target ACCEPT
+		else
+			ebtables-tiny -t nat -A ALT_ESC_DNAT -p IPv6 -j dnat --to-dst "$exit6" --dnat-target ACCEPT
+		fi
+	}
+}
+
+stop() {
+	ebtables-tiny -t nat -F ALT_ESC_DNAT
+	ebtables-tiny -t nat -F ALT_ESC
+	setup_onlink_prefixes "-D"
+}

package/gluon-alt-esc-client/files/lib/gluon/ebtables/100-alt-esc-chains

@@ -0,0 +1,4 @@
+chain('ALT_ESC', 'ACCEPT', 'nat')
+chain('ALT_ESC_OFFLINK', 'ACCEPT', 'nat')
+chain('ALT_ESC_STDGW', 'RETURN', 'nat')
+chain('ALT_ESC_DNAT', 'RETURN', 'nat')

package/gluon-alt-esc-client/files/lib/gluon/ebtables/120-alt-esc-rules

@@ -0,0 +1,5 @@
+rule ('PREROUTING -d Unicast -j ALT_ESC', 'nat')
+
+rule ('ALT_ESC_OFFLINK -p IPv6 --ip6-src fe80::/ffc0:: -j RETURN', 'nat')
+rule ('ALT_ESC_OFFLINK -p IPv4 --ip-dst 0.0.0.0 -j RETURN', 'nat')
+rule ('ALT_ESC_OFFLINK -j ALT_ESC_STDGW', 'nat')

package/gluon-alt-esc-client/files/usr/lib/micron.d/gluon-alt-esc

@@ -0,0 +1 @@
+* * * * * nice /usr/sbin/altesc-update

package/gluon-alt-esc-client/files/usr/sbin/altesc-update

@@ -0,0 +1,34 @@
+#!/bin/sh
+
+disabled=`uci get gluon-alt-esc-client.@client[0].disabled`
+
+if [ ! "$disabled" = "0" ]; then
+	ebtables-tiny -t nat -F ALT_ESC_STDGW
+	exit 0
+fi
+
+
+get_gw_hosts() {
+	for gw in `batctl gwl -n -H | sed "s/.* \(..:..:..:..:..:..\) (.*/\1/"`; do
+		batctl tg -n -H | grep ".* ..:..:..:..:..:.. .* $gw"
+	done | sed "s/^.* \(..:..:..:..:..:..\) .* ..:..:..:..:..:.. .*/\1/" | sort
+}
+
+gwhosts="`get_gw_hosts`"
+gwhostssum="`echo "$gwhosts" | md5sum`"
+oldgwhosts="`cat /var/run/gluon-alt-esc.hosts 2> /dev/null`"
+oldgwhostssum="`cat /var/run/gluon-alt-esc.hosts.md5sum 2> /dev/null`"
+
+if [ "$gwhostssum" = "$oldgwhostssum" ]; then
+	echo "Stayed the same"
+	exit 0
+fi
+
+ebtables-tiny -t nat -F ALT_ESC_STDGW
+
+for host in $gwhosts; do
+	ebtables-tiny -t nat -A ALT_ESC_STDGW -d "$host" -j ALT_ESC_DNAT
+done
+
+echo "$gwhosts" > /var/run/gluon-alt-esc.hosts
+echo "$gwhostssum" > /var/run/gluon-alt-esc.hosts.md5sum

package/gluon-alt-esc-client/i18n/de.po

@@ -0,0 +1,58 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"PO-Revision-Date: 2017-11-13 08:00+0200\n"
+"Last-Translator:  Linus Lüssing <linus.luessing@c0d3.blue>\n"
+"Language-Team: German\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+
+msgid ""
+"Here you can add a WiFi interface with an alternative gateway for its "
+"Internet connectivity. Usually, you connect to a node which has the "
+"Alt-ESC-Provider package activated (although other systems can "
+"provide access too)."
+msgstr ""
+"Hier kannst du ein WiFi Interface mit einem alternativen Gateway für "
+"dessen Internetzugang hinzufügen. Normalerweise verbindest du dich mit "
+"einem Knoten, welcher das Alt-ESC-Provider Paket aktiviert hat (wobei "
+"auch andere Systeme Zugang bieten können)."
+
+msgid "Name (SSID)"
+msgstr "Name (SSID)"
+
+msgid "Example: \"Lisa's Garden Gate\""
+msgstr "Beispiel: \"Lisas Gartentor\""
+
+msgid "Enable IPv4 redirection"
+msgstr "Umleitung für IPv4 aktivieren"
+
+msgid "Exit ID for IPv4"
+msgstr "Exit ID für IPv4"
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv4 internet"
+msgstr "Z.B. die MAC-Adresse eines Knoten, der als Alt-ESC-Provider für das IPv4 Internet dient"
+
+msgid "Enable IPv6 redirection"
+msgstr "Umleitung für IPv6 aktivieren"
+
+msgid "Exit ID for IPv6"
+msgstr "Exit ID für IPv6"
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv6 internet"
+msgstr "Z.B. die MAC-Adresse eines Knoten, der als Alt-ESC-Provider für das IPv6 Internet dient"
+
+msgid "Enable redirection on LAN ports"
+msgstr "Umleitung auf LAN-Ports aktivieren"
+
+msgid "Enable Password"
+msgstr "Passwort aktivieren"
+
+msgid "Password"
+msgstr "Passwort"
+
+msgid "8-63 characters. Note: No strict enforcement (yet)"
+msgstr "8-63 Zeichen. Hinweis: (Bisweilen) keine strikte Durchsetzung"

package/gluon-alt-esc-client/i18n/gluon-alt-esc-client.pot

@@ -0,0 +1,45 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid ""
+"Here you can add a WiFi interface with an alternative gateway for its "
+"Internet connectivity. Usually, you connect to a node which has the "
+"Alt-ESC-Provider package activated (although other systems can "
+"provide access too)."
+msgstr ""
+
+msgid "Name (SSID)"
+msgstr ""
+
+msgid "Example: \"Lisa's Garden Gate\""
+msgstr ""
+
+msgid "Enable IPv4 redirection"
+msgstr ""
+
+msgid "Exit ID for IPv4"
+msgstr ""
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv4 internet"
+msgstr ""
+
+msgid "Enable IPv6 redirection"
+msgstr ""
+
+msgid "Exit ID for IPv6"
+msgstr ""
+
+msgid "E.g. MAC address of the node serving as Alt-ESC-Provider for the IPv6 internet"
+msgstr ""
+
+msgid "Enable redirection on LAN ports"
+msgstr ""
+
+msgid "Enable Password"
+msgstr ""
+
+msgid "Password"
+msgstr ""
+
+msgid "8-63 characters. Note: No strict enforcement (yet)"
+msgstr ""

package/gluon-alt-esc-client/luasrc/lib/gluon/config-mode/controller/admin/altesc-client.lua

@@ -0,0 +1 @@
+entry({"admin", "altesc-client"}, model("admin/altesc-client"), _("Alt-ESC Client"), 61)