From c61771faec8677f725713a060336b261e04093fb Mon Sep 17 00:00:00 2001
From: Christof Schulze
Date: Tue, 12 Apr 2016 19:30:05 +0200
Subject: [PATCH] add package mesh-vpn-fastd-babel
---
 package/gluon-mesh-vpn-fastd-babel/Makefile | 32 ++++
 .../gluon-mesh-vpn-fastd-babel/check_site.lua | 37 +++++
 .../lib/gluon/mesh-vpn-fastd/iptables.rules | 3 +
 .../lib/gluon/upgrade/400-mesh-vpn-fastd | 150 ++++++++++++++++++
 .../410-mesh-vpn-fastd-generate-secret | 12 ++
 .../upgrade/420-mesh-vpn-fastd-simple-tc | 31 ++++
 6 files changed, 265 insertions(+)
 create mode 100644 package/gluon-mesh-vpn-fastd-babel/Makefile
 create mode 100644 package/gluon-mesh-vpn-fastd-babel/check_site.lua
 create mode 100644 package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/mesh-vpn-fastd/iptables.rules
 create mode 100755 package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/400-mesh-vpn-fastd
 create mode 100755 package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/410-mesh-vpn-fastd-generate-secret
 create mode 100755 package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/420-mesh-vpn-fastd-simple-tc
diff --git a/package/gluon-mesh-vpn-fastd-babel/Makefile b/package/gluon-mesh-vpn-fastd-babel/Makefile
new file mode 100644
index 00000000..d2f9d860
--- /dev/null
+++ b/package/gluon-mesh-vpn-fastd-babel/Makefile
@@ -0,0 +1,32 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gluon-mesh-vpn-fastd-babel
+PKG_VERSION:=3
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(GLUONDIR)/include/package.mk
+
+define Package/gluon-mesh-vpn-fastd-babel
+ SECTION:=gluon
+ CATEGORY:=Gluon
+ TITLE:=Support for connecting babel meshes via fastd
+ DEPENDS:=+gluon-core +libgluonutil +babeld +gluon-wan-dnsmasq +fastd +iptables-mod-extra +simple-tc
+endef
+
+define Build/Prepare
+ mkdir -p $(PKG_BUILD_DIR)
+ $(CP) ./src/* $(PKG_BUILD_DIR)/
+endef
+
+define Package/gluon-mesh-vpn-fastd/install
+ $(CP) ./files/* $(1)/
+
+endef
+
+define Package/gluon-mesh-vpn-fastd/postinst
+#!/bin/sh
+$(call GluonCheckSite,check_site.lua)
+endef
+
+$(eval $(call BuildPackage,gluon-mesh-vpn-fastd))
diff --git a/package/gluon-mesh-vpn-fastd-babel/check_site.lua b/package/gluon-mesh-vpn-fastd-babel/check_site.lua
new file mode 100644
index 00000000..30cca11d
--- /dev/null
+++ b/package/gluon-mesh-vpn-fastd-babel/check_site.lua
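Review bot: The package name is inconsistent within this Makefile: `define Package/gluon-mesh-vpn-fastd-babel` declares the package, but the install and postinst templates are named `Package/gluon-mesh-vpn-fastd/install` and `Package/gluon-mesh-vpn-fastd/postinst`, and the last line is `$(eval $(call BuildPackage,gluon-mesh-vpn-fastd))`. As written, BuildPackage is invoked for a package this file never defines, so the -babel package (and with it the `GluonCheckSite` site-config validation in postinst) would presumably never be built or installed from here. The three templates should use the declared name: `Package/gluon-mesh-vpn-fastd-babel/install`, `Package/gluon-mesh-vpn-fastd-babel/postinst` and `$(eval $(call BuildPackage,gluon-mesh-vpn-fastd-babel))`. Separately, `Build/Prepare` copies `./src/*`, yet the diffstat adds no `src/` directory for this package, so either the sources are missing from the patch or the `$(CP) ./src/* $(PKG_BUILD_DIR)/` line should be dropped.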
@@ -0,0 +1,37 @@
+need_string_array('fastd_mesh_vpn.methods')
+need_number('fastd_mesh_vpn.mtu')
+need_boolean('fastd_mesh_vpn.enabled', false)
+need_boolean('fastd_mesh_vpn.configurable', false)
+
+
+local function check_peer(prefix)
+ return function(k, _)
+ assert_uci_name(k)
+
+ local table = string.format('%s[%q].', prefix, k)
+
+ need_string(table .. 'key')
+ need_string_array(table .. 'remotes')
+ end
+end
+
+local function check_group(prefix)
+ return function(k, _)
+ assert_uci_name(k)
+
+ local table = string.format('%s[%q].', prefix, k)
+
+ need_number(table .. 'limit', false)
+ need_table(table .. 'peers', check_peer(table .. 'peers'), false)
+ need_table(table .. 'groups', check_group(table .. 'groups'), false)
+ end
+end
+
+need_table('fastd_mesh_vpn.groups', check_group('fastd_mesh_vpn.groups'))
+
+
+if need_table('fastd_mesh_vpn.bandwidth_limit', nil, false) then
+ need_boolean('fastd_mesh_vpn.bandwidth_limit.enabled', false)
+ need_number('fastd_mesh_vpn.bandwidth_limit.ingress', false)
+ need_number('fastd_mesh_vpn.bandwidth_limit.egress', false)
+end
diff --git a/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/mesh-vpn-fastd/iptables.rules b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/mesh-vpn-fastd/iptables.rules
new file mode 100644
index 00000000..c1a16ee1
--- /dev/null
+++ b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/mesh-vpn-fastd/iptables.rules
@@ -0,0 +1,3 @@
+*nat
+-I OUTPUT -m owner --gid-owner gluon-fastd -o lo -d 127.0.0.1 -p udp --dport 53 -j DNAT --to-destination :54
+COMMIT
diff --git a/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/400-mesh-vpn-fastd b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/400-mesh-vpn-fastd
new file mode 100755
index 00000000..d9651e85
--- /dev/null
+++ b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/400-mesh-vpn-fastd
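Review bot: Peer public keys are only validated with `need_string(table .. 'key')` in check_peer, so a truncated or mistyped key in site.conf passes site validation and is only noticed when fastd rejects the peer at runtime on every node. The sibling script 410-mesh-vpn-fastd-generate-secret in this patch treats a valid key as exactly 64 hex characters, and the same shape could be enforced here at build time, e.g. `need_string_match(table .. 'key', '^' .. ('%x'):rep(64) .. '$')` if the gluon check_site helpers offer a match variant, otherwise an explicit `assert(value:match(...))`. As a point of style, `local table = string.format(...)` in both closures shadows the `table` standard library; renaming it to `peer_prefix` / `group_prefix` avoids a silent surprise if `table.insert` is ever needed in that scope.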
@@ -0,0 +1,150 @@
+#!/usr/bin/lua
+
+local site = require 'gluon.site_config'
+local users = require 'gluon.users'
+local util = require 'gluon.util'
+
+local uci = require('luci.model.uci').cursor()
+local lutil = require 'luci.util'
+
+
+-- The previously used user is removed, we need root privileges to use the packet_mark option
+users.remove_user('gluon-fastd')
+
+-- Group for iptables rule
+users.add_group('gluon-fastd', 800)
+
+
+local enabled = uci:get('fastd', 'mesh_vpn', 'enabled')
+if not enabled then
+ enabled = site.fastd_mesh_vpn.enabled and 1 or 0
+end
+
+
+local methods
+
+if site.fastd_mesh_vpn.configurable then
+ local has_null = lutil.contains(site.fastd_mesh_vpn.methods, 'null')
+
+ local old_methods = uci:get('fastd', 'mesh_vpn', 'method')
+ if old_methods then
+ has_null = lutil.contains(old_methods, 'null')
+ end
+
+
+ methods = {}
+ if has_null then
+ table.insert(methods, 'null')
+ end
+
+ for _, method in ipairs(site.fastd_mesh_vpn.methods) do
+ if method ~= 'null' then
+ table.insert(methods, method)
+ end
+ end
+
+else
+ methods = site.fastd_mesh_vpn.methods
+end
+
+
+uci:section('fastd', 'fastd', 'mesh_vpn',
+ {
+ enabled = enabled,
+ group = 'gluon-fastd',
+ syslog_level = 'verbose',
+ interface = 'mesh-vpn',
+ mode = 'tap',
+ mtu = site.fastd_mesh_vpn.mtu,
+ secure_handshakes = 1,
+ method = methods,
+ packet_mark = 1,
+ status_socket = '/var/run/fastd.mesh_vpn.socket',
+ }
+)
+uci:delete('fastd', 'mesh_vpn', 'user')
+
+
+local add_groups
+
+local function add_peer(group, name, config)
+ uci:section('fastd', 'peer', group .. '_peer_' .. name,
+ {
+ enabled = 1,
+ net = 'mesh_vpn',
+ group = group,
+ key = config.key,
+ remote = config.remotes,
+ }
+ )
+end
+
+local function add_group(name, config, parent)
+ uci:delete('fastd', name)
+ uci:delete_all('fastd', 'peer',
+ function(peer)
+ return (peer.net == 'mesh_vpn' and peer.group == name)
+ end
+ )
+
+
+ uci:section('fastd', 'peer_group', name,
+ {
+ enabled = 1,
+ net = 'mesh_vpn',
+ parent = parent,
+ peer_limit = config.limit,
+ }
+ )
+
+ if config.peers then
+ for peername, peerconfig in pairs(config.peers) do
+ add_peer(name, peername, peerconfig)
+ end
+ end
+
+ add_groups(name, config.groups, name)
+end
+
+-- declared local above
+function add_groups(prefix, groups, parent)
+ if groups then
+ for name, group in pairs(groups) do
+ add_group(prefix .. '_' .. name, group, parent)
+ end
+ end
+end
+
+add_groups('mesh_vpn', site.fastd_mesh_vpn.groups)
+
+
+uci:save('fastd')
+
+--
+--uci:section('network', 'interface', 'mesh_vpn',
+-- {
+-- ifname = 'mesh-vpn',
+-- proto = 'batadv',
+-- mesh = 'bat0',
+-- mesh_no_rebroadcast = 1,
+-- macaddr = util.generate_mac(4, 0),
+-- }
+)
+uci:section('network', 'interface', 'mesh_vpn',
+{
+ifname = 'mesh-vpn',
+proto = 'static',
+macaddr = util.generate_mac(4, 0),
+}
+uci:save('network')
+
+
+uci:section('firewall', 'include', 'mesh_vpn_dns',
+ {
+ type = 'restore',
+ path = '/lib/gluon/mesh-vpn-fastd/iptables.rules',
+ family = 'ipv4',
+ }
+)
+
+uci:save('firewall')
diff --git a/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/410-mesh-vpn-fastd-generate-secret b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/410-mesh-vpn-fastd-generate-secret
new file mode 100755
index 00000000..e581dea8
--- /dev/null
+++ b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/410-mesh-vpn-fastd-generate-secret
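Review bot: The network-interface part near the end of the hunk does not parse: the commented-out batadv block is followed by a bare `)` that was not commented out, and the replacement `uci:section('network', 'interface', 'mesh_vpn', {` … `}` that follows is never closed before `uci:save('network')`. Because the whole upgrade step is one script, that syntax error stops everything in it from running — the `gluon-fastd` user removal and group creation, the fastd `mesh_vpn` section with `secure_handshakes` and the method list, the peer groups, and the firewall include for the DNS redirect all get skipped, and a node silently keeps whatever (possibly stale or absent) fastd configuration it had. Delete the stray `)` line after `-- }` and close the second call with `})` in place of the bare `}`; the dead commented-out batadv block would be better removed than left in. A short comment on `users.remove_user('gluon-fastd')` explaining that fastd therefore now runs as root (only `group` is set below, and `uci:delete('fastd', 'mesh_vpn', 'user')` drops any old user setting) would make that privilege change explicit for whoever audits the package later.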
@@ -0,0 +1,12 @@
+#!/usr/bin/lua
+
+local uci = require 'luci.model.uci'
+
+local c = uci.cursor()
+
+local secret = c:get("fastd", "mesh_vpn", "secret")
+
+if not secret or not secret:match(("%x"):rep(64)) then
+ c:set("fastd", "mesh_vpn", "secret", "generate")
+ c:save("fastd")
+end
diff --git a/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/420-mesh-vpn-fastd-simple-tc b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/420-mesh-vpn-fastd-simple-tc
new file mode 100755
index 00000000..3c3e10a4
--- /dev/null
+++ b/package/gluon-mesh-vpn-fastd-babel/files/lib/gluon/upgrade/420-mesh-vpn-fastd-simple-tc
@@ -0,0 +1,31 @@
+#!/usr/bin/lua
+
+local site = require 'gluon.site_config'
+local uci = require('luci.model.uci').cursor()
+local fs = require 'nixio.fs'
+
+
+if fs.access('/etc/config/gluon-simple-tc') then
+ os.rename('/etc/config/gluon-simple-tc', '/etc/config/simple-tc')
+end
+
+
+if not uci:get('simple-tc', 'mesh_vpn') then
+ local config = {
+ ifname = 'mesh-vpn',
+ enabled = 0,
+ }
+
+
+ if site.fastd_mesh_vpn.bandwidth_limit then
+ if site.fastd_mesh_vpn.bandwidth_limit.enabled then
+ config.enabled = 1
+ end
+
+ config.limit_ingress = site.fastd_mesh_vpn.bandwidth_limit.ingress
+ config.limit_egress = site.fastd_mesh_vpn.bandwidth_limit.egress
+ end
+
+ uci:section('simple-tc', 'interface', 'mesh_vpn', config)
+ uci:save('simple-tc')
+end
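Review bot: The secret validity check `secret:match(("%x"):rep(64))` is unanchored, so any value that merely contains a run of 64 hex digits — a 65-character string, or a key with trailing junk — is accepted and kept rather than regenerated. Anchoring it, `if not secret or not secret:match('^' .. ('%x'):rep(64) .. '$') then`, makes the check match exactly the 32-byte hex key length the script itself assumes. The sentinel `"generate"` is presumably turned into a real key by the fastd init script rather than here; a one-line comment above the `c:set` saying so would spare the next reader a search, since nothing in this file produces the key.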