From b1b5b63683db1752c1aad3da155127a7c841708f Mon Sep 17 00:00:00 2001
From: Marius Wehrmann
Date: Tue, 2 Jul 2024 00:15:14 +0200
Subject: [PATCH] add ffac-private-wan-dhcp
---
ffac-private-wan-dhcp/LICENSE | 24 +++++++++
ffac-private-wan-dhcp/Makefile | 25 +++++++++
.../etc/hotplug.d/iface/40-update-radvd | 53 +++++++++++++++++++
.../lib/gluon/upgrade/400-ipv4-dhcp-nat | 43 +++++++++++++++
4 files changed, 145 insertions(+)
create mode 100644 ffac-private-wan-dhcp/LICENSE
create mode 100644 ffac-private-wan-dhcp/Makefile
create mode 100644 ffac-private-wan-dhcp/luasrc/etc/hotplug.d/iface/40-update-radvd
create mode 100644 ffac-private-wan-dhcp/luasrc/lib/gluon/upgrade/400-ipv4-dhcp-nat
diff --git a/ffac-private-wan-dhcp/LICENSE b/ffac-private-wan-dhcp/LICENSE
new file mode 100644
index 0000000..0fef07f
--- /dev/null
+++ b/ffac-private-wan-dhcp/LICENSE
@@ -0,0 +1,24 @@
+BSD 2-Clause License
+
+Copyright (c) 2024, Marius Wehrmann
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
\ No newline at end of file
diff --git a/ffac-private-wan-dhcp/Makefile b/ffac-private-wan-dhcp/Makefile
new file mode 100644
index 0000000..d954e51
--- /dev/null
+++ b/ffac-private-wan-dhcp/Makefile
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2024 Marius Wehrmann
+# SPDX-License-Identifier: BSD-2-Clause
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=ffac-private-wan-dhcp
+PKG_VERSION:=1.0
+PKG_RELEASE:=1
+
+PKG_LICENSE:=BSD-2-Clause
+
+include $(TOPDIR)/../package/gluon.mk
+
+define Package/$(PKG_NAME)
+ TITLE:=bypass FF-Offloading for Direct Network Access for LTE/DSL via Private WAN-Socket
+ DEPENDS:=+uradvd
+endef
+
+define Package/$(PKG_NAME)/description
+ The functionality of this package allows devices connected to a private WAN WiFi to utilize the LTE WAN
+ connection directly, without the typical redirection or offloading to local network resources. This is
+ achieved by dynamically managing network routing and gateway settings to ensure that all traffic is
+ directed through the LTE connection, providing an uninterrupted and low-latency internet experience.
+endef
+
+$(eval $(call BuildPackageGluon,$(PKG_NAME)))
diff --git a/ffac-private-wan-dhcp/luasrc/etc/hotplug.d/iface/40-update-radvd b/ffac-private-wan-dhcp/luasrc/etc/hotplug.d/iface/40-update-radvd
new file mode 100644
index 0000000..f82fd10
--- /dev/null
+++ b/ffac-private-wan-dhcp/luasrc/etc/hotplug.d/iface/40-update-radvd
@@ -0,0 +1,53 @@
+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+
+-- Funktion zum Ausführen von Shell-Befehlen und Erfassen der Ausgabe
+local function shell(cmd)
+ local f = io.popen(cmd)
+ local result = f:read("*a")
+ f:close()
+ return result
+end
+
+-- Aktuelles IPv6-Präfix von wwan0 abrufen, doppelte Einträge entfernen
+local ipv6_prefix_cmd = "ip -6 addr show dev wwan0 | "
+ .. "grep 'global' | "
+ .. "grep -v 'temporary' | "
+ .. "awk '{print $2}' | "
+ .. "cut -f1,2,3,4 -d':' | "
+ .. "sed 's/$/::\\/64/' | "
+ .. "sort | "
+ .. "uniq"
+local ipv6_prefix = shell(ipv6_prefix_cmd):match("%S+")
+print(ipv6_prefix)
+
+-- Schauen ob Prefix gefunden, falls nein kein IPv6
+if not ipv6_prefix or ipv6_prefix == "" then
+ os.exit(1)
+end
+
+-- Prüfen, ob eine vorhandene Konfiguration für das Interface 'br-wan' existiert
+local br_wan_section = nil
+uci:foreach('uradvd', 'interface', function(s)
+ if s.ifname == 'br-wan' then
+ br_wan_section = s['.name']
+ return false
+ end
+end)
+
+-- Wenn keine Konfiguration für 'br-wan' existiert, eine neue Sektion anlegen
+if not br_wan_section then
+ br_wan_section = uci:add('uradvd', 'interface')
+end
+
+-- Konfiguration für 'br-wan' aktualisieren
+uci:set('uradvd', br_wan_section, 'enabled', '1')
+uci:set('uradvd', br_wan_section, 'ifname', 'br-wan')
+uci:set('uradvd', br_wan_section, 'default_lifetime', '1800')
+uci:set_list('uradvd', br_wan_section, 'prefix_on_link', {ipv6_prefix})
+uci:set_list('uradvd', br_wan_section, 'dns', {'2620:fe::fe'})
+uci:commit('uradvd')
+
+-- uradvd neu starten
+os.execute("/etc/init.d/uradvd restart")
diff --git a/ffac-private-wan-dhcp/luasrc/lib/gluon/upgrade/400-ipv4-dhcp-nat b/ffac-private-wan-dhcp/luasrc/lib/gluon/upgrade/400-ipv4-dhcp-nat
new file mode 100644
index 0000000..afaeb30
--- /dev/null
+++ b/ffac-private-wan-dhcp/luasrc/lib/gluon/upgrade/400-ipv4-dhcp-nat
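Review bot: The string produced by the `cut`/`sed` pipeline in 40-update-radvd is written to `prefix_on_link` without any shape check, so an address whose first four groups are not all written out (for example one compressed with `::` early) would yield a malformed prefix that is committed and announced on br-wan; a guard such as `if not ipv6_prefix or not ipv6_prefix:match('^%x+:%x+:%x+:%x+::/64$') then os.exit(1) end` before the UCI writes would reject it. Nothing in the script looks at the hotplug event, so it appears to commit the config and restart uradvd on every iface event; an early `if os.getenv('DEVICE') ~= 'wwan0' then os.exit(0) end` would limit that, assuming DEVICE is set for these events on this target. When no prefix is found the script exits and leaves the existing section enabled, so a prefix that is no longer valid may keep being advertised to clients. `print(ipv6_prefix)` looks like leftover debug output, and `shell()` calls `f:read` without checking that `io.popen` returned a handle.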
@@ -0,0 +1,43 @@
+#!/usr/bin/lua
+
+local uci = require('simple-uci').cursor()
+
+-- IPv4 für DHCP vergeben auf WAN-Interface
+uci:set('network', 'wan', 'proto', 'static')
+uci:set('network', 'wan', 'ipaddr', '192.168.222.1')
+uci:set('network', 'wan', 'netmask', '255.255.255.0')
+uci:commit('network')
+
+-- Forwarding über das wwan-Interface erlauben
+uci:set('firewall', '@zone[1]', 'forward', 'ACCEPT')
+
+-- DHCP in Firewall auf WAN erlauben
+uci:add('firewall', 'rule')
+uci:set('firewall', '@rule[-1]', 'name', 'Allow-DHCP-WAN')
+uci:set('firewall', '@rule[-1]', 'src', 'wan')
+uci:set('firewall', '@rule[-1]', 'proto', 'udp')
+uci:set('firewall', '@rule[-1]', 'src_port', '67 68')
+uci:set('firewall', '@rule[-1]', 'dest_port', '67 68')
+uci:set('firewall', '@rule[-1]', 'target', 'ACCEPT')
+
+-- DNS in Firewall auf WAN erlauben
+uci:add('firewall', 'rule')
+uci:set('firewall', '@rule[-1]', 'name', 'Allow-DNS-WAN')
+uci:set('firewall', '@rule[-1]', 'src', 'wan')
+uci:set('firewall', '@rule[-1]', 'proto', 'tcp udp')
+uci:set('firewall', '@rule[-1]', 'dest_port', '53')
+uci:set('firewall', '@rule[-1]', 'target', 'ACCEPT')
+
+-- NAT von wan auf wwan einrichten
+uci:add('firewall', 'forwarding')
+uci:set('firewall', '@forwarding[-1]', 'src', 'wan')
+uci:set('firewall', '@forwarding[-1]', 'dest', 'wwan')
+uci:commit('firewall')
+
+-- DHCP-Server einstellen für wan
+uci:set('dhcp', 'wan', 'start', '100')
+uci:set('dhcp', 'wan', 'limit', '150')
+uci:set('dhcp', 'wan', 'leasetime', '12h')
+uci:set('dhcp', 'wan', 'force', '1')
+uci:set('dhcp', 'wan', 'dhcp_option', '6,9.9.9.9')
+uci:commit('dhcp')
\ No newline at end of file
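Review bot: The two firewall rules and the forwarding in 400-ipv4-dhcp-nat are created with `uci:add` as anonymous sections, so if this upgrade script runs more than once (upgrade scripts are presumably re-run on later upgrades) each run appends another Allow-DHCP-WAN, Allow-DNS-WAN and wan-to-wwan entry; named sections via `uci:section` would make it idempotent, as sketched below with suggested section names. `@zone[1]` picks the zone by position, so which zone receives `forward ACCEPT` depends on the order of the firewall config at that moment; addressing the zone by its section name would make the intended target explicit and reviewable. The script also switches WAN to a static 192.168.222.1 network with a forced DHCP server unconditionally, so a node whose WAN port is attached to an existing LAN would start answering DHCP there; a header comment stating that the package is meant only for nodes with a wwan uplink, or a check for that uplink before changing anything, would make the precondition visible.

```lua
-- … unchanged: static address on wan, zone forward setting …

-- Named sections: a re-run updates these entries instead of appending duplicates
uci:section('firewall', 'rule', 'wan_dhcp', {
	name = 'Allow-DHCP-WAN',
	src = 'wan',
	proto = 'udp',
	src_port = '67 68',
	dest_port = '67 68',
	target = 'ACCEPT',
})
uci:section('firewall', 'rule', 'wan_dns', {
	name = 'Allow-DNS-WAN',
	src = 'wan',
	proto = 'tcp udp',
	dest_port = '53',
	target = 'ACCEPT',
})
uci:section('firewall', 'forwarding', 'wan_wwan', {
	src = 'wan',
	dest = 'wwan',
})
uci:commit('firewall')

-- … unchanged: DHCP server settings for wan …
```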