map-agent: traffic_separation: only handle layer3 if controller is on same device

map-agent: traffic_separation: wip - layer3ts teardown
2026-01-13 16:13:47 +08:00 · 2022-12-08 13:35:30 +01:00 · 2022-12-08 12:02:47 +01:00 · 2022-12-08 10:12:23 +01:00 · 2022-12-07 16:15:48 +01:00 · 2022-12-07 16:15:48 +01:00
1 changed files with 235 additions and 8 deletions
--- a/map-agent/files/lib/wifi/traffic_separation
+++ b/map-agent/files/lib/wifi/traffic_separation
@@ -23,12 +23,117 @@ EOF
 	}

 	ts_create() {
+		_dhcp_setup() {
+			local name=$1
+
+			[ -n "$(uci -q get dhcp.${name})" ] && return
+
+			uci -q set dhcp.${name}=dhcp
+			uci -q set dhcp.${name}.interface="${name}"
+			uci -q set dhcp.${name}.start="100"
+			uci -q set dhcp.${name}.limit="150"
+			uci -q set dhcp.${name}.leasetime="1h"
+			uci -q set dhcp.${name}.dhcpv4="server"
+			uci -q set dhcp.${name}.dhcpv6="server"
+			uci -q set dhcp.${name}.ra="server"
+			uci -q set dhcp.${name}.ra_slaac="1"
+			uci -q add_list dhcp.${name}.ra_flags="managed-config"
+			uci -q add_list dhcp.${name}.ra_flags="other-config"
+
+			uci -q commit dhcp
+		}
+
+		_firewall_setup() {
+			local name=$1
+			local network=$1
+			local vid=$2
+			local zone_exist=0
+
+			config_load firewall
+
+			_process_zone() {
+				local section=$1
+				local new_name=$2
+				local name
+
+				config_get name $section name
+
+				[ "$name" == "$new_name" ] && zone_exist=1
+			}
+
+			config_foreach _process_zone zone $name
+
+			[ "$zone_exist" != "0" ] && return
+
+			uci -q add firewall zone
+			uci -q set firewall.@zone[-1].name="$name"
+			uci -q add_list firewall.@zone[-1].network="$network"
+			uci -q set firewall.@zone[-1].input='ACCEPT'
+			uci -q set firewall.@zone[-1].output='ACCEPT'
+			uci -q set firewall.@zone[-1].forward='ACCEPT'
+
+			uci -q add firewall forwarding
+			uci -q set firewall.@forwarding[-1].src="$name"
+			uci -q set firewall.@forwarding[-1].dest="wan"
+
+			uci -q commit firewall
+		}
+
+		_guest_net_setup() {
+			local vid=$1
+			local name="guest${vid}"
+			local dev="guest_dev${vid}"
+			local br_guest="br-guest${vid}"
+			local peer="guest_peer${vid}"
+			local ip_addr="192.168.${vid}.1"
+			local br_dev="${AL_BRIDGE/-/_}"
+
+			[ "${vid}" = "${PRIMARY_VID}" ] && return
+
+			ip link show $dev 2> /dev/null || {
+				ip link add $dev type veth peer name $peer
+			}
+
+			ip link set $dev up
+			ip link set $port_dev up
+
+			[ -z "$(uci -q get network.${name})" ] || return
+
+			uci -q set network.${name}="interface"
+			uci -q set network.${name}.device="${br_guest}"
+			uci -q set network.${name}.is_lan="1"
+			uci -q set network.${name}.proto="static"
+			uci -q set network.${name}.ipaddr="${ip_addr}"
+			uci -q set network.${name}.netmask="255.255.255.0"
+			uci -q set network.${name}.ip6assign '60'
+
+			uci -q set network.br_${name}="device"
+			uci -q set network.br_${name}.name="${br_guest}"
+			uci -q set network.br_${name}.type="bridge"
+
+			if [ -z $(uci -q get network.${br_dev}.ports | grep -w ${dev}) ]; then
+				uci -q add_list network.${br_dev}.ports="${dev}"
+			fi
+
+			if [ -z $(uci -q get network.br_${name}.ports | grep -w ${peer}) ]; then
+				uci -q add_list network.br_${name}.ports="${peer}"
+			fi
+
+			if [ -z $(uci -q get network.vlan${vid}.ports | grep -w ${dev}) ]; then
+				uci -q add_list network.vlan${vid}.ports="${dev}:*"
+			fi
+
+			uci -q commit network
+		}
+
 		_net_setup() {
 			local vid=$1
+			local layer3=$2
 			local name="vlan${vid}"
 			local br_dev="${AL_BRIDGE/-/_}"
 			local tag=":t"
 			local self_flags="untagged"
+			local brvid_local="1"

 			[ -z "$(uci -q get network.${name})" ] || return

@@ -37,21 +142,27 @@ EOF
 			uci -q set network.${name}.device="$AL_BRIDGE"
 			uci -q set network.${name}.vlan="$vid"

-			[ "${vid}" = "${PRIMARY_VID}" ] && {
+			if [ "${vid}" = "${PRIMARY_VID}" ]; then
 				self_flags="untagged pvid"
 				tag=":*"
-			}
+			elif [ -x "/usr/sbin/mapcontroller" -a "$layer3" = "1" ]; then
+				brvid_local="0"
+			fi

 			uci -q set network.${name}.flags="${self_flags}"
-			uci -q set network.${name}.local='1'
+			uci -q set network.${name}.local="${brvid_local}"

 			for port in $(uci -q get network.${br_dev}.ports) ; do
+				if [ -x "/usr/sbin/mapcontroller" -a "$layer3" = "1" ]; then
+					echo $port | grep "guest" && continue
+				fi
 				uci -q get network.${name}.ports | grep -q "${port}${tag}" && continue
 				uci -q add_list network.${name}.ports="${port}${tag}"
 			done

 			uci -q commit network
 		}
+		local layer3=$(uci -q get mapagent.agent.layer3_ts)

 		vid=$1

@@ -62,8 +173,15 @@ EOF
 			exit 1
 		}

+		_net_setup ${vid} ${layer3}
+
                logger -t vlan "setup ts vid $vid"
-                _net_setup ${vid}
+		[ -x "/usr/sbin/mapcontroller" -a "$layer3" = "1" ] && {
+			_dhcp_setup guest${vid}
+			_firewall_setup guest${vid} ${vid}
+			_guest_net_setup ${vid}
+
+		}

                # Disable pktfwd here and flush FlowCache rules
                echo 0 > /proc/pktfwd_dhd/enable
@@ -122,15 +240,32 @@ EOF
 	# maintain VIDs passed as args in network config, remove rest
 	ts_keep() {
 		local al_bridge=$(uci -q get mapagent.agent.al_bridge)
+		local layer3="$(uci -q get mapagent.agent.layer3_ts)"
 		restart=""

 		[ "$al_bridge" = "" ] && al_bridge="br-lan"

+
+		guest_teardown() {
+			local section=$1
+			local config=$2
+			local bridge=$3
+			local option=$4
+
+			config_get name "$section" "$option"
+
+			[ "$bridge" != "$name" ] && continue
+
+			uci -q delete ${config}.${section}
+		}
+
 		bridge_vlan_teardown() {
 			local section=$1
 			shift
 			local bridge=$1
 			shift
+			local layer3=$1
+			shift
 			local keep="$@"

 			config_get device "$section" device
@@ -145,15 +280,39 @@ EOF
 				fi
 			done

+			#if layer3ts enabled
+			if [ -x "/usr/sbin/mapcontroller" -a "$layer3" = "1" ]; then
+				local br_guest="br-guest${vlan}"
+
+				config_load network
+				config_foreach guest_teardown device "network" $br_guest "name" $@ # could easier be replaced by uci ubus api and using match field
+				config_foreach guest_teardown interface "network" $br_guest "device" $@ # could easier be replaced by uci ubus api and using match field
+
+				config_load dhcp
+				[ -n "$(uci -q get dhcp.guest${vlan})" ] && {
+					uci -q delete dhcp.guest${vlan}
+					restart="1"
+				}
+				config_load firewall
+				config_foreach guest_teardown zone "firewall" guest${vlan} "name" $@ #delete firewall section with name = guest${vlan}
+				config_foreach guest_teardown forwarding "firewall" guest${vlan} "src" $@ #delete firewall section with name = guest${vlan}
+			fi
+
+
+			#endif
 			uci -q delete network.$section
 			restart="1"
 		}

 		config_load network
-		config_foreach bridge_vlan_teardown bridge-vlan $al_bridge $@
+		(config_foreach bridge_vlan_teardown bridge-vlan $al_bridge $layer3 $@)

 		if [ "$restart" = "1" ]; then
 			uci commit network
+			if [ -x "/usr/sbin/mapcontroller" -a "$layer3" = "1" ]; then
+				uci commit firewall
+				uci commit dhcp
+			fi
 			dbg "trigger network restart"
 			/etc/init.d/network restart
 		fi
@@ -161,6 +320,7 @@ EOF

 	ts_cleanup() {
 		local al_bridge=$(uci -q get mapagent.agent.al_bridge)
+		local layer3="$(uci -q get mapagent.agent.layer3_ts)"
 		restart=""

 		[ "$al_bridge" = "" ] && al_bridge="br-lan"
@@ -168,19 +328,86 @@ EOF
 		bridge_device_teardown() {
 			local section=$1
 			local bridge=$2
+			local layer3=$3
+			local br_dev="${AL_BRIDGE/-/_}"
+			local dev
+			local br_guest
+			local peer
+
 			config_get device "$section" device
+			config_get vlan "$section" vlan
+
+			dev="guest_dev${vlan}"

 			[ "$bridge" != "$device" ] && continue

 			uci -q delete network.$section
-			restart="1"
+
+			echo "restart"
+
+			[ -x "/usr/sbin/mapcontroller" -a "$layer3" = "1" ] || continue
+
+			####
+			# layer3 specific teardown
+			####
+
+			guest_teardown() {
+				local section=$1
+				local config=$2
+				local bridge=$3
+				local option=$4
+
+				config_get name "$section" "$option"
+
+				[ "$bridge" != "$name" ] && continue
+
+				echo "$bridge=$name" > /dev/console
+
+				uci -q delete ${config}.${section}
+				echo "uci -q delete ${config}.${section}" > /dev/console
+			}
+
+			br_guest="br-guest${vlan}"
+
+			# network config guest teardown
+			config_load network
+			config_foreach guest_teardown device "network" $br_guest "name"
+			config_foreach guest_teardown interface "network" $br_guest "device"
+
+			if [ -n "$(uci -q get network.${br_dev}.ports | grep -w ${dev})" ]; then
+				uci -q del_list network.${br_dev}.ports="${dev}"
+			fi
+
+			peer="guest_peer${vlan}"
+
+			ip link show $dev 2> /dev/null && {
+				ip link del $dev
+			}
+
+			ip link show $peer 2> /dev/null && {
+				ip link del $peer
+			}
+
+			# dhcp config guest teardown
+			[ -n "$(uci -q get dhcp.guest${vlan})" ] && {
+				uci -q delete dhcp.guest${vlan}
+			}
+
+			# firewall config guest teardown
+			config_load firewall
+			config_foreach guest_teardown zone "firewall" guest${vlan} "name"
+			config_foreach guest_teardown forwarding "firewall" guest${vlan} "src"
 		}

 		config_load network
-		config_foreach bridge_device_teardown bridge-vlan $al_bridge
+		restart="$(config_foreach bridge_device_teardown bridge-vlan $al_bridge $layer3)"

-		if [ "$restart" = "1" ]; then
+		if [ -n "$restart" ]; then
 			uci commit network
+			if [ -x "/usr/sbin/mapcontroller" -a "$layer3" = "1" ]; then
+				uci commit firewall
+				uci commit dhcp
+			fi
 			dbg "trigger network restart"
 			/etc/init.d/network restart
 		fi
Author	SHA1	Message	Date
Jakob Olsson	fefbcdf9b3	map-agent: traffic_separation: only handle layer3 if controller is on same device	2022-12-08 13:35:30 +01:00
Jakob Olsson	d2ac9d5684	map-agent: traffic_separation: wip - layer3ts teardown	2022-12-08 12:02:47 +01:00
Jakob Olsson	8d4293b22d	map-agent: traffic_separation: wip - layer3ts teardown	2022-12-08 10:12:23 +01:00
Jakob Olsson	2c05fcc08a	map-agent: traffic_separation: wip - layer3ts teardown	2022-12-07 16:15:48 +01:00
Jakob Olsson	14344b452c	map-agent: traffic_separation: add forwarding section	2022-12-07 16:15:48 +01:00
Jakob Olsson	c3ac2d0b04	map-agent: traffic_separation: layer 3 traffic separation first draft	2022-12-07 16:15:48 +01:00