contrib/freifunk-policyrouting: Fix getting the name of interfaces
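# Hotplug hook (etc/hotplug.d/firewall): rebuild the iptables rules used by
# freifunk policy routing every time the wan interface is brought up, or tear
# them down again when policy routing is disabled.
#
# Reads (uci):  freifunk-policyrouting.pr.enable / .strict / .zones,
#               network.<iface>.type/ifname/device (state from /var/state),
#               firewall zone sections (name, network).
# Writes:       chain prerouting_policy in table mangle and chain
#               forward_policy in table filter; diagnostics go to syslog.
# Runs under busybox ash, so only POSIX sh constructs are used here.

# Print the kernel device name recorded in /var/state for the logical
# interface $1: ifname is preferred, device is the fallback. Prints an empty
# line when neither is known, so callers must check the result before using
# it as an iptables -i/-o argument.
pr_state_dev() {
	local ifc="$1"
	local dev
	dev=$(uci -q -p /var/state get "network.$ifc.ifname")
	[ -n "$dev" ] || dev=$(uci -q -p /var/state get "network.$ifc.device")
	printf '%s\n' "$dev"
}

if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
	# -q keeps missing options from spamming stderr; an empty value is
	# treated like "disabled" by the checks below.
	pr=$(uci -q get freifunk-policyrouting.pr.enable)
	strict=$(uci -q get freifunk-policyrouting.pr.strict)
	zones=$(uci -q get freifunk-policyrouting.pr.zones)

	if [ "$pr" = "1" ]; then
		# The wan device name (used as the egress interface of the strict filter)
		wandev=$(pr_state_dev wan)

		# Recreate prerouting_policy from scratch so mark rules do not pile up
		# across repeated wan up events; errors from "does not exist yet" are
		# expected on first run and therefore silenced.
		iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
		iptables -t mangle -F prerouting_policy > /dev/null 2>&1
		iptables -t mangle -N prerouting_policy > /dev/null 2>&1
		iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1

		# If no route is in table olsr-default, then usually the hosts local default route is used.
		# If set to strict then we add a filter which prevents this
		if [ "$strict" = "1" ]; then
			# Place forward_policy directly above the first reject rule of
			# FORWARD so it is evaluated before the firewall's catch-all reject;
			# fall back to position 1 when there is no such rule (ln <= 0).
			# -n avoids reverse DNS lookups while listing.
			ln=$(iptables -n -L FORWARD -v --line-numbers | grep -m 1 reject | awk '{ print $1 }')
			ln=$(( ${ln:-0} - 1 ))
			[ "$ln" -gt 0 ] || ln=1
			# Listing a chain fails when it does not exist; create it only then.
			if ! iptables -n -L forward_policy > /dev/null 2>&1; then
				iptables -N forward_policy
			fi
			if ! iptables -n -L FORWARD -v | grep -q forward_policy; then
				iptables -I FORWARD "$ln" -m mark --mark 1 -j forward_policy
			fi
			iptables -F forward_policy
			# Without a known wan device "-o" would receive "-j" as its argument
			# and the rule would be rejected by iptables; log instead.
			if [ -n "$wandev" ]; then
				iptables -I forward_policy -o "$wandev" -j REJECT --reject-with icmp-net-prohibited
			else
				logger -t policyrouting "Cannot determine wan device, strict reject rule not installed"
			fi
		fi

		# set mark 1 for all packets coming in via enabled zones
		# $zones is a space separated uci value, so word splitting is intended.
		for i in $zones; do
			# find out which interfaces belong to this zone; the match is
			# anchored so that zone "ff" does not also pick up "ffwan", and the
			# optional quotes cover both uci show output formats. A zone that is
			# not found in the firewall config falls back to a network of the
			# same name. -F. splits on "." for every awk, unlike assigning FS
			# inside the action (which POSIX applies to the next record only).
			zone=$(uci show firewall | grep -m 1 -E "\.name='?$i'?\$" | awk -F. '{ print $1"."$2 }')
			interfaces=""
			[ -n "$zone" ] && interfaces=$(uci -q get "$zone.network")
			[ -n "$interfaces" ] || interfaces=$i
			for int in $interfaces; do
				if [ "$(uci -q get "network.$int.type")" = "bridge" ]; then
					dev="br-$int"
				else
					dev=$(pr_state_dev "$int")
				fi
				# An empty device would make "-i" swallow "-j"; skip and log.
				if [ -z "$dev" ]; then
					logger -t policyrouting "No device known for interface $int, skipping"
					continue
				fi
				logger -t policyrouting "Add mark 1 to packages coming in via interface $dev"
				iptables -t mangle -I prerouting_policy -i "$dev" -j MARK --set-mark 1
			done
		done
	else
		# Cleanup policy routing stuff that might be lingering around
		if iptables -t mangle -n -L PREROUTING | grep -q _policy; then
			logger -t policyrouting "Delete prerouting_policy chain in table mangle"
			iptables -t mangle -D PREROUTING -j prerouting_policy
			iptables -t mangle -F prerouting_policy
			iptables -t mangle -X prerouting_policy
		fi
		if iptables -n -L FORWARD | grep -q forward_policy; then
			logger -t policyrouting "Delete strict forwarding rules"
			iptables -D FORWARD -m mark --mark 1 -j forward_policy
			iptables -F forward_policy
			iptables -X forward_policy
		fi
		logger -t policyrouting "All firewall rules for policyrouting removed."
	fi
fi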