--- /dev/null
+#!/bin/sh
+
+clear_restricted_gw()
+{
+       local state="$1"
+       local iface
+       local ifname
+       local ipaddr
+       local netmask
+       local gateway
+
+       config_get iface "$state" iface
+
+       if [ "$iface" = "$INTERFACE" ]; then
+               config_get ifname "$state" ifname
+               config_get ipaddr "$state" ipaddr
+               config_get netmask "$state" netmask
+               config_get gateway "$state" gateway
+
+               logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
+               iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $ipaddr/$netmask -j REJECT
+               iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $gateway -j ACCEPT
+
+               uci_revert_state firewall "$state"
+       fi
+}
+
+get_enabled()
+{
+       local name
+       config_get name "$1" name
+
+       if [ "$name" = "$ZONE" ]; then
+               config_get_bool local_restrict "$1" local_restrict
+       fi
+}
+
+if [ "$ACTION" = add ]; then
+       local enabled
+       local ipaddr
+       local netmask
+       local gateway
+
+       include /lib/network
+       scan_interfaces
+
+       config_get ipaddr "$INTERFACE" ipaddr
+       config_get netmask "$INTERFACE" netmask
+       config_get gateway "$INTERFACE" gateway
+
+       if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
+               config_load firewall
+
+               local_restrict=0
+               config_foreach get_enabled zone
+
+               if [ "$local_restrict" = 1 ]; then
+                       logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
+                       iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $ipaddr/$netmask -j REJECT
+                       iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $gateway -j ACCEPT
+
+                       local state="restricted_gw_${INTERFACE}"
+                       uci_set_state firewall "$state" "" restricted_gw_state
+                       uci_set_state firewall "$state" iface "$INTERFACE"
+                       uci_set_state firewall "$state" ifname "$DEVICE"
+                       uci_set_state firewall "$state" ipaddr "$ipaddr"
+                       uci_set_state firewall "$state" netmask "$netmask"
+                       uci_set_state firewall "$state" gateway "$gateway"
+               fi
+       fi
+
+elif [ "$ACTION" = remove ]; then
+       config_load firewall
+       config_foreach clear_restricted_gw restricted_gw_state   
+fi
+