From 27b7784cddaf4d001375b267dfe4c3f739565b2c Mon Sep 17 00:00:00 2001 From: Manuel Munz Date: Tue, 5 Jun 2012 22:23:40 +0000 Subject: [PATCH] contrib/freifunk-policyrouting: Almost works now. There is still the problem that localhost cannot use his own ipv6 gateway, this needs more investigation --- .../files/etc/hotplug.d/firewall/24-policyrouting | 46 ++++++++++++++++++++-- .../files/etc/hotplug.d/iface/30-policyrouting | 15 +++++-- 2 files changed, 55 insertions(+), 6 deletions(-) diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting index 014803a7d..786c5e4ce 100644 --- a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting +++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting @@ -2,7 +2,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then pr=`uci get freifunk-policyrouting.pr.enable` strict=`uci get freifunk-policyrouting.pr.strict` zones=`uci get freifunk-policyrouting.pr.zones` - + [ -f /proc/net/ipv6_route ] && has_ipv6=1 if [ $pr = "1" ]; then # The wan device name @@ -16,6 +16,12 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then iptables -t mangle -F prerouting_policy > /dev/null 2>&1 iptables -t mangle -N prerouting_policy > /dev/null 2>&1 iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1 + if [ "$has_ipv6" = 1 ]; then + ip6tables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1 + ip6tables -t mangle -F prerouting_policy > /dev/null 2>&1 + ip6tables -t mangle -N prerouting_policy > /dev/null 2>&1 + ip6tables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1 + fi # If no route is in table olsr-default, then usually the hosts local default route is used. # If set to strict then we add a filter which prevents this @@ -32,6 +38,22 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then fi iptables -F forward_policy iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited + + + if [ "$has_ipv6" = 1 ]; then + ln=$(( `ip6tables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 )) + if [ ! $ln -gt 0 ]; then + ln=1 + fi + if [ -z "`ip6tables -L |grep 'Chain forward_policy'`" ]; then + ip6tables -N forward_policy + fi + if [ -z "`ip6tables -L FORWARD -v |grep forward_policy`" ]; then + ip6tables -I FORWARD $ln -m mark --mark 1 -j forward_policy + fi + ip6tables -F forward_policy + ip6tables -I forward_policy -o $wandev -j REJECT + fi fi # set mark 1 for all packets coming in via enabled zones @@ -54,22 +76,40 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then fi logger -t policyrouting "Add mark 1 to packages coming in via interface $dev" iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1 + if [ "$has_ipv6" = 1 ]; then + ip6tables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1 + fi done done else # Cleanup policy routing stuff that might be lingering around if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then - logger -t policyrouting "Delete prerouting_policy chain in table mangle" + logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv4)" iptables -t mangle -D PREROUTING -j prerouting_policy iptables -t mangle -F prerouting_policy iptables -t mangle -X prerouting_policy fi if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then - logger -t policyrouting "Delete strict forwarding rules" + logger -t policyrouting "Delete strict forwarding rules (IPv4)" iptables -D FORWARD -m mark --mark 1 -j forward_policy iptables -F forward_policy iptables -X forward_policy fi + + if [ "$has_ipv6" = 1 ]; then + if [ -n "`ip6tables -t mangle -L PREROUTING |grep _policy`" ]; then + logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv6)" + ip6tables -t mangle -D PREROUTING -j prerouting_policy + ip6tables -t mangle -F prerouting_policy + ip6tables -t mangle -X prerouting_policy + fi + if [ -n "`ip6tables -L FORWARD |grep forward_policy`" ]; then + logger -t policyrouting "Delete strict forwarding rules (IPv6)" + ip6tables -D FORWARD -m mark --mark 1 -j forward_policy + ip6tables -F forward_policy + ip6tables -X forward_policy + fi + fi logger -t policyrouting "All firewall rules for policyrouting removed." fi fi diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting index 68eba11cf..acce98113 100644 --- a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting +++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting @@ -58,15 +58,24 @@ case $ACTION in ip route add $NETWORK/$NETMASK dev $device table default ip route add default via $gw dev $device table default + #if [ "$has_ipv6" = 1 ]; then + # local ip6gw=$(ip -6 r |grep default |cut -d " " -f 3) + # test -n "`ip -6 r s t default`" && ip -6 r d default t default + # test -n "`ip -6 r s |grep default`" && ip -6 route del default + # ip -6 r a $ip6gw via $ip6gw dev $dev table default + # ip -6 route add default via $ip6gw dev $device table default + #fi + + ip rule del lookup main ip rule add fwmark 1 lookup olsr-default ip rule add lookup main ip rule add lookup olsr if [ "$has_ipv6" = 1 ]; then ip -6 rule del lookup main - ip -6 rule add fwmark 1 lookup olsr-default - ip -6 rule add lookup main - ip -6 rule add lookup olsr + ip -6 rule add fwmark 1 lookup olsr-default prio 16385 + ip -6 rule add lookup main prio 16383 + ip -6 rule add lookup olsr prio 16380 fi else # Remove custom routing tables from olsrd -- 2.11.0