contrib/freifunk-firewall: use extrapositioned negation
[project/luci.git] / contrib / package / freifunk-firewall / files / etc / hotplug.d / firewall / 23-restricted-wan
1 #!/bin/sh
2
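# config_foreach callback used on "remove": tears down the restricted-gateway
# rules that were recorded for the interface named by the hotplug event.
#
# Arguments: $1 - name of a restricted_gw_state section in the firewall state
# Globals:   INTERFACE (read) - interface the hotplug event refers to
# Effects:   deletes the REJECT/ACCEPT pair from zone_${INTERFACE}_ACCEPT and
#            reverts the state section; sections recorded for any other
#            interface are left alone.
clear_restricted_gw()
{
        local state="$1"
        local iface
        local ifname
        local ipaddr
        local netmask
        local gateway

        config_get iface "$state" iface

        if [ "$iface" = "$INTERFACE" ]; then
                config_get ifname "$state" ifname
                config_get ipaddr "$state" ipaddr
                config_get netmask "$state" netmask
                config_get gateway "$state" gateway

                logger -t firewall.freifunk "removing local restriction to $iface($gateway)"

                # Every value read back from the state store is quoted so that it
                # reaches iptables as exactly one argument: no word splitting, no
                # glob expansion, and an empty value cannot shift the following
                # options into the wrong position.
                iptables -D "zone_${INTERFACE}_ACCEPT" ! -i "$ifname" -o "$ifname" -d "$ipaddr/$netmask" -j REJECT
                iptables -D "zone_${INTERFACE}_ACCEPT" ! -i "$ifname" -o "$ifname" -d "$gateway" -j ACCEPT

                # NOTE(review): the exit status of the two deletions is not checked.
                # If a rule no longer matches the stored values it stays in the
                # chain while its state record is dropped here - confirm that a
                # firewall restart is the intended recovery path.
                uci_revert_state firewall "$state"
        fi
}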
27
# config_foreach callback for firewall "zone" sections.
#
# Arguments: $1 - zone section name
# Globals:   ZONE (read) - zone named by the hotplug event
#            local_restrict (written) - set from the matching zone's
#            local_restrict option; untouched for every other zone
get_enabled()
{
        local zone_name

        config_get zone_name "$1" name

        # Sections that describe a different zone must not change the flag.
        [ "$zone_name" = "$ZONE" ] || return 0

        config_get_bool local_restrict "$1" local_restrict
}
37
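# Firewall hotplug handler.
#
# add:    when the zone of the interface has local_restrict enabled and the
#         interface has a usable gateway, traffic that did not arrive on DEVICE
#         but leaves through it may reach the gateway only; the rest of the
#         uplink subnet is rejected. The parameters are recorded in the firewall
#         state so the rules can be deleted again.
# remove: delete the rules recorded for INTERFACE.
#
# Globals read: ACTION, INTERFACE, DEVICE, ZONE (from the hotplug environment).
# Only iptables is invoked here, so the restriction covers IPv4 traffic only.
#
# NOTE(review): `local` is used outside of any function below. Several shells
# reject that, so this relies on how the hotplug scripts are executed - confirm.
if [ "$ACTION" = add ]; then
        local ipaddr
        local netmask
        local gateway

        include /lib/network
        scan_interfaces

        config_get ipaddr "$INTERFACE" ipaddr
        config_get netmask "$INTERFACE" netmask
        config_get gateway "$INTERFACE" gateway

        if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
                config_load firewall

                # get_enabled sets local_restrict to the option of the zone
                # matching ZONE; the restriction stays off by default.
                local_restrict=0
                config_foreach get_enabled zone

                if [ "$local_restrict" = 1 ]; then
                        logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"

                        # -I without an index inserts at the head of the chain, so
                        # the ACCEPT for the gateway, inserted second, is evaluated
                        # before the REJECT for the whole uplink subnet.
                        # All values are quoted so that each one reaches iptables
                        # as exactly one argument.
                        # NOTE(review): ipaddr and netmask are not checked for being
                        # empty; the REJECT insertion would then fail while the
                        # ACCEPT rule and the state record are still created.
                        iptables -I "zone_${INTERFACE}_ACCEPT" ! -i "$DEVICE" -o "$DEVICE" -d "$ipaddr/$netmask" -j REJECT
                        iptables -I "zone_${INTERFACE}_ACCEPT" ! -i "$DEVICE" -o "$DEVICE" -d "$gateway" -j ACCEPT

                        # Record exactly what was inserted; clear_restricted_gw
                        # rebuilds the same rule specifications from these values.
                        local state="restricted_gw_${INTERFACE}"
                        uci_set_state firewall "$state" "" restricted_gw_state
                        uci_set_state firewall "$state" iface "$INTERFACE"
                        uci_set_state firewall "$state" ifname "$DEVICE"
                        uci_set_state firewall "$state" ipaddr "$ipaddr"
                        uci_set_state firewall "$state" netmask "$netmask"
                        uci_set_state firewall "$state" gateway "$gateway"
                fi
        fi

elif [ "$ACTION" = remove ]; then
        config_load firewall
        config_foreach clear_restricted_gw restricted_gw_state
fi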
76