contrib/meshwizard: Better formatting
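#!/bin/sh
# Add "freifunk" firewall zone
# If wan is used for olsr then delete wan zone and all wan rules
# Also setup rules defined in /etc/config/freifunk and /etc/config/profile_<community>
#
# Expected from the calling meshwizard environment:
#   dir        - directory holding the meshwizard helper functions.sh
#   community  - community name, selects /etc/config/profile_<community>
# config_load/config_get/config_foreach are the OpenWrt config helpers
# (expected from /etc/functions.sh); uci_commitverbose, section_rename and
# the zone_freifunk_* defaults presumably come from $dir/functions.sh — TODO confirm.
# There is no "set -e": every uci step reports its own outcome through
# uci_commitverbose, and a failed step does not abort the wizard.

. /etc/functions.sh
# quoted: an unquoted $dir would be word-split / glob-expanded
. "$dir/functions.sh"

# "1" when the wizard configured wan as an olsr interface; read by the zone
# handlers and by the wan rule cleanup at the end of this script
wan_is_olsr=$(uci -q get meshwizard.netconfig.wan_config)

config_load firewall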
# Add local_restrict to wan firewall zone (if wan is not used for olsr)
# If wan is used for olsr then remove the firewall zone wan
#######################################
# config_foreach handler for firewall "zone" sections; only acts on zone wan.
# NOTE(review): the same wan logic is repeated in handle_fwzone below, so the
# wan zone is visited twice per run.
# Globals:   wan_is_olsr (read); name (written by config_get)
# Arguments: $1 - zone section name
# Outputs:   uci del / uci set on the section, committed via uci_commitverbose
#######################################
handle_zonewan() {
  config_get name "$1" name
  [ "$name" = "wan" ] || return 0

  if [ "$wan_is_olsr" = 1 ]; then
    uci del "firewall.$1" && uci_commitverbose "WAN is used for olsr, delete firewall zone wan" firewall
  else
    uci set "firewall.$1.local_restrict=1" && uci_commitverbose "Enable local_restrict for zone wan" firewall
  fi
}
# Visit every zone of the firewall config loaded above (handles zone wan only)
config_foreach handle_zonewan zone
26
# Rename firewall zone for freifunk if unnamed and delete wan zone if it is used for olsr; else enable local restrict
#######################################
# config_foreach handler for firewall "zone" sections.
# - zone "freifunk" with an auto-generated section name (cfg<hex>...) is
#   renamed to zone_freifunk so the uci batch below can address it by name
# - zone "wan" is deleted when wan carries olsr, otherwise local_restrict=1
#   (NOTE(review): duplicates the wan branch of handle_zonewan above)
# Globals:   wan_is_olsr (read); name, network (written by config_get;
#            network is read but not used here, kept as in the original)
# Arguments: $1 - zone section name
#######################################
handle_fwzone() {
  config_get name "$1" name
  config_get network "$1" network

  case "$name" in
    freifunk)
      # rename section if unnamed: the remainder is empty exactly when $1
      # is cfg<hex>... (pattern substitution is a bash/ash extension, not POSIX sh)
      if [ -z "${1/cfg[0-9a-fA-F]*/}" ]; then
        section_rename firewall "$1" zone_freifunk
      fi
      ;;
    wan)
      if [ "$wan_is_olsr" = 1 ]; then
        uci del "firewall.$1" && uci_commitverbose "WAN is used for olsr, delete firewall zone wan" firewall
      else
        uci set "firewall.$1.local_restrict=1" && uci_commitverbose "Enable local_restrict for zone wan" firewall
      fi
      ;;
  esac
}
47
# rename / clean up the zones, then (re)write the freifunk zone under its
# fixed section name so later steps can refer to firewall.zone_freifunk
config_foreach handle_fwzone zone

# zone_freifunk_input/forward/output are not set in this file; they are
# presumably provided by the sourced functions.sh or profile — TODO confirm
uci batch <<UCI
set firewall.zone_freifunk="zone"
set firewall.zone_freifunk.name="freifunk"
set firewall.zone_freifunk.input="$zone_freifunk_input"
set firewall.zone_freifunk.forward="$zone_freifunk_forward"
set firewall.zone_freifunk.output="$zone_freifunk_output"
UCI

uci_commitverbose "Setup firewall zones" firewall
59
# Usually we need to setup masquerading for lan, except lan is an olsr interface or has an olsr hna-entry

#######################################
# olsrd "Interface" section handler: flags lan as an olsr interface.
# Globals:   no_masq_lan (set to 1 when the section's interface is lan)
#            interface (written by config_get)
# Arguments: $1 - olsrd Interface section name
#######################################
handle_interface() {
  config_get interface "$1" interface
  case "$interface" in
    lan) no_masq_lan=1 ;;
  esac
}
# Walk the olsrd Interface sections: sets no_masq_lan=1 if lan is one of them
config_load olsrd
config_foreach handle_interface Interface
70
# Second reason not to masquerade lan: an olsr HNA4 entry for it.
LANIP=$(uci -q get network.lan.ipaddr)
if [ -n "$LANIP" ]; then
  #######################################
  # olsrd "Hna4" section handler.
  # NOTE(review): compares network.lan.ipaddr (the host address) literally with
  # the HNA netaddr; presumably this only matches setups where the lan address
  # is given as the announced network — confirm this is the intended check.
  # Globals:   LANIP (read); no_masq_lan (set to 1 on match); netaddr (written)
  # Arguments: $1 - Hna4 section name
  #######################################
  handle_hna() {
    config_get netaddr "$1" netaddr
    case "$netaddr" in
      "$LANIP") no_masq_lan=1 ;;
    esac
  }
  config_foreach handle_hna Hna4
fi
81
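#######################################
# Enable masquerading on the freifunk zone for lan unless lan is itself an
# olsr interface or announced via HNA (no_masq_lan=1, set above).
# Globals:  no_masq_lan (read)
# Outputs:  uci set / uci add_list on firewall.zone_freifunk (not committed here)
#######################################
setup_lan_masq() {
  local currms
  currms=$(uci -q get firewall.zone_freifunk.masq_src)
  if [ "$no_masq_lan" != "1" ]; then
    uci set firewall.zone_freifunk.masq="1"
    # masq_src is a list; uci get prints its entries separated by spaces.
    # Match a whole entry: the previous substring test ("grep lan") treated
    # e.g. "wlan" or "vlan" as lan and then never added lan.
    case " $currms " in
      *" lan "*) ;;
      *) uci add_list firewall.zone_freifunk.masq_src="lan" ;;
    esac
  fi
}
setup_lan_masq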
87
88
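# Rules, Forwardings, advanced config and includes

#######################################
# Copy one section of the currently loaded config (freifunk or the community
# profile) into /etc/config/firewall under the same section name; the section
# type "fw_rule"/"fw_forwarding" loses its "fw_" prefix on the way.
# NOTE(review): the sed strips "fw_" everywhere in the line, i.e. also inside
# option values — kept as in the original, confirm no value relies on it.
# Globals:   config (read) - name of the source config, set by the loop below
# Arguments: $1 - section name in the source config
# Outputs:   one "uci set" per line of "uci show" (committed below)
#######################################
handle_firewall() {
  # uci show prints one "<config>.<section>[.<option>]=<value>" per line.
  # Read it line by line: word-splitting the whole output (the previous
  # "for o in $options") split every value containing whitespace into
  # separate, broken "uci set" calls and glob-expanded values.
  # NOTE(review): if this uci version quotes values in "uci show" output, the
  # quotes are stored literally (as before) — verify against the target uci.
  uci show "$config.$1" \
    | sed -e "s/fw_//g" -e "s/^$config/firewall/g" \
    | while IFS= read -r line; do
        [ -n "$line" ] || continue
        uci set "$line"
      done
}

for config in freifunk "profile_$community"; do
  config_load "$config"
  for section in advanced include fw_rule fw_forwarding; do
    config_foreach handle_firewall "$section"
  done
done
uci_commitverbose "Setup rules, forwardings, advanced config and includes." firewall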
107
# If wan is used for olsr we need to cleanup old wan (forward) rules

if [ "$wan_is_olsr" = 1 ]; then
  #######################################
  # Delete a firewall rule/forwarding section whose src or dest is zone wan
  # (the zone itself was removed by handle_fwzone above).
  # Globals:   src, dest (written by config_get)
  # Arguments: $1 - rule or forwarding section name
  #######################################
  handle_wanrules() {
    config_get src "$1" src
    config_get dest "$1" dest
    case "wan" in
      "$src"|"$dest") uci del "firewall.$1" ;;
    esac
  }
  for fw_section in rule forwarding; do
    # config_load is repeated per section type, as in the original —
    # presumably so the section list reflects the deletions already made
    config_load firewall
    config_foreach handle_wanrules "$fw_section"
  done
  uci_commitverbose "Wan is used for olsr, delete wan firewall rules and forwardings" firewall
fi
124