contrib/package: freifunk-firewall: introduce per-zone option "local_restrict" to...

diff --git a/contrib/package/freifunk-firewall/Makefile b/contrib/package/freifunk-firewall/Makefile
index 8399870..eff1c7d 100644 (file)
--- a/contrib/package/freifunk-firewall/Makefile
+++ b/contrib/package/freifunk-firewall/Makefile
@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=freifunk-firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
 

diff --git a/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
new file mode 100644 (file)
index 0000000..d0795b6
--- /dev/null
+++ b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+clear_restricted_gw()
+{
+       local state="$1"
+       local iface
+       local ifname
+       local ipaddr
+       local netmask
+       local gateway
+
+       config_get iface "$state" iface
+
+       if [ "$iface" = "$INTERFACE" ]; then
+               config_get ifname "$state" ifname
+               config_get ipaddr "$state" ipaddr
+               config_get netmask "$state" netmask
+               config_get gateway "$state" gateway
+
+               logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
+               iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $ipaddr/$netmask -j REJECT
+               iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $gateway -j ACCEPT
+
+               uci_revert_state firewall "$state"
+       fi
+}
+
+get_enabled()
+{
+       local name
+       config_get name "$1" name
+
+       if [ "$name" = "$ZONE" ]; then
+               config_get_bool local_restrict "$1" local_restrict
+       fi
+}
+
+if [ "$ACTION" = add ]; then
+       local enabled
+       local ipaddr
+       local netmask
+       local gateway
+
+       include /lib/network
+       scan_interfaces
+
+       config_get ipaddr "$INTERFACE" ipaddr
+       config_get netmask "$INTERFACE" netmask
+       config_get gateway "$INTERFACE" gateway
+
+       if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
+               config_load firewall
+
+               local_restrict=0
+               config_foreach get_enabled zone
+
+               if [ "$local_restrict" = 1 ]; then
+                       logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
+                       iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $ipaddr/$netmask -j REJECT
+                       iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $gateway -j ACCEPT
+
+                       local state="restricted_gw_${INTERFACE}"
+                       uci_set_state firewall "$state" "" restricted_gw_state
+                       uci_set_state firewall "$state" iface "$INTERFACE"
+                       uci_set_state firewall "$state" ifname "$DEVICE"
+                       uci_set_state firewall "$state" ipaddr "$ipaddr"
+                       uci_set_state firewall "$state" netmask "$netmask"
+                       uci_set_state firewall "$state" gateway "$gateway"
+               fi
+       fi
+
+elif [ "$ACTION" = remove ]; then
+       config_load firewall
+       config_foreach clear_restricted_gw restricted_gw_state   
+fi
+