1 #!/bin/sh
2
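# Undo the local-subnet REJECT rule recorded for one interface.
#
# Runs as a config_foreach callback over the "restricted_gw_state" sections
# that the add path wrote into firewall state.  Only the section whose "iface"
# equals the hotplug $INTERFACE is acted on: the REJECT rule is deleted with
# exactly the values that were recorded (ifname/ipaddr/netmask), and the
# state section is reverted afterwards so no entry is left behind.
#
# Arguments: $1 - name of the state section (restricted_gw_<iface>)
# Globals:   INTERFACE (read)
clear_restricted_gw()
{
	local state="$1"
	local iface ifname ipaddr netmask gateway

	config_get iface "$state" iface
	[ "$iface" = "$INTERFACE" ] || return 0

	config_get ifname "$state" ifname
	config_get ipaddr "$state" ipaddr
	config_get netmask "$state" netmask
	config_get gateway "$state" gateway

	logger -t firewall.freifunk "removing local restriction to $iface($gateway)"

	# A rule can only have been inserted with a device and an address; with
	# any of them empty the delete would be malformed and just print an
	# iptables error, so skip it and only clean up the state.
	if [ -n "$ifname" ] && [ -n "$ipaddr" ] && [ -n "$netmask" ]; then
		iptables -D forwarding_rule ! -i "$ifname" -o "$ifname" \
			-d "$ipaddr/$netmask" -j REJECT --reject-with icmp-host-prohibited
	fi

	# Revert the section regardless of the delete's outcome: keeping it
	# would only leave stale state that is never retried.
	uci_revert_state firewall "$state"
}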
25
# config_foreach callback over firewall "zone" sections: when a section's
# "name" equals the hotplug $ZONE, publish its local_restrict option (as
# normalised by config_get_bool) in the caller's local_restrict variable.
#
# Arguments: $1 - zone section name
# Globals:   ZONE (read), local_restrict (written; deliberately not local so
#            the caller sees it)
get_enabled()
{
	local zone_name
	config_get zone_name "$1" name

	[ "$zone_name" = "$ZONE" ] || return 0

	config_get_bool local_restrict "$1" local_restrict
}
35
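# Hotplug script (/etc/hotplug.d/firewall) dispatching on ACTION=add/remove.
#
# When an interface with a real default gateway joins zone $ZONE and that
# zone has local_restrict enabled, a REJECT rule is put at the head of
# forwarding_rule: packets forwarded out the WAN device ($DEVICE) toward the
# device's own subnet ($ipaddr/$netmask) that entered on any *other*
# interface are rejected.  Only destinations inside that subnet match, so
# traffic routed via the gateway to the wider network is not affected.
# The inserted values are recorded in firewall state so the remove path can
# take exactly the same rule out again.
#
# Environment (set by the caller): ACTION, INTERFACE, DEVICE, ZONE.

if [ "$ACTION" = add ]; then
	# No `local` here: this runs at script level, not inside a function,
	# and bash as well as current busybox ash reject `local` outside one.
	ipaddr=""
	netmask=""
	gateway=""

	include /lib/network
	scan_interfaces

	config_get ipaddr "$INTERFACE" ipaddr
	config_get netmask "$INTERFACE" netmask
	config_get gateway "$INTERFACE" gateway

	# Only an interface that actually has a gateway is treated as an uplink
	# worth restricting; 0.0.0.0 is the "no gateway" placeholder.
	if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
		config_load firewall

		local_restrict=0
		config_foreach get_enabled zone

		if [ "$local_restrict" = 1 ]; then
			if [ -z "$DEVICE" ] || [ -z "$ipaddr" ] || [ -z "$netmask" ]; then
				logger -t firewall.freifunk "not restricting $INTERFACE: device or address unknown"
			elif iptables -I forwarding_rule ! -i "$DEVICE" -o "$DEVICE" \
				-d "$ipaddr/$netmask" -j REJECT --reject-with icmp-host-prohibited; then
				logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
				# Record the rule only once it is actually in place, so the
				# remove path never tries to delete a rule that was never
				# inserted and no stale state is left behind.
				state="restricted_gw_${INTERFACE}"
				uci_set_state firewall "$state" "" restricted_gw_state
				uci_set_state firewall "$state" iface "$INTERFACE"
				uci_set_state firewall "$state" ifname "$DEVICE"
				uci_set_state firewall "$state" ipaddr "$ipaddr"
				uci_set_state firewall "$state" netmask "$netmask"
				uci_set_state firewall "$state" gateway "$gateway"
			else
				logger -t firewall.freifunk "failed to restrict local access to $DEVICE($gateway)"
			fi
		fi
	fi

elif [ "$ACTION" = remove ]; then
	# Walk the recorded restricted_gw_state sections; the callback only
	# touches the one that belongs to $INTERFACE.
	config_load firewall
	config_foreach clear_restricted_gw restricted_gw_state
fi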
72