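# Hotplug firewall hook for freifunk-policyrouting.
#
# When the "wan" interface comes up this (re)installs the iptables/ip6tables
# rules that policy routing relies on, or removes them again when policy
# routing is disabled.  Configuration comes from uci:
#   freifunk-policyrouting.pr.enable  "1" to install the rules
#   freifunk-policyrouting.pr.strict  "1" to also reject marked traffic that
#                                     would leave via the wan device
#   freifunk-policyrouting.pr.zones   firewall zones whose incoming packets
#                                     get fwmark 1
# All names used below (zones, interfaces, devices) come from the router's
# own uci configuration and state, not from the network.
# This is a hotplug.d script and is presumably sourced by busybox ash, so it
# is kept to POSIX sh (no [[ ]], no arrays, no bash-only tests).

# Device name recorded in /var/state for logical interface $1: the ifname
# entry, or the device entry when ifname is absent.  Prints "" if neither
# is known.
pr_state_dev() {
	local dev
	dev=$(uci -q -p /var/state get "network.$1.ifname")
	[ -n "$dev" ] || dev=$(uci -q -p /var/state get "network.$1.device")
	printf '%s\n' "$dev"
}

# uci section of the firewall zone whose name is $1 (e.g. firewall.@zone[1]).
# Only sections of type "zone" are considered and the name is compared
# exactly, so a rule carrying the same name, or a zone whose name merely
# starts with $1, is never returned.  Prints nothing and returns 1 if no
# such zone exists.
pr_zone_section() {
	local sec
	# "uci show" prints one "<section>=zone" line per zone section
	for sec in $(uci show firewall | sed -n 's/^\(firewall\.[^.=]*\)=zone$/\1/p'); do
		if [ "$(uci -q get "$sec.name")" = "$1" ]; then
			printf '%s\n' "$sec"
			return 0
		fi
	done
	return 1
}

# Recreate the mangle/PREROUTING hook chain "prerouting_policy" for one
# iptables flavour ($1 = iptables or ip6tables).  Errors are ignored on
# purpose: the unhook/flush steps fail when the chain does not exist yet.
pr_setup_prerouting() {
	"$1" -t mangle -D PREROUTING -j prerouting_policy >/dev/null 2>&1
	"$1" -t mangle -F prerouting_policy >/dev/null 2>&1
	"$1" -t mangle -N prerouting_policy >/dev/null 2>&1
	"$1" -t mangle -I PREROUTING -j prerouting_policy >/dev/null 2>&1
}

# Strict mode: hook "forward_policy" into FORWARD right before the first
# "reject" rule and reject marked traffic leaving via the wan device.
#   $1 = iptables or ip6tables
#   $2 = wan device name (may be empty)
#   remaining arguments are appended to "-j REJECT" (e.g. --reject-with ...)
pr_setup_strict() {
	local cmd=$1 wan=$2 ln
	shift 2
	# -n: never resolve addresses while listing, the output is only parsed
	# for the rule number and a DNS lookup would stall the hotplug run
	ln=$("$cmd" -n -L FORWARD -v --line-numbers | grep -m 1 reject | awk '{ print $1 }')
	# insert just above the reject rule; with no reject rule (empty $ln) or
	# reject at position 1 fall back to the top of the chain
	ln=$(( ${ln:-0} - 1 ))
	[ "$ln" -gt 0 ] || ln=1
	"$cmd" -n -L forward_policy >/dev/null 2>&1 || "$cmd" -N forward_policy
	if [ -z "$("$cmd" -n -L FORWARD -v | grep forward_policy)" ]; then
		"$cmd" -I FORWARD "$ln" -m mark --mark 1 -j forward_policy
	fi
	"$cmd" -F forward_policy
	if [ -n "$wan" ]; then
		"$cmd" -I forward_policy -o "$wan" -j REJECT "$@"
	else
		# an empty -o argument would only make the command fail; say why
		logger -t policyrouting "No wan device known, strict reject rule not installed ($cmd)"
	fi
}

# Remove whatever policy-routing chains/rules are left for one iptables
# flavour ($1); $2 is the address family label used in the log messages.
pr_cleanup() {
	if [ -n "$("$1" -t mangle -n -L PREROUTING | grep _policy)" ]; then
		logger -t policyrouting "Delete prerouting_policy chain in table mangle ($2)"
		"$1" -t mangle -D PREROUTING -j prerouting_policy
		"$1" -t mangle -F prerouting_policy
		"$1" -t mangle -X prerouting_policy
	fi
	if [ -n "$("$1" -n -L FORWARD | grep forward_policy)" ]; then
		logger -t policyrouting "Delete strict forwarding rules ($2)"
		"$1" -D FORWARD -m mark --mark 1 -j forward_policy
		"$1" -F forward_policy
		"$1" -X forward_policy
	fi
}

if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
	pr=$(uci -q get freifunk-policyrouting.pr.enable)
	strict=$(uci -q get freifunk-policyrouting.pr.strict)
	zones=$(uci -q get freifunk-policyrouting.pr.zones)
	has_ipv6=0
	[ -f /proc/net/ipv6_route ] && has_ipv6=1

	# quoted: an unset option must read as "not enabled", not as a test error
	if [ "$pr" = "1" ]; then
		# The wan device name
		wandev=$(pr_state_dev wan)

		pr_setup_prerouting iptables
		if [ "$has_ipv6" = 1 ]; then
			pr_setup_prerouting ip6tables
		fi

		# If no route is in table olsr-default, then usually the host's local
		# default route is used.  If set to strict we add a filter which
		# prevents this.  ip6tables has no icmp-net-prohibited, so the IPv6
		# rule uses the default REJECT behaviour.
		if [ "$strict" = "1" ]; then
			pr_setup_strict iptables "$wandev" --reject-with icmp-net-prohibited
			if [ "$has_ipv6" = 1 ]; then
				pr_setup_strict ip6tables "$wandev"
			fi
		fi

		# set mark 1 for all packets coming in via enabled zones
		for i in $zones; do
			# find out which interfaces belong to this zone
			zone=$(pr_zone_section "$i")
			interfaces=
			if [ -n "$zone" ]; then
				interfaces=$(uci -q get "$zone.network")
			fi
			# no zone of that name, or a zone without a network list: treat
			# the zone name itself as the interface name
			[ -n "$interfaces" ] || interfaces=$i
			for int in $interfaces; do
				if [ "$(uci -q get "network.$int.type")" = "bridge" ]; then
					dev="br-$int"
				else
					dev=$(pr_state_dev "$int")
				fi
				if [ -z "$dev" ]; then
					logger -t policyrouting "No device known for interface $int, skipping"
					continue
				fi
				logger -t policyrouting "Add mark 1 to packages coming in via interface $dev"
				iptables -t mangle -I prerouting_policy -i "$dev" -j MARK --set-mark 1
				if [ "$has_ipv6" = 1 ]; then
					ip6tables -t mangle -I prerouting_policy -i "$dev" -j MARK --set-mark 1
				fi
			done
		done
	else
		# Cleanup policy routing stuff that might be lingering around
		pr_cleanup iptables IPv4
		if [ "$has_ipv6" = 1 ]; then
			pr_cleanup ip6tables IPv6
		fi
		logger -t policyrouting "All firewall rules for policyrouting removed."
	fi
fi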