1 if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
2 pr=`uci get freifunk-policyrouting.pr.enable`
3 strict=`uci get freifunk-policyrouting.pr.strict`
4 zones=`uci get freifunk-policyrouting.pr.zones`
5 [ -f /proc/net/ipv6_route ] && has_ipv6=1
9 if [ -n "`uci -p /var/state get network.wan.ifname`" ]; then
10 wandev=`uci -p /var/state get network.wan.ifname`
12 wandev=`uci -p /var/state get network.wan.device`
15 iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
16 iptables -t mangle -F prerouting_policy > /dev/null 2>&1
17 iptables -t mangle -N prerouting_policy > /dev/null 2>&1
18 iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
19 if [ "$has_ipv6" = 1 ]; then
20 ip6tables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
21 ip6tables -t mangle -F prerouting_policy > /dev/null 2>&1
22 ip6tables -t mangle -N prerouting_policy > /dev/null 2>&1
23 ip6tables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
26 # If no route is in table olsr-default, then usually the hosts local default route is used.
27 # If set to strict then we add a filter which prevents this
28 if [ "$strict" == "1" ]; then
29 ln=$(( `iptables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
30 if [ ! $ln -gt 0 ]; then
33 if [ -z "`iptables -L |grep 'Chain forward_policy'`" ]; then
34 iptables -N forward_policy
36 if [ -z "`iptables -L FORWARD -v |grep forward_policy`" ]; then
37 iptables -I FORWARD $ln -m mark --mark 1 -j forward_policy
39 iptables -F forward_policy
40 iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited
43 if [ "$has_ipv6" = 1 ]; then
44 ln=$(( `ip6tables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
45 if [ ! $ln -gt 0 ]; then
48 if [ -z "`ip6tables -L |grep 'Chain forward_policy'`" ]; then
49 ip6tables -N forward_policy
51 if [ -z "`ip6tables -L FORWARD -v |grep forward_policy`" ]; then
52 ip6tables -I FORWARD $ln -m mark --mark 1 -j forward_policy
54 ip6tables -F forward_policy
55 ip6tables -I forward_policy -o $wandev -j REJECT
59 # set mark 1 for all packets coming in via enabled zones
61 # find out which interfaces belong to this zone
62 zone=`uci show firewall |grep "name=$i" |awk {' FS="."; print $1"."$2 '}`
63 interfaces=`uci get $zone.network`
64 if [ "$interfaces" == "" ]; then
67 for int in $interfaces; do
68 if [ "`uci -q get network.$int.type`" == "bridge" ]; then
71 if [ -n "`uci -p /var/state get network.$int.ifname`" ]; then
72 dev=`uci -p /var/state get network.$int.ifname`
74 dev=`uci -p /var/state get network.$int.device`
77 logger -t policyrouting "Add mark 1 to packages coming in via interface $dev"
78 iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
79 if [ "$has_ipv6" = 1 ]; then
80 ip6tables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
85 # Cleanup policy routing stuff that might be lingering around
86 if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then
87 logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv4)"
88 iptables -t mangle -D PREROUTING -j prerouting_policy
89 iptables -t mangle -F prerouting_policy
90 iptables -t mangle -X prerouting_policy
92 if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then
93 logger -t policyrouting "Delete strict forwarding rules (IPv4)"
94 iptables -D FORWARD -m mark --mark 1 -j forward_policy
95 iptables -F forward_policy
96 iptables -X forward_policy
99 if [ "$has_ipv6" = 1 ]; then
100 if [ -n "`ip6tables -t mangle -L PREROUTING |grep _policy`" ]; then
101 logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv6)"
102 ip6tables -t mangle -D PREROUTING -j prerouting_policy
103 ip6tables -t mangle -F prerouting_policy
104 ip6tables -t mangle -X prerouting_policy
106 if [ -n "`ip6tables -L FORWARD |grep forward_policy`" ]; then
107 logger -t policyrouting "Delete strict forwarding rules (IPv6)"
108 ip6tables -D FORWARD -m mark --mark 1 -j forward_policy
109 ip6tables -F forward_policy
110 ip6tables -X forward_policy
113 logger -t policyrouting "All firewall rules for policyrouting removed."