IPT_REPLAY=/var/run/luci_splash.iptlog
LOCK=/var/run/luci_splash.lock
+[ -x /usr/sbin/ip6tables ] && [ -f /proc/net/ipv6_route ] && HAS_IPV6=1
silent() {
"$@" 2>/dev/null
echo iptables -D "$@" >> $IPT_REPLAY
}
+ipt6_log() {
+ [ "$HAS_IPV6" = 1 ] || return
+ ip6tables -I "$@"
+ echo ip6tables -D "$@" >> $IPT_REPLAY
+}
+
+
iface_add() {
local cfg="$1"
config_get netmask "$net" netmask
[ -n "$netmask" ] || return 0
+ config_get ip6addr "$net" ip6addr
+
config_get type "$net" type
parentiface="$(uci -q get network.${net}.ifname)"
eval "$(ipcalc.sh $ipaddr $netmask)"
+ logger -s -p info -t splash "Add $NETWORK/$PREFIX ($ifname) to splashed networks."
+
### Add interface specific chain entry rules
- ipt_log "zone_${zone}_prerouting" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_prerouting -t nat
- ipt_log "zone_${zone}_forward" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_forwarding -t filter
+ ipt_log "prerouting_${zone}_rule" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_prerouting -t nat
+ ipt_log "forwarding_${zone}_rule" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_forwarding -t filter
+
+ if [ "$HAS_IPV6" = 1 ] && [ -n "$ip6addr" ]; then
+ ipt6_log "forwarding_${zone}_rule" -i "${ifname%:*}" -s "$ip6addr" -j luci_splash_forwarding -t filter
+ fi
### Allow traffic to the same subnet
iptables -t nat -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN
# Clear interface specific rules
[ -s $IPT_REPLAY ] && {
+ logger -s -p info -t splash "Remove $ifname from splashed networks."
grep -- "-i ${ifname%:*}" $IPT_REPLAY | while read ln; do silent $ln; done
sed -ie "/-i ${ifname%:*}/d" $IPT_REPLAY
}
start() {
lock $LOCK
-
+ logger -s -p info -t splash "Starting luci-splash"
include /lib/network
+ . /lib/functions/network.sh
scan_interfaces
config_load luci_splash
iptables -t filter -N luci_splash_forwarding
iptables -t filter -N luci_splash_filter
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -N luci_splash_forwarding
+ ip6tables -t filter -N luci_splash_filter
+ fi
+
### Clear iptables replay log
[ -s $IPT_REPLAY ] && . $IPT_REPLAY
echo -n > $IPT_REPLAY
iptables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset
iptables -t filter -A luci_splash_filter -j REJECT --reject-with icmp-net-prohibited
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -A luci_splash_forwarding -j luci_splash_filter
+ ip6tables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset
+ ip6tables -t filter -A luci_splash_filter -j REJECT --reject-with adm-prohibited
+ fi
+
### Add QoS chain
[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
iptables -t mangle -N luci_splash_mark_out
iptables -t mangle -N luci_splash_mark_in
iptables -t mangle -I PREROUTING -j luci_splash_mark_out
iptables -t mangle -I POSTROUTING -j luci_splash_mark_in
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t mangle -N luci_splash_mark_out
+ ip6tables -t mangle -N luci_splash_mark_in
+ ip6tables -t mangle -I PREROUTING -j luci_splash_mark_out
+ ip6tables -t mangle -I POSTROUTING -j luci_splash_mark_in
+ fi
}
### Find active mac addresses
silent iptables -t mangle -D PREROUTING -j luci_splash_mark_out
silent iptables -t mangle -D POSTROUTING -j luci_splash_mark_in
+ if [ "$HAS_IPV6" = 1 ]; then
+ silent ip6tables -t mangle -D PREROUTING -j luci_splash_mark_out
+ silent ip6tables -t mangle -D POSTROUTING -j luci_splash_mark_in
+ fi
+
### Clear subchains
silent iptables -t nat -F luci_splash_prerouting
silent iptables -t nat -F luci_splash_leases
silent iptables -t mangle -F luci_splash_mark_out
silent iptables -t mangle -F luci_splash_mark_in
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -F luci_splash_forwarding
+ ip6tables -t filter -F luci_splash_filter
+ ip6tables -t mangle -F luci_splash_mark_out
+ ip6tables -t mangle -F luci_splash_mark_in
+ fi
+
### Delete subchains
silent iptables -t nat -X luci_splash_prerouting
silent iptables -t nat -X luci_splash_leases
silent iptables -t filter -X luci_splash_filter
silent iptables -t mangle -X luci_splash_mark_out
silent iptables -t mangle -X luci_splash_mark_in
-
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -X luci_splash_forwarding
+ ip6tables -t filter -X luci_splash_filter
+ ip6tables -t mangle -X luci_splash_mark_out
+ ip6tables -t mangle -X luci_splash_mark_in
+ fi
sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var/spool/cron/crontabs/root
lock -u $LOCK