projects / project / luci.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
contrib/freifunk-policyrouting: Almost complete rewrite, use ip only (no firewall...
[project/luci.git] / contrib / package / freifunk-policyrouting / files / etc / hotplug.d / firewall / 24-policyrouting
diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
deleted file mode 100644 (file)
index 786c5e4..0000000
--- a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
+++ /dev/null
@@ -1,116 +0,0 @@
-if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
-       pr=`uci get freifunk-policyrouting.pr.enable`
-       strict=`uci get freifunk-policyrouting.pr.strict`
-       zones=`uci get freifunk-policyrouting.pr.zones`
-       [ -f /proc/net/ipv6_route ] && has_ipv6=1
-       if [ $pr = "1" ]; then
-
-               # The wan device name
-               if  [ -n "`uci -p /var/state get network.wan.ifname`" ]; then
-                       wandev=`uci -p /var/state get network.wan.ifname`
-               else
-                       wandev=`uci -p /var/state get network.wan.device`
-               fi
-
-               iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
-               iptables -t mangle -F prerouting_policy > /dev/null 2>&1
-               iptables -t mangle -N prerouting_policy > /dev/null 2>&1
-               iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
-               if [ "$has_ipv6" = 1 ]; then
-                       ip6tables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
-                       ip6tables -t mangle -F prerouting_policy > /dev/null 2>&1
-                       ip6tables -t mangle -N prerouting_policy > /dev/null 2>&1
-                       ip6tables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
-               fi
-
-               # If no route is in table olsr-default, then usually the hosts local default route is used.
-               # If set to strict then we add a filter which prevents this
-               if [ "$strict" == "1" ]; then
-                       ln=$(( `iptables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
-                       if [ ! $ln -gt 0 ]; then
-                               ln=1
-                       fi
-                       if [ -z "`iptables -L |grep 'Chain forward_policy'`" ]; then
-                               iptables -N forward_policy
-                       fi
-                       if [ -z "`iptables -L FORWARD -v |grep forward_policy`" ]; then
-                               iptables -I FORWARD $ln -m mark --mark 1 -j forward_policy
-                       fi
-                       iptables -F forward_policy
-                       iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited
-
-
-                       if [ "$has_ipv6" = 1 ]; then
-                               ln=$(( `ip6tables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
-                               if [ ! $ln -gt 0 ]; then
-                                       ln=1
-                               fi
-                               if [ -z "`ip6tables -L |grep 'Chain forward_policy'`" ]; then
-                                       ip6tables -N forward_policy
-                               fi
-                               if [ -z "`ip6tables -L FORWARD -v |grep forward_policy`" ]; then
-                                       ip6tables -I FORWARD $ln -m mark --mark 1 -j forward_policy
-                               fi
-                               ip6tables -F forward_policy
-                               ip6tables -I forward_policy -o $wandev -j REJECT
-                       fi
-               fi
-
-               # set mark 1 for all packets coming in via enabled zones
-               for i in $zones; do
-                       # find out which interfaces belong to this zone
-                       zone=`uci show firewall |grep "name=$i" |awk {' FS="."; print $1"."$2 '}`
-                       interfaces=`uci get $zone.network`
-                       if [ "$interfaces" == "" ]; then
-                               interfaces=$i
-                       fi
-                       for int in $interfaces; do
-                               if [ "`uci -q get network.$int.type`" == "bridge" ]; then 
-                                       dev="br-$int"
-                               else
-                                       if  [ -n "`uci -p /var/state get network.$int.ifname`" ]; then
-                                               dev=`uci -p /var/state get network.$int.ifname`
-                                       else
-                                               dev=`uci -p /var/state get network.$int.device`
-                                       fi
-                               fi
-                               logger -t policyrouting "Add mark 1 to packages coming in via interface $dev"
-                               iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
-                               if [ "$has_ipv6" = 1 ]; then
-                                       ip6tables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
-                               fi      
-                       done
-               done
-       else
-               # Cleanup policy routing stuff that might be lingering around
-               if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then
-                       logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv4)"
-                       iptables -t mangle -D PREROUTING -j prerouting_policy
-                       iptables -t mangle -F prerouting_policy
-                       iptables -t mangle -X prerouting_policy
-               fi
-               if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then
-                       logger -t policyrouting "Delete strict forwarding rules (IPv4)"
-                       iptables -D FORWARD -m mark --mark 1 -j forward_policy
-                       iptables -F forward_policy
-                       iptables -X forward_policy
-               fi
-
-               if [ "$has_ipv6" = 1 ]; then
-                       if [ -n "`ip6tables -t mangle -L PREROUTING |grep _policy`" ]; then
-                               logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv6)"
-                               ip6tables -t mangle -D PREROUTING -j prerouting_policy
-                               ip6tables -t mangle -F prerouting_policy
-                               ip6tables -t mangle -X prerouting_policy
-                       fi
-                       if [ -n "`ip6tables -L FORWARD |grep forward_policy`" ]; then
-                               logger -t policyrouting "Delete strict forwarding rules (IPv6)"
-                               ip6tables -D FORWARD -m mark --mark 1 -j forward_policy
-                               ip6tables -F forward_policy
-                               ip6tables -X forward_policy
-                       fi
-               fi
-               logger -t policyrouting "All firewall rules for policyrouting removed."
-       fi
-fi
-
Lua Configuration Interface (mirror)