author | Manuel Munz <freifunk@somakoma.de> | 2013-06-02 16:29:29 +0000 |
---|---|---|
committer | Manuel Munz <freifunk@somakoma.de> | 2013-06-02 16:29:29 +0000 |
commit | 61a94b2329a8b0c94251c605f5775473d3f1beb7 (patch) | |
tree | bd670ebe1fe6b475d85616d02fb87906e66e2f61 /contrib/package/freifunk-firewall/files/etc/hotplug.d | |
parent | 6c3a86cb77e7b058ceefc4efb9cc9246fa2c54e8 (diff) |
contrib/freifunk-firewall: Make it work with firewall3
Diffstat (limited to 'contrib/package/freifunk-firewall/files/etc/hotplug.d')
-rw-r--r-- | contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan | 39 |
1 files changed, 16 insertions, 23 deletions
diff --git a/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
index d6f94ea901..e71c852dfd 100644
--- a/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
+++ b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
@@ -5,20 +5,16 @@ clear_restricted_gw()
 	local state="$1"
 	local iface
 	local ifname
-	local ipaddr
-	local netmask
-	local gateway
+	local subnet
 	config_get iface "$state" iface
 	if [ "$iface" = "$INTERFACE" ]; then
 		config_get ifname "$state" ifname
-		config_get ipaddr "$state" ipaddr
-		config_get netmask "$state" netmask
-		config_get gateway "$state" gateway
+		config_get subnet "$state" subnet
-		logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
-		iptables -D forwarding_rule ! -i $ifname -o $ifname -d $ipaddr/$netmask -j REJECT --reject-with icmp-host-prohibited
+		logger -t firewall.freifunk "removing local restriction to the network connected to $ifname ($iface)"
+		iptables -D forwarding_freifunk_rule -o $ifname -d $subnet -j REJECT --reject-with icmp-host-prohibited
 		uci_revert_state firewall "$state"
 	fi
 }
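Review bot: The `uci_revert_state firewall "$state"` on the new side runs even when the preceding `iptables -D forwarding_freifunk_rule ...` fails, so a REJECT rule that could not be matched (for example when the stored `subnet` is empty, which turns `-d $subnet` into a missing argument) stays in the chain with no state left to find it later. Gate the revert on the delete, and quote the expansions so an empty or odd value is an iptables error rather than a reshaped command: `iptables -D forwarding_freifunk_rule -o "$ifname" -d "$subnet" -j REJECT --reject-with icmp-host-prohibited \` / `	&& uci_revert_state firewall "$state" \` / `	|| logger -t firewall.freifunk "failed to remove restriction for $ifname ($iface)"`. The opening line of clear_restricted_gw is outside the hunk.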
@@ -35,33 +31,30 @@ get_enabled()
 	if [ "$ACTION" = add ]; then
 		local enabled
-		local ipaddr
-		local netmask
-		local gateway
+		local subnet
-		include /lib/network
-		scan_interfaces
+		. /lib/functions/network.sh
-		config_get ipaddr "$INTERFACE" ipaddr
-		config_get netmask "$INTERFACE" netmask
-		config_get gateway "$INTERFACE" gateway
+		network_find_wan wan
-		if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
+		[ "$INTERFACE" = "$wan" ] || return 0
+
+		network_get_subnet subnet $INTERFACE
+
+		if [ -n "$subnet" ]; then
 			config_load firewall
 			local_restrict=0
 			config_foreach get_enabled zone
-
+
 			if [ "$local_restrict" = 1 ]; then
-				logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
-				iptables -I forwarding_rule ! -i $DEVICE -o $DEVICE -d $ipaddr/$netmask -j REJECT --reject-with icmp-host-prohibited
+				logger -t firewall.freifunk "restricting local access to the network connected to $INTERFACE ($DEVICE)"
+				iptables -I forwarding_freifunk_rule -o $DEVICE -d $subnet -j REJECT --reject-with icmp-host-prohibited
 				local state="restricted_gw_${INTERFACE}"
 				uci_set_state firewall "$state" "" restricted_gw_state
 				uci_set_state firewall "$state" iface "$INTERFACE"
 				uci_set_state firewall "$state" ifname "$DEVICE"
-				uci_set_state firewall "$state" ipaddr "$ipaddr"
-				uci_set_state firewall "$state" netmask "$netmask"
-				uci_set_state firewall "$state" gateway "$gateway"
+				uci_set_state firewall "$state" subnet "$subnet"
 			fi
 		fi
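Review bot: The new `iptables -I forwarding_freifunk_rule -o $DEVICE -d $subnet ...` is unconditional, so every repeated `add` event for the same interface stacks another copy of the rule while the uci state still describes only one; the single `-D` in clear_restricted_gw then leaves the extra copies in place. If the target's iptables supports `-C`, make the insert idempotent: `iptables -C forwarding_freifunk_rule -o "$DEVICE" -d "$subnet" -j REJECT --reject-with icmp-host-prohibited 2>/dev/null || \` / `	iptables -I forwarding_freifunk_rule -o "$DEVICE" -d "$subnet" -j REJECT --reject-with icmp-host-prohibited`; otherwise check for the existing `restricted_gw_${INTERFACE}` state before inserting. Two smaller points in the same hunk: `wan` set by `network_find_wan wan` is not declared `local` alongside `subnet`, and `network_get_subnet subnet $INTERFACE` leaves `$INTERFACE` unquoted. The enclosing block of this hunk closes past its last visible line.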