authorJo-Philipp Wich <jow@openwrt.org>2009-08-27 00:05:11 +0000
committerJo-Philipp Wich <jow@openwrt.org>2009-08-27 00:05:11 +0000
commit2c46f1058da3021ed8b07a7936f6c469d31b65a8 (patch)
treea7faf7d4537fb7d70c482dc6f4154e1169049700 /contrib/package/freifunk-firewall/files
parente66ab6bd2ca3bf51f6951e9b293b7742cd1a86a1 (diff)
contrib/package: freifunk-firewall: introduce per-zone option "local_restrict" to only grant access to the default gateway in this zone while rejecting other hosts in the target subnet
Diffstat (limited to 'contrib/package/freifunk-firewall/files')
-rw-r--r--contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan76
1 files changed, 76 insertions, 0 deletions
diff --git a/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
new file mode 100644
index 000000000..d0795b629
--- /dev/null
+++ b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+clear_restricted_gw()
+{
+ local state="$1"
+ local iface
+ local ifname
+ local ipaddr
+ local netmask
+ local gateway
+
+ config_get iface "$state" iface
+
+ if [ "$iface" = "$INTERFACE" ]; then
+ config_get ifname "$state" ifname
+ config_get ipaddr "$state" ipaddr
+ config_get netmask "$state" netmask
+ config_get gateway "$state" gateway
+
+ logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
+ iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $ipaddr/$netmask -j REJECT
+ iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $gateway -j ACCEPT
+
+ uci_revert_state firewall "$state"
+ fi
+}
+
+get_enabled()
+{
+ local name
+ config_get name "$1" name
+
+ if [ "$name" = "$ZONE" ]; then
+ config_get_bool local_restrict "$1" local_restrict
+ fi
+}
+
+if [ "$ACTION" = add ]; then
+ local enabled
+ local ipaddr
+ local netmask
+ local gateway
+
+ include /lib/network
+ scan_interfaces
+
+ config_get ipaddr "$INTERFACE" ipaddr
+ config_get netmask "$INTERFACE" netmask
+ config_get gateway "$INTERFACE" gateway
+
+ if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
+ config_load firewall
+
+ local_restrict=0
+ config_foreach get_enabled zone
+
+ if [ "$local_restrict" = 1 ]; then
+ logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
+ iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $ipaddr/$netmask -j REJECT
+ iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $gateway -j ACCEPT
+
+ local state="restricted_gw_${INTERFACE}"
+ uci_set_state firewall "$state" "" restricted_gw_state
+ uci_set_state firewall "$state" iface "$INTERFACE"
+ uci_set_state firewall "$state" ifname "$DEVICE"
+ uci_set_state firewall "$state" ipaddr "$ipaddr"
+ uci_set_state firewall "$state" netmask "$netmask"
+ uci_set_state firewall "$state" gateway "$gateway"
+ fi
+ fi
+
+elif [ "$ACTION" = remove ]; then
+ config_load firewall
+ config_foreach clear_restricted_gw restricted_gw_state
+fi
+
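Review bot: The four iptables lines (two in clear_restricted_gw, two in the `add` branch) expand `$ifname`/`$DEVICE`, `$ipaddr`, `$netmask` and `$gateway` unquoted and without an emptiness check, so an interface whose config has no `netmask` makes the REJECT rule `-d /` fail while the gateway ACCEPT rule still succeeds — the zone is left unrestricted and the `uci_set_state` entries are recorded anyway, so a later `remove` tries to delete a rule that was never added. Extend the guard to `if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ] && [ -n "$ipaddr" ] && [ -n "$netmask" ]; then`, quote the expansions as in `iptables -I "zone_${INTERFACE}_ACCEPT" -i ! "$DEVICE" -o "$DEVICE" -d "$ipaddr/$netmask" -j REJECT`, and only write the state section when both inserts returned 0. The chain name is built from `$INTERFACE` while get_enabled matches the zone on `$ZONE`; if a zone name can differ from its interface name this presumably addresses a non-existent chain, and the zone name would then also need to be stored in the state for the `remove` path — worth confirming against the firewall's chain naming. The `local enabled` at the top of the `add` branch is unused and, since it sits outside any function, may be rejected by the shell when the script is sourced; it can be dropped.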