diff options
author | Manuel Munz <freifunk@somakoma.de> | 2013-03-20 02:53:14 +0000 |
---|---|---|
committer | Manuel Munz <freifunk@somakoma.de> | 2013-03-20 02:53:14 +0000 |
commit | 6efd34e9ecfdc8acbaa09bfb414722fc9790844f (patch) | |
tree | 516803fe7dec8e188efb0bcc4a3e686c9d780b94 /contrib/package/freifunk-policyrouting/files/etc/hotplug.d | |
parent | f804a21c8db0acdb8bdf85edd24e55ab344ef007 (diff) |
contrib/freifunk-policyrouting: Almost complete rewrite, use ip only (no firewall depencies).
Diffstat (limited to 'contrib/package/freifunk-policyrouting/files/etc/hotplug.d')
-rw-r--r-- | contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting | 116 | ||||
-rw-r--r-- | contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting | 180 |
2 files changed, 85 insertions, 211 deletions
diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting deleted file mode 100644 index 786c5e4ce7..0000000000 --- a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting +++ /dev/null @@ -1,116 +0,0 @@ -if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then - pr=`uci get freifunk-policyrouting.pr.enable` - strict=`uci get freifunk-policyrouting.pr.strict` - zones=`uci get freifunk-policyrouting.pr.zones` - [ -f /proc/net/ipv6_route ] && has_ipv6=1 - if [ $pr = "1" ]; then - - # The wan device name - if [ -n "`uci -p /var/state get network.wan.ifname`" ]; then - wandev=`uci -p /var/state get network.wan.ifname` - else - wandev=`uci -p /var/state get network.wan.device` - fi - - iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1 - iptables -t mangle -F prerouting_policy > /dev/null 2>&1 - iptables -t mangle -N prerouting_policy > /dev/null 2>&1 - iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1 - if [ "$has_ipv6" = 1 ]; then - ip6tables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1 - ip6tables -t mangle -F prerouting_policy > /dev/null 2>&1 - ip6tables -t mangle -N prerouting_policy > /dev/null 2>&1 - ip6tables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1 - fi - - # If no route is in table olsr-default, then usually the hosts local default route is used. - # If set to strict then we add a filter which prevents this - if [ "$strict" == "1" ]; then - ln=$(( `iptables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 )) - if [ ! $ln -gt 0 ]; then - ln=1 - fi - if [ -z "`iptables -L |grep 'Chain forward_policy'`" ]; then - iptables -N forward_policy - fi - if [ -z "`iptables -L FORWARD -v |grep forward_policy`" ]; then - iptables -I FORWARD $ln -m mark --mark 1 -j forward_policy - fi - iptables -F forward_policy - iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited - - - if [ "$has_ipv6" = 1 ]; then - ln=$(( `ip6tables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 )) - if [ ! $ln -gt 0 ]; then - ln=1 - fi - if [ -z "`ip6tables -L |grep 'Chain forward_policy'`" ]; then - ip6tables -N forward_policy - fi - if [ -z "`ip6tables -L FORWARD -v |grep forward_policy`" ]; then - ip6tables -I FORWARD $ln -m mark --mark 1 -j forward_policy - fi - ip6tables -F forward_policy - ip6tables -I forward_policy -o $wandev -j REJECT - fi - fi - - # set mark 1 for all packets coming in via enabled zones - for i in $zones; do - # find out which interfaces belong to this zone - zone=`uci show firewall |grep "name=$i" |awk {' FS="."; print $1"."$2 '}` - interfaces=`uci get $zone.network` - if [ "$interfaces" == "" ]; then - interfaces=$i - fi - for int in $interfaces; do - if [ "`uci -q get network.$int.type`" == "bridge" ]; then - dev="br-$int" - else - if [ -n "`uci -p /var/state get network.$int.ifname`" ]; then - dev=`uci -p /var/state get network.$int.ifname` - else - dev=`uci -p /var/state get network.$int.device` - fi - fi - logger -t policyrouting "Add mark 1 to packages coming in via interface $dev" - iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1 - if [ "$has_ipv6" = 1 ]; then - ip6tables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1 - fi - done - done - else - # Cleanup policy routing stuff that might be lingering around - if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then - logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv4)" - iptables -t mangle -D PREROUTING -j prerouting_policy - iptables -t mangle -F prerouting_policy - iptables -t mangle -X prerouting_policy - fi - if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then - logger -t policyrouting "Delete strict forwarding rules (IPv4)" - iptables -D FORWARD -m mark --mark 1 -j forward_policy - iptables -F forward_policy - iptables -X forward_policy - fi - - if [ "$has_ipv6" = 1 ]; then - if [ -n "`ip6tables -t mangle -L PREROUTING |grep _policy`" ]; then - logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv6)" - ip6tables -t mangle -D PREROUTING -j prerouting_policy - ip6tables -t mangle -F prerouting_policy - ip6tables -t mangle -X prerouting_policy - fi - if [ -n "`ip6tables -L FORWARD |grep forward_policy`" ]; then - logger -t policyrouting "Delete strict forwarding rules (IPv6)" - ip6tables -D FORWARD -m mark --mark 1 -j forward_policy - ip6tables -F forward_policy - ip6tables -X forward_policy - fi - fi - logger -t policyrouting "All firewall rules for policyrouting removed." - fi -fi - diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting index f8c59a6379..c4ae38d972 100644 --- a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting +++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting @@ -1,109 +1,99 @@ -[ "$INTERFACE" != "wan" ] && exit 0 -[ -f /proc/net/ipv6_route ] && has_ipv6=1 +#!/bin/sh -olsrd_rmtables() { - # Remove custom routing tables from olsrd - if [ "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then - uci delete olsrd.@olsrd[0].RtTable - uci delete olsrd.@olsrd[0].RtTableDefault - uci commit - /etc/init.d/olsrd restart - fi -} +. /lib/functions.sh +. /lib/functions/network.sh -case $ACTION in - ifup) - pr="`uci get freifunk-policyrouting.pr.enable`" - fallback="`uci get freifunk-policyrouting.pr.fallback`" - # check if ipv6 is enabled: +proto="4" +[ -f /proc/net/ipv6_route ] && proto="4 6" - if [ $pr = "1" ]; then - logger -s -t policyrouting "Starting policy routing on $INTERFACE" +config_load freifunk-policyrouting +config_get enable pr enable +config_get fallback pr fallback +config_get zones pr zones - # Setup new tables - tables="/etc/iproute2/rt_tables" - if [ -z "`grep "111" $tables`" ]; then - echo "111 olsr" >> $tables - fi - if [ -z "`grep "112" $tables`" ]; then - echo "112 olsr-default" >> $tables - fi +if [ "$ACTION" = "ifup" ] && [ "$enable" = "1" ]; then + network_get_subnet net $INTERFACE + network_get_subnet6 net6 $INTERFACE + network_get_physdev dev $INTERFACE - # Make sure Rt_tables in olsrd are in place - if [ ! "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ ! "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then - uci set olsrd.@olsrd[0].RtTable='111' - uci set olsrd.@olsrd[0].RtTableDefault='112' - uci commit - /etc/init.d/olsrd restart + if [ "$net" != "" -a -n "$dev" ]; then + eval $(/bin/ipcalc.sh $net) + if [ "$PREFIX" != "0" ]; then + if [ ! "$(ip r s t olsr-default |grep "throw $NETWORK/$PREFIX")" ]; then + ip r a throw $NETWORK/$PREFIX table olsr-default + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Add route: throw $NETWORK/$PREFIX table olsr-default" + else + logger -s -t policyrouting "Error! Could not add route: throw $NETWORK/$PREFIX table olsr-default" + fi fi + fi - # Disable dyn_gw and dyngw_plain - dyngwlib=`uci show olsrd |grep dyn_gw.so |awk {' FS="."; print $1"."$2 '}` - if [ -n "$dyngwlib" ]; then - uci set $dyngwlib.ignore=1 - uci commit + if [ -n "$net6" ]; then + if [ ! "$(ip -6 r s t olsr-default |grep "throw $net6")" ]; then + rule="throw $net6 table olsr-default dev $dev" + ip -6 r a $rule + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Add route: $rule (IPv6)" + else + logger -s -t policyrouting "Error! Could not add route: $rule (IPv6)" + fi fi + fi - dyngwplainlib=`uci show olsrd |grep dyn_gw_plain |awk {' FS="."; print $1"."$2 '}` - if [ -n "$dyngwplainlib" ]; then - uci set $dyngwplainlib.ignore=1 - uci commit + networks="" + for z in $zones; do + network_zone="$(uci -q get firewall.zone_${z}.network)" + if [ -z "$network_zone" ]; then + network_zone="$z" fi - - gw="$(ip r |grep default | cut -d " " -f 3)" - # if no gateway was found stop now - [ -z "$gw" ] && logger -s -t policyrouting "No gateway found" && exit 1 - - device="`uci -q -p /var/state get network.wan.ifname`" - [ -z "$device" ] && device="`uci -q -p /var/state get network.wan.device`" - [ -z "$device" ] && logger -s -t policyrouting "No device found for wan." && exit 1 - - test -n "`ip r s t default`" && ip r d default t default - test -n "`ip r s |grep default`" && ip route del default - ip route add default via $gw dev $device table default - - if [ "$has_ipv6" = 1 ]; then - local ip6gw=$(ip -6 r |grep default |cut -d " " -f 3) - test -n "`ip -6 r s t default`" && ip -6 r d default t default - if [ -n "`ip -6 r s |grep default`" ]; then - ip -6 route del default - ip -6 r a $ip6gw via $ip6gw dev $dev table default - ip -6 route add default via $ip6gw dev $device table default - fi + networks="$networks $network_zone" + done + for n in $networks; do + if [ "$INTERFACE" = "$n" ]; then + for p in $proto; do + if [ ! "$(ip -$p ru s | grep "from all iif $dev lookup olsr-default")" ]; then + ip -$p rule add dev "$dev" lookup olsr-default prio 20000 + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Use mesh gateway for interface $dev (IPv$p)" + if [ -z "$(uci -P /var/state get freifunk-policyrouting.${INTERFACE})" ]; then + uci -P /var/state set freifunk-policyrouting.${INTERFACE}="state" + fi + uci -P /var/state set freifunk-policyrouting.${INTERFACE}.device="$dev" + else + logger -s -t policyrouting "Error: Could not add rule: dev "$dev" lookup olsr-default prio 20000 (IPv$p)" + fi + fi + done fi + done + fi +fi - ip rule del lookup main - ip rule add fwmark 1 lookup olsr-default - ip rule add lookup main - ip rule add lookup olsr - # Fallback via mesh if no ipv4 gateway is found in default table - [ "$fallback" = 1 ] && ip rule add lookup olsr-default prio 32800 - - if [ "$has_ipv6" = 1 ]; then - ip -6 rule del lookup main - ip -6 rule add lookup olsr prio 16380 - ip -6 rule add lookup main prio 16390 - ip -6 rule add fwmark 1 lookup olsr-default prio 16400 - ip -6 rule add lookup default prio 16410 - [ "$fallback" = 1 ] && ip -6 rule add lookup olsr-default prio 16420 +if [ "$ACTION" = "ifdown" ]; then + dev="$(uci -q -P /var/state get freifunk-policyrouting.${INTERFACE}.device)" + if [ -n "$dev" ]; then + networks="" + for z in $zones; do + network_zone="$(uci -q get firewall.zone_${z}.network)" + if [ -z "$network_zone" ]; then + network_zone="$z" fi - else - olsrd_rmtables - fi - ;; - - ifdown) - logger -s -t policyrouting "Deleting ipv4 policy rules for $INTERFACE" - olsrd_rmtables - ip rule del fwmark 1 lookup olsr-default > /dev/null 2>&1 - ip rule del lookup olsr-default > /dev/null 2>&1 - ip rule del lookup olsr > /dev/null 2>&1 - if [ "$has_ipv6" = 1 ]; then - logger -s -t policyrouting "Deleting ipv4 policy rules for $INTERFACE" - ip -6 rule del fwmark 1 lookup olsr-default > /dev/null 2>&1 - ip -6 rule del lookup olsr-default > /dev/null 2>&1 - ip -6 rule del lookup olsr > /dev/null 2>&1 - ip -6 rule del lookup default > /dev/null 2>&1 + networks="$networks $network_zone" + done + for n in $networks; do + if [ "$INTERFACE" = "$n" ]; then + for p in $proto; do + if [ "$(ip -$p ru s | grep "from all iif $dev lookup olsr-default")" ]; then + ip -$p rule del dev "$dev" lookup olsr-default prio 20000 + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Remove rule: dev "$dev" lookup olsr-default prio 20000 (IPv$p)" + else + logger -s -t policyrouting "Error! Could not remove rule: dev "$dev" lookup olsr-default prio 20000 (IPv$p)" + fi + fi + done + fi + done fi - ;; -esac +fi |