From daadcb9ea2edc6d6c99b379b40ea9f8a56864a04 Mon Sep 17 00:00:00 2001
From: Manuel Munz
Date: Mon, 14 Mar 2011 19:34:23 +0000
Subject: Add freifunk-policyrouting and luci-app-freifunk-policyrouting
---
.../files/etc/hotplug.d/firewall/24-policyrouting | 72 ++++++++++++++++++++
.../files/etc/hotplug.d/iface/30-policyrouting | 78 ++++++++++++++++++++++
2 files changed, 150 insertions(+)
create mode 100644 contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
create mode 100644 contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting
(limited to 'contrib/package/freifunk-policyrouting/files/etc/hotplug.d')
diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
new file mode 100644
index 0000000000..3e6f8155c2
--- /dev/null
+++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
@@ -0,0 +1,72 @@
+if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
+ pr=`uci get freifunk-policyrouting.pr.enable`
+ strict=`uci get freifunk-policyrouting.pr.strict`
+ zones=`uci get freifunk-policyrouting.pr.zones`
+
+ if [ $pr = "1" ]; then
+
+ # The wan device name
+ if [ -n "`uci -p /var/state get network.wan.ifname`" ]; then
+ wandev=`uci -p /var/state get network.wan.ifname`
+ else
+ wandev=`uci -p /var/state get network.wan.device`
+ fi
+
+ iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
+ iptables -t mangle -F prerouting_policy > /dev/null 2>&1
+ iptables -t mangle -N prerouting_policy > /dev/null 2>&1
+ iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
+
+ # If no route is in table olsr-default, then usually the hosts local default route is used.
+ # If set to strict then we add a filter which prevents this
+ if [ "$strict" == "1" ]; then
+ ln=$(( `iptables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
+ if [ ! $ln -gt 0 ]; then
+ ln=1
+ fi
+ if [ -z "`iptables -L |grep 'Chain forward_policy'`" ]; then
+ iptables -N forward_policy
+ fi
+ if [ -z "`iptables -L FORWARD -v |grep forward_policy`" ]; then
+ iptables -I FORWARD $ln -m mark --mark 1 -j forward_policy
+ fi
+ iptables -F forward_policy
+ iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited
+ fi
+
+ # set mark 1 for all packets coming in via enabled zones
+ for i in $zones; do
+ # find out which interfaces belong to this zone
+ zone=`uci show firewall |grep "name=$i" |awk {' FS="."; print $1"."$2 '}`
+ interfaces=`uci get $zone.network`
+ if [ "$interfaces" == "" ]; then
+ interfaces=$i
+ fi
+ for int in $interfaces; do
+ if [ "`uci -q get network.$int.type`" == "bridge" ]; then
+ dev="br-$int"
+ else
+ dev=`uci get network.$int.ifname`
+ fi
+ logger -t policyrouting "Add mark 1 to packages coming in via interface $dev"
+ iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
+ done
+ done
+ else
+ # Cleanup policy routing stuff that might be lingering around
+ if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then
+ logger -t policyrouting "Delete prerouting_policy chain in table mangle"
+ iptables -t mangle -D PREROUTING -j prerouting_policy
+ iptables -t mangle -F prerouting_policy
+ iptables -t mangle -X prerouting_policy
+ fi
+ if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then
+ logger -t policyrouting "Delete strict forwarding rules"
+ iptables -D FORWARD -m mark --mark 1 -j forward_policy
+ iptables -F forward_policy
+ iptables -X forward_policy
+ fi
+ logger -t policyrouting "All firewall rules for policyrouting removed."
+ fi
+fi
+
diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting
new file mode 100644
index 0000000000..e3b0edeb30
--- /dev/null
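Review bot: The MARK rule in the inner loop, `iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1`, is issued even when `dev` is empty: `uci get network.$int.ifname` has no fallback to `network.$int.device` the way the `wandev` lookup at the top of the hunk does, so for such an interface iptables is handed `-i -j`, rejects the rule, and that zone's traffic is silently left unmarked and keeps using the main routing table. A guard such as `[ -n "$dev" ] || { logger -t policyrouting "no device for $int, skipping"; continue; }` makes the failure visible and skips the broken rule. The zone lookup `grep "name=$i"` is also an unanchored substring match, so a zone whose name is a prefix of another zone's name (or that appears in any other `name=` option in the firewall config) yields several section names in `$zone`, and the following `uci get $zone.network` then breaks; anchoring it, e.g. `grep "\.name=$i\$"`, restricts it to the exact name (assuming `uci show` prints the value unquoted, as the existing pattern already presumes).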
+++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting 
@@ -0,0 +1,78 @@
+[ "$INTERFACE" != "wan" ] && exit 0
+
+case $ACTION in
+ ifup)
+ pr=`uci get freifunk-policyrouting.pr.enable`
+ if [ $pr = "1" ]; then
+ logger -t policyrouting "Starting policy routing on $INTERFACE"
+
+ # Setup new tables
+ tables="/etc/iproute2/rt_tables"
+ if [ -z "`grep "111" $tables`" ]; then
+ echo "111 olsr" >> $tables
+ fi
+ if [ -z "`grep "112" $tables`" ]; then
+ echo "112 olsr-default" >> $tables
+ fi
+
+ # Make sure Rt_tables in olsrd are in place
+ if [ ! "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ ! "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then
+ uci set olsrd.@olsrd[0].RtTable='111'
+ uci set olsrd.@olsrd[0].RtTableDefault='112'
+ uci commit
+ /etc/init.d/olsrd restart
+ fi
+
+ # Disable dyn_gw and dyngw_plain
+ dyngwlib=`uci show olsrd |grep dyn_gw.so |awk {' FS="."; print $1"."$2 '}`
+ if [ -n "$dyngwlib" ]; then
+ uci set $dyngwlib.ignore=1
+ uci commit
+ fi
+
+ dyngwplainlib=`uci show olsrd |grep dyn_gw_plain |awk {' FS="."; print $1"."$2 '}`
+ if [ -n "$dyngwplainlib" ]; then
+ uci set $dyngwplainlib.ignore=1
+ uci commit
+ fi
+
+ gw=`uci -p /var/state get network.wan.gateway`
+ netmask=`uci -p /var/state get network.wan.netmask`
+ if [ -z "$netmask" ]; then
+ NETMASK="255.255.255.255"
+ fi
+
+ if [ -n "`uci -p /var/state get network.wan.ifname`" ]; then
+ device=`uci -p /var/state get network.wan.ifname`
+ else
+ device=`uci -p /var/state get network.wan.device`
+ fi
+
+ eval `ipcalc.sh $gw $netmask`
+
+ test -n "`ip r s t default`" && ip r d default t default
+ test -n "`ip r s |grep default`" && ip route del default
+ ip route add $NETWORK/$NETMASK dev $device table default
+ ip route add default via $gw dev $device table default
+
+ ip rule del lookup main
+ ip rule add fwmark 1 lookup olsr-default
+ ip rule add lookup main
+ ip rule add lookup olsr
+ else
+ # Remove custom routing tables from olsrd
+ if [ "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then
+ uci delete olsrd.@olsrd[0].RtTable
+ uci delete olsrd.@olsrd[0].RtTableDefault
+ uci commit
+ /etc/init.d/olsrd restart
+ fi
+ fi
+ ;;
+
+ ifdown)
+ logger -t policyrouting "Deleting policy rules for $INTERFACE"
+ ip rule del fwmark 1 lookup olsr-default > /dev/null 2>&1
+ ip rule del lookup olsr > /dev/null 2>&1
+ ;;
+esac
-- 
cgit v1.2.3
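Review bot: The netmask fallback in the ifup branch is assigned to the wrong variable: `NETMASK="255.255.255.255"` is set when `netmask` is empty, but the only consumer is `eval `ipcalc.sh $gw $netmask`` with the lowercase `netmask`, so ipcalc.sh is still invoked without a mask and whatever it prints for NETMASK presumably overwrites the fallback; the assignment should read `netmask="255.255.255.255"`. That same line evals the output of ipcalc.sh built from unquoted `$gw` and `$netmask` read out of `network.wan.gateway`/`.netmask` in `/var/state`, which on a DHCP WAN are typically values supplied by the upstream network; it would be safer to validate both as dotted quads before the call (a `case` pattern match suffices) or to parse ipcalc.sh's `KEY=value` lines with `read` rather than `eval`. The `grep "111" $tables` and `grep "112" $tables` checks match those digits anywhere in the file, so an existing entry whose id or name merely contains them suppresses adding the olsr tables; anchor them to the id column, e.g. `grep -q "^111[[:space:]]"`.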