contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
	pr=`uci get freifunk-policyrouting.pr.enable`
	strict=`uci get freifunk-policyrouting.pr.strict`
	zones=`uci get freifunk-policyrouting.pr.zones`
	[ -f /proc/net/ipv6_route ] && has_ipv6=1
	if [ $pr = "1" ]; then

		# The wan device name
		if  [ -n "`uci -p /var/state get network.wan.ifname`" ]; then
			wandev=`uci -p /var/state get network.wan.ifname`
		else
			wandev=`uci -p /var/state get network.wan.device`
		fi

		iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
		iptables -t mangle -F prerouting_policy > /dev/null 2>&1
		iptables -t mangle -N prerouting_policy > /dev/null 2>&1
	        iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
		if [ "$has_ipv6" = 1 ]; then
			ip6tables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
			ip6tables -t mangle -F prerouting_policy > /dev/null 2>&1
			ip6tables -t mangle -N prerouting_policy > /dev/null 2>&1
		        ip6tables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
		fi

		# If no route is in table olsr-default, then usually the hosts local default route is used.
		# If set to strict then we add a filter which prevents this
		if [ "$strict" == "1" ]; then
			ln=$(( `iptables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
			if [ ! $ln -gt 0 ]; then
				ln=1
			fi
			if [ -z "`iptables -L |grep 'Chain forward_policy'`" ]; then
				iptables -N forward_policy
			fi
			if [ -z "`iptables -L FORWARD -v |grep forward_policy`" ]; then
				iptables -I FORWARD $ln -m mark --mark 1 -j forward_policy
			fi
			iptables -F forward_policy
			iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited


			if [ "$has_ipv6" = 1 ]; then
				ln=$(( `ip6tables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
				if [ ! $ln -gt 0 ]; then
					ln=1
				fi
				if [ -z "`ip6tables -L |grep 'Chain forward_policy'`" ]; then
					ip6tables -N forward_policy
				fi
				if [ -z "`ip6tables -L FORWARD -v |grep forward_policy`" ]; then
					ip6tables -I FORWARD $ln -m mark --mark 1 -j forward_policy
				fi
				ip6tables -F forward_policy
				ip6tables -I forward_policy -o $wandev -j REJECT
			fi
		fi

		# set mark 1 for all packets coming in via enabled zones
	        for i in $zones; do
			# find out which interfaces belong to this zone
			zone=`uci show firewall |grep "name=$i" |awk {' FS="."; print $1"."$2 '}`
			interfaces=`uci get $zone.network`
			if [ "$interfaces" == "" ]; then
				interfaces=$i
			fi
			for int in $interfaces; do
				if [ "`uci -q get network.$int.type`" == "bridge" ]; then 
					dev="br-$int"
				else
					if  [ -n "`uci -p /var/state get network.$int.ifname`" ]; then
						dev=`uci -p /var/state get network.$int.ifname`
					else
						dev=`uci -p /var/state get network.$int.device`
					fi
				fi
				logger -t policyrouting "Add mark 1 to packages coming in via interface $dev"
				iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
				if [ "$has_ipv6" = 1 ]; then
					ip6tables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
				fi	
			done
		done
	else
	        # Cleanup policy routing stuff that might be lingering around
	        if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then
			logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv4)"
	                iptables -t mangle -D PREROUTING -j prerouting_policy
	                iptables -t mangle -F prerouting_policy
	                iptables -t mangle -X prerouting_policy
	        fi
		if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then
			logger -t policyrouting "Delete strict forwarding rules (IPv4)"
			iptables -D FORWARD -m mark --mark 1 -j forward_policy
			iptables -F forward_policy
			iptables -X forward_policy
		fi

		if [ "$has_ipv6" = 1 ]; then
		        if [ -n "`ip6tables -t mangle -L PREROUTING |grep _policy`" ]; then
				logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv6)"
		                ip6tables -t mangle -D PREROUTING -j prerouting_policy
		                ip6tables -t mangle -F prerouting_policy
		                ip6tables -t mangle -X prerouting_policy
		        fi
			if [ -n "`ip6tables -L FORWARD |grep forward_policy`" ]; then
				logger -t policyrouting "Delete strict forwarding rules (IPv6)"
				ip6tables -D FORWARD -m mark --mark 1 -j forward_policy
				ip6tables -F forward_policy
				ip6tables -X forward_policy
			fi
		fi
		logger -t policyrouting "All firewall rules for policyrouting removed."
	fi
fi