76 lines
1.9 KiB
Bash
76 lines
1.9 KiB
Bash
#!/bin/sh
|
|
|
|
clear_restricted_gw()
|
|
{
|
|
local state="$1"
|
|
local iface
|
|
local ifname
|
|
local ipaddr
|
|
local netmask
|
|
local gateway
|
|
|
|
config_get iface "$state" iface
|
|
|
|
if [ "$iface" = "$INTERFACE" ]; then
|
|
config_get ifname "$state" ifname
|
|
config_get ipaddr "$state" ipaddr
|
|
config_get netmask "$state" netmask
|
|
config_get gateway "$state" gateway
|
|
|
|
logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
|
|
iptables -D "zone_${INTERFACE}_ACCEPT" ! -i $ifname -o $ifname -d $ipaddr/$netmask -j REJECT
|
|
iptables -D "zone_${INTERFACE}_ACCEPT" ! -i $ifname -o $ifname -d $gateway -j ACCEPT
|
|
|
|
uci_revert_state firewall "$state"
|
|
fi
|
|
}
|
|
|
|
get_enabled()
|
|
{
|
|
local name
|
|
config_get name "$1" name
|
|
|
|
if [ "$name" = "$ZONE" ]; then
|
|
config_get_bool local_restrict "$1" local_restrict
|
|
fi
|
|
}
|
|
|
|
if [ "$ACTION" = add ]; then
|
|
local enabled
|
|
local ipaddr
|
|
local netmask
|
|
local gateway
|
|
|
|
include /lib/network
|
|
scan_interfaces
|
|
|
|
config_get ipaddr "$INTERFACE" ipaddr
|
|
config_get netmask "$INTERFACE" netmask
|
|
config_get gateway "$INTERFACE" gateway
|
|
|
|
if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
|
|
config_load firewall
|
|
|
|
local_restrict=0
|
|
config_foreach get_enabled zone
|
|
|
|
if [ "$local_restrict" = 1 ]; then
|
|
logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
|
|
iptables -I "zone_${INTERFACE}_ACCEPT" ! -i $DEVICE -o $DEVICE -d $ipaddr/$netmask -j REJECT
|
|
iptables -I "zone_${INTERFACE}_ACCEPT" ! -i $DEVICE -o $DEVICE -d $gateway -j ACCEPT
|
|
|
|
local state="restricted_gw_${INTERFACE}"
|
|
uci_set_state firewall "$state" "" restricted_gw_state
|
|
uci_set_state firewall "$state" iface "$INTERFACE"
|
|
uci_set_state firewall "$state" ifname "$DEVICE"
|
|
uci_set_state firewall "$state" ipaddr "$ipaddr"
|
|
uci_set_state firewall "$state" netmask "$netmask"
|
|
uci_set_state firewall "$state" gateway "$gateway"
|
|
fi
|
|
fi
|
|
|
|
elif [ "$ACTION" = remove ]; then
|
|
config_load firewall
|
|
config_foreach clear_restricted_gw restricted_gw_state
|
|
fi
|
|
|