From: Manuel Munz <>
Date: Mon, 14 Mar 2011 19:34:23 +0000 (+0000)
Subject: Add freifunk-policyrouting and luci-app-freifunk-policyrouting
X-Git-Tag: 0.11.0~2198

Add freifunk-policyrouting and luci-app-freifunk-policyrouting

diff --git a/applications/luci-freifunk-policyrouting/Makefile b/applications/luci-freifunk-policyrouting/Makefile
--- /dev/null
+++ b/applications/luci-freifunk-policyrouting/Makefile
@@ -0,0 +1,4 @@
+PO = freifunk-policyrouting
+include ../../build/
+include ../../build/
diff --git a/applications/luci-freifunk-policyrouting/luasrc/controller/freifunk/policy-routing.lua b/applications/luci-freifunk-policyrouting/luasrc/controller/freifunk/policy-routing.lua
--- /dev/null
+++ b/applications/luci-freifunk-policyrouting/luasrc/controller/freifunk/policy-routing.lua
@@ -0,0 +1,23 @@
+LuCI - Lua Configuration Interface
+Copyright 2011 Manuel Munz <freifunk at somakoma de>
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+module "luci.controller.freifunk.policy-routing"
+function index()
+	require("luci.i18n").loadc("freifunk-policyrouting")
+	local i18n = luci.i18n.translate
+	entry({"admin", "freifunk", "policyrouting"}, cbi("freifunk/policyrouting"), i18n("Policy Routing"), 60)
diff --git a/applications/luci-freifunk-policyrouting/luasrc/model/cbi/freifunk/policyrouting.lua b/applications/luci-freifunk-policyrouting/luasrc/model/cbi/freifunk/policyrouting.lua
--- /dev/null
+++ b/applications/luci-freifunk-policyrouting/luasrc/model/cbi/freifunk/policyrouting.lua
@@ -0,0 +1,40 @@
+LuCI - Lua Configuration Interface
+Copyright 2011 Manuel Munz <freifunk at somakoma de>
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+local uci = require "luci.model.uci".cursor()
+m = Map("freifunk-policyrouting", translate("Policy Routing"), translate("These pages can be used to setup policy routing for certain firewall zones. "..
+	"This is useful if you need to use your own internet connection for yourself but you don't want to share it with others (thats why it can also be "..
+	"called 'Ego Mode'). Your own traffic is then sent via your internet connection while traffic originating from the mesh will use another gateway in the mesh. "))
+c = m:section(NamedSection, "pr", "settings", "")
+local pr = c:option(Flag, "enable", translate("Enable Policy Routing"))
+pr.rmempty = false
+local strict = c:option(Flag, "strict", translate("Strict Filtering"), translate("If no default route is received from the mesh network then traffic which belongs to "..
+	"the selected firewall zones is routed via your internet connection as a fallback. If you do not want this and instead block that traffic then you should "..
+	"select this option."))
+strict.rmempty = false
+local zones = c:option(MultiValue, "zones", translate("Firewall zones"), translate("All traffic from interfaces belonging to these zones will be sent via "..
+	"a gateway in the mesh network."))
+uci:foreach("firewall", "zone", function(section)
+	local name =
+	if not (name == "wan") then
+		zones:value(name)
+	end
+return m
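Review bot: The WAN exclusion on the `if not (name == "wan")` line compares only the zone's name, but which interfaces a zone covers is decided by its `network` option (the hotplug script in this commit falls back to the zone name only when that option is empty), so a zone that lists `wan` under another name is still offered and, once selected, packets arriving on the WAN device itself get marked and re-routed towards a mesh gateway. Consider skipping such zones too, e.g. `local nets = section.network or name`, `if type(nets) == "table" then nets = table.concat(nets, " ") end`, and `if name ~= "wan" and not (" " .. nets .. " "):find(" wan ", 1, true) then` — whether `network` arrives as a string or a table depends on how the firewall config is written, so the type check is needed. A one-line comment above the loop stating why wan is excluded would help the next reader. The `uci:foreach` callback's closing `end)` is not visible in the hunk as shown here.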
diff --git a/contrib/package/freifunk-policyrouting/Makefile b/contrib/package/freifunk-policyrouting/Makefile
--- /dev/null
+++ b/contrib/package/freifunk-policyrouting/Makefile
@@ -0,0 +1,39 @@
+# Copyright (C) 2011 Manuel Munz <freifunk at somakoma de>
+# This is free software, licensed under the Apache 2.0 license.
+include $(TOPDIR)/
+include $(INCLUDE_DIR)/
+define Package/freifunk-policyrouting
+  SECTION:=luci
+  SUBMENU:=Freifunk
+  TITLE:=Freifunk policy routing addon
+  DEPENDS:=+firewall +ip
+define Package/freifunk-policyrouting/description
+  Allows you to send your own traffic via your own default gateway while sending traffic received from the mesh to a gateway in the mesh.
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+define Build/Configure
+define Build/Compile
+define Package/freifunk-policyrouting/install
+	$(CP) ./files/* $(1)/
+$(eval $(call BuildPackage,freifunk-policyrouting))
diff --git a/contrib/package/freifunk-policyrouting/files/etc/config/freifunk-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/config/freifunk-policyrouting
--- /dev/null
+++ b/contrib/package/freifunk-policyrouting/files/etc/config/freifunk-policyrouting
@@ -0,0 +1,6 @@
+config 'settings' 'pr'
+	option 'enable' '0'
+	option 'strict' '1'
+	option 'zones' ''
diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
--- /dev/null
+++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
@@ -0,0 +1,72 @@
+if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
+	pr=`uci get`
+	strict=`uci get`
+	zones=`uci get`
+	if [ $pr = "1" ]; then
+		# The wan device name
+		if  [ -n "`uci -p /var/state get network.wan.ifname`" ]; then
+			wandev=`uci -p /var/state get network.wan.ifname`
+		else
+			wandev=`uci -p /var/state get network.wan.device`
+		fi
+		iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1
+		iptables -t mangle -F prerouting_policy > /dev/null 2>&1
+		iptables -t mangle -N prerouting_policy > /dev/null 2>&1
+	        iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1
+		# If no route is in table olsr-default, then usually the hosts local default route is used.
+		# If set to strict then we add a filter which prevents this
+		if [ "$strict" == "1" ]; then
+			ln=$(( `iptables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 ))
+			if [ ! $ln -gt 0 ]; then
+				ln=1
+			fi
+			if [ -z "`iptables -L |grep 'Chain forward_policy'`" ]; then
+				iptables -N forward_policy
+			fi
+			if [ -z "`iptables -L FORWARD -v |grep forward_policy`" ]; then
+				iptables -I FORWARD $ln -m mark --mark 1 -j forward_policy
+			fi
+			iptables -F forward_policy
+			iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited
+		fi
+		# set mark 1 for all packets coming in via enabled zones
+	        for i in $zones; do
+			# find out which interfaces belong to this zone
+			zone=`uci show firewall |grep "name=$i" |awk {' FS="."; print $1"."$2 '}`
+			interfaces=`uci get $`
+			if [ "$interfaces" == "" ]; then
+				interfaces=$i
+			fi
+			for int in $interfaces; do
+				if [ "`uci -q get network.$int.type`" == "bridge" ]; then 
+					dev="br-$int"
+				else
+			                dev=`uci get network.$int.ifname`
+				fi
+				logger -t policyrouting "Add mark 1 to packages coming in via interface $dev"
+				iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1
+			done
+		done
+	else
+	        # Cleanup policy routing stuff that might be lingering around
+	        if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then
+			logger -t policyrouting "Delete prerouting_policy chain in table mangle"
+	                iptables -t mangle -D PREROUTING -j prerouting_policy
+	                iptables -t mangle -F prerouting_policy
+	                iptables -t mangle -X prerouting_policy
+	        fi
+		if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then
+			logger -t policyrouting "Delete strict forwarding rules"
+			iptables -D FORWARD -m mark --mark 1 -j forward_policy
+			iptables -F forward_policy
+			iptables -X forward_policy
+		fi
+		logger -t policyrouting "All firewall rules for policyrouting removed."
+	fi
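Review bot: The zone-to-interface lookup on the `zone=` line is an unanchored substring match: `grep "name=$i"` with zone `lan` also hits `name=wlan` or `name=lan_guest`, and when several sections match, `$zone` holds several keys, the following `uci get` fails, `$interfaces` falls back to the bare zone name and the MARK rule lands on the wrong device or none at all. Because unmarked forwards fall through to the local default route, a mis-marked zone silently shares the WAN uplink even with strict filtering on, so anchor the pattern, e.g. `grep "\.name=$i$"`. The non-bridge path uses `uci get network.$int.ifname` without `-q`, so a missing interface leaves `$dev` empty and `iptables -I prerouting_policy -i -j MARK` just errors; guard it with `[ -n "$dev" ] || continue`, and quote the enable check as `[ "$pr" = "1" ]` so an unset option does not abort the script with a syntax error. The strict REJECT is inserted just before the first `reject` rule in FORWARD, i.e. after any zone ACCEPT rules the firewall has already installed, so it only catches marked forwards that nothing else accepted — worth a comment above the `ln=` line if that placement is intended.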
diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting
--- /dev/null
+++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting
@@ -0,0 +1,78 @@
+[ "$INTERFACE" != "wan" ] && exit 0
+case $ACTION in
+        ifup)
+		pr=`uci get`
+		if [ $pr = "1" ]; then
+			logger -t policyrouting "Starting policy routing on $INTERFACE"
+			# Setup new tables
+			tables="/etc/iproute2/rt_tables"
+			if [ -z "`grep "111" $tables`" ]; then
+				echo "111 olsr" >> $tables
+			fi
+			if [ -z "`grep "112" $tables`" ]; then
+				echo "112 olsr-default" >> $tables
+			fi
+			# Make sure Rt_tables in olsrd are in place
+			if [ ! "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ ! "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then
+				uci set olsrd.@olsrd[0].RtTable='111'
+				uci set olsrd.@olsrd[0].RtTableDefault='112'
+				uci commit
+				/etc/init.d/olsrd restart
+			fi
+			# Disable dyn_gw and dyngw_plain
+			dyngwlib=`uci show olsrd |grep |awk {' FS="."; print $1"."$2 '}`
+			if [ -n "$dyngwlib" ]; then
+				uci set $dyngwlib.ignore=1
+				uci commit
+			fi
+			dyngwplainlib=`uci show olsrd |grep dyn_gw_plain |awk {' FS="."; print $1"."$2 '}`
+			if [ -n "$dyngwplainlib" ]; then
+				uci set $dyngwplainlib.ignore=1
+				uci commit
+			fi
+			gw=`uci -p /var/state get network.wan.gateway`
+			netmask=`uci -p /var/state get network.wan.netmask`
+			if [ -z "$netmask" ]; then
+				NETMASK=""
+			fi
+			if  [ -n "`uci -p /var/state get network.wan.ifname`" ]; then
+				device=`uci -p /var/state get network.wan.ifname`
+			else
+				device=`uci -p /var/state get network.wan.device`
+			fi
+			eval ` $gw $netmask`
+			test -n "`ip r s t default`" && ip r d default t default
+			test -n "`ip r s |grep default`" && ip route del default
+			ip route add $NETWORK/$NETMASK dev $device table default
+			ip route add default via $gw dev $device table default
+			ip rule del lookup main
+			ip rule add fwmark 1 lookup olsr-default
+			ip rule add lookup main
+			ip rule add lookup olsr
+		else
+			# Remove custom routing tables from olsrd
+			if [ "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then
+				uci delete olsrd.@olsrd[0].RtTable
+				uci delete olsrd.@olsrd[0].RtTableDefault
+				uci commit
+				/etc/init.d/olsrd restart
+			fi
+		fi
+	;;
+	ifdown)
+	logger -t policyrouting "Deleting policy rules for $INTERFACE"
+	ip rule del fwmark 1 lookup olsr-default > /dev/null 2>&1
+	ip rule del lookup olsr	> /dev/null 2>&1
+	;;
diff --git a/contrib/package/freifunk-policyrouting/files/etc/uci-defaults/freifunk-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/uci-defaults/freifunk-policyrouting
--- /dev/null
+++ b/contrib/package/freifunk-policyrouting/files/etc/uci-defaults/freifunk-policyrouting
@@ -0,0 +1,7 @@
+uci batch <<-EOF
+        add ucitrack freifunk-policyrouting
+        add_list ucitrack.@freifunk-policyrouting[-1].affects="network"
+        commit ucitrack
diff --git a/contrib/package/luci/Makefile b/contrib/package/luci/Makefile
--- a/contrib/package/luci/Makefile
+++ b/contrib/package/luci/Makefile
@@ -306,6 +306,9 @@ $(eval $(call application,siitwizard,SIIT IPv4-over-IPv6 configuration wizard,\
 $(eval $(call application,firewall,Firmware and Portforwarding application,\
+$(eval $(call application,freifunk-policyrouting,Policy routing for mesh traffic,\
+        +PACKAGE_luci-app-freifunk-policyrouting:freifunk-policyrouting +luci-mod-freifunk))
 $(eval $(call application,olsr,OLSR configuration and status module,\
 	+luci-mod-admin-full +PACKAGE_luci-app-olsr:olsrd +PACKAGE_luci-app-olsr:olsrd-mod-txtinfo))
diff --git a/po/de/freifunk-policyrouting.po b/po/de/freifunk-policyrouting.po
new file mode 100644
index 000000000..edbe375fe
--- /dev/null
+++ b/po/de/freifunk-policyrouting.po
@@ -0,0 +1,55 @@
+msgid ""
+msgstr ""
+"Project-Id-Version: \n"
+"POT-Creation-Date: \n"
+"PO-Revision-Date: \n"
+"Last-Translator: Manuel Munz <>\n"
+"Language-Team: \n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+msgid ""
+"All traffic from interfaces belonging to these zones will be sent via a "
+"gateway in the mesh network."
+msgstr ""
+"Traffic der aus diesen Zonen kommt wird über ein Internetgateway im Mesh "
+msgid "Enable Policy Routing"
+msgstr "Policy Routing aktivieren"
+msgid "Firewall zones"
+msgstr "Firewallzonen"
+msgid ""
+"If no default route is received from the mesh network then traffic which "
+"belongs to the selected firewall zones is routed via your internet "
+"connection as a fallback. If you do not want this and instead block that "
+"traffic then you should select this option."
+msgstr ""
+"Falls im Mesh kein anderer Internetgateway verfügbar ist, dann wird Traffic "
+"aus den ausgewählten Zonen als Fallback über die Internetverbindung dieses "
+"Routers geleitet. Wenn das nicht gewünscht ist und dieser Traffic dann "
+"stattdessen geblockt werden soll, dann aktiviere diese Option."
+msgid "Policy Routing"
+msgstr ""
+msgid "Strict Filtering"
+msgstr "Strenges Filtern"
+msgid ""
+"These pages can be used to setup policy routing for certain firewall zones. "
+"This is useful if you need to use your own internet connection for yourself "
+"but you don't want to share it with others (thats why it can also be called "
+"'Ego Mode'). Your own traffic is then sent via your internet connection "
+"while traffic originating from the mesh will use another gateway in the mesh."
+msgstr ""
+"Auf diesen Seiten kann Policy Routing für bestimmte Firewallzonen aktiviert "
+"werden. Dies ist z.B. nützlich, wenn du deinen eigenen Internetverkehr über "
+"deine eigene Internetverbindung routen aber diese nicht mit anderen teilen "
+"willst ('Mein Gateway für mich allein').  Eigener Traffic wird dann über die "
+"eigene Internetverbindung geschickt während Traffic aus den ausgewählten "
+"Firewallzonen über einen anderen Gateway im Mesh geleitet wird."
diff --git a/po/templates/freifunk-policyrouting.pot b/po/templates/freifunk-policyrouting.pot
new file mode 100644
index 000000000..c9465d4cf
--- /dev/null
+++ b/po/templates/freifunk-policyrouting.pot
@@ -0,0 +1,34 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+msgid ""
+"All traffic from interfaces belonging to these zones will be sent via a "
+"gateway in the mesh network."
+msgstr ""
+msgid "Enable Policy Routing"
+msgstr ""
+msgid "Firewall zones"
+msgstr ""
+msgid ""
+"If no default route is received from the mesh network then traffic which "
+"belongs to the selected firewall zones is routed via your internet "
+"connection as a fallback. If you do not want this and instead block that "
+"traffic then you should select this option."
+msgstr ""
+msgid "Policy Routing"
+msgstr ""
+msgid "Strict Filtering"
+msgstr ""
+msgid ""
+"These pages can be used to setup policy routing for certain firewall zones. "
+"This is useful if you need to use your own internet connection for yourself "
+"but you don't want to share it with others (thats why it can also be called "
+"'Ego Mode'). Your own traffic is then sent via your internet connection "
+"while traffic originating from the mesh will use another gateway in the mesh."
+msgstr ""
