From 2c46f1058da3021ed8b07a7936f6c469d31b65a8 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 27 Aug 2009 00:05:11 +0000
Subject: [PATCH] contrib/package: freifunk-firewall: introduce per-zone option "local_restrict" to only grant access to the default gateway in this zone while rejecting other hosts in the target subnet
---
 contrib/package/freifunk-firewall/Makefile | 2 +-
 .../etc/hotplug.d/firewall/23-restricted-wan | 76 +++++++++++++++++++
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
diff --git a/contrib/package/freifunk-firewall/Makefile b/contrib/package/freifunk-firewall/Makefile
index 8399870d0..eff1c7d64 100644
--- a/contrib/package/freifunk-firewall/Makefile
+++ b/contrib/package/freifunk-firewall/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=freifunk-firewall
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
diff --git a/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
new file mode 100644
index 000000000..d0795b629
--- /dev/null
+++ b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+clear_restricted_gw()
+{
+ local state="$1"
+ local iface
+ local ifname
+ local ipaddr
+ local netmask
+ local gateway
+
+ config_get iface "$state" iface
+
+ if [ "$iface" = "$INTERFACE" ]; then
+ config_get ifname "$state" ifname
+ config_get ipaddr "$state" ipaddr
+ config_get netmask "$state" netmask
+ config_get gateway "$state" gateway
+
+ logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
+ iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $ipaddr/$netmask -j REJECT
+ iptables -D "zone_${INTERFACE}_ACCEPT" -i ! $ifname -o $ifname -d $gateway -j ACCEPT
+
+ uci_revert_state firewall "$state"
+ fi
+}
+
+get_enabled()
+{
+ local name
+ config_get name "$1" name
+
+ if [ "$name" = "$ZONE" ]; then
+ config_get_bool local_restrict "$1" local_restrict
+ fi
+}
+
+if [ "$ACTION" = add ]; then
+ local enabled
+ local ipaddr
+ local netmask
+ local gateway
+
+ include /lib/network
+ scan_interfaces
+
+ config_get ipaddr "$INTERFACE" ipaddr
+ config_get netmask "$INTERFACE" netmask
+ config_get gateway "$INTERFACE" gateway
+
+ if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
+ config_load firewall
+
+ local_restrict=0
+ config_foreach get_enabled zone
+
+ if [ "$local_restrict" = 1 ]; then
+ logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
+ iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $ipaddr/$netmask -j REJECT
+ iptables -I "zone_${INTERFACE}_ACCEPT" -i ! $DEVICE -o $DEVICE -d $gateway -j ACCEPT
+
+ local state="restricted_gw_${INTERFACE}"
+ uci_set_state firewall "$state" "" restricted_gw_state
+ uci_set_state firewall "$state" iface "$INTERFACE"
+ uci_set_state firewall "$state" ifname "$DEVICE"
+ uci_set_state firewall "$state" ipaddr "$ipaddr"
+ uci_set_state firewall "$state" netmask "$netmask"
+ uci_set_state firewall "$state" gateway "$gateway"
+ fi
+ fi
+
+elif [ "$ACTION" = remove ]; then
+ config_load firewall
+ config_foreach clear_restricted_gw restricted_gw_state
+fi
+
-- 
2.25.1
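Review bot: The two `iptables -I` calls in the `add` branch run unchecked, so if either fails the zone's ACCEPT chain is left exactly as it was and the restriction silently does not apply — a fail-open for a rule whose whole purpose is to reject the rest of the subnet. The unquoted `$ipaddr/$netmask` is the likely failure mode: only `gateway` is tested for emptiness, so an interface with no `ipaddr`/`netmask` in its config yields a malformed `-d` argument and an iptables usage error. I would extend the guard to `if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ] && [ -n "$ipaddr" ] && [ -n "$netmask" ]; then`, quote the expansions, and append `|| logger -t firewall.freifunk "failed to restrict $DEVICE($gateway)"` to each iptables call so a missing REJECT is at least visible in the log. The `-i ! $DEVICE` spelling is the intrapositioned negation that later iptables releases deprecate in favour of `! -i "$DEVICE"`; worth confirming against the target's iptables version. `local enabled` in the `add` branch is unused, and `local` outside a function is not accepted by every `/bin/sh`, so those top-level `local` lines can be dropped.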