66 lines
1.5 KiB
Plaintext
66 lines
1.5 KiB
Plaintext
|
#!/bin/sh
|
||
|
|
||
|
clear_restricted_gw()
|
||
|
{
|
||
|
local state="$1"
|
||
|
local iface
|
||
|
local ifname
|
||
|
local subnet
|
||
|
|
||
|
config_get iface "$state" iface
|
||
|
|
||
|
if [ "$iface" = "$INTERFACE" ]; then
|
||
|
config_get ifname "$state" ifname
|
||
|
config_get subnet "$state" subnet
|
||
|
|
||
|
logger -t firewall.freifunk "removing local restriction to the network connected to $ifname ($iface)"
|
||
|
iptables -D forwarding_freifunk_rule -o $ifname -d $subnet -j REJECT --reject-with icmp-host-prohibited
|
||
|
uci_revert_state firewall "$state"
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
get_enabled()
|
||
|
{
|
||
|
local name
|
||
|
config_get name "$1" name
|
||
|
|
||
|
if [ "$name" = "$ZONE" ]; then
|
||
|
config_get_bool local_restrict "$1" local_restrict
|
||
|
fi
|
||
|
}
|
||
|
|
||
|
if [ "$ACTION" = add ]; then
|
||
|
local enabled
|
||
|
local subnet
|
||
|
|
||
|
. /lib/functions/network.sh
|
||
|
|
||
|
network_find_wan wan
|
||
|
|
||
|
[ "$INTERFACE" = "$wan" ] || return 0
|
||
|
|
||
|
network_get_subnet subnet $INTERFACE
|
||
|
|
||
|
if [ -n "$subnet" ]; then
|
||
|
config_load firewall
|
||
|
|
||
|
local_restrict=0
|
||
|
config_foreach get_enabled zone
|
||
|
|
||
|
if [ "$local_restrict" = 1 ]; then
|
||
|
logger -t firewall.freifunk "restricting local access to the network connected to $INTERFACE ($DEVICE)"
|
||
|
iptables -I forwarding_freifunk_rule -o $DEVICE -d $subnet -j REJECT --reject-with icmp-host-prohibited
|
||
|
local state="restricted_gw_${INTERFACE}"
|
||
|
uci_set_state firewall "$state" "" restricted_gw_state
|
||
|
uci_set_state firewall "$state" iface "$INTERFACE"
|
||
|
uci_set_state firewall "$state" ifname "$DEVICE"
|
||
|
uci_set_state firewall "$state" subnet "$subnet"
|
||
|
fi
|
||
|
fi
|
||
|
|
||
|
elif [ "$ACTION" = remove ]; then
|
||
|
config_load firewall
|
||
|
config_foreach clear_restricted_gw restricted_gw_state
|
||
|
fi
|
||
|
|