contrib/freifunk-firewall: Make it work with firewall3

diff --git a/contrib/package/freifunk-firewall/Makefile b/contrib/package/freifunk-firewall/Makefile
index eed1d7a8af076717bd59eb492973c288af7ddcb2..413ea47326df351737feea147024381d2aad62cb 100644 (file)
--- a/contrib/package/freifunk-firewall/Makefile
+++ b/contrib/package/freifunk-firewall/Makefile
@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=freifunk-firewall
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
 
@@ -18,7 +18,7 @@ define Package/freifunk-firewall
   CATEGORY:=LuCI
   SUBMENU:=9. Freifunk
   TITLE:=Freifunk Firewall Addon
-  DEPENDS:=+firewall
+  DEPENDS:=+firewall3
 endef
 
 define Package/freifunk-firewall/description

diff --git a/contrib/package/freifunk-firewall/files/etc/firewall.freifunk b/contrib/package/freifunk-firewall/files/etc/firewall.freifunk
index 4c3f3c476edc9c3fcecd56ede613fd05c100741a..d2805f668ce246deba3d8181a4f2023ceac9dec4 100644 (file)
--- a/contrib/package/freifunk-firewall/files/etc/firewall.freifunk
+++ b/contrib/package/freifunk-firewall/files/etc/firewall.freifunk
@@ -1,7 +1,7 @@
 #!/bin/sh
 # Freifunk Firewall addons
-# $Id$
 
+. /lib/functions.sh
 
 #
 # Apply advanced settings
@@ -36,7 +36,5 @@ apply_advanced() {
 
 config_foreach apply_advanced advanced
 
-[ -x /etc/init.d/luci_splash ] && ( sleep 3; /etc/init.d/luci_splash restart )&
-
 [ -x /etc/init.d/freifunk-p2pblock ] && /etc/init.d/freifunk-p2pblock enabled && \
        ( sleep 3; /etc/init.d/freifunk-p2pblock restart )&

diff --git a/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
index d6f94ea901e99567e0c8f46b8149e0f67ee1522f..e71c852dfd7ab44fb2f5e37daa4ea75208bd12e6 100644 (file)
--- a/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
+++ b/contrib/package/freifunk-firewall/files/etc/hotplug.d/firewall/23-restricted-wan
@@ -5,20 +5,16 @@ clear_restricted_gw()
        local state="$1"
        local iface
        local ifname
-       local ipaddr
-       local netmask
-       local gateway
+       local subnet
 
        config_get iface "$state" iface
 
        if [ "$iface" = "$INTERFACE" ]; then
                config_get ifname "$state" ifname
-               config_get ipaddr "$state" ipaddr
-               config_get netmask "$state" netmask
-               config_get gateway "$state" gateway
+               config_get subnet "$state" subnet
 
-               logger -t firewall.freifunk "removing local restriction to $iface($gateway)"
-               iptables -D forwarding_rule ! -i $ifname -o $ifname -d $ipaddr/$netmask -j REJECT --reject-with icmp-host-prohibited
+               logger -t firewall.freifunk "removing local restriction to the network connected to $ifname ($iface)"
+               iptables -D forwarding_freifunk_rule -o $ifname -d $subnet -j REJECT --reject-with icmp-host-prohibited
                uci_revert_state firewall "$state"
        fi
 }
@@ -35,33 +31,30 @@ get_enabled()
 
 if [ "$ACTION" = add ]; then
        local enabled
-       local ipaddr
-       local netmask
-       local gateway
+       local subnet
 
-       include /lib/network
-       scan_interfaces
+       . /lib/functions/network.sh
 
-       config_get ipaddr "$INTERFACE" ipaddr
-       config_get netmask "$INTERFACE" netmask
-       config_get gateway "$INTERFACE" gateway
+       network_find_wan wan
 
-       if [ -n "$gateway" ] && [ "$gateway" != 0.0.0.0 ]; then
+       [ "$INTERFACE" = "$wan" ] || return 0
+
+       network_get_subnet subnet $INTERFACE
+
+       if [ -n "$subnet" ]; then
                config_load firewall
 
                local_restrict=0
                config_foreach get_enabled zone
-
+               
                if [ "$local_restrict" = 1 ]; then
-                       logger -t firewall.freifunk "restricting local access to $DEVICE($gateway)"
-                       iptables -I forwarding_rule ! -i $DEVICE -o $DEVICE -d $ipaddr/$netmask -j REJECT --reject-with icmp-host-prohibited
+                       logger -t firewall.freifunk "restricting local access to the network connected to $INTERFACE ($DEVICE)"
+                       iptables -I forwarding_freifunk_rule -o $DEVICE -d $subnet -j REJECT --reject-with icmp-host-prohibited
                        local state="restricted_gw_${INTERFACE}"
                        uci_set_state firewall "$state" "" restricted_gw_state
                        uci_set_state firewall "$state" iface "$INTERFACE"
                        uci_set_state firewall "$state" ifname "$DEVICE"
-                       uci_set_state firewall "$state" ipaddr "$ipaddr"
-                       uci_set_state firewall "$state" netmask "$netmask"
-                       uci_set_state firewall "$state" gateway "$gateway"
+                       uci_set_state firewall "$state" subnet "$subnet"
                fi
        fi