IPT_REPLAY=/var/run/luci_splash.iptlog
LOCK=/var/run/luci_splash.lock
+[ -x /usr/sbin/ip6tables ] && [ -f /proc/net/ipv6_route ] && HAS_IPV6=1
silent() {
"$@" 2>/dev/null
echo iptables -D "$@" >> $IPT_REPLAY
}
+ipt6_log() {
+ [ "$HAS_IPV6" = 1 ] || return
+ ip6tables -I "$@"
+ echo ip6tables -D "$@" >> $IPT_REPLAY
+}
+
+
iface_add() {
local cfg="$1"
config_get ipaddr "$net" ipaddr
[ -n "$ipaddr" ] || return 0
+ config_get ip6addr "$net" ip6addr
+ #[ -n "$ipaddr" ] || return 0
+
config_get netmask "$net" netmask
[ -n "$netmask" ] || return 0
ipt_log "zone_${zone}_prerouting" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_prerouting -t nat
ipt_log "zone_${zone}_forward" -i "${ifname%:*}" -s "$NETWORK/$PREFIX" -j luci_splash_forwarding -t filter
+ if [ "$HAS_IPV6" = 1 ]; then
+ ipt6_log "zone_${zone}_forward" -i "${ifname%:*}" -s "$ip6addr" -j luci_splash_forwarding -t filter
+ fi
+
### Allow traffic to the same subnet
iptables -t nat -I luci_splash_prerouting -d "$ipaddr/${netmask:-32}" -j RETURN
iptables -t filter -I luci_splash_forwarding -d "$ipaddr/${netmask:-32}" -j RETURN
iptables -t filter -N luci_splash_forwarding
iptables -t filter -N luci_splash_filter
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -N luci_splash_forwarding
+ ip6tables -t filter -N luci_splash_filter
+ fi
+
### Clear iptables replay log
[ -s $IPT_REPLAY ] && . $IPT_REPLAY
echo -n > $IPT_REPLAY
iptables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset
iptables -t filter -A luci_splash_filter -j REJECT --reject-with icmp-net-prohibited
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -A luci_splash_forwarding -j luci_splash_filter
+ ip6tables -t filter -A luci_splash_filter -p tcp -j REJECT --reject-with tcp-reset
+ ip6tables -t filter -A luci_splash_filter -j REJECT --reject-with adm-prohibited
+ fi
+
### Add QoS chain
[ "$LIMIT_UP" -gt 0 -a "$LIMIT_DOWN" -gt 0 ] && {
iptables -t mangle -N luci_splash_mark_out
iptables -t mangle -N luci_splash_mark_in
iptables -t mangle -I PREROUTING -j luci_splash_mark_out
iptables -t mangle -I POSTROUTING -j luci_splash_mark_in
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t mangle -N luci_splash_mark_out
+ ip6tables -t mangle -N luci_splash_mark_in
+ ip6tables -t mangle -I PREROUTING -j luci_splash_mark_out
+ ip6tables -t mangle -I POSTROUTING -j luci_splash_mark_in
+ fi
}
### Find active mac addresses
silent iptables -t mangle -D PREROUTING -j luci_splash_mark_out
silent iptables -t mangle -D POSTROUTING -j luci_splash_mark_in
+ if [ "$HAS_IPV6" = 1 ]; then
+ silent ip6tables -t mangle -D PREROUTING -j luci_splash_mark_out
+ silent ip6tables -t mangle -D POSTROUTING -j luci_splash_mark_in
+ fi
+
### Clear subchains
silent iptables -t nat -F luci_splash_prerouting
silent iptables -t nat -F luci_splash_leases
silent iptables -t mangle -F luci_splash_mark_out
silent iptables -t mangle -F luci_splash_mark_in
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -F luci_splash_forwarding
+ ip6tables -t filter -F luci_splash_filter
+ ip6tables -t mangle -F luci_splash_mark_out
+ ip6tables -t mangle -F luci_splash_mark_in
+ fi
+
### Delete subchains
silent iptables -t nat -X luci_splash_prerouting
silent iptables -t nat -X luci_splash_leases
silent iptables -t filter -X luci_splash_filter
silent iptables -t mangle -X luci_splash_mark_out
silent iptables -t mangle -X luci_splash_mark_in
-
+ if [ "$HAS_IPV6" = 1 ]; then
+ ip6tables -t filter -X luci_splash_forwarding
+ ip6tables -t filter -X luci_splash_filter
+ ip6tables -t mangle -X luci_splash_mark_out
+ ip6tables -t mangle -X luci_splash_mark_in
+ fi
sed -ie '/\/usr\/sbin\/luci-splash sync/d' /var/spool/cron/crontabs/root
lock -u $LOCK
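Review bot: The IPv6 rule at `ipt6_log "zone_${zone}_forward" -i "${ifname%:*}" -s "$ip6addr" ...` runs whenever HAS_IPV6 is set, but nothing checks that the preceding `config_get ip6addr` produced a value — the only guard is commented out (`#[ -n "$ipaddr" ] || return 0`, which tests the IPv4 variable anyway) — so with an empty value ip6tables receives `-s ""`, fails, and `ipt6_log` still appends a bogus `ip6tables -D` line to the replay log. Change the condition to `if [ "$HAS_IPV6" = 1 ] && [ -n "$ip6addr" ]; then` and drop the dead comment line. Note also that the IPv4 rules match on `$NETWORK/$PREFIX` while the IPv6 one uses the interface address itself; if `ip6addr` is a host address rather than a prefix, the rule only matches the router's own traffic, which is worth confirming against the uci schema. Separately, the `ip6tables -F` and `ip6tables -X` cleanup lines are not wrapped in `silent` like their iptables counterparts, so the first run prints chain-not-found errors to the console. iface_add and the cleanup function start or end outside the hunks shown.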
local uci = luci.model.uci.cursor_state()
local ipt = luci.sys.iptparser.IptParser()
local net = luci.sys.net
+local fs = require "luci.fs"
local limit_up = 0
local limit_down = 0
+local has_ipv6 = fs.access("/proc/net/ipv6_route") and fs.access("/usr/sbin/ip6tables")
+
function lock()
os.execute("lock /var/run/luci_splash.lock")
end
end
end
+function ipt6_delete_all(args, comp, off)
+ off = off or { }
+ for i, r in ipairs(ipt:find(args)) do
+ if comp == nil or comp(r) then
+ off[r.table] = off[r.table] or { }
+ off[r.table][r.chain] = off[r.table][r.chain] or 0
+
+ os.execute("ip6tables -t %q -D %q %d 2>/dev/null"
+ %{ r.table, r.chain, r.index - off[r.table][r.chain] })
+
+ off[r.table][r.chain] = off[r.table][r.chain] + 1
+ end
+ end
+end
+
+
-- Convert mac to uci-compatible section name
function convert_mac_to_secname(mac)
return string.gsub(mac, ":", "")
os.execute("iptables -t mangle -I luci_splash_mark_in -d %q -j MARK --set-mark 80" % ipaddr)
end
+
os.execute("iptables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
os.execute("iptables -t nat -I luci_splash_leases -m mac --mac-source %q -j RETURN" % mac)
+ if has_ipv6 then
+ os.execute("ip6tables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
+ end
end
ipt_delete_all({table="filter", chain="luci_splash_filter", options={"MAC", mac:upper()}})
ipt_delete_all({table="nat", chain="luci_splash_leases", options={"MAC", mac:upper()}})
+ if has_ipv6 then
+ ipt6_delete_all({table="filter", chain="luci_splash_filter", options={"MAC", mac:upper()}})
+ end
end
function add_whitelist_rule(mac)
os.execute("iptables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
os.execute("iptables -t nat -I luci_splash_leases -m mac --mac-source %q -j RETURN" % mac)
+ if has_ipv6 then
+ os.execute("ip6tables -t filter -I luci_splash_filter -m mac --mac-source %q -j RETURN" % mac)
+ end
end
-- Add blacklist rules
function add_blacklist_rule(mac)
os.execute("iptables -t filter -I luci_splash_filter -m mac --mac-source %q -j DROP" % mac)
+ if has_ipv6 then
+ os.execute("ip6tables -t filter -I luci_splash_filter -m mac --mac-source %q -j DROP" % mac)
+ end
end
ipt_delete_all({table="filter", chain="luci_splash_filter", options={"MAC"}},
function(r) return not macs[r.options[2]:lower()] end)
-
ipt_delete_all({table="nat", chain="luci_splash_leases", options={"MAC"}},
function(r) return not macs[r.options[2]:lower()] end)
-
ipt_delete_all({table="mangle", chain="luci_splash_mark_out", options={"MAC", "MARK", "set"}},
function(r) return not macs[r.options[2]:lower()] end)
-
ipt_delete_all({table="mangle", chain="luci_splash_mark_in", options={"MARK", "set"}},
function(r) return not ips[r.destination] end)
+ if has_ipv6 then
+ ipt6_delete_all({table="filter", chain="luci_splash_filter", options={"MAC"}},
+ function(r) return not macs[r.options[2]:lower()] end)
+ ipt_delete_all({table="mangle", chain="luci_splash_mark_out", options={"MAC", "MARK", "set"}},
+ function(r) return not macs[r.options[2]:lower()] end)
+ ipt_delete_all({table="mangle", chain="luci_splash_mark_in", options={"MARK", "set"}},
+ function(r) return not ips[r.destination] end)
+ end
+
unlock()
end
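Review bot: The cleanup block under `if has_ipv6 then` near the end of the section calls `ipt_delete_all` for the two mangle chains instead of `ipt6_delete_all`, so it repeats the IPv4 deletions issued unconditionally just above and never removes the ip6tables mangle rules; if `ipt:find` returns the rule list parsed earlier rather than re-reading the tables, that second pass issues `iptables -D <chain> <index>` against positions that have already shifted and can remove rules that were meant to stay. Replace `ipt_delete_all(` with `ipt6_delete_all(` on those two calls. Also, `ipt6_delete_all` queries the same `ipt` object as the IPv4 version, which was constructed as `IptParser()` with no address-family argument; unless that parser also loads ip6tables output, the chain indexes it feeds to `ip6tables -t %q -D %q %d` come from the IPv4 tables and will not line up with the IPv6 rules — confirm which family the parser reads before relying on it. The function containing this block starts outside the hunks shown.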