From 6efd34e9ecfdc8acbaa09bfb414722fc9790844f Mon Sep 17 00:00:00 2001
From: Manuel Munz
Date: Wed, 20 Mar 2013 02:53:14 +0000
Subject: [PATCH] contrib/freifunk-policyrouting: Almost complete rewrite, use ip only (no firewall depencies).
---
 .../package/freifunk-policyrouting/Makefile | 4 +-
 .../etc/hotplug.d/firewall/24-policyrouting | 116 -----------
 .../etc/hotplug.d/iface/30-policyrouting | 180 +++++++++---------
 .../files/etc/init.d/freifunk-policyrouting | 144 +++++++++++++-
 .../etc/uci-defaults/freifunk-policyrouting | 2 +-
 5 files changed, 225 insertions(+), 221 deletions(-)
 delete mode 100644 contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
diff --git a/contrib/package/freifunk-policyrouting/Makefile b/contrib/package/freifunk-policyrouting/Makefile
index 7abfedbd56..13c770aed2 100644
--- a/contrib/package/freifunk-policyrouting/Makefile
+++ b/contrib/package/freifunk-policyrouting/Makefile
@@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=freifunk-policyrouting -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
@@ -15,7 +15,7 @@ define Package/freifunk-policyrouting CATEGORY:=LuCI SUBMENU:=9. Freifunk TITLE:=Freifunk policy routing addon - DEPENDS:=+firewall +ip + DEPENDS:=+ip endef define Package/freifunk-policyrouting/description
diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
deleted file mode 100644
index 786c5e4ce7..0000000000
--- a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/firewall/24-policyrouting
+++ /dev/null
@@ -1,116 +0,0 @@ -if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then - pr=`uci get freifunk-policyrouting.pr.enable` - strict=`uci get freifunk-policyrouting.pr.strict` - zones=`uci get freifunk-policyrouting.pr.zones` - [ -f /proc/net/ipv6_route ] && has_ipv6=1 - if [ $pr = "1" ]; then - - # The wan device name - if [ -n "`uci -p /var/state get network.wan.ifname`" ]; then - wandev=`uci -p /var/state get network.wan.ifname` - else - wandev=`uci -p /var/state get network.wan.device` - fi - - iptables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1 - iptables -t mangle -F prerouting_policy > /dev/null 2>&1 - iptables -t mangle -N prerouting_policy > /dev/null 2>&1 - iptables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1 - if [ "$has_ipv6" = 1 ]; then - ip6tables -t mangle -D PREROUTING -j prerouting_policy > /dev/null 2>&1 - ip6tables -t mangle -F prerouting_policy > /dev/null 2>&1 - ip6tables -t mangle -N prerouting_policy > /dev/null 2>&1 - ip6tables -t mangle -I PREROUTING -j prerouting_policy > /dev/null 2>&1 - fi - - # If no route is in table olsr-default, then usually the hosts local default route is used. - # If set to strict then we add a filter which prevents this - if [ "$strict" == "1" ]; then - ln=$(( `iptables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 )) - if [ ! $ln -gt 0 ]; then - ln=1 - fi - if [ -z "`iptables -L |grep 'Chain forward_policy'`" ]; then - iptables -N forward_policy - fi - if [ -z "`iptables -L FORWARD -v |grep forward_policy`" ]; then - iptables -I FORWARD $ln -m mark --mark 1 -j forward_policy - fi - iptables -F forward_policy - iptables -I forward_policy -o $wandev -j REJECT --reject-with icmp-net-prohibited - - - if [ "$has_ipv6" = 1 ]; then - ln=$(( `ip6tables -L FORWARD -v --line-numbers | grep -m 1 reject | awk {' print $1 '}` - 1 )) - if [ ! 
$ln -gt 0 ]; then - ln=1 - fi - if [ -z "`ip6tables -L |grep 'Chain forward_policy'`" ]; then - ip6tables -N forward_policy - fi - if [ -z "`ip6tables -L FORWARD -v |grep forward_policy`" ]; then - ip6tables -I FORWARD $ln -m mark --mark 1 -j forward_policy - fi - ip6tables -F forward_policy - ip6tables -I forward_policy -o $wandev -j REJECT - fi - fi - - # set mark 1 for all packets coming in via enabled zones - for i in $zones; do - # find out which interfaces belong to this zone - zone=`uci show firewall |grep "name=$i" |awk {' FS="."; print $1"."$2 '}` - interfaces=`uci get $zone.network` - if [ "$interfaces" == "" ]; then - interfaces=$i - fi - for int in $interfaces; do - if [ "`uci -q get network.$int.type`" == "bridge" ]; then - dev="br-$int" - else - if [ -n "`uci -p /var/state get network.$int.ifname`" ]; then - dev=`uci -p /var/state get network.$int.ifname` - else - dev=`uci -p /var/state get network.$int.device` - fi - fi - logger -t policyrouting "Add mark 1 to packages coming in via interface $dev" - iptables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1 - if [ "$has_ipv6" = 1 ]; then - ip6tables -t mangle -I prerouting_policy -i $dev -j MARK --set-mark 1 - fi - done - done - else - # Cleanup policy routing stuff that might be lingering around - if [ -n "`iptables -t mangle -L PREROUTING |grep _policy`" ]; then - logger -t policyrouting "Delete prerouting_policy chain in table mangle (IPv4)" - iptables -t mangle -D PREROUTING -j prerouting_policy - iptables -t mangle -F prerouting_policy - iptables -t mangle -X prerouting_policy - fi - if [ -n "`iptables -L FORWARD |grep forward_policy`" ]; then - logger -t policyrouting "Delete strict forwarding rules (IPv4)" - iptables -D FORWARD -m mark --mark 1 -j forward_policy - iptables -F forward_policy - iptables -X forward_policy - fi - - if [ "$has_ipv6" = 1 ]; then - if [ -n "`ip6tables -t mangle -L PREROUTING |grep _policy`" ]; then - logger -t policyrouting "Delete prerouting_policy chain 
in table mangle (IPv6)" - ip6tables -t mangle -D PREROUTING -j prerouting_policy - ip6tables -t mangle -F prerouting_policy - ip6tables -t mangle -X prerouting_policy - fi - if [ -n "`ip6tables -L FORWARD |grep forward_policy`" ]; then - logger -t policyrouting "Delete strict forwarding rules (IPv6)" - ip6tables -D FORWARD -m mark --mark 1 -j forward_policy - ip6tables -F forward_policy - ip6tables -X forward_policy - fi - fi - logger -t policyrouting "All firewall rules for policyrouting removed." - fi -fi - diff --git a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting index f8c59a6379..c4ae38d972 100644 --- a/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting +++ b/contrib/package/freifunk-policyrouting/files/etc/hotplug.d/iface/30-policyrouting 
@@ -1,109 +1,99 @@ -[ "$INTERFACE" != "wan" ] && exit 0 -[ -f /proc/net/ipv6_route ] && has_ipv6=1 +#!/bin/sh -olsrd_rmtables() { - # Remove custom routing tables from olsrd - if [ "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then - uci delete olsrd.@olsrd[0].RtTable - uci delete olsrd.@olsrd[0].RtTableDefault - uci commit - /etc/init.d/olsrd restart - fi -} +. /lib/functions.sh +. /lib/functions/network.sh -case $ACTION in - ifup) - pr="`uci get freifunk-policyrouting.pr.enable`" - fallback="`uci get freifunk-policyrouting.pr.fallback`" - # check if ipv6 is enabled: +proto="4" +[ -f /proc/net/ipv6_route ] && proto="4 6" - if [ $pr = "1" ]; then - logger -s -t policyrouting "Starting policy routing on $INTERFACE" +config_load freifunk-policyrouting +config_get enable pr enable +config_get fallback pr fallback +config_get zones pr zones - # Setup new tables - tables="/etc/iproute2/rt_tables" - if [ -z "`grep "111" $tables`" ]; then - echo "111 olsr" >> $tables - fi - if [ -z "`grep "112" $tables`" ]; then - echo "112 olsr-default" >> $tables - fi +if [ "$ACTION" = "ifup" ] && [ "$enable" = "1" ]; then + network_get_subnet net $INTERFACE + network_get_subnet6 net6 $INTERFACE + network_get_physdev dev $INTERFACE - # Make sure Rt_tables in olsrd are in place - if [ ! "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ ! "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then - uci set olsrd.@olsrd[0].RtTable='111' - uci set olsrd.@olsrd[0].RtTableDefault='112' - uci commit - /etc/init.d/olsrd restart + if [ "$net" != "" -a -n "$dev" ]; then + eval $(/bin/ipcalc.sh $net) + if [ "$PREFIX" != "0" ]; then + if [ ! "$(ip r s t olsr-default |grep "throw $NETWORK/$PREFIX")" ]; then + ip r a throw $NETWORK/$PREFIX table olsr-default + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Add route: throw $NETWORK/$PREFIX table olsr-default" + else + logger -s -t policyrouting "Error! 
Could not add route: throw $NETWORK/$PREFIX table olsr-default" + fi fi + fi - # Disable dyn_gw and dyngw_plain - dyngwlib=`uci show olsrd |grep dyn_gw.so |awk {' FS="."; print $1"."$2 '}` - if [ -n "$dyngwlib" ]; then - uci set $dyngwlib.ignore=1 - uci commit + if [ -n "$net6" ]; then + if [ ! "$(ip -6 r s t olsr-default |grep "throw $net6")" ]; then + rule="throw $net6 table olsr-default dev $dev" + ip -6 r a $rule + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Add route: $rule (IPv6)" + else + logger -s -t policyrouting "Error! Could not add route: $rule (IPv6)" + fi fi + fi - dyngwplainlib=`uci show olsrd |grep dyn_gw_plain |awk {' FS="."; print $1"."$2 '}` - if [ -n "$dyngwplainlib" ]; then - uci set $dyngwplainlib.ignore=1 - uci commit + networks="" + for z in $zones; do + network_zone="$(uci -q get firewall.zone_${z}.network)" + if [ -z "$network_zone" ]; then + network_zone="$z" fi - - gw="$(ip r |grep default | cut -d " " -f 3)" - # if no gateway was found stop now - [ -z "$gw" ] && logger -s -t policyrouting "No gateway found" && exit 1 - - device="`uci -q -p /var/state get network.wan.ifname`" - [ -z "$device" ] && device="`uci -q -p /var/state get network.wan.device`" - [ -z "$device" ] && logger -s -t policyrouting "No device found for wan." && exit 1 - - test -n "`ip r s t default`" && ip r d default t default - test -n "`ip r s |grep default`" && ip route del default - ip route add default via $gw dev $device table default - - if [ "$has_ipv6" = 1 ]; then - local ip6gw=$(ip -6 r |grep default |cut -d " " -f 3) - test -n "`ip -6 r s t default`" && ip -6 r d default t default - if [ -n "`ip -6 r s |grep default`" ]; then - ip -6 route del default - ip -6 r a $ip6gw via $ip6gw dev $dev table default - ip -6 route add default via $ip6gw dev $device table default - fi + networks="$networks $network_zone" + done + for n in $networks; do + if [ "$INTERFACE" = "$n" ]; then + for p in $proto; do + if [ ! 
"$(ip -$p ru s | grep "from all iif $dev lookup olsr-default")" ]; then + ip -$p rule add dev "$dev" lookup olsr-default prio 20000 + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Use mesh gateway for interface $dev (IPv$p)" + if [ -z "$(uci -P /var/state get freifunk-policyrouting.${INTERFACE})" ]; then + uci -P /var/state set freifunk-policyrouting.${INTERFACE}="state" + fi + uci -P /var/state set freifunk-policyrouting.${INTERFACE}.device="$dev" + else + logger -s -t policyrouting "Error: Could not add rule: dev "$dev" lookup olsr-default prio 20000 (IPv$p)" + fi + fi + done fi + done + fi +fi - ip rule del lookup main - ip rule add fwmark 1 lookup olsr-default - ip rule add lookup main - ip rule add lookup olsr - # Fallback via mesh if no ipv4 gateway is found in default table - [ "$fallback" = 1 ] && ip rule add lookup olsr-default prio 32800 - - if [ "$has_ipv6" = 1 ]; then - ip -6 rule del lookup main - ip -6 rule add lookup olsr prio 16380 - ip -6 rule add lookup main prio 16390 - ip -6 rule add fwmark 1 lookup olsr-default prio 16400 - ip -6 rule add lookup default prio 16410 - [ "$fallback" = 1 ] && ip -6 rule add lookup olsr-default prio 16420 +if [ "$ACTION" = "ifdown" ]; then + dev="$(uci -q -P /var/state get freifunk-policyrouting.${INTERFACE}.device)" + if [ -n "$dev" ]; then + networks="" + for z in $zones; do + network_zone="$(uci -q get firewall.zone_${z}.network)" + if [ -z "$network_zone" ]; then + network_zone="$z" fi - else - olsrd_rmtables - fi - ;; - - ifdown) - logger -s -t policyrouting "Deleting ipv4 policy rules for $INTERFACE" - olsrd_rmtables - ip rule del fwmark 1 lookup olsr-default > /dev/null 2>&1 - ip rule del lookup olsr-default > /dev/null 2>&1 - ip rule del lookup olsr > /dev/null 2>&1 - if [ "$has_ipv6" = 1 ]; then - logger -s -t policyrouting "Deleting ipv4 policy rules for $INTERFACE" - ip -6 rule del fwmark 1 lookup olsr-default > /dev/null 2>&1 - ip -6 rule del lookup olsr-default > /dev/null 2>&1 - ip -6 rule del 
lookup olsr > /dev/null 2>&1 - ip -6 rule del lookup default > /dev/null 2>&1 + networks="$networks $network_zone" + done + for n in $networks; do + if [ "$INTERFACE" = "$n" ]; then + for p in $proto; do + if [ "$(ip -$p ru s | grep "from all iif $dev lookup olsr-default")" ]; then + ip -$p rule del dev "$dev" lookup olsr-default prio 20000 + if [ "$?" = 0 ]; then + logger -s -t policyrouting "Remove rule: dev "$dev" lookup olsr-default prio 20000 (IPv$p)" + else + logger -s -t policyrouting "Error! Could not remove rule: dev "$dev" lookup olsr-default prio 20000 (IPv$p)" + fi + fi + done + fi + done fi - ;; -esac +fi diff --git a/contrib/package/freifunk-policyrouting/files/etc/init.d/freifunk-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/init.d/freifunk-policyrouting index 58faa67aa3..a8e44244b4 100755 --- a/contrib/package/freifunk-policyrouting/files/etc/init.d/freifunk-policyrouting +++ b/contrib/package/freifunk-policyrouting/files/etc/init.d/freifunk-policyrouting 
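Review bot: The idempotency checks in both the ifup and ifdown branches match `ip` output with an unanchored, unescaped grep, so `grep "throw $NETWORK/$PREFIX"` with a /2 prefix already matches an existing /24 throw route, and the `.` in a device name such as `eth0.1` acts as a regex wildcard — in either case the add is silently skipped. Compare whole fields instead, e.g. `ip r s t olsr-default | awk -v pfx="$NETWORK/$PREFIX" '$1=="throw" && $2==pfx {f=1} END {exit !f}'` for the route and `grep -qF -- "iif $dev lookup olsr-default"` for the rule. The ifdown branch also never removes `freifunk-policyrouting.${INTERFACE}.device` from /var/state after deleting the rules, so if the interface later comes up on a different physdev the stale entry is what the next ifdown reads (inferred from the state handling visible here; confirm against how netifd clears /var/state). `eval $(/bin/ipcalc.sh $net)` evaluates command output; `$net` comes from netifd rather than from a user, so it looks acceptable, but quoting `"$net"` costs nothing.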
@@ -1,13 +1,143 @@ #!/bin/sh /etc/rc.common -START=60 +START=15 . /lib/functions/network.sh -boot() -{ - prenabled=$(uci get freifunk-policyrouting.pr.enable) - if [ ! "$prenabled" = "1" ] || ! network_is_up wan; then - uci -q delete olsrd.@olsrd[0].RtTable - uci -q delete olsrd.@olsrd[0].RtTableDefault +. /lib/functions.sh + +proto="4" +[ -f /proc/net/ipv6_route ] && proto="4 6" + +config_load freifunk-policyrouting +config_get enable pr enable +config_get fallback pr fallback +config_get zones pr zones + +olsrd_rmtables() { + # Remove custom routing tables from olsrd + if [ "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then + uci delete olsrd.@olsrd[0].RtTable + uci delete olsrd.@olsrd[0].RtTableDefault + uci commit + fi +} + +olsrd_intalltables() { + if [ ! "`uci -q get olsrd.@olsrd[0].RtTable`" == "111" ] || [ ! "`uci -q get olsrd.@olsrd[0].RtTableDefault`" == "112" ]; then + uci set olsrd.@olsrd[0].RtTable='111' + uci set olsrd.@olsrd[0].RtTableDefault='112' + uci commit olsrd + /etc/init.d/olsrd restart + fi +} + + +rt_tables() { + tables="/etc/iproute2/rt_tables" + if [ -z "`grep "111" $tables`" ]; then + echo "111 olsr" >> $tables + fi + if [ -z "`grep "112" $tables`" ]; then + echo "112 olsr-default" >> $tables + fi +} + +disable_dyngw() { + dyngwlib=`uci show olsrd |grep dyn_gw.so |awk {' FS="."; print $1"."$2 '}` + if [ -n "$dyngwlib" ]; then + uci set $dyngwlib.ignore=1 + uci commit olsrd + fi + + dyngwplainlib=`uci show olsrd |grep dyn_gw_plain |awk {' FS="."; print $1"."$2 '}` + if [ -n "$dyngwplainlib" ]; then + uci set $dyngwplainlib.ignore=1 uci commit olsrd fi } + +restart_services() { + wifi + /etc/init.d/network restart + /etc/init.d/olsrd restart +} + +boot() { + if [ "$enable" = "1" ]; then + [ -d /var/state ] || mkdir -p /var/state + touch /var/state/freifunk-policyrouting + start + else + olsrd_rmtables + fi +} +start() { + if [ $enable = "1" ]; then + logger -s -t 
policyrouting "Starting policy routing." + rt_tables + olsrd_intalltables + disable_dyngw + + for p in $proto; do + if [ ! "$(ip -$p ru s | grep "1000: from all lookup olsr")" ]; then + ip -$p rule add lookup olsr prio 1000 + if [ "$?" = "0" ]; then + logger -s -t policyrouting "Added rule: lookup olsr prio 1000 (IPv$p)" + else + logger -s -t policyrouting "Error! Could not add rule: lookup olsr prio 1000 (IPv$p)" + fi + fi + done + + # add unreachable with high metric so packets stop here if they find no gateway + # in table olsr-default + if [ "$strict" != 0 ]; then + for p in $proto; do + [ ! "$(ip -$p r s t olsr-default |grep "unreachable default")" ] && { + ip -$p route add unreachable default table olsr-default metric 65535 + if [ "$?" = "0" ]; then + logger -s -t policyrouting "Added route: unreachable default table olsr-default metric 65535 (IPv$p)" + else + logger -s -t policyrouting "Error! Could not add route: unreachable default table olsr-default metric 65535 (IPv$p)" + fi + } + done + + fi + if [ "$fallback" = 1 ]; then + for p in $proto; do + [ ! "$(ip -$p ru s |grep "from all lookup olsr-default")" ] && { + ip -$p rule add lookup olsr-default prio 33000 + if [ "$?" = "0" ]; then + logger -s -t policyrouting "Added rule: olsr-default prio 33000 (IPv$p)" + else + logger -s -t policyrouting "Error! Could not add rule: olsr-default prio 33000 (IPv$p)" + fi + } + done + fi + fi +} + +stop() { + logger -s -t policyrouting "Stopping policy routing" + olsrd_rmtables + for p in $proto; do + ip -$p route flush table olsr-default + ip -$p rule del lookup olsr-default > /dev/null 2>&1 + ip -$p rule del lookup olsr > /dev/null 2>&1 + done + restart_services + echo "Hint: To completely disable freifunk-policyrouting set enable=0 in /etc/config/freifunk-policyrouting." 
+}
+restart() {
+ logger -s -t policyrouting "Restarting policy routing"
+ olsrd_rmtables
+ for p in $proto; do
+ ip -$p route flush table olsr-default
+ ip -$p rule del lookup olsr-default > /dev/null 2>&1
+ ip -$p rule del lookup olsr > /dev/null 2>&1
+ done
+ start
+ restart_services
+}
diff --git a/contrib/package/freifunk-policyrouting/files/etc/uci-defaults/freifunk-policyrouting b/contrib/package/freifunk-policyrouting/files/etc/uci-defaults/freifunk-policyrouting
index a6412d4df0..a1e631015c 100644
--- a/contrib/package/freifunk-policyrouting/files/etc/uci-defaults/freifunk-policyrouting
+++ b/contrib/package/freifunk-policyrouting/files/etc/uci-defaults/freifunk-policyrouting
@@ -1,7 +1,7 @@
 #!/bin/sh
 uci batch <<-EOF
 add ucitrack freifunk-policyrouting
- add_list ucitrack.@freifunk-policyrouting[-1].affects="network"
+ add_list ucitrack.@freifunk-policyrouting[-1].exec="/etc/init.d/freifunk-policyrouting restart"
 commit ucitrack
 EOF
-- 
2.30.2
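Review bot: `start()` gates the `unreachable default` route in table olsr-default on `"$strict" != 0`, but `strict` is never loaded — only `enable`, `fallback` and `zones` get a `config_get` at the top of the file — so the variable is always empty, the test is always true, and the `strict` option that the deleted firewall hotplug script honoured can no longer switch the blackhole off. Add `config_get strict pr strict` beside the other `config_get` lines. `stop()` and `restart()` each issue `ip -$p rule del lookup olsr-default` once, yet after the hotplug script has added a per-device `lookup olsr-default` rule for every mesh interface plus the prio 33000 fallback rule, one delete appears to remove only the first match; looping `while ip -$p rule del lookup olsr-default 2>/dev/null; do :; done` (and the same for `olsr`) clears them all. `start()` also tests `[ $enable = "1" ]` unquoted, which is a syntax error when the option is unset, whereas `boot()` quotes it.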