From 15f87920016de785abc1ca7bfa2e930d0555d842 Mon Sep 17 00:00:00 2001
From: AE6XE
Date: Sun, 24 May 2015 15:55:27 -0700
Subject: [PATCH 1/2] BUGFIX: tunnel firewall to work same as dtdlink
---
 files/usr/local/bin/vtun_up | 25 ++++++++++-----------------
 1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/files/usr/local/bin/vtun_up b/files/usr/local/bin/vtun_up
index 2dd08109..be089d92 100755
--- a/files/usr/local/bin/vtun_up
+++ b/files/usr/local/bin/vtun_up
@@ -41,16 +41,14 @@ if [ $rules_exist -eq 0 -a "$action" = "up" ] ; then
 iptables -A zone_vpn -p tcp -m tcp --dport 1978 -j ACCEPT
 iptables -A zone_vpn -p tcp -m tcp --dport 23 -j ACCEPT
 iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
- if [ ! $is_olsrgw -eq 1 ] ; then
- iptables -I zone_dtdlink_forward 1 -j zone_wan_REJECT
- fi
 iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
 iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
- if [ ! $is_olsrgw -eq 1 ] ; then
- iptables -I zone_wifi_forward 1 -j zone_wan_REJECT
- fi
 iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
- iptables -I zone_vpn_forward -j zone_wan_REJECT
+ if [ $is_olsrgw -eq 1 ] ; then
+ iptables -I zone_vpn_forward -j zone_wan_ACCEPT
+ else
+ iptables -I zone_vpn_forward -j zone_wan_REJECT
+ fi
 iptables -A zone_vpn -j input_vpn
 iptables -A zone_vpn -j zone_vpn_ACCEPT
 iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
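Review bot: `$is_olsrgw` is expanded unquoted in the new `if [ $is_olsrgw -eq 1 ] ; then`; if the variable is empty the test degrades to `[ -eq 1 ]`, which errors out instead of comparing, and the script falls into the REJECT branch. That is fail-closed, but it masks a misconfiguration; `if [ "$is_olsrgw" = 1 ] ; then` gives the same outcome with a real comparison. The branch is also a deliberate policy change that deserves a comment, since a gateway node now puts `zone_wan_ACCEPT` at the top of zone_vpn_forward and tunnel peers gain forwarding to this node's WAN where the removed line rejected it unconditionally; something like `# gateway nodes forward tunnel peers to WAN, non-gateways reject it` above the if would record that. The enclosing `if [ $rules_exist -eq 0 -a "$action" = "up" ]` block starts before this hunk.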
@@ -79,13 +77,15 @@ if [ $inf_count -eq 0 -a "$action" = "down" ] ; then
 iptables -D zone_vpn_ACCEPT -o tun+ -j ACCEPT
 iptables -D zone_vpn -j zone_vpn_ACCEPT
 iptables -D zone_vpn -j input_vpn
- iptables -D zone_vpn_forward -j zone_wan_REJECT
 iptables -D zone_vpn_forward -j zone_vpn_ACCEPT
+ if [ ! $is_olsrgw -eq 1 ] ; then
+ iptables -D zone_vpn_forward -j zone_wan_ACCEPT
+ else
+ iptables -D zone_vpn_forward -j zone_wan_REJECT
+ fi
 iptables -D zone_wifi_forward -j zone_vpn_ACCEPT
- iptables -D zone_wifi_forward -j zone_wan_REJECT
 iptables -D zone_lan_forward -j zone_vpn_ACCEPT
 iptables -D zone_dtdlink_forward -j zone_vpn_ACCEPT
- iptables -D zone_dtdlink_forward -j zone_wan_REJECT
 iptables -D zone_vpn -p tcp -m tcp --dport 23 -j ACCEPT
 iptables -D zone_vpn -p tcp -m tcp --dport 1978 -j ACCEPT
 iptables -D zone_vpn -p udp -m udp --dport 698 -j ACCEPT
@@ -111,17 +111,12 @@ if [ "$action" = "up" ] ; then
 ip rule add pref 20010 iif $interface lookup 29 # local interfaces
 fi
 ip rule add pref 20020 iif $interface lookup 30 # mesh
- # ensure routing to internet is the local interface on this
- # node and not forwarded to another gateway on the local mesh
- # firewall rules above will always REJECT wan access comming across the tunnel
- ip rule add pref 20090 iif $interface lookup main # local routes including wan
 ip rule add pref 20099 iif $interface unreachable
 fi
 else
 # Remove route policies for tunnel interface
 ip rule del pref 20010 iif $interface lookup 29
 ip rule del pref 20020 iif $interface lookup 30
- ip rule del pref 20090 iif $interface lookup main
 ip rule del pref 20099 iif $interface unreachable
 fi
From f610c58b827bf1afe566df347e5f9df24b6e587f Mon Sep 17 00:00:00 2001
From: AE6XE
Date: Sun, 24 May 2015 15:57:44 -0700
Subject: [PATCH 2/2] BUGFIX: tunnel firewall to behave same as dtdlink part 2
---
 files/usr/local/bin/vtun_up | 5 +++++
 1 file changed, 5 insertions(+)
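Review bot: The new teardown condition is inverted relative to the setup path: `up` inserts `zone_wan_ACCEPT` when `$is_olsrgw` is 1, but `down` runs `iptables -D zone_vpn_forward -j zone_wan_ACCEPT` only when it is not 1, so in both configurations the `-D` targets a rule that was never added and the rule that was actually inserted stays in zone_vpn_forward after the last tunnel goes down. Even with the test corrected, a gateway setting changed between up and down would leave the same stale rule behind, and a lingering `zone_wan_ACCEPT` is the one that matters. Since `-D` on a missing rule only prints an error and exits non-zero, drop the conditional and delete both candidates: `iptables -D zone_vpn_forward -j zone_wan_ACCEPT 2>/dev/null` and `iptables -D zone_vpn_forward -j zone_wan_REJECT 2>/dev/null`. The enclosing `if [ $inf_count -eq 0 -a "$action" = "down" ]` block starts before this hunk.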
diff --git a/files/usr/local/bin/vtun_up b/files/usr/local/bin/vtun_up
index be089d92..c1041fdc 100755
--- a/files/usr/local/bin/vtun_up
+++ b/files/usr/local/bin/vtun_up
@@ -106,17 +106,22 @@ fi
 if [ "$action" = "up" ] ; then
 # Adding route policies for tunnel interface
+ # identical to hotplug for dtdlink
 if ( ! `ip rule list | egrep "^20020:.*$interface.*30" > /dev/null`) then
 if [ -e /etc/config/dmz-mode ] ; then
 ip rule add pref 20010 iif $interface lookup 29 # local interfaces
 fi
 ip rule add pref 20020 iif $interface lookup 30 # mesh
+ ip rule add pref 20080 iif $interface lookup 31 # gateway
+ ip rule add pref 20090 iif $interface lookup main
 ip rule add pref 20099 iif $interface unreachable
 fi
 else
 # Remove route policies for tunnel interface
 ip rule del pref 20010 iif $interface lookup 29
 ip rule del pref 20020 iif $interface lookup 30
+ ip rule del pref 20080 iff $interface lookup 31
+ ip rule del pref 20090 iff $interface lookup main
 ip rule del pref 20099 iif $interface unreachable
 fi
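Review bot: The two new delete lines spell the selector `iff` instead of `iif`: `ip rule del pref 20080 iff $interface lookup 31` and `ip rule del pref 20090 iff $interface lookup main`. iproute2 does not accept `iff`, so both commands fail and the 20080/20090 rules added on `up` are never removed on `down`; because the `up` guard only checks for the 20020 rule, which is deleted correctly, every up/down cycle of a tunnel adds another pair of stale policy rules for that interface name. The fix is `iif` on both lines, matching the three surviving `ip rule del` commands. The added `pref 20080 ... lookup 31` rule also sends tunnel-originated traffic through the gateway table ahead of main; the comment says this mirrors the dtdlink hotplug, which is presumably intended, but it is worth confirming it agrees with the gateway-dependent WAN rule the first patch puts in zone_vpn_forward.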