Rebuild the NAT version of the firewall (#1243)
* New firewall configuration for NATed LAN. * Fix ip rule
This commit is contained in:
parent
5d8a240c8f
commit
8d4eadee53
@ -26,7 +26,6 @@ config zone
option input REJECT
option input REJECT
option output ACCEPT
option output ACCEPT
option forward REJECT
option forward REJECT
option masq 1
option mtu_fix 1
option mtu_fix 1
config zone
config zone
@ -1,17 +0,0 @@
# This script is run when the node is in NAT mode to
# setup addtional firewall rules needed for nat.
# allowing all other traffic to transport as is.
dtdlinkip=`uci -q get network.dtdlink.ipaddr`
wifiip=`uci -q get network.wifi.ipaddr`
ip rule del pref 20010 fwmark 0x15 lookup 29 > /dev/null 2>&1
ip rule add pref 20010 fwmark 0x15 lookup 29
#tag traffic for use later in iprule's
nft insert rule ip fw4 mangle_prerouting ip daddr $wifiip meta mark set 0x15
nft insert rule ip fw4 mangle_prerouting ip daddr $dtdlinkip meta mark set 0x15
# Mark and masq local traffic going out the dtdlink interface.
nft add rule ip fw4 helper_lan meta mark set 0xe
nft add rule ip fw4 srcnat mark 0xe mark 0xe masquerade
@ -51,9 +51,7 @@ if [ "$ACTION" = "ifup" ] ; then
echo "Setting routing rules."
echo "Setting routing rules."
if [ "$INTERFACE" == "wifi" ] || [ "$INTERFACE" == "dtdlink" ] || [ "${INTERFACE:0:3}" = "tun" ] || [ "${INTERFACE:0:2}" = "wg" ] || [ "$xlink" != "" ]; then
if [ "$INTERFACE" == "wifi" ] || [ "$INTERFACE" == "dtdlink" ] || [ "${INTERFACE:0:3}" = "tun" ] || [ "${INTERFACE:0:2}" = "wg" ] || [ "$xlink" != "" ]; then
if [ "$(/sbin/uci -q get aredn.@dmz[0].mode)" != "0" ] ; then
ip rule add pref 20010 iif $DEVICE lookup 29
ip rule add pref 20010 iif $DEVICE lookup 29
fi
ip rule add pref 20020 iif $DEVICE lookup 30
ip rule add pref 20020 iif $DEVICE lookup 30
ip rule add pref 20080 iif $DEVICE lookup 31
ip rule add pref 20080 iif $DEVICE lookup 31
if [ $is_olsrgw -eq 1 ] ; then
if [ $is_olsrgw -eq 1 ] ; then
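Review bot: The now-unconditional `ip rule add pref 20010 iif $DEVICE lookup 29` is not idempotent, so if this ifup handler runs more than once for the same interface the identical rule is inserted again on each run. The natmode script deleted in this commit guarded its add with a delete; the same pattern fits here: `ip rule del pref 20010 iif $DEVICE lookup 29 > /dev/null 2>&1` placed immediately before the add. The 20020 and 20080 rules below have the same property, though they are not new in this commit. Both the `if [ "$ACTION" = "ifup" ]` block and the interface-test `if` that enclose this line start or end outside the hunk.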
@ -51,6 +51,9 @@ function is_null(v)
return false
return false
end
end
end
end
function is_notnull(v)
return not is_null(v)
end
local function h2s(hex)
local function h2s(hex)
local s = ""
local s = ""
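Review bot: `is_notnull` is added without a doc comment and, like `is_null`, as a global function, whereas the neighbouring helper `h2s` is file-local. Since the only callers visible in this commit are in the same file, `local function is_notnull(v)` would keep it out of the global namespace, given that the definition precedes its first use as it does here. A one-line LDoc header such as `--- Inverse of is_null: true when is_null(v) is false.` would state the contract without restating is_null, whose body begins above the hunk.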
@ -225,7 +228,7 @@ if cfg.wan_proto == "dhcp" then
deleteme.wan_gw = true
deleteme.wan_gw = true
deleteme.wan_mask = true
deleteme.wan_mask = true
end
end
if not is_null(cfg.dmz_mode) or cfg.wan_proto ~= "disabled" then
if is_notnull(cfg.dmz_mode) or cfg.wan_proto ~= "disabled" then
deleteme.lan_gw = true
deleteme.lan_gw = true
end
end
@ -282,7 +285,7 @@ if is_null(cfg.dmz_mode) then
end
end
-- switch to dmz values if needed
-- switch to dmz values if needed
if not is_null(cfg.dmz_mode) then
if is_notnull(cfg.dmz_mode) then
cfg.lan_ip = cfg.dmz_lan_ip
cfg.lan_ip = cfg.dmz_lan_ip
cfg.lan_mask = cfg.dmz_lan_mask
cfg.lan_mask = cfg.dmz_lan_mask
cfg.dhcp_start = cfg.dmz_dhcp_start
cfg.dhcp_start = cfg.dmz_dhcp_start
@ -647,18 +650,14 @@ write_all("/tmp/new_config/vtun", expand_vars("<tun_network_config>"))
local nc = uci.cursor("/tmp/new_config")
local nc = uci.cursor("/tmp/new_config")
-- append to firewall
-- append to firewall
local add_masq = false
local fw = io.open("/tmp/new_config/firewall", "a")
local fw = io.open("/tmp/new_config/firewall", "a")
if fw then
if fw then
if not is_null(cfg.dmz_mode) then
if is_notnull(cfg.dmz_mode) then
fw:write("\nconfig forwarding\n option src wifi\n option dest lan\n")
fw:write("\nconfig forwarding\n option src wifi\n option dest lan\n")
fw:write("\nconfig forwarding\n option src dtdlink\n option dest lan\n")
fw:write("\nconfig forwarding\n option src dtdlink\n option dest lan\n")
if vpnzone then
if vpnzone then
fw:write("\nconfig forwarding\n option src vpn\n option dest lan\n")
fw:write("\nconfig forwarding\n option src vpn\n option dest lan\n")
end
end
add_masq = true
else
fw:write("\nconfig 'include'\n option 'path' '/etc/firewall.natmode'\n option 'reload' '1'\n")
end
end
if nc:get("aredn", "@wan[0]", "olsrd_gw") == "1" then
if nc:get("aredn", "@wan[0]", "olsrd_gw") == "1" then
@ -692,7 +691,7 @@ if fw then
if not oport:match("-") then
if not oport:match("-") then
host = host .. " option dest_port " .. iport .. "\n"
host = host .. " option dest_port " .. iport .. "\n"
end
end
if not is_null(cfg.dmz_mode) and intf == "both" then
if is_notnull(cfg.dmz_mode) and intf == "both" then
intf = "wan"
intf = "wan"
end
end
if intf == "both" then
if intf == "both" then
@ -720,8 +719,16 @@ if fw then
fw:close();
fw:close();
end
end
if add_masq then
nc:set("firewall", "@zone[2]", "masq", "0")
-- setup nat
if is_null(cfg.dmz_mode) then
-- zone[0] = lan, zone[1] = wan, zone[2] = wifi, zone[3] = dtdlink, zone[4] = vpn
local masq_src = cfg.lan_ip .. "/" .. netmask_to_cidr(cfg.lan_mask)
for z = 2, 4
do
nc:set("firewall", "@zone[" .. z .. "]", "masq", "1")
nc:set("firewall", "@zone[" .. z .. "]", "masq_src", masq_src)
end
nc:commit("firewall")
nc:commit("firewall")
end
end
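Review bot: The new NAT block selects the zones to masquerade by positional index (`@zone[2]` through `@zone[4]`) and records the index-to-zone mapping only in a comment; if the order of zone sections in the generated firewall file ever changes, masquerading with the LAN `masq_src` is applied to the wrong zone (possibly lan or wan), and when no vpn zone is present (the earlier hunk writes the vpn forwarding only `if vpnzone`) the `@zone[4]` sets target a section that does not exist. Matching zones by their `name` option through the cursor's `foreach` removes the dependence on template order, as sketched below. This stretch of the hunk sits at file level after the `end` that closes `if fw then`, so the enclosing context is outside the hunk.
```lua
-- setup nat
if is_null(cfg.dmz_mode) then
    local masq_src = cfg.lan_ip .. "/" .. netmask_to_cidr(cfg.lan_mask)
    -- pick zones by name rather than by position in the template
    nc:foreach("firewall", "zone", function(s)
        if s.name == "wifi" or s.name == "dtdlink" or s.name == "vpn" then
            nc:set("firewall", s[".name"], "masq", "1")
            nc:set("firewall", s[".name"], "masq_src", masq_src)
        end
    end)
    nc:commit("firewall")
end
```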
@ -983,13 +990,13 @@ if h and e then
h:write("# automatically generated file - do not edit\n")
h:write("# automatically generated file - do not edit\n")
h:write("# use /etc/hosts.user for custom entries\n")
h:write("# use /etc/hosts.user for custom entries\n")
h:write("127.0.0.1\tlocalhost\n")
h:write("127.0.0.1\tlocalhost\n")
if not is_null(cfg.wifi_ip) then
if is_notnull(cfg.wifi_ip) then
h:write(cfg.lan_ip .. "\tlocalnode\n")
h:write(cfg.lan_ip .. "\tlocalnode\n")
h:write(cfg.wifi_ip .. "\t" .. node .. " " .. tactical .. "\n")
h:write(cfg.wifi_ip .. "\t" .. node .. " " .. tactical .. "\n")
else
else
h:write(cfg.lan_ip .. "\tlocalnode " .. node .. " " .. tactical .. "\n")
h:write(cfg.lan_ip .. "\tlocalnode " .. node .. " " .. tactical .. "\n")
end
end
if not is_null(cfg.dtdlink_ip) then
if is_notnull(cfg.dtdlink_ip) then
h:write(cfg.dtdlink_ip .. "\tdtdlink." .. node .. ".local.mesh dtdlink." .. node .."\n")
h:write(cfg.dtdlink_ip .. "\tdtdlink." .. node .. ".local.mesh dtdlink." .. node .."\n")
end
end
if is_null(cfg.dmz_mode) then
if is_null(cfg.dmz_mode) then
@ -1077,12 +1084,12 @@ if nixio.fs.access("/etc/config.mesh/olsrd", "r") then
of:write(line .. "\n")
of:write(line .. "\n")
end
end
if not is_null(cfg.dmz_mode) then
if is_notnull(cfg.dmz_mode) then
local a, b, c, d = cfg.dmz_lan_ip:match("(.*)%.(.*)%.(.*)%.(.*)")
local a, b, c, d = cfg.dmz_lan_ip:match("(.*)%.(.*)%.(.*)%.(.*)")
of:write(string.format("\nconfig Hna4\n\toption netaddr %s.%s.%s.%d\n\toption netmask 255.255.255.%d\n\n", a, b, c, d - 1, nixio.bit.band(255 * 2 ^ cfg.dmz_mode, 255)))
of:write(string.format("\nconfig Hna4\n\toption netaddr %s.%s.%s.%d\n\toption netmask 255.255.255.%d\n\n", a, b, c, d - 1, nixio.bit.band(255 * 2 ^ cfg.dmz_mode, 255)))
end
end
if cfg.wifi_enable ~= "1" and not is_null(cfg.wifi_ip) then
if cfg.wifi_enable ~= "1" and is_notnull(cfg.wifi_ip) then
of:write(string.format("config Hna4\n\toption netaddr %s\n\toption netmask 255.255.255.255\n\n", cfg.wifi_ip))
of:write(string.format("config Hna4\n\toption netaddr %s\n\toption netmask 255.255.255.255\n\n", cfg.wifi_ip))
end
end
@ -1216,7 +1223,7 @@ if sf then
if cfg.wifi_enable == "1" then
if cfg.wifi_enable == "1" then
sf:write("/usr/sbin/iw dev " .. cfg.wifi_intf .. " set txpower fixed " .. cfg.wifi_txpower .. "00\n")
sf:write("/usr/sbin/iw dev " .. cfg.wifi_intf .. " set txpower fixed " .. cfg.wifi_txpower .. "00\n")
end
end
if not is_null(cfg.aprs_lat) and not is_null(cfg.aprs_lon) then
if is_notnull(cfg.aprs_lat) and is_notnull(cfg.aprs_lon) then
nc:set("aredn", "@location[0]", "lat", cfg.aprs_lat)
nc:set("aredn", "@location[0]", "lat", cfg.aprs_lat)
nc:set("aredn", "@location[0]", "lon", cfg.aprs_lon)
nc:set("aredn", "@location[0]", "lon", cfg.aprs_lon)
nc:commit("aredn")
nc:commit("aredn")