Merge branch 'FirewallIncludes' into develop

files/etc/config.mesh/firewall

@@ -80,6 +80,10 @@ config rule
         option family           ipv4
         option target           ACCEPT
 
+config include
+        option path /usr/local/bin/mesh-firewall
+        option reload           1
+
 config include
         option path /etc/firewall.user
 

files/etc/local/mesh-firewall/01-tunnels

@@ -0,0 +1,90 @@
+#!/bin/sh
+<<'LICENSE'
+  Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
+  Copyright (C) 2015 Conrad Lara
+   See Contributors file for additional contributors
+
+  Copyright (c) 2013 David Rivenburg et al. BroadBand-HamNet
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation version 3 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+  Additional Terms:
+
+  Additional use restrictions exist on the AREDN(TM) trademark and logo.
+    See AREDNLicense.txt for more info.
+
+  Attributions to the AREDN Project must be retained in the source code.
+  If importing this code into a new or existing project attribution
+  to the AREDN project must be added to the source code.
+
+  You must not misrepresent the origin of the material conained within.
+
+  Modified versions must be modified to attribute to the original source
+  and be marked in reasonable ways as differentiate it from the original
+  version.
+
+LICENSE
+
+if [ "$MESHFW_TUNNELS_ENABLED" != "1" ]; then
+        exit 0;
+fi
+
+# Test for pre-existing firewall rules which use a wildcard and only need setup 1 time for multiple tunnel connections
+if ( $(iptables -L forwarding_vpn | egrep "^Chain forwarding_vpn \(.+ references\)" > /dev/null) ) then
+	rules_exist=1
+else
+	rules_exist=0
+fi
+
+# Do nothing on firewall if tunnels already (or still) exist--set up once.
+if [ $rules_exist -eq 0  ] ; then
+	echo "Adding vtun firewall rules..."
+        iptables -N forwarding_vpn
+        iptables -N input_vpn
+        iptables -N zone_vpn
+        iptables -N zone_vpn_ACCEPT
+        iptables -N zone_vpn_DROP
+        iptables -N zone_vpn_REJECT
+        iptables -N zone_vpn_forward
+        iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
+        iptables -I delegate_input 3 -i tun+ -j zone_vpn
+        iptables -I delegate_output 3 -j zone_vpn_ACCEPT
+        iptables -A zone_vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
+        iptables -A zone_vpn -p tcp -m tcp --dport 2222 -j ACCEPT
+        iptables -A zone_vpn -p tcp -m tcp --dport 8080 -j ACCEPT
+        iptables -A zone_vpn -p udp -m udp --dport 698 -j ACCEPT
+        iptables -A zone_vpn -p tcp -m tcp --dport 1978 -j ACCEPT
+        iptables -A zone_vpn -p tcp -m tcp --dport 23 -j ACCEPT
+        iptables -A zone_vpn -p tcp -m tcp --dport 9090 -j ACCEPT
+        iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
+        iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
+        iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
+        iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
+	if [ "$MESHFW_MESHGW" -eq 1 ] ; then
+        	iptables -I zone_vpn_forward -j zone_wan_ACCEPT
+	else
+        	iptables -I zone_vpn_forward -j zone_wan_REJECT
+	fi
+        iptables -A zone_vpn -j input_vpn
+        iptables -A zone_vpn -j zone_vpn_ACCEPT
+        iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
+        iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
+        iptables -A zone_vpn_DROP -o tun+ -j DROP
+        iptables -A zone_vpn_DROP -i tun+ -j DROP
+        iptables -A zone_vpn_REJECT -o tun+ -j reject
+        iptables -A zone_vpn_REJECT -i tun+ -j reject
+        iptables -A zone_vpn_forward -j zone_dtdlink_ACCEPT
+        iptables -A zone_vpn_forward -j zone_lan_ACCEPT
+        iptables -A zone_vpn_forward -j zone_wifi_ACCEPT
+        iptables -A zone_vpn_forward -j forwarding_vpn
+fi

files/etc/local/mesh-firewall/README

@@ -0,0 +1,4 @@
+## This directory includes shell scripts that will be auto executed each time the firewall is reloaded
+## Some variables are set in the environment to make checks easier.
+## Files should follow the ##-name structure and be marked executable.
+## This directory is NOT saved during an OTA Upgrade

files/usr/local/bin/mesh-firewall

@@ -0,0 +1,67 @@
+#!/bin/sh
+<<'LICENSE'
+  Part of AREDN -- Used for creating Amateur Radio Emergency Data Networks
+  Copyright (C) 2015 Conrad Lara
+   See Contributors file for additional contributors
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation version 3 of the License.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+  Additional Terms:
+
+  Additional use restrictions exist on the AREDN(TM) trademark and logo.
+    See AREDNLicense.txt for more info.
+
+  Attributions to the AREDN Project must be retained in the source code.
+  If importing this code into a new or existing project attribution
+  to the AREDN project must be added to the source code.
+
+  You must not misrepresent the origin of the material conained within.
+
+  Modified versions must be modified to attribute to the original source
+  and be marked in reasonable ways as differentiate it from the original
+  version.
+
+LICENSE
+
+
+### Lets export some variables to help other scripts we call later.
+
+#Are we in NAT mode
+if [ -f "/etc/config/dmz-mode" ]
+then
+  export MESHFW_NATLAN=0
+else
+  export MESHFW_NATLAN=1
+fi
+
+#Is this node a meshgw
+export MESHFW_MESHGW
+MESHFW_MESHGW=$(grep -i olsrd_gw /etc/config.mesh/_setup|cut -d ' ' -f 3)
+
+# Are tunnels 'enabled'
+if [ -x "/usr/sbin/vtund" ]
+then
+  export MESHFW_TUNNELS_ENABLED=1
+else
+  export MESHFW_TUNNELS_ENABLED=0
+fi
+
+# Lets execute each include file
+
+for file in /etc/local/mesh-firewall/*
+do
+  if ( [ -x "$file" ] && [ -f "$file" ] ); then
+    echo "mesh-firewall: Executing $file"
+    $file
+  fi
+done

files/usr/local/bin/vtun_up

@@ -38,106 +38,12 @@ LICENSE
 
 interface=$1
 action=$2
-is_olsrgw=`cat /etc/config.mesh/_setup|grep -i olsrd_gw|cut -d ' ' -f 3`
 configmode=`uci -q -c /etc/local/uci/ get hsmmmesh.settings.config`
-inf_count=`ifconfig | egrep "^tun[0-9]" | wc -l`
 echo "Firewall rules for $interface $action"
 
 # Do nothing if node is not in mesh mode
 if [ "$configmode" != "mesh" ] ; then exit 0; fi
 
-# Test for pre-existing firewall rules which use a wildcard and only need setup 1 time for multiple tunnel connections
-if ( `iptables -L forwarding_vpn | egrep "^Chain forwarding_vpn \(.+ references\)" > /dev/null` ) then
-	rules_exist=1
-else
-	rules_exist=0
-fi
-
-# Do nothing on firewall if tunnels already (or still) exist--set up once for first and remove on last down
-if [ $rules_exist -eq 0 -a "$action" = "up" ] ; then
-	echo "Adding vtun firewall rules..."
-        iptables -N forwarding_vpn
-        iptables -N input_vpn
-        iptables -N zone_vpn
-        iptables -N zone_vpn_ACCEPT
-        iptables -N zone_vpn_DROP
-        iptables -N zone_vpn_REJECT
-        iptables -N zone_vpn_forward
-        iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
-        iptables -I delegate_input 3 -i tun+ -j zone_vpn
-        iptables -I delegate_output 3 -j zone_vpn_ACCEPT
-        iptables -A zone_vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-        iptables -A zone_vpn -p tcp -m tcp --dport 2222 -j ACCEPT
-        iptables -A zone_vpn -p tcp -m tcp --dport 8080 -j ACCEPT
-        iptables -A zone_vpn -p udp -m udp --dport 698 -j ACCEPT
-        iptables -A zone_vpn -p tcp -m tcp --dport 1978 -j ACCEPT
-        iptables -A zone_vpn -p tcp -m tcp --dport 23 -j ACCEPT
-        iptables -A zone_vpn -p tcp -m tcp --dport 9090 -j ACCEPT
-        iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
-        iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
-        iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
-        iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
-	if [ $is_olsrgw -eq 1 ] ; then
-        	iptables -I zone_vpn_forward -j zone_wan_ACCEPT
-	else
-        	iptables -I zone_vpn_forward -j zone_wan_REJECT
-	fi
-        iptables -A zone_vpn -j input_vpn
-        iptables -A zone_vpn -j zone_vpn_ACCEPT
-        iptables -A zone_vpn_ACCEPT -o tun+ -j ACCEPT
-        iptables -A zone_vpn_ACCEPT -i tun+ -j ACCEPT
-        iptables -A zone_vpn_DROP -o tun+ -j DROP
-        iptables -A zone_vpn_DROP -i tun+ -j DROP
-        iptables -A zone_vpn_REJECT -o tun+ -j reject
-        iptables -A zone_vpn_REJECT -i tun+ -j reject
-        iptables -A zone_vpn_forward -j zone_dtdlink_ACCEPT
-        iptables -A zone_vpn_forward -j zone_lan_ACCEPT
-        iptables -A zone_vpn_forward -j zone_wifi_ACCEPT
-        iptables -A zone_vpn_forward -j forwarding_vpn
-fi
-
-if [ $inf_count -eq 0 -a "$action" = "down" ] ; then
-	echo "Removing vtun firewall rules..."
-        iptables -D zone_vpn_forward -j forwarding_vpn
-        iptables -D zone_vpn_forward -j zone_wifi_ACCEPT
-        iptables -D zone_vpn_forward -j zone_lan_ACCEPT
-        iptables -D zone_vpn_forward -j zone_dtdlink_ACCEPT
-        iptables -D zone_vpn_REJECT -i tun+ -j reject
-        iptables -D zone_vpn_REJECT -o tun+ -j reject
-        iptables -D zone_vpn_DROP -i tun+ -j DROP
-        iptables -D zone_vpn_DROP -o tun+ -j DROP
-        iptables -D zone_vpn_ACCEPT -i tun+ -j ACCEPT
-        iptables -D zone_vpn_ACCEPT -o tun+ -j ACCEPT
-        iptables -D zone_vpn -j zone_vpn_ACCEPT
-        iptables -D zone_vpn -j input_vpn
-        iptables -D zone_vpn_forward -j zone_vpn_ACCEPT
-	if [ ! $is_olsrgw -eq 1 ] ; then
-        	iptables -D zone_vpn_forward -j zone_wan_ACCEPT
-	else
-        	iptables -D zone_vpn_forward -j zone_wan_REJECT
-	fi
-        iptables -D zone_wifi_forward -j zone_vpn_ACCEPT
-        iptables -D zone_lan_forward -j zone_vpn_ACCEPT
-        iptables -D zone_dtdlink_forward -j zone_vpn_ACCEPT
-        iptables -D zone_vpn -p tcp -m tcp --dport 23 -j ACCEPT
-        iptables -D zone_vpn -p tcp -m tcp --dport 1978 -j ACCEPT
-        iptables -D zone_vpn -p udp -m udp --dport 698 -j ACCEPT
-        iptables -D zone_vpn -p tcp -m tcp --dport 8080 -j ACCEPT
-        iptables -D zone_vpn -p tcp -m tcp --dport 2222 -j ACCEPT
-        iptables -D zone_vpn -p tcp -m tcp --dport 9090 -j ACCEPT
-        iptables -D zone_vpn -p icmp -m icmp --icmp-type 8 -j ACCEPT
-        iptables -D delegate_output -j zone_vpn_ACCEPT
-        iptables -D delegate_input -i tun+ -j zone_vpn
-        iptables -D delegate_forward -i tun+ -j zone_vpn_forward
-        iptables -X zone_vpn_REJECT
-        iptables -X zone_vpn_DROP
-        iptables -X zone_vpn_ACCEPT
-        iptables -X zone_vpn
-        iptables -X zone_vpn_forward
-        iptables -X input_vpn
-        iptables -X forwarding_vpn
-fi
-
 if [ "$action" = "up" ] ; then
 	# Adding route policies for tunnel interface
 	# identical to hotplug for dtdlink