network-defaults: prohibit traffic to net on ffuplink

this hotplug-script probibits all traffic to nodes on the upstream-network of ffuplink-interface. Only traffic to not directly attached networks is accepted. This script also sets up the default route for all traffic reaching the "ffuplink" routing-table. this all honors the settings of * ffwizard.sharenet * freifunk-policyrouting.enable
freifunk-berlin · Jan 30, 2018 · 0d671b3 · 0d671b3
1 parent eb5fe0f
commit 0d671b3
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/defaults/freifunk-berlin-network-defaults/Makefile b/defaults/freifunk-berlin-network-defaults/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=freifunk-berlin-network-defaults
 PKG_VERSION:=0.0.4
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 
@@ -34,6 +34,8 @@ endef
 define Package/freifunk-berlin-network-defaults/install
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(CP) ./uci-defaults/* $(1)/etc/uci-defaults
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(CP) ./hotplug.d/iface/* $(1)/etc/hotplug.d/iface/
 endef
 
 $(eval $(call BuildPackage,freifunk-berlin-network-defaults))
diff --git a/defaults/freifunk-berlin-network-defaults/hotplug.d/iface/60-ffuplink_policyrouting b/defaults/freifunk-berlin-network-defaults/hotplug.d/iface/60-ffuplink_policyrouting
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+. /lib/functions.sh
+. /lib/functions/network.sh
+
+[ "$INTERFACE" = ffuplink ] || exit
+
+config_load ffwizard
+config_get sharenet settings sharenet
+[ "$sharenet" = 1 ] || exit
+
+config_load freifunk-policyrouting
+config_get pr_enable pr enable
+config_get fallback pr fallback
+config_get strict pr strict
+config_get zones pr zones
+[ "$pr_enable" = 1 ] || exit
+
+if [ "$ACTION" = ifup ]; then
+  logger -t ff-userlog "ffuplink interface is up"
+  logger -t ff-userlog "prohibiting traffic to net on ffuplink-interface"
+  network_get_subnet uplink_net ffuplink
+  eval $(/bin/ipcalc.sh $uplink_net)
+  ip route add prohibit $NETWORK/$PREFIX table ffuplink
+  logger -t ff-userlog "setting defaultroute via ffuplink-interface for interfaces of zone $zones"
+  network_get_gateway gw ffuplink
+  ip route add default via $gw dev ffuplink table ffuplink
+  logger -t ff-userlog "ffuplink-interface is setup"
+fi
+
+if [ "$ACTION" = ifdown ]; then
+  logger -t ff-userlog "ffuplink interface going down"
+  ip route flush table ffuplink
+fi