1 #!/bin/sh
2 
3 
4 # shellcheck source=opennet/packages/on-core/files/usr/lib/opennet/on-helper.sh
5 . "${IPKG_INSTROOT:-}/usr/lib/opennet/on-helper.sh"
6 
7 
#######################################
# Create the UCI network section for the user VPN tunnel (network.on_vpn)
# unless it already exists. The interface uses proto "none" and the device
# "tun-on-user", so that olsrd recognises the network.
# Globals:   none written (UCI config "network" is modified via uci)
# Arguments: none
# Returns:   0 if the section already exists, else the status of apply_changes
#######################################
configure_tunnel_network() {
	local uci_prefix=network.on_vpn
	local setting

	# nothing to do when the section is already present
	if [ -z "$(uci_get "$uci_prefix")" ]; then
		uci set "${uci_prefix}=interface"
		for setting in "proto=none" "device=tun-on-user"; do
			uci set "${uci_prefix}.${setting}"
		done
		apply_changes network
	fi
}
21 
22 
#######################################
# Ensure the firewall zone for the user VPN tunnel exists, together with the
# forwarding from the local zone into it and the rules that admit ssh
# (port 22) and icmp coming from the tunnel zone. The firewall configuration
# is applied only if at least one section had to be created.
# Globals:   ZONE_TUNNEL, ZONE_LOCAL, NETWORK_TUNNEL (read)
# Arguments: none
# Returns:   0 if nothing changed, else the status of apply_changes
#######################################
configure_tunnel_firewall() {
	local was_changed=0
	local uci_prefix
	local setting
	uci_prefix=$(find_first_uci_section firewall zone "name=$ZONE_TUNNEL")

	# create the zone for outgoing traffic if it is missing
	if [ -z "$(uci_get "$uci_prefix")" ]; then
		uci_prefix=firewall.$(uci add firewall zone)
		uci set "${uci_prefix}.name=$ZONE_TUNNEL"
		uci add_list "${uci_prefix}.network=$NETWORK_TUNNEL"
		# traffic into and through the zone is rejected by default; only the
		# explicit rules below admit anything from the tunnel side
		for setting in "forward=REJECT" "input=REJECT" "output=ACCEPT" "masq=1"; do
			uci set "${uci_prefix}.${setting}"
		done
		was_changed=1
	fi

	if create_uci_section_if_missing firewall forwarding \
			"src=$ZONE_LOCAL" "dest=$ZONE_TUNNEL"; then
		was_changed=1
	fi
	if create_uci_section_if_missing firewall rule \
			"src=$ZONE_TUNNEL" "dest_port=22" "target=ACCEPT" "name=on-user-ssh"; then
		was_changed=1
	fi
	if create_uci_section_if_missing firewall rule \
			"src=$ZONE_TUNNEL" "proto=icmp" "target=ACCEPT" "name=on-user-icmp"; then
		was_changed=1
	fi

	# apply only when a section was added; otherwise return 0
	[ "$was_changed" = "0" ] || apply_changes firewall
}
52 
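#######################################
# Append the TOS 0x08 handling block (chain on_tos_lan_vpn in the mangle
# table, hooked into PREROUTING) to the firewall include file.
#
# The appended block itself is written to be idempotent (it flushes its chain
# and removes its PREROUTING jump before re-adding them), but the append was
# not: every run of this init script added another copy of the block. The
# resulting rule set stays the same, yet the file grows on each run. The
# append is therefore skipped when the block's marker line is already there.
#
# Arguments: $1 - (optional) firewall include file; defaults to
#                 /etc/firewall.user, which keeps the previous behaviour
# Returns:   0 if the block is already present, else the status of cat
#######################################
configure_tos_firewall_handling() {
	local target_file="${1:-/etc/firewall.user}"

	# marker: the chain assignment as written by the here-doc below;
	# 2>/dev/null covers a not-yet-existing file, in which case we append
	if grep -qF 'ON_CHAIN="on_tos_lan_vpn"' "$target_file" 2>/dev/null; then
		return 0
	fi

	# Meaning of: <<-'EOF'
	# <<EOF is here docs and ends with string EOF as delimiter
	# <<-EOF means that leading tabs are stripped even in line containing delimiter
	# <<-'EOF' means that not interpretation of text will take place
	cat >> "$target_file" <<-'EOF'
	#
	# Mit TOS 0x08 markierter Traffic wird nicht ueber den User-VPN-Tunnel geleitet, weil wir davon ausgehen,
	# dass dieser Traffic zum UGW direkt gesendet werden soll. Siehe hierzu auch die Doku:
	# https://downloads.opennet-initiative.de/openwrt/stable/latest/doc/md__funktionsdetails.html#ugw-nutzer-kombi
	# Wir muessen sicherstellen, dass jeglicher Traffic aus dem LAN kein TOS 0x08 hat.
	#

	ON_CHAIN="on_tos_lan_vpn"
	iptables -t mangle --new-chain "$ON_CHAIN" 2>/dev/null || iptables -t mangle --flush "$ON_CHAIN"
	ip6tables -t mangle --new-chain "$ON_CHAIN" 2>/dev/null || ip6tables -t mangle --flush "$ON_CHAIN"

	# Wenn Traffic aus LAN TOS 0x08 hat, dann ersetze TOS durch 0x00
	iptables -t mangle -A "$ON_CHAIN" -i br-lan -m tos --tos 0x08 -j TOS --set-tos 0x00
	ip6tables -t mangle -A "$ON_CHAIN" -i br-lan -m tos --tos 0x08 -j TOS --set-tos 0x00

	# Loesche Regeln, falls bereits vorhanden. Regeln muessen idempotent sein.
	iptables -t mangle -D PREROUTING -j "$ON_CHAIN" 2>/dev/null
	ip6tables -t mangle -D PREROUTING -j "$ON_CHAIN" 2>/dev/null
	# Fuege Weiterleitung an unsere Chain hinzu.
	iptables -t mangle -A PREROUTING -j "$ON_CHAIN"
	ip6tables -t mangle -A PREROUTING -j "$ON_CHAIN"
	EOF
}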
82 
#######################################
# Entry point: set up the tunnel network section, the tunnel firewall zone
# and rules, and the TOS handling block, in that order.
#######################################
main() {
	configure_tunnel_network
	configure_tunnel_firewall
	configure_tos_firewall_handling
}

main "$@"