projects / lede-routing / .git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
packages: BCP38 support for openwrt
[lede-routing/.git] / bcp38 / files / run.sh
diff --git a/bcp38/files/run.sh b/bcp38/files/run.sh
new file mode 100755 (executable)
index 0000000..33ec531
--- /dev/null
+++ b/bcp38/files/run.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+STOP=$1
+IPSET_NAME=bcp38-ipv4
+IPTABLES_CHAIN=BCP38
+
+. /lib/functions.sh
+
+config_load bcp38
+
+add_bcp38_rule()
+{
+       local subnet="$1"
+       local action="$2"
+
+       if [ "$action" == "nomatch" ]; then
+               ipset add "$IPSET_NAME" "$subnet" nomatch
+       else
+               ipset add "$IPSET_NAME" "$subnet"
+       fi
+}
+
+detect_upstream()
+{
+       local interface="$1"
+
+       subnets=$(ip route show dev "$interface"  | grep 'scope link' | awk '{print $1}')
+       for subnet in $subnets; do
+               # ipset test doesn't work for subnets, so strip out the subnet part
+               # and test for that; add as exception if there's a match
+               addr=$(echo $subnet | sed 's|/[0-9]\+$||')
+               ipset test "$IPSET_NAME" $addr 2>/dev/null && add_bcp38_rule $subnet nomatch
+       done
+}
+
+run() {
+       local section="$1"
+       local enabled
+       local interface
+       local detect_upstream
+       config_get_bool enabled "$section" enabled 0
+       config_get interface "$section" interface
+       config_get detect_upstream "$section" detect_upstream
+
+       if [ "$enabled" -eq "1" -a -n "$interface" -a -z "$STOP" ] ; then
+               setup_ipset
+               setup_iptables "$interface"
+               config_list_foreach "$section" match add_bcp38_rule match
+               config_list_foreach "$section" nomatch add_bcp38_rule nomatch
+               [ "$detect_upstream" -eq "1" ] && detect_upstream "$interface"
+       fi
+       exit 0
+}
+
+setup_ipset()
+{
+       ipset create "$IPSET_NAME" hash:net family ipv4
+       ipset flush "$IPSET_NAME"
+}
+
+setup_iptables()
+{
+       local interface="$1"
+       iptables -N "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -F "$IPTABLES_CHAIN" 2>/dev/null
+
+       iptables -I output_rule -j "$IPTABLES_CHAIN"
+       iptables -I input_rule -j "$IPTABLES_CHAIN"
+       iptables -I forwarding_rule -j "$IPTABLES_CHAIN"
+
+       # always accept DHCP traffic
+       iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j RETURN
+       iptables -A "$IPTABLES_CHAIN" -o "$interface" -m set --match-set "$IPSET_NAME" dst -j REJECT --reject-with icmp-net-unreachable
+       iptables -A "$IPTABLES_CHAIN" -i "$interface" -m set --match-set "$IPSET_NAME" src -j DROP
+}
+
+destroy_ipset()
+{
+       ipset flush "$IPSET_NAME" 2>/dev/null
+       ipset destroy "$IPSET_NAME" 2>/dev/null
+}
+
+destroy_iptables()
+{
+       iptables -D output_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -D input_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -D forwarding_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -F "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -X "$IPTABLES_CHAIN" 2>/dev/null
+}
+
+destroy_iptables
+destroy_ipset
+config_foreach run bcp38
+
+exit 0
Unnamed repository; edit this file 'description' to name the repository.