#!/bin/sh
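# Guard clauses for this hotplug script: continue only for an ifup/ifupdate
# event on the "wan" interface, and only when the firewall config contains a
# section named allow_wan_input. Every other case exits 0 without changes.
#
# The tests are written as separate [ ] commands joined with || and &&
# because the -o / -a operators of [ are obsolescent and parse ambiguously
# when an operand looks like an operator.

# Ignore every hotplug action other than ifup and ifupdate.
[ "$ACTION" = ifup ] || [ "$ACTION" = ifupdate ] || exit 0

# Skip an ifupdate for which both IFUPDATE_ADDRESSES and IFUPDATE_DATA are
# empty.
if [ "$ACTION" = ifupdate ] && [ -z "$IFUPDATE_ADDRESSES" ] && [ -z "$IFUPDATE_DATA" ]; then
	exit 0
fi

# Only the interface named "wan" is handled.
[ "$INTERFACE" = wan ] || exit 0

# Nothing to manage when the section does not exist. Only the exit status
# matters here, so the value uci prints is discarded.
uci -q get firewall.allow_wan_input >/dev/null || exit 0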
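# is_private_ipv4 ADDRESS MASK
#
# Returns 0 when ADDRESS with prefix length MASK falls inside one of
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, and 1 otherwise.
#
# Arguments:
#   $1 - IPv4 address in dotted-decimal form
#   $2 - prefix length as a decimal integer
#
# A range is considered only when MASK is at least as long as that range's
# own prefix; the network of ADDRESS at that prefix is then computed by
# ipcalc.sh and compared with the range's base address.
#
# Security: the output of ipcalc.sh is eval'd, so both arguments are checked
# against a strict character set first and anything else is reported as
# "not private" (status 1) without reaching ipcalc.sh or eval.
is_private_ipv4() {
	local ADDRESS="$1"
	local MASK="$2"
	# Local so that the assignments eval'd from ipcalc.sh stay in this function.
	local IP NETMASK BROADCAST NETWORK PREFIX
	local RANGE BITS

	# Only digits and dots are accepted in the address.
	case "$ADDRESS" in
		'' | *[!0-9.]*) return 1 ;;
	esac
	# Only digits are accepted in the prefix length; this also keeps the
	# numeric test below from failing on a non-integer operand.
	case "$MASK" in
		'' | *[!0-9]*) return 1 ;;
	esac

	# Each entry is <prefix length>:<base address of the private range>.
	for RANGE in 8:10.0.0.0 12:172.16.0.0 16:192.168.0.0; do
		BITS="${RANGE%%:*}"
		[ "$MASK" -ge "$BITS" ] || continue

		# Cleared first so a failing ipcalc.sh cannot leave a stale match behind.
		NETWORK=
		# Quoted so the output is not word-split or glob-expanded before eval.
		eval "$(ipcalc.sh "$ADDRESS/$BITS")"
		[ "$NETWORK" = "${RANGE#*:}" ] && return 0
	done

	return 1
}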
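# Decide whether the WAN address is private, then enable or disable the
# allow_wan_input firewall rule accordingly and commit the firewall config.
#
# The default is "not private": any failure in the subshell below (ifstatus
# or jsonfilter failing, a protocol other than dhcp, a missing address or
# mask, a non-private address) leaves the rule disabled.
#
# NOTE(review): an RFC 1918 address on WAN shows that the router sits behind
# another NAT; it does not show that the upstream segment is trusted. While
# the rule is enabled, hosts on that segment can presumably reach whatever
# allow_wan_input permits - confirm the rule's scope is acceptable for that.
WAN_IS_PRIVATE=false

# Runs in a subshell so the variables set by eval stay local to it and
# "exit 1" ends only the check, not the script.
(
	ADDRESS=
	MASK=
	PROTO=
	UP=

	# jsonfilter prints shell assignments for the named variables. The
	# substitution is quoted so that output reaches eval unchanged instead
	# of being word-split and glob-expanded first.
	# Only the first IPv4 address of the interface is examined.
	eval "$(ifstatus wan | jsonfilter \
		-e 'ADDRESS=@["ipv4-address"][0].address' \
		-e 'MASK=@["ipv4-address"][0].mask' \
		-e 'PROTO=@.proto' \
		-e 'UP=@.up'
	)"

	logger -t allow_wan_input "WAN up:$UP proto:$PROTO ip:$ADDRESS mask:$MASK"

	# Only a DHCP-configured WAN with a known address and mask qualifies.
	[ "$PROTO" = dhcp ] || exit 1
	[ -n "$ADDRESS" ] || exit 1
	[ -n "$MASK" ] || exit 1

	is_private_ipv4 "$ADDRESS" "$MASK"
) && WAN_IS_PRIVATE=true

if [ "$WAN_IS_PRIVATE" = true ]; then
	logger -t allow_wan_input "Enable allow_wan_input rule for private address"
	# Removing the "enabled" option turns the rule on. -q keeps uci quiet
	# when the option is already absent.
	uci -q delete firewall.allow_wan_input.enabled
else
	logger -t allow_wan_input "Disable allow_wan_input rule for public address"
	uci set firewall.allow_wan_input.enabled=0
fi

# NOTE(review): this only commits the config; no firewall reload is issued
# here, so presumably something else applies the change - confirm.
uci commit firewall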