470f5b31e3
Don't set the default firewall zone to wan if not specified to keep the behavior aligned with other tunnel protocols like gre and 6rd. If the interface zone is not specified try to get it from the firewall config when constructing the procd firewall rule. While at it only add a procd inbound firewall rule if a zone is specified. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
116 lines
2.8 KiB
Bash
Executable File
116 lines
2.8 KiB
Bash
Executable File
#!/bin/sh
|
|
# 464xlat.sh - 464xlat CLAT
|
|
#
|
|
# Copyright (c) 2015 Steven Barth <cyrus@openwrt.org>
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License version 2
|
|
# as published by the Free Software Foundation
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
|
|
[ -n "$INCLUDE_ONLY" ] || {
|
|
. /lib/functions.sh
|
|
. /lib/functions/network.sh
|
|
. ../netifd-proto.sh
|
|
init_proto "$@"
|
|
}
|
|
|
|
proto_464xlat_setup() {
|
|
local cfg="$1"
|
|
local iface="$2"
|
|
local link="464-$cfg"
|
|
|
|
local ip6addr ip6prefix tunlink zone
|
|
json_get_vars ip6addr ip6prefix tunlink zone
|
|
|
|
[ "$zone" = "-" ] && zone=""
|
|
|
|
( proto_add_host_dependency "$cfg" "::" "$tunlink" )
|
|
|
|
if [ -z "$tunlink" ] && ! network_find_wan6 tunlink; then
|
|
proto_notify_error "$cfg" "NO_WAN_LINK"
|
|
return
|
|
fi
|
|
network_get_device tundev "$tunlink"
|
|
|
|
ip6addr=$(464xlatcfg "$link" "$tundev" "$ip6prefix" 192.0.0.1 $ip6addr)
|
|
if [ -z "$ip6addr" ]; then
|
|
proto_notify_error "$cfg" "CLAT_CONFIG_FAILED"
|
|
return
|
|
fi
|
|
|
|
ip -6 rule del from all lookup local
|
|
ip -6 rule add from all lookup local pref 1
|
|
ip -6 rule add to $ip6addr lookup prelocal pref 0
|
|
echo "$ip6addr" > /tmp/464-$cfg-anycast
|
|
|
|
proto_init_update "$link" 1
|
|
proto_add_ipv4_route "0.0.0.0" 0 "" "" 2048
|
|
proto_add_ipv6_route $ip6addr 128 "" "" "" "" 128
|
|
|
|
proto_add_data
|
|
[ -n "$zone" ] && json_add_string zone "$zone"
|
|
|
|
json_add_array firewall
|
|
[ -z "$zone" ] && zone=$(fw3 -q network $iface 2>/dev/null)
|
|
|
|
json_add_object ""
|
|
json_add_string type nat
|
|
json_add_string target SNAT
|
|
json_add_string family inet
|
|
json_add_string snat_ip 192.0.0.1
|
|
json_close_object
|
|
[ -n "$zone" ] && {
|
|
json_add_object ""
|
|
json_add_string type rule
|
|
json_add_string family inet6
|
|
json_add_string proto all
|
|
json_add_string direction in
|
|
json_add_string dest "$zone"
|
|
json_add_string src "$zone"
|
|
json_add_string src_ip $ip6addr
|
|
json_add_string target ACCEPT
|
|
json_close_object
|
|
}
|
|
json_close_array
|
|
proto_close_data
|
|
|
|
proto_send_update "$cfg"
|
|
}
|
|
|
|
proto_464xlat_teardown() {
|
|
local cfg="$1"
|
|
local link="464-$cfg"
|
|
|
|
[ -f /tmp/464-$cfg-anycast ] || return
|
|
local ip6addr=$(cat /tmp/464-$cfg-anycast)
|
|
|
|
464xlatcfg "$link"
|
|
|
|
rm -rf /tmp/464-$cfg-anycast
|
|
[ -n "$ip6addr" ] && ip -6 rule del to $ip6addr lookup prelocal
|
|
|
|
if [ -z "$(ls /tmp/464-*-anycast 2>&-)" ]; then
|
|
ip -6 rule del from all lookup local
|
|
ip -6 rule add from all lookup local pref 0
|
|
fi
|
|
}
|
|
|
|
proto_464xlat_init_config() {
|
|
no_device=1
|
|
available=1
|
|
|
|
proto_config_add_string "ip6prefix"
|
|
proto_config_add_string "ip6addr"
|
|
proto_config_add_string "tunlink"
|
|
proto_config_add_string "zone"
|
|
}
|
|
|
|
[ -n "$INCLUDE_ONLY" ] || {
|
|
add_protocol 464xlat
|
|
}
|