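#!/bin/bash
#
# Copyright (c) 2021, The OpenThread Authors.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of the copyright holder nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
### BEGIN INIT INFO
# Provides:          otbr-firewall
# Required-Start:
# Required-Stop:
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: OTBR firewall
# Description:       This service sets up firewall for OTBR.
### END INIT INFO
#
# Ingress firewall for the OpenThread Border Router.
#
# Usage: otbr-firewall start|stop|status
#
# "start" creates four IPv6 ipsets and an ip6tables chain that is hooked
# into FORWARD for every packet leaving on the Thread interface.  The chain:
#   1. drops unicast that came in on the Thread interface (no Thread->Thread
#      forwarding through the border router),
#   2. drops packets whose source is in otbr-ingress-deny-src,
#   3. accepts packets whose destination is in otbr-ingress-allow-dst,
#   4. drops every other unicast packet,
#   5. accepts whatever is left (non-unicast, i.e. multicast/broadcast).
# So unicast into the Thread network is default-deny; only destinations
# listed in the allow set get through.
# The two "-swap" sets are created here but not referenced by any rule in
# this script; presumably another component fills them and uses
# "ipset swap" for atomic replacement -- confirm against the daemon.
#
# "stop" removes the FORWARD hook, flushes/deletes the chain and destroys
# the ipsets.  "start" calls "stop" first so it is idempotent.
#
# Every ip6tables call uses -w so a concurrent xtables-lock holder makes us
# wait instead of failing mid-setup (which, under "set -e", would leave a
# half-built chain behind).

THREAD_IF="wpan0"
OTBR_FORWARD_INGRESS_CHAIN="OTBR_FORWARD_INGRESS"

. /lib/lsb/init-functions
. /lib/init/vars.sh

set -euxo pipefail

#######################################
# Destroy an ipset, but only if it currently exists.
# Arguments: $1 - ipset name
# Returns:   0 (missing set is not an error); non-zero only if destroy fails
#######################################
ipset_destroy_if_exist()
{
    local name="$1"
    # "ipset list" dumps the whole set; only its exit status matters here.
    if ipset list "$name" >/dev/null 2>&1; then
        ipset destroy "$name"
    fi
}

#######################################
# Test whether an ip6tables chain exists in the filter table.
# Arguments: $1 - chain name
# Returns:   0 if the chain exists, non-zero otherwise
#######################################
ip6tables_chain_exists()
{
    # -n avoids reverse-DNS lookups that can stall "-L" when no resolver
    # is reachable (this script may run before networking is fully up).
    ip6tables -w -n -L "$1" >/dev/null 2>&1
}

#######################################
# Install the ingress firewall.  Tears down any previous instance first.
# Globals:   THREAD_IF, OTBR_FORWARD_INGRESS_CHAIN (read)
#######################################
firewall_start()
{
    firewall_stop

    ipset create -exist otbr-ingress-deny-src hash:net family inet6
    ipset create -exist otbr-ingress-deny-src-swap hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst-swap hash:net family inet6

    # Build the chain completely before hooking it into FORWARD, so no
    # packet is ever evaluated against a still-empty (and thus permissive)
    # chain.
    ip6tables -w -N "$OTBR_FORWARD_INGRESS_CHAIN"
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m pkttype --pkt-type unicast -i "$THREAD_IF" -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m set --match-set otbr-ingress-deny-src src -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m set --match-set otbr-ingress-allow-dst dst -j ACCEPT
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m pkttype --pkt-type unicast -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -j ACCEPT

    # Hook in at position 1 so our policy is consulted before any other
    # FORWARD rule.
    ip6tables -w -I FORWARD 1 -o "$THREAD_IF" -j "$OTBR_FORWARD_INGRESS_CHAIN"
}

#######################################
# Remove the ingress firewall.  Safe to call when nothing is installed.
# Globals:   THREAD_IF, OTBR_FORWARD_INGRESS_CHAIN (read)
#######################################
firewall_stop()
{
    # Several hooks can exist if an earlier "start" was interrupted;
    # delete them all.
    while ip6tables -w -C FORWARD -o "$THREAD_IF" -j "$OTBR_FORWARD_INGRESS_CHAIN" 2>/dev/null; do
        ip6tables -w -D FORWARD -o "$THREAD_IF" -j "$OTBR_FORWARD_INGRESS_CHAIN"
    done

    if ip6tables_chain_exists "$OTBR_FORWARD_INGRESS_CHAIN"; then
        ip6tables -w -F "$OTBR_FORWARD_INGRESS_CHAIN"
        ip6tables -w -X "$OTBR_FORWARD_INGRESS_CHAIN"
    fi

    ipset_destroy_if_exist otbr-ingress-deny-src
    ipset_destroy_if_exist otbr-ingress-deny-src-swap
    ipset_destroy_if_exist otbr-ingress-allow-dst
    ipset_destroy_if_exist otbr-ingress-allow-dst-swap
}

# "${1:-}" rather than "$1": with "set -u" a missing argument would abort
# with an "unbound variable" error instead of printing the usage line.
case "${1:-}" in
    start)
        firewall_start
        ;;
    restart | reload | force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
    stop)
        firewall_stop
        ;;
    status)
        # No-op; the script keeps no state of its own and always exits 0 here.
        ;;
    *)
        echo "Usage: $0 start|stop" >&2
        exit 3
        ;;
esac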