1#!/bin/sh /etc/rc.common 2# 3# Copyright (c) 2022, The OpenThread Authors. 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions are met: 8# 1. Redistributions of source code must retain the above copyright 9# notice, this list of conditions and the following disclaimer. 10# 2. Redistributions in binary form must reproduce the above copyright 11# notice, this list of conditions and the following disclaimer in the 12# documentation and/or other materials provided with the distribution. 13# 3. Neither the name of the copyright holder nor the 14# names of its contributors may be used to endorse or promote products 15# derived from this software without specific prior written permission. 16# 17# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 18# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 21# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 23# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 24# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 25# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 26# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27# POSSIBILITY OF SUCH DAMAGE. 
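#
START=89

USE_PROCD=1

# ip6tables chain that filters packets forwarded out of the Thread interface.
# Only the rules appended in start_service() live in it.
OTBR_FORWARD_INGRESS_CHAIN="OTBR_FORWARD_INGRESS"

# start_service() records the Thread interface name here so that
# stop_service() can still remove the matching FORWARD jump even if the UCI
# option has been changed or deleted in the meantime.
THREAD_IF_BACKUP_FILE="/tmp/otbr-firewall"

#######################################
# Destroy the ipset named in $1 if it exists; a missing set is not an error.
# The existence probe is silenced so the full set dump does not end up in
# the service log.
# Arguments: $1 - ipset name
#######################################
ipset_destroy_if_exist()
{
    if ipset list "$1" >/dev/null 2>&1; then
        ipset destroy "$1"
    fi
}

#######################################
# Tear down the ingress firewall: remove every FORWARD jump into the chain,
# flush and delete the chain, destroy the ipsets and finally the backup file.
# A missing backup file means the service never started (or was already
# stopped); nothing is touched and 0 is returned.
# Globals: THREAD_IF_BACKUP_FILE (read), OTBR_FORWARD_INGRESS_CHAIN (read),
#          THREAD_IF_NAME (written)
#######################################
stop_service()
{
    [ -f "$THREAD_IF_BACKUP_FILE" ] || return 0

    THREAD_IF_NAME=$(cat "$THREAD_IF_BACKUP_FILE")

    # A start that was never matched by a stop may have left several jump
    # rules behind; remove all of them, otherwise the -X below fails because
    # the chain is still referenced. '|| break' guards against looping
    # forever should -C keep succeeding while -D fails (e.g. lock trouble).
    if [ -n "$THREAD_IF_NAME" ]; then
        while ip6tables -w -C FORWARD -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN" 2>/dev/null; do
            ip6tables -w -D FORWARD -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN" || break
        done
    fi

    if ip6tables -w -n -L "$OTBR_FORWARD_INGRESS_CHAIN" >/dev/null 2>&1; then
        ip6tables -w -F "$OTBR_FORWARD_INGRESS_CHAIN"
        ip6tables -w -X "$OTBR_FORWARD_INGRESS_CHAIN"
    fi

    # Sets can only be destroyed once no rule references them, hence after
    # the chain has been flushed.
    ipset_destroy_if_exist otbr-ingress-deny-src
    ipset_destroy_if_exist otbr-ingress-deny-src-swap
    ipset_destroy_if_exist otbr-ingress-allow-dst
    ipset_destroy_if_exist otbr-ingress-allow-dst-swap

    rm -f -- "$THREAD_IF_BACKUP_FILE"
}

#######################################
# Install the ingress firewall for the Thread interface named by the UCI
# option otbr-agent.service.thread_if_name. Every rule keys on that name, so
# when the option is unset the function installs nothing and returns 1
# instead of building rules from an empty interface argument.
# Globals: THREAD_IF_BACKUP_FILE (read), OTBR_FORWARD_INGRESS_CHAIN (read),
#          THREAD_IF_NAME (written)
# Returns: 0 on success, 1 when the interface name is not configured
#######################################
start_service()
{
    THREAD_IF_NAME=$(uci -q get otbr-agent.service.thread_if_name)
    if [ -z "$THREAD_IF_NAME" ]; then
        echo "otbr-firewall: otbr-agent.service.thread_if_name is not set" >&2
        return 1
    fi
    echo "$THREAD_IF_NAME" > "$THREAD_IF_BACKUP_FILE"

    ipset create -exist otbr-ingress-deny-src hash:net family inet6
    ipset create -exist otbr-ingress-deny-src-swap hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst-swap hash:net family inet6

    # Start from an empty chain: a chain left over from an unclean stop would
    # otherwise accumulate a duplicate copy of the rules on every start.
    ip6tables -w -N "$OTBR_FORWARD_INGRESS_CHAIN" 2>/dev/null
    ip6tables -w -F "$OTBR_FORWARD_INGRESS_CHAIN"

    # Exactly one jump from FORWARD; keep an existing one rather than
    # inserting a second.
    if ! ip6tables -w -C FORWARD -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN" 2>/dev/null; then
        ip6tables -w -I FORWARD 1 -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN"
    fi

    # Order matters, the chain is walked top to bottom:
    #  1. unicast that came in on the Thread interface and would leave on it
    #     again is dropped;
    #  2. sources listed in the deny set are dropped;
    #  3. destinations listed in the allow set are accepted;
    #  4. any other unicast is dropped;
    #  5. whatever remains (non-unicast packet types) is accepted.
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m pkttype --pkt-type unicast -i "$THREAD_IF_NAME" -p ip -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m set --match-set otbr-ingress-deny-src src -p ip -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m set --match-set otbr-ingress-allow-dst dst -p ip -j ACCEPT
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m pkttype --pkt-type unicast -p ip -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -p ip -j ACCEPT
}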