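#!/bin/sh /etc/rc.common
#
# Copyright (c) 2022, The OpenThread Authors.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. Neither the name of the copyright holder nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# OpenWrt (procd) init script for the OTBR ingress firewall.
#
# start: creates the ipsets the border router agent populates, a dedicated
#        ip6tables chain, and a jump to it from FORWARD for traffic leaving
#        on the Thread interface.
# stop:  removes the jump, the chain and the ipsets again.
#
# The Thread interface name is read from uci at start and written to
# THREAD_IF_BACKUP_FILE so that stop can undo exactly the rules that were
# installed, even if the uci value changed in the meantime.  This script
# is plain POSIX sh (busybox ash): no bash-only syntax.

START=89

USE_PROCD=1

OTBR_FORWARD_INGRESS_CHAIN="OTBR_FORWARD_INGRESS"
THREAD_IF_BACKUP_FILE="/tmp/otbr-firewall"

#######################################
# Check that $1 is an interface name that is safe to hand to ip6tables as
# a single argument: non-empty, at most 15 characters (IFNAMSIZ - 1) and
# made only of a conservative character set.  An empty uci value or text
# containing whitespace / option-like characters is rejected so it can
# never become a missing or mangled firewall rule.
# Arguments: $1 - candidate interface name
# Returns:   0 if acceptable, 1 otherwise
#######################################
otbr_valid_if_name()
{
    case "$1" in
        '' | *[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

#######################################
# Destroy the named ipset if it exists.  The existence probe is silenced:
# its listing output is of no use in the service log.
# Arguments: $1 - ipset name
#######################################
ipset_destroy_if_exist()
{
    if ipset list "$1" >/dev/null 2>&1; then
        ipset destroy "$1"
    fi
}

#######################################
# Tear down everything start_service installed.
# The FORWARD jump needs the interface name, so it is only removed when the
# backup file is present; the chain and the ipsets are cleaned up regardless
# so a lost backup file cannot leave stale state behind.
# Globals: OTBR_FORWARD_INGRESS_CHAIN, THREAD_IF_BACKUP_FILE
#######################################
stop_service()
{
    if [ -f "$THREAD_IF_BACKUP_FILE" ]; then
        THREAD_IF_NAME=$(cat "$THREAD_IF_BACKUP_FILE")

        # The backup file lives in /tmp; re-validate its contents before
        # passing them to ip6tables instead of trusting them as written.
        if otbr_valid_if_name "$THREAD_IF_NAME"; then
            # -C reports an error when the rule is absent; that is the
            # loop's normal exit, not something to log.
            while ip6tables -w -C FORWARD -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN" 2>/dev/null; do
                ip6tables -w -D FORWARD -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN"
            done
        else
            echo "otbr-firewall: ignoring invalid interface name in $THREAD_IF_BACKUP_FILE" >&2
        fi

        rm -f -- "$THREAD_IF_BACKUP_FILE"
    fi

    # -X only succeeds once no FORWARD rule references the chain any more.
    if ip6tables -w -n -L "$OTBR_FORWARD_INGRESS_CHAIN" >/dev/null 2>&1; then
        ip6tables -w -F "$OTBR_FORWARD_INGRESS_CHAIN"
        ip6tables -w -X "$OTBR_FORWARD_INGRESS_CHAIN"
    fi

    ipset_destroy_if_exist otbr-ingress-deny-src
    ipset_destroy_if_exist otbr-ingress-deny-src-swap
    ipset_destroy_if_exist otbr-ingress-allow-dst
    ipset_destroy_if_exist otbr-ingress-allow-dst-swap
}

#######################################
# Install the ingress firewall for the Thread interface named in uci.
# Refuses to run with an unset or invalid interface name: installing the
# chain without a usable "-o <if>" match would silently leave the Thread
# network unfiltered.
# Globals: OTBR_FORWARD_INGRESS_CHAIN, THREAD_IF_BACKUP_FILE
# Returns: 0 on success, 1 if the interface name is unusable
#######################################
start_service()
{
    THREAD_IF_NAME=$(uci -q get otbr-agent.service.thread_if_name)
    if ! otbr_valid_if_name "$THREAD_IF_NAME"; then
        echo "otbr-firewall: otbr-agent.service.thread_if_name is unset or invalid, not installing the ingress firewall" >&2
        return 1
    fi
    echo "$THREAD_IF_NAME" > "$THREAD_IF_BACKUP_FILE"

    ipset create -exist otbr-ingress-deny-src hash:net family inet6
    ipset create -exist otbr-ingress-deny-src-swap hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst hash:net family inet6
    ipset create -exist otbr-ingress-allow-dst-swap hash:net family inet6

    # Idempotent across restarts: reuse (and empty) an existing chain rather
    # than failing on -N, and add the FORWARD jump only if it is not there.
    ip6tables -w -N "$OTBR_FORWARD_INGRESS_CHAIN" 2>/dev/null \
        || ip6tables -w -F "$OTBR_FORWARD_INGRESS_CHAIN"
    ip6tables -w -C FORWARD -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN" 2>/dev/null \
        || ip6tables -w -I FORWARD 1 -o "$THREAD_IF_NAME" -j "$OTBR_FORWARD_INGRESS_CHAIN"

    # Order matters; first match wins:
    # 1. unicast that came in on the Thread interface and would leave on it
    #    again is dropped;
    # 2. sources listed in the deny set are dropped;
    # 3. destinations listed in the allow set are accepted;
    # 4. any other unicast is dropped;
    # 5. what remains (non-unicast) is accepted.
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m pkttype --pkt-type unicast -i "$THREAD_IF_NAME" -p ip -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m set --match-set otbr-ingress-deny-src src -p ip -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m set --match-set otbr-ingress-allow-dst dst -p ip -j ACCEPT
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -m pkttype --pkt-type unicast -p ip -j DROP
    ip6tables -w -A "$OTBR_FORWARD_INGRESS_CHAIN" -p ip -j ACCEPT
}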