From 56fffd6b9c771ec4f43b77d6df89902d73467f33 Mon Sep 17 00:00:00 2001
From: subramanian c
Date: Wed, 21 Dec 2022 13:13:37 +0000
Subject: [PATCH] Firewall: Handle access control through /etc/config/hosts
---
 map-topology/files/etc/firewall.hosts | 126 ++++++++++++++++++
 .../992-firewall_host.ucidefaults | 12 ++
 2 files changed, 138 insertions(+)
 create mode 100644 map-topology/files/etc/firewall.hosts
 create mode 100644 map-topology/files/etc/uci-defaults/992-firewall_host.ucidefaults
diff --git a/map-topology/files/etc/firewall.hosts b/map-topology/files/etc/firewall.hosts
new file mode 100644
index 000000000..d3634ab22
--- /dev/null
+++ b/map-topology/files/etc/firewall.hosts
@@ -0,0 +1,126 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+day=""
+IP_RULE=""
+
+process_ac_schedule() {
+ local acs_id="$1"
+ local is_enabled
+ local access_control
+ local start_time=""
+ local stop_time=""
+ local mac=""
+
+ handle_day_list() {
+ local value=$1
+
+ val=$(echo $value | cut -c 1-3)
+ if [ -z $day ]; then
+ day="$val"
+ else
+ day="$day,$val"
+ fi
+ }
+
+ config_list_foreach "$acs_id" "day" handle_day_list
+ config_get is_enabled "$acs_id" "enable" 1
+ config_get access_control "$acs_id" "dm_parent"
+
+ if [ "$is_enabled" == "0" ] || [ -z "$access_control" ]; then
+ return
+ fi
+
+ IP_RULE=""
+
+ mac=$(uci -q get hosts.$access_control.macaddr)
+ access_policy=$(uci -q get hosts.$access_control.access_policy)
+
+ config_get start_time "$acs_id" "start_time"
+ config_get duration "$acs_id" "duration"
+
+ if [ -z "$mac" ] && [ -z "$start_time" ] && [ -z "$duration" ] && [ -z "$day" ] && [ -z "$access_policy" ]; then
+ return
+ fi
+ if [ -n "$mac" ]; then
+ IP_RULE="$IP_RULE -m mac --mac-source $mac"
+ fi
+
+ # as per iptables manual default starttime is 00:00
+ # default stoptime is 23:59
+ if [ -z "$start_time" ]; then
+ start_time="0:0"
+ fi
+
+ if [ -n "$duration" ]; then
+ hh=$(echo $start_time | awk -F: '{ print $1 }')
+ mm=$(echo $start_time | awk -F: '{ print $2 }')
+ hh_s=`expr $hh \* 3600`
+ mm_s=`expr $mm \* 60`
+ ss=$(( hh_s + mm_s ))
+
+ stop_ss=$(( ss + duration ))
+ hh=$(( stop_ss / 3600 ))
+ if [ $hh -lt 24 ]; then
+ rem_ss=$(( stop_ss % 3600 ))
+ mm=$(( rem_ss / 60 ))
+ ss=$(( rem_ss % 60 ))
+ stop_time="$hh:$mm:$ss"
+ else
+ stop_time="23:59"
+ fi
+ else
+ stop_time="23:59"
+ fi
+
+ # conversion to utc
+ zone=$(date +%z | cut -c 1)
+ utc_h=$(date -u -d @$(date "+%s" -d "$start_time") +%H)
+ local_h=$(echo $start_time | awk -F: '{ print $1 }')
+ if [ "$zone" == "+" ] && [ $utc_h -gt $local_h ]; then
+ start_utc="0:0"
+ else
+ start_utc=$(date -u -d @$(date "+%s" -d "$start_time") +%H:%M)
+ fi
+
+ utc_h=$(date -u -d @$(date "+%s" -d "$stop_time") +%H)
+ local_h=$(echo $stop_time | awk -F: '{ print $1 }')
+ if [ "$zone" == "-" ] && [ $utc_h -lt $local_h ]; then
+ stop_utc="23:59"
+ else
+ stop_utc=$(date -u -d @$(date "+%s" -d "$stop_time") +%H:%M)
+ fi
+
+
+ IP_RULE="$IP_RULE -m time --timestart $start_utc --timestop $stop_utc"
+ if [ -n "$day" ]; then
+ IP_RULE="$IP_RULE --weekdays $day"
+ fi
+
+ if [ "$access_policy" == "Deny" ]; then
+ IP_RULE="$IP_RULE -j DROP"
+ else
+ IP_RULE="$IP_RULE -j ACCEPT"
+ fi
+
+ iptables -w -A hosts_forward ${IP_RULE}
+ ip6tables -w -A hosts_forward ${IP_RULE}
+
+ day=""
+}
+
+iptables -w -F hosts_forward
+ip6tables -w -F hosts_forward
+
+iptables -w -t filter -N hosts_forward
+ret=$?
+[ $ret -eq 0 ] && iptables -w -t filter -I FORWARD -j hosts_forward
+ip6tables -w -t filter -N hosts_forward
+ret=$?
+[ $ret -eq 0 ] && ip6tables -w -t filter -I FORWARD -j hosts_forward
+
+# Load /etc/config/hosts UCI file
+config_load hosts
+config_foreach process_ac_schedule ac_schedule
+
diff --git a/map-topology/files/etc/uci-defaults/992-firewall_host.ucidefaults b/map-topology/files/etc/uci-defaults/992-firewall_host.ucidefaults
new file mode 100644
index 000000000..10c4dba6a
--- /dev/null
+++ b/map-topology/files/etc/uci-defaults/992-firewall_host.ucidefaults
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ -f /etc/firewall.hosts ]; then
+ uci -q get firewall.hosts || {
+ uci -q set firewall.hosts=include
+ uci -q set firewall.hosts.path="/etc/firewall.hosts"
+ uci -q set firewall.hosts.reload=1
+ }
+fi
+
+
+exit 0