Firewall: Handle access control through /etc/config/hosts

map-topology/files/etc/firewall.hosts

@@ -0,0 +1,126 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+day=""
+IP_RULE=""
+
+process_ac_schedule() {
+	local acs_id="$1"
+	local is_enabled
+	local access_control
+	local start_time=""
+	local stop_time=""
+	local mac=""
+
+	handle_day_list() {
+		local value=$1
+
+		val=$(echo $value | cut -c 1-3)
+		if [ -z $day ]; then
+			day="$val"
+		else
+			day="$day,$val"
+		fi
+	}
+
+	config_list_foreach "$acs_id" "day" handle_day_list
+	config_get is_enabled "$acs_id" "enable" 1
+	config_get access_control "$acs_id" "dm_parent"
+
+	if [ "$is_enabled" == "0" ] || [ -z "$access_control" ]; then
+		return
+	fi
+
+	IP_RULE=""
+
+	mac=$(uci -q get hosts.$access_control.macaddr)
+	access_policy=$(uci -q get hosts.$access_control.access_policy)
+
+	config_get start_time "$acs_id" "start_time"
+	config_get duration "$acs_id" "duration"
+
+	if [ -z "$mac" ] && [ -z "$start_time" ] && [ -z "$duration" ] && [ -z "$day" ] && [ -z "$access_policy" ]; then
+		return
+	fi
+	if [ -n "$mac" ]; then
+		IP_RULE="$IP_RULE -m mac --mac-source $mac"
+	fi
+
+	# as per iptables manual default starttime is 00:00
+	# default stoptime is 23:59
+	if [ -z "$start_time" ]; then
+		start_time="0:0"
+	fi
+
+        if [ -n "$duration" ]; then
+		hh=$(echo $start_time | awk -F: '{ print $1 }')
+                mm=$(echo $start_time | awk -F: '{ print $2 }')
+                hh_s=`expr $hh \* 3600`
+                mm_s=`expr $mm \* 60`
+                ss=$(( hh_s + mm_s ))
+
+                stop_ss=$(( ss + duration ))
+                hh=$(( stop_ss / 3600 ))
+                if [ $hh -lt 24 ]; then
+                	rem_ss=$(( stop_ss % 3600 ))
+                	mm=$(( rem_ss / 60 ))
+                	ss=$(( rem_ss % 60 ))
+                	stop_time="$hh:$mm:$ss"
+                else
+                	stop_time="23:59"
+                fi
+        else
+        	stop_time="23:59"
+        fi
+
+	# conversion to utc
+	zone=$(date +%z | cut -c 1)
+	utc_h=$(date -u -d @$(date "+%s" -d "$start_time") +%H)
+	local_h=$(echo $start_time | awk -F: '{ print $1 }')
+	if [ "$zone" == "+" ] && [ $utc_h -gt $local_h ]; then
+		start_utc="0:0"
+	else
+		start_utc=$(date -u -d @$(date "+%s" -d "$start_time") +%H:%M)
+	fi
+
+	utc_h=$(date -u -d @$(date "+%s" -d "$stop_time") +%H)
+	local_h=$(echo $stop_time | awk -F: '{ print $1 }')
+	if [ "$zone" == "-" ] && [ $utc_h -lt $local_h ]; then
+		stop_utc="23:59"
+	else
+		stop_utc=$(date -u -d @$(date "+%s" -d "$stop_time") +%H:%M)
+	fi
+
+
+	IP_RULE="$IP_RULE -m time --timestart $start_utc --timestop $stop_utc"
+	if [ -n "$day" ]; then
+		IP_RULE="$IP_RULE --weekdays $day"
+	fi
+
+	if [ "$access_policy" == "Deny" ]; then
+		IP_RULE="$IP_RULE -j DROP"
+	else
+		IP_RULE="$IP_RULE -j ACCEPT"
+	fi
+
+	iptables -w -A hosts_forward ${IP_RULE}
+	ip6tables -w -A hosts_forward ${IP_RULE}
+
+	day=""
+}
+
+iptables -w -F hosts_forward
+ip6tables -w -F hosts_forward
+
+iptables -w -t filter -N hosts_forward
+ret=$?                        
+[ $ret -eq 0 ] && iptables -w -t filter -I FORWARD -j hosts_forward
+ip6tables -w -t filter -N hosts_forward
+ret=$?                        
+[ $ret -eq 0 ] && ip6tables -w -t filter -I FORWARD -j hosts_forward
+
+# Load /etc/config/hosts UCI file
+config_load hosts
+config_foreach process_ac_schedule ac_schedule
+

map-topology/files/etc/uci-defaults/992-firewall_host.ucidefaults

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+if [ -f /etc/firewall.hosts ]; then
+	uci -q get firewall.hosts || {
+		uci -q set firewall.hosts=include
+		uci -q set firewall.hosts.path="/etc/firewall.hosts"
+		uci -q set firewall.hosts.reload=1
+	}
+fi
+
+
+exit 0