diff --git a/hostmngr/Makefile b/hostmngr/Makefile index 3794641af..b4c9fc990 100644 --- a/hostmngr/Makefile +++ b/hostmngr/Makefile @@ -63,6 +63,7 @@ define Package/hostmngr/install $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/hostmngr $(1)/usr/sbin/ $(INSTALL_DATA) $(PKG_BUILD_DIR)/src/bbf_plugin/libhostmngr.so $(1)/etc/hostmngr/ $(INSTALL_DATA) ./files/etc/hostmngr/input.json $(1)/etc/hostmngr/ + $(INSTALL_DATA) ./files/lib/hosts/hosts_acl.sh $(1)/lib/hosts/ endef ifeq ($(LOCAL_DEV),1) diff --git a/hostmngr/files/etc/firewall.hosts b/hostmngr/files/etc/firewall.hosts index 737bd9877..7c8b56eef 100644 --- a/hostmngr/files/etc/firewall.hosts +++ b/hostmngr/files/etc/firewall.hosts 
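Review bot: The added `$(INSTALL_DATA) ./files/lib/hosts/hosts_acl.sh $(1)/lib/hosts/` has no matching `$(INSTALL_DIR) $(1)/lib/hosts` in this hunk, and `install -m0644` does not create a missing directory, so the package install step fails unless that directory is created earlier in `Package/hostmngr/install`, which starts before the hunk and whose earlier lines are not shown. Since `lib/hosts` is new in this commit and the Makefile diff has only this one hunk, it is most likely absent; add `$(INSTALL_DIR) $(1)/lib/hosts` directly above the new line, next to whatever creates `$(1)/etc/hostmngr`. Installing the file with `INSTALL_DATA` (0644) rather than `INSTALL_BIN` is correct, as it is only ever sourced.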
@@ -1,103 +1,7 @@ #!/bin/sh . /lib/functions.sh - -day="" -IP_RULE="" - -process_ac_schedule() { - local acs_id="$1" - local is_enabled - local access_control - local start_time="" - local mac="" - - handle_day_list() { - local value=$1 - - val=$(echo $value | cut -c 1-3) - if [ -z $day ]; then - day="$val" - else - day="$day,$val" - fi - } - - config_list_foreach "$acs_id" "day" handle_day_list - config_get is_enabled "$acs_id" "enable" 1 - config_get access_control "$acs_id" "dm_parent" - - if [ "$is_enabled" == "0" ] || [ -z "$access_control" ]; then - return - fi - - IP_RULE="" - - mac=$(uci -q get hosts.$access_control.macaddr) - access_policy=$(uci -q get hosts.$access_control.access_policy) - - config_get start_time "$acs_id" "start_time" - config_get duration "$acs_id" "duration" - - if [ -z "$mac" ] && [ -z "$start_time" ] && [ -z "$duration" ] && [ -z "$day" ] && [ -z "$access_policy" ]; then - return - fi - if [ -n "$mac" ]; then - IP_RULE="$IP_RULE -m mac --mac-source $mac" - fi - - # as per iptables manual default starttime is 00:00 - # default stoptime is 23:59 - if [ -z "$start_time" ]; then - start_time="0:0" - fi - # conversion to utc - zone=$(date +%z | cut -c 1) - utc_h=$(date -u -d @$(date "+%s" -d "$start_time") +%H) - local_h=$(echo $start_time | awk -F: '{ print $1 }') - if [ "$zone" == "+" ] && [ $utc_h -gt $local_h ]; then - start_utc="0:0" - else - start_utc=$(date -u -d @$(date "+%s" -d "$start_time") +%H:%M) - fi - - if [ -n "$duration" ]; then - hh=$(echo $start_utc | awk -F: '{ print $1 }') - mm=$(echo $start_utc | awk -F: '{ print $2 }') - hh_s=`expr $hh \* 3600` - mm_s=`expr $mm \* 60` - ss=$(( hh_s + mm_s )) - - stop_ss=$(( ss + duration )) - hh=$(( stop_ss / 3600 )) - if [ $hh -lt 24 ]; then - rem_ss=$(( stop_ss % 3600 )) - mm=$(( rem_ss / 60 )) - ss=$(( rem_ss % 60 )) - stop_utc="$hh:$mm:$ss" - else - stop_utc="23:59" - fi - else - stop_utc="23:59" - fi - - IP_RULE="$IP_RULE -m time --timestart $start_utc --timestop $stop_utc" - 
if [ -n "$day" ]; then - IP_RULE="$IP_RULE --weekdays $day" - fi - - if [ "$access_policy" == "Deny" ]; then - IP_RULE="$IP_RULE -j DROP" - else - IP_RULE="$IP_RULE -j ACCEPT" - fi - - iptables -w -A hosts_forward ${IP_RULE} - ip6tables -w -A hosts_forward ${IP_RULE} - - day="" -} +. /lib/hosts/hosts_acl.sh iptables -w -F hosts_forward ip6tables -w -F hosts_forward diff --git a/hostmngr/files/etc/init.d/hostmngr b/hostmngr/files/etc/init.d/hostmngr index 931f39169..0851b3bf6 100755 --- a/hostmngr/files/etc/init.d/hostmngr +++ b/hostmngr/files/etc/init.d/hostmngr @@ -4,6 +4,7 @@ START=97 STOP=20 . /etc/bbfdm/bbfdm_services.sh +. /lib/hosts/hosts_acl.sh USE_PROCD=1 @@ -19,6 +20,7 @@ start_service() { procd_close_instance bbfdm_add_service "bbfdm.hosts" "${HOSTS_JSON_INPUT}" + hosts_acl } service_triggers() diff --git a/hostmngr/files/lib/hosts/hosts_acl.sh b/hostmngr/files/lib/hosts/hosts_acl.sh new file mode 100644 index 000000000..193316180 --- /dev/null +++ b/hostmngr/files/lib/hosts/hosts_acl.sh 
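Review bot: firewall.hosts now sources hosts_acl.sh but keeps its own `iptables -w -F hosts_forward` and `ip6tables -w -F hosts_forward` lines instead of calling the `hosts_acl` function that init.d/hostmngr uses, so the chain-existence check and the `-I FORWARD -j hosts_forward` insertion in `hosts_acl` are bypassed on the firewall-include path, which is the path that runs after a firewall restart has typically recreated the user chains. The rest of the file is outside the hunk; if it goes on to run `config_load hosts` and `config_foreach process_ac_schedule ac_schedule` itself, those lines and the two flushes can be replaced by a single `hosts_acl` so both entry points behave identically. The retained `. /lib/functions.sh` is redundant now that hosts_acl.sh sources it as well, but harmless.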
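Review bot: `hosts_acl` is invoked from `start_service` after `bbfdm_add_service`, and nothing in it checks the `iptables`/`ip6tables` exit status, so the service reports started even when the `hosts_forward` chain could not be created or a rule failed to append; for a `Deny` policy that is a fail-open, and a `logger -t hostmngr` line on a failed `iptables -w -A` (in hosts_acl.sh) would at least make it visible. Whether a change to `/etc/config/hosts` re-runs the ACL build depends on `service_triggers()`, whose body lies outside the hunk; it should carry `procd_add_reload_trigger "hosts"` if it does not already.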
@@ -0,0 +1,230 @@ +#!/bin/sh + +. /lib/functions.sh + +day="" +next_days="" +prev_days="" +IP_RULE="" +IP_RULE1="" + +get_next_day() { + local weekday="$1" + case "$weekday" in + "Mon"|"Monday") echo "Tuesday" + ;; + "Tue"|"Tuesday") echo "Wednesday" + ;; + "Wed"|"Wednesday") echo "Thursday" + ;; + "Thu"|"Thursday") echo "Friday" + ;; + "Fri"|"Friday") echo "Saturday" + ;; + "Sat"|"Saturday") echo "Sunday" + ;; + "Sun"|"Sunday") echo "Monday" + ;; + esac +} + +get_previous_day() { + local weekday="$1" + case "$weekday" in + "Mon"|"Monday") echo "Sunday" + ;; + "Tue"|"Tuesday") echo "Monday" + ;; + "Wed"|"Wednesday") echo "Tuesday" + ;; + "Thu"|"Thursday") echo "Wednesday" + ;; + "Fri"|"Friday") echo "Thursday" + ;; + "Sat"|"Saturday") echo "Friday" + ;; + "Sun"|"Sunday") echo "Saturday" + ;; + esac +} + +ip_rule_west_zone() { + local utc_start_t_h="$1" + local utc_stop_t_h="$2" + local local_start_t_h="$3" + local local_stop_t_h="$4" + local utc_start_time="$5" + local utc_stop_time="$6" + + if [ "$utc_start_t_h" -lt "$local_start_t_h" ]; then + IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop $utc_stop_time" + if [ -n "$next_days" ]; then + IP_RULE="$IP_RULE --weekdays $next_days" + fi + else + if [ "$utc_stop_t_h" -lt "$local_stop_t_h" ]; then + IP_RULE1="$IP_RULE" + IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop 23:59" + IP_RULE1="$IP_RULE1 -m time --timestart 00:00 --timestop $utc_stop_time" + if [ -n "$next_days" ]; then + IP_RULE1="$IP_RULE1 --weekdays $next_days" + fi + else + IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop $utc_stop_time" + fi + if [ -n "$day" ]; then + IP_RULE="$IP_RULE --weekdays $day" + fi + fi +} + +ip_rule_east_zone() { + local utc_start_t_h="$1" + local utc_stop_t_h="$2" + local local_start_t_h="$3" + local local_stop_t_h="$4" + local utc_start_time="$5" + local utc_stop_time="$6" + + if [ "$utc_start_t_h" -lt "$local_start_t_h" ]; then + IP_RULE="$IP_RULE -m time --timestart 
$utc_start_time --timestop $utc_stop_time" + if [ -n "$day" ]; then + IP_RULE="$IP_RULE --weekdays $day" + fi + else + if [ "$utc_stop_t_h" -lt "$local_stop_t_h" ]; then + IP_RULE1="$IP_RULE" + IP_RULE="$IP_RULE -m time --timestart 00:00 --timestop $utc_stop_time" + IP_RULE1="$IP_RULE1 -m time --timestart $utc_start_time --timestop 23:59" + if [ -n "$prev_days" ]; then + IP_RULE1="$IP_RULE1 --weekdays $prev_days" + fi + else + IP_RULE="$IP_RULE -m time --timestart $utc_start_time --timestop $utc_stop_time" + fi + if [ -n "$day" ]; then + IP_RULE="$IP_RULE --weekdays $day" + fi + fi +} + +process_ac_schedule() { + local acs_id="$1" + local is_enabled + local access_control + local start_time="" + local mac="" + + + handle_day_list() { + local value=$1 + + val=$(echo $value | cut -c 1-3) + next_day_val=$(get_next_day $val) + prev_day_val=$(get_previous_day $val) + if [ -z $day ]; then + day="$val" + next_days="$next_day_val" + prev_days="$prev_day_val" + else + day="$day,$val" + next_days="$next_days,$next_day_val" + prev_days="$prev_days,$prev_day_val" + fi + } + + config_list_foreach "$acs_id" "day" handle_day_list + config_get is_enabled "$acs_id" "enable" 1 + config_get access_control "$acs_id" "dm_parent" + + if [ "$is_enabled" == "0" ] || [ -z "$access_control" ]; then + return + fi + + IP_RULE="" + IP_RULE1="" + + mac=$(uci -q get hosts.$access_control.macaddr) + access_policy=$(uci -q get hosts.$access_control.access_policy) + + config_get start_time "$acs_id" "start_time" + config_get duration "$acs_id" "duration" + + if [ -z "$mac" ] && [ -z "$start_time" ] && [ -z "$duration" ] && [ -z "$day" ] && [ -z "$access_policy" ]; then + return + fi + if [ -n "$mac" ]; then + IP_RULE="$IP_RULE -m mac --mac-source $mac" + fi + + zone=$(date +%z | cut -c 1) + local_start_time=$start_time + if [ -n "$duration" ]; then + hh=$(echo $local_start_time | awk -F: '{ print $1 }') + mm=$(echo $local_start_time | awk -F: '{ print $2 }') + hh_s=`expr $hh \* 3600` + mm_s=`expr 
$mm \* 60` + ss=$(( hh_s + mm_s )) + local_start_hh=$hh + + stop_ss=$(( ss + duration )) + hh=$(( stop_ss / 3600 )) + rem_ss=$(( stop_ss % 3600 )) + mm=$(( rem_ss / 60 )) + ss=$(( rem_ss % 60 )) + local_stop_time="$hh:$mm:$ss" + local_stop_hh=$hh + fi + + utc_start_time=$(date -u -d @$(date "+%s" -d "$local_start_time") +%H:%M) + utc_stop_time=$(date -u -d @$(date "+%s" -d "$local_stop_time") +%H:%M) + utc_start_hh=$(echo $utc_start_time | awk -F: '{ print $1 }') + utc_stop_hh=$(echo $utc_stop_time | awk -F: '{ print $1 }') + if [ "$zone" == "-" ]; then + ip_rule_west_zone $utc_start_hh $utc_stop_hh $local_start_hh $local_stop_hh $utc_start_time $utc_stop_time + else + ip_rule_east_zone $utc_start_hh $utc_stop_hh $local_start_hh $local_stop_hh $utc_start_time $utc_stop_time + fi + + if [ "$access_policy" == "Deny" ]; then + IP_RULE="$IP_RULE -j DROP" + if [ -n "$IP_RULE1" ]; then + IP_RULE1="$IP_RULE1 -j DROP" + fi + else + IP_RULE="$IP_RULE -j ACCEPT" + if [ -n "$IP_RULE1" ]; then + IP_RULE1="$IP_RULE1 -j ACCEPT" + fi + fi + + iptables -w -A hosts_forward ${IP_RULE} + ip6tables -w -A hosts_forward ${IP_RULE} + if [ -n "$IP_RULE1" ]; then + iptables -w -A hosts_forward ${IP_RULE1} + ip6tables -w -A hosts_forward ${IP_RULE1} + fi + + day="" + next_days="" + prev_days="" +} + +hosts_acl() { + iptables -w -F hosts_forward + ip6tables -w -F hosts_forward + + hosts_forward=$(iptables -t filter --list | grep hosts_forward) + if [ -z "$hosts_forward" ]; then + iptables -w -t filter -N hosts_forward + ret=$? + [ $ret -eq 0 ] && iptables -w -t filter -I FORWARD -j hosts_forward + ip6tables -w -t filter -N hosts_forward + ret=$? + [ $ret -eq 0 ] && ip6tables -w -t filter -I FORWARD -j hosts_forward + fi + + # Load /etc/config/hosts UCI file + config_load hosts + config_foreach process_ac_schedule ac_schedule +}
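Review bot: When a schedule has no `duration` (or no `start_time`), `local_start_hh`, `local_stop_time` and `local_stop_hh` are never assigned in `process_ac_schedule`, so `date -d` receives an empty argument and the `-lt` tests in `ip_rule_west_zone`/`ip_rule_east_zone` run with empty operands; the removed firewall.hosts code defaulted these to `0:0` and `23:59` and clamped a stop hour of 24 or more, and both defaults are dropped here. The three early `return`s also skip the `day=""`/`next_days=""`/`prev_days=""` reset at the bottom of the function, so a disabled section's day list is carried into the next section's `--weekdays`; resetting before each `return` (or before `config_list_foreach`) fixes that. `mac` and `access_policy` are read from UCI and expanded unquoted into `iptables -w -A hosts_forward ${IP_RULE}`, so a malformed `macaddr` value becomes extra iptables arguments; a shape check such as `case "$mac" in ??:??:??:??:??:??) ;; *) return ;; esac` before it is used keeps the rule fixed. In `hosts_acl`, `iptables -t filter --list | grep hosts_forward` matches any chain or rule containing that substring, resolves addresses because `-n` is absent, and consults only the IPv4 table before both `-N` calls; `iptables -w -t filter -nL hosts_forward >/dev/null 2>&1` per family is an exact test, and it should run before the `-F` that errors on a fresh boot when the chain does not yet exist. The defaults and clamp would look like this:
```shell
	# … unchanged: locals, handle_day_list, enable/dm_parent checks, mac rule …
	# Defaults match the iptables time match and the removed firewall.hosts:
	# no start time means 00:00, no duration means run until 23:59.
	[ -z "$start_time" ] && start_time="0:0"
	zone=$(date +%z | cut -c 1)
	local_start_time=$start_time
	local_start_hh=$(echo $local_start_time | awk -F: '{ print $1 }')
	local_stop_time="23:59"
	local_stop_hh=23
	if [ -n "$duration" ]; then
		# … unchanged: start seconds arithmetic …
		stop_ss=$(( ss + duration ))
		hh=$(( stop_ss / 3600 ))
		# A stop past midnight cannot be expressed as one --timestop; clamp to 23:59.
		if [ "$hh" -lt 24 ]; then
			rem_ss=$(( stop_ss % 3600 ))
			mm=$(( rem_ss / 60 ))
			ss=$(( rem_ss % 60 ))
			local_stop_time="$hh:$mm:$ss"
			local_stop_hh=$hh
		fi
	fi
	# … unchanged: UTC conversion, zone dispatch, policy and iptables calls …
```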