From 5d8dbfa1bc5fd9c0dd26eb1eb276eb81c0527b24 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 21 Mar 2015 16:20:43 +0100
Subject: [PATCH] freifunk: Apply firewall rules for IPv4

---
 src/initscripts/init.d/firewall     |  9 +++++++
 src/initscripts/init.d/lib-freifunk | 38 +++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index c383652e0b..2cc865e672 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -3,6 +3,8 @@
 . /etc/sysconfig/rc
 . ${rc_functions}
 
+. /etc/rc.d/init.d/lib-freifunk
+
 eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings)
@@ -104,6 +106,10 @@ iptables_init() {
 	iptables -t nat -N CUSTOMPOSTROUTING
 	iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+	# Freifunk
+	iptables -N FREIFUNK
+	iptables -A FORWARD -j FREIFUNK
+
 	# P2PBLOCK
 	iptables -N P2PBLOCK
 	iptables -A INPUT -j P2PBLOCK
@@ -285,6 +291,9 @@ iptables_init() {
 	# Install firewall rules for the red interface.
 	iptables_red_up
 
+	# Install firewall rules for Freifunk
+	freifunk_init_firewall
+
 	# If red has not been brought up yet, we will
 	# add the blocking rules for MASQUERADE
 	if [ ! -e "/var/ipfire/red/active" ]; then
diff --git a/src/initscripts/init.d/lib-freifunk b/src/initscripts/init.d/lib-freifunk
index 426fba9990..1b0b7a504e 100755
--- a/src/initscripts/init.d/lib-freifunk
+++ b/src/initscripts/init.d/lib-freifunk
@@ -11,9 +11,14 @@ function freifunk_is_enabled() {
 }
 
 function freifunk_start() {
+	freifunk_flush_firewall
+
 	# Do nothing if Freifunk is not enabled
 	freifunk_is_enabled || exit 0
 
+	# Initialize firewall rules
+	freifunk_init_firewall
+
 	# Bring up the batman interface
 	freifunk_batman_create
 	freifunk_batman_attach_all
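Review bot: The `iptables -A FORWARD -j FREIFUNK` jump is appended ahead of the P2PBLOCK jump on the lines right below it, so every packet that freifunk_init_firewall accepts inside the FREIFUNK chain leaves FORWARD at that point and never reaches P2PBLOCK or whatever forwarding-policy rules follow later in iptables_init (those are outside this hunk, so their position is inferred). That is plausibly intended for a transparent mesh, but the one-word `# Freifunk` comment does not say so; I would write `# Freifunk: mesh traffic is accepted here and skips every later FORWARD rule (P2PBLOCK, policy chains)`. If any generic sanity rules (for example dropping INVALID conntrack state) sit further down FORWARD, consider placing this jump below them so the mesh does not bypass them. iptables_init starts before and continues after this hunk.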
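Review bot: `freifunk_init_firewall` is called here unconditionally, with no `freifunk_is_enabled` check, while freifunk_start in lib-freifunk guards the same call behind `freifunk_is_enabled || exit 0`. With Freifunk switched off the FREIFUNK chain is still populated with ACCEPT rules for bat+, meshbr+ and any configured FREIFUNKn_DEV interface, so forwarding to and from those devices stays open regardless of the setting (assuming the FREIFUNKn_DEV variables are in scope in this script; lib-freifunk is sourced at the top of the file, but where those variables are loaded is not visible). Guard it the same way as freifunk_start: `freifunk_is_enabled && freifunk_init_firewall`. iptables_init starts before and ends after this hunk.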
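Review bot: The `freifunk_flush_firewall` call at the top of freifunk_start is repeated inside `freifunk_init_firewall` on the enabled path, so the first flush only matters when the function leaves early at `freifunk_is_enabled || exit 0`; a comment should say so, e.g. `# Remove stale rules first, so that a disabled Freifunk leaves the chain empty`. Both flushes run `iptables -F FREIFUNK`, which prints an error and returns non-zero when the chain has not been created yet (the firewall initscript creates it), and nothing here checks that, so if `freifunk start` can run before the firewall script the error is merely ignored. freifunk_start continues past the end of this hunk.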
@@ -30,6 +35,8 @@ function freifunk_start() {
 }
 
 function freifunk_stop() {
+	freifunk_flush_firewall
+
 	/etc/init.d/alfred stop &>/dev/null
 
 	ip link set "${BATMAN_INTERFACE}" down &>/dev/null
@@ -98,6 +105,37 @@ function freifunk_batman_attach_all() {
 	done
 }
 
+function freifunk_init_firewall() {
+	# Flush the existing configuration
+	freifunk_flush_firewall
+
+	# Forward everything incoming and outgoing on the
+	# BATMAN interface without further noticing.
+	iptables -A FREIFUNK -i bat+ -j ACCEPT
+	iptables -A FREIFUNK -o bat+ -j ACCEPT
+
+	# Also make the mesh bridge transparent for IPv4
+	iptables -A FREIFUNK -i meshbr+ -j ACCEPT
+	iptables -A FREIFUNK -o meshbr+ -j ACCEPT
+
+	# Forward all packets from and to the local interfaces
+	local mesh
+	for mesh in FREIFUNK1 FREIFUNK2 FREIFUNK3 FREIFUNK4; do
+		local interface_var="${mesh}_DEV"
+		local interface="${!interface_var}"
+
+		[ -n "${interface}" ] || continue
+
+		iptables -A FREIFUNK -i "${interface}" -j ACCEPT
+		iptables -A FREIFUNK -o "${interface}" -j ACCEPT
+	done
+}
+
+function freifunk_flush_firewall() {
+	# Flush all existing rules
+	iptables -F FREIFUNK
+}
+
 function freifunk_ipv6_enable() {
 	local device="${1}"
 
-- 
2.39.5
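Review bot: `freifunk_init_firewall` matches on interface names only, so `-i bat+ -j ACCEPT` and `-i meshbr+ -j ACCEPT` forward traffic arriving from the mesh towards any destination zone, and the paired `-o` rules forward traffic from any zone into the mesh, all stateless and, given the early FORWARD jump added in the firewall script, ahead of the rest of the forwarding policy; the header comment `# Forward everything incoming and outgoing on the BATMAN interface without further noticing` should state that explicitly (and `noticing` reads better as `inspection`). If mesh clients are only meant to reach the uplink, the `-i` rules need an `-o` match on the uplink device (not visible here) or a conntrack state restriction; if full transparency is intended, say so in the comment so nobody tightens it by accident. Separately, `freifunk_flush_firewall` runs `iptables -F FREIFUNK` unconditionally and is also called from freifunk_stop, so when the chain does not exist yet (the firewall script creates it) iptables prints an error that nothing handles; a chain-existence test such as `iptables -L FREIFUNK -n >/dev/null 2>&1 || return 0` before the flush would keep the stop path quiet.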