From 5147dfc73aafd5b5accc6e480d51a639b000eac5 Mon Sep 17 00:00:00 2001
From: Aaron Goodman
Date: Thu, 28 May 2020 18:29:56 -0400
Subject: [PATCH] mwan3: Allow user to specify rules based on source interface
Add an option for adding rules based on source interface. The default 0.0.0.0/0 src and destination ip addresses has been removed. It is unclear how the 'any' family of rules would have worked, as it appears each rule always required an ipv4 or ipv6 address src and destination address. With this change, the any family will work again. I also cleaned up a bunch of repeated code around adding the iptables rules for ipv4/ipv6/any in making the change.
Signed-off-by: Aaron Goodman
---
net/mwan3/files/lib/mwan3/mwan3.sh | 190 ++++++++--------------------
1 file changed, 49 insertions(+), 141 deletions(-)
diff --git a/net/mwan3/files/lib/mwan3/mwan3.sh b/net/mwan3/files/lib/mwan3/mwan3.sh
index e8044f76a..1c30fea45 100644
--- a/net/mwan3/files/lib/mwan3/mwan3.sh
+++ b/net/mwan3/files/lib/mwan3/mwan3.sh
@@ -890,13 +890,31 @@ mwan3_set_user_iptables_rule()
 config_get timeout $1 timeout 600
 config_get ipset $1 ipset
 config_get proto $1 proto all
- config_get src_ip $1 src_ip 0.0.0.0/0
- config_get src_port $1 src_port 0:65535
- config_get dest_ip $1 dest_ip 0.0.0.0/0
- config_get dest_port $1 dest_port 0:65535
+ config_get src_ip $1 src_ip
+ config_get src_iface $1 src_iface
+ network_get_device src_dev $src_iface
+ config_get src_port $1 src_port
+ config_get dest_ip $1 dest_ip
+ config_get dest_port $1 dest_port
 config_get use_policy $1 use_policy
 config_get family $1 family any
+ [ -z "$dest_ip" ] && unset dest_ip
+ [ -z "$src_ip" ] && unset src_ip
+ [ -z "$ipset" ] && unset ipset
+ [ -z "$src_port" ] && unset src_port
+ [ -z "$dest_port" ] && unset dest_port
+ [ "$proto" != 'tcp' ] && [ "$proto" != 'udp' ] && {
+ [ -n "$src_port" ] && {
+ $LOG warn "src_port set to '$src_port' but proto set to '$proto' not tcp or udp. src_port will be ignored"
+ }
+ [ -n "$dest_port" ] && {
+ $LOG warn "dest_port set to '$dest_port' but proto set to '$proto' not tcp or udp. dest_port will be ignored"
+ }
+ unset src_port
+ unset dest_port
+ }
 config_get rule_logging $1 logging 0
 config_get global_logging globals logging 0
 config_get loglevel globals loglevel notice
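Review bot: Resolving `src_iface` with `network_get_device src_dev $src_iface` can leave `src_dev` empty when the interface is down or has no device yet, and nothing here notices; the rule is then built (second hunk) with `${src_dev:+-i} $src_dev`, so the `-i` match silently vanishes and a rule the user scoped to one source interface is installed matching that traffic from every interface — failing open rather than closed. I would replace the `network_get_device` line with `src_dev=""`, `[ -n "$src_iface" ] && network_get_device src_dev "$src_iface"` and `[ -n "$src_iface" ] && [ -z "$src_dev" ] && { $LOG warn "rule '$1': src_iface '$src_iface' has no device, rule not installed"; return; }`, returning with whatever status this function's other bail-outs use (the function begins above the hunk). The explicit `src_dev=""` also matters because, unless `src_dev` is declared `local` earlier in the function (not visible here), a failed lookup would otherwise leave the previous rule's device in the variable and attach it to this rule.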
@@ -969,144 +987,34 @@ mwan3_set_user_iptables_rule()
 fi
 fi
+ for IPT in "$IPT4" "$IPT6"; do
+ [ "$family" == "ipv4" ] && [ "$IPT" == "$IPT6" ] && continue
+ [ "$family" == "ipv6" ] && [ "$IPT" == "$IPT4" ] && continue
+ [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
+ $IPT -A mwan3_rules \
+ -p $proto \
+ ${src_ip:+-s} $src_ip \
+ ${src_dev:+-i} $src_dev \
+ ${dest_ip:+-d} $dest_ip\
+ $ipset \
+ ${src_port:+-m} ${src_port:+multiport} ${src_port:+--sports} $src_port \
+ ${dest_port:+-m} ${dest_port:+multiport} ${dest_port:+--dports} $dest_port \
+ -m mark --mark 0/$MMX_MASK \
+ -m comment --comment "$1" \
+ -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
+ }
- if [ "$family" == "any" ]; then
-
- for IPT in "$IPT4" "$IPT6"; do
- case $proto in
- tcp|udp)
- [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
- $IPT -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m multiport --sports $src_port \
- -m multiport --dports $dest_port \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
- }
- $IPT -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m multiport --sports $src_port \
- -m multiport --dports $dest_port \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j $policy &> /dev/null
- ;;
- *)
- [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
- $IPT -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
- }
- $IPT -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j $policy &> /dev/null
- ;;
- esac
- done
-
- elif [ "$family" == "ipv4" ]; then
-
- case $proto in
- tcp|udp)
- [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
- $IPT4 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m multiport --sports $src_port \
- -m multiport --dports $dest_port \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
- }
- $IPT4 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m multiport --sports $src_port \
- -m multiport --dports $dest_port \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j $policy &> /dev/null
- ;;
- *)
- [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
- $IPT4 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
- }
- $IPT4 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j $policy &> /dev/null
- ;;
- esac
-
- elif [ "$family" == "ipv6" ]; then
-
- case $proto in
- tcp|udp)
- [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
- $IPT6 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m multiport --sports $src_port \
- -m multiport --dports $dest_port \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
- }
- $IPT6 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m multiport --sports $src_port \
- -m multiport --dports $dest_port \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j $policy &> /dev/null
- ;;
- *)
- [ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
- $IPT6 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
- }
- $IPT6 -A mwan3_rules \
- -p $proto \
- -s $src_ip \
- -d $dest_ip $ipset \
- -m mark --mark 0/$MMX_MASK \
- -m comment --comment "$1" \
- -j $policy &> /dev/null
- ;;
- esac
- fi
+ $IPT -A mwan3_rules \
+ -p $proto \
+ ${src_ip:+-s} $src_ip \
+ ${src_dev:+-i} $src_dev \
+ ${dest_ip:+-d} $dest_ip\
+ $ipset \
+ ${src_port:+-m} ${src_port:+multiport} ${src_port:+--sports} $src_port \
+ ${dest_port:+-m} ${dest_port:+multiport} ${dest_port:+--dports} $dest_port \
+ -m mark --mark 0/$MMX_MASK \
+ -j $policy &> /dev/null
+ done
 fi
 }
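Review bot: The policy rule at the end of the hunk (`$IPT -A mwan3_rules ... -m mark --mark 0/$MMX_MASK \` then `-j $policy`) has lost the `-m comment --comment "$1"` that every removed variant carried and that the LOG rule a few lines above still has, so the installed rule is no longer labelled with its config section name and anything that reads `mwan3_rules` by comment (status output, cleanup — not visible here) can no longer attribute it; add back `-m comment --comment "$1" \` between the `-m mark` line and `-j $policy`. Separately, both calls still end in `&> /dev/null`, so with `family any` and, say, an IPv4 `src_ip`, the `$IPT6` pass of the loop fails and the rule is silently absent from the IPv6 table even though the commit message says 'any' now works; at minimum surface it, e.g. `-j $policy &> /dev/null || $LOG warn "rule '$1': failed to add policy rule via $IPT"`. Also `${dest_ip:+-d} $dest_ip\` is missing the space before the continuation backslash — harmless, but easy to misread as an escaped `p`. The enclosing function starts above the hunk.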