mwan3: Allow user to specify rules based on source interface

Add an option for adding rules based on source interface. The default 0.0.0.0/0 src and destination ip addresses has been removed. It is unclear how the 'any' family of rules would have worked, as it appears each rule always required an ipv4 or ipv6 address src and destination address. With this change, the any family will work again. I also cleaned up a bunch of repeated code around adding the iptables rules for ipv4/ipv6/any in making the change. Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
4 years ago · 5147dfc73a
--- a/net/mwan3/files/lib/mwan3/mwan3.sh
+++ b/net/mwan3/files/lib/mwan3/mwan3.sh
@ -890,13 +890,31 @@ mwan3_set_user_iptables_rule()
 	config_get timeout $1 timeout 600
 	config_get ipset $1 ipset
 	config_get proto $1 proto all
 	config_get src_ip $1 src_ip 0.0.0.0/0
 	config_get src_port $1 src_port 0:65535
 	config_get dest_ip $1 dest_ip 0.0.0.0/0
 	config_get dest_port $1 dest_port 0:65535
 	config_get src_ip $1 src_ip
 	config_get src_iface $1 src_iface
 	network_get_device src_dev $src_iface
 	config_get src_port $1 src_port
 	config_get dest_ip $1 dest_ip
 	config_get dest_port $1 dest_port
 	config_get use_policy $1 use_policy
 	config_get family $1 family any
 	[ -z "$dest_ip" ] && unset dest_ip
 	[ -z "$src_ip" ] && unset src_ip
 	[ -z "$ipset" ] && unset ipset
 	[ -z "$src_port" ]  && unset src_port
 	[ -z "$dest_port" ]  && unset dest_port
 	[ "$proto"  != 'tcp' ]  && [ "$proto" != 'udp' ] && {
 		[ -n "$src_port" ] && {
 			$LOG warn "src_port set to '$src_port' but proto set to '$proto' not tcp or udp. src_port will be ignored"
 		}
 		[ -n "$dest_port" ] && {
 			$LOG warn "dest_port set to '$dest_port' but proto set to '$proto' not tcp or udp. dest_port will be ignored"
 		}
 		unset src_port
 		unset dest_port
 	}
 	config_get rule_logging $1 logging 0
 	config_get global_logging globals logging 0
 	config_get loglevel globals loglevel notice
@ -969,144 +987,34 @@ mwan3_set_user_iptables_rule()
 			fi
 		fi
 		for IPT in "$IPT4" "$IPT6"; do
 			[ "$family" == "ipv4" ] && [ "$IPT" == "$IPT6" ] && continue
 			[ "$family" == "ipv6" ] && [ "$IPT" == "$IPT4" ] && continue
 			[ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
 				$IPT -A mwan3_rules \
 				     -p $proto \
 				     ${src_ip:+-s} $src_ip \
 				     ${src_dev:+-i} $src_dev \
 				     ${dest_ip:+-d} $dest_ip\
 				     $ipset \
 				     ${src_port:+-m} ${src_port:+multiport} ${src_port:+--sports} $src_port \
 				     ${dest_port:+-m} ${dest_port:+multiport} ${dest_port:+--dports} $dest_port \
 				     -m mark --mark 0/$MMX_MASK \
 				     -m comment --comment "$1" \
 				     -j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
 			}
 		if [ "$family" == "any" ]; then
 			for IPT in "$IPT4" "$IPT6"; do
 				case $proto in
 					tcp|udp)
 					[ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
 						$IPT -A mwan3_rules \
 							-p $proto \
 							-s $src_ip \
 							-d $dest_ip $ipset \
 							-m multiport --sports $src_port \
 							-m multiport --dports $dest_port \
 							-m mark --mark 0/$MMX_MASK \
 							-m comment --comment "$1" \
 							-j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
 					}
 					$IPT -A mwan3_rules \
 						-p $proto \
 						-s $src_ip \
 						-d $dest_ip $ipset \
 						-m multiport --sports $src_port \
 						-m multiport --dports $dest_port \
 						-m mark --mark 0/$MMX_MASK \
 						-m comment --comment "$1" \
 						-j $policy &> /dev/null
 					;;
 					*)
 					[ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
 						$IPT -A mwan3_rules \
 							-p $proto \
 							-s $src_ip \
 							-d $dest_ip $ipset \
 							-m mark --mark 0/$MMX_MASK \
 							-m comment --comment "$1" \
 							-j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
 					}
 					$IPT -A mwan3_rules \
 						-p $proto \
 						-s $src_ip \
 						-d $dest_ip $ipset \
 						-m mark --mark 0/$MMX_MASK \
 						-m comment --comment "$1" \
 						-j $policy &> /dev/null
 					;;
 				esac
 			done
 		elif [ "$family" == "ipv4" ]; then
 			case $proto in
 				tcp|udp)
 				[ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
 					$IPT4 -A mwan3_rules \
 						-p $proto \
 						-s $src_ip \
 						-d $dest_ip $ipset \
 						-m multiport --sports $src_port \
 						-m multiport --dports $dest_port \
 						-m mark --mark 0/$MMX_MASK \
 						-m comment --comment "$1" \
 						-j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
 				}
 				$IPT4 -A mwan3_rules \
 					-p $proto \
 					-s $src_ip \
 					-d $dest_ip $ipset \
 					-m multiport --sports $src_port \
 					-m multiport --dports $dest_port \
 					-m mark --mark 0/$MMX_MASK \
 					-m comment --comment "$1" \
 					-j $policy &> /dev/null
 				;;
 				*)
 				[ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
 					$IPT4 -A mwan3_rules \
 						-p $proto \
 						-s $src_ip \
 						-d $dest_ip $ipset \
 						-m mark --mark 0/$MMX_MASK \
 						-m comment --comment "$1" \
 						-j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
 				}
 				$IPT4 -A mwan3_rules \
 					-p $proto \
 					-s $src_ip \
 					-d $dest_ip $ipset \
 					-m mark --mark 0/$MMX_MASK \
 					-m comment --comment "$1" \
 					-j $policy &> /dev/null
 				;;
 			esac
 		elif [ "$family" == "ipv6" ]; then
 			case $proto in
 				tcp|udp)
 				[ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
 					$IPT6 -A mwan3_rules \
 						-p $proto \
 						-s $src_ip \
 						-d $dest_ip $ipset \
 						-m multiport --sports $src_port \
 						-m multiport --dports $dest_port \
 						-m mark --mark 0/$MMX_MASK \
 						-m comment --comment "$1" \
 						-j LOG --log-level "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
 				}
 				$IPT6 -A mwan3_rules \
 					-p $proto \
 					-s $src_ip \
 					-d $dest_ip $ipset \
 					-m multiport --sports $src_port \
 					-m multiport --dports $dest_port \
 					-m mark --mark 0/$MMX_MASK \
 					-m comment --comment "$1" \
 					-j $policy &> /dev/null
 				;;
 				*)
 				[ "$global_logging" = "1" ] && [ "$rule_logging" = "1" ] && {
 					$IPT6 -A mwan3_rules \
 						-p $proto \
 						-s $src_ip \
 						-d $dest_ip $ipset \
 						-m mark --mark 0/$MMX_MASK \
 						-m comment --comment "$1" \
 						-j LOG --log-level  "$loglevel" --log-prefix "MWAN3($1)" &> /dev/null
 				}
 				$IPT6 -A mwan3_rules \
 					-p $proto \
 					-s $src_ip \
 					-d $dest_ip $ipset \
 					-m mark --mark 0/$MMX_MASK \
 					-m comment --comment "$1" \
 					-j $policy &> /dev/null
 				;;
 			esac
 		fi
 			$IPT -A mwan3_rules \
 			     -p $proto \
 			     ${src_ip:+-s} $src_ip \
 			     ${src_dev:+-i} $src_dev \
 			     ${dest_ip:+-d} $dest_ip\
 			     $ipset \
 			     ${src_port:+-m} ${src_port:+multiport} ${src_port:+--sports} $src_port \
 			     ${dest_port:+-m} ${dest_port:+multiport} ${dest_port:+--dports} $dest_port \
 			     -m mark --mark 0/$MMX_MASK \
 			     -j $policy &> /dev/null
 		done
 	fi
 }