From 5d38f7d6fb83e9a02acfb8cfa62c5faeb50b3797 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Mon, 20 Jul 2020 15:12:51 +0200 Subject: [PATCH] firewall-redirect-192-168-1-1: create This package is intended to be used to have one exact address that the router always answers on. This makes it less confusing for unfamiliar users. This prevents a few issues. One example is when a user or some automatic operation changes the router's lan IP range; then the documented IP 192.168.1.1 is no longer functional. The worst case scenario is that some upstream router or service is going to answer on this address. That can potentially confuse less experienced users, so this prevents it. --- net/firewall-redirect-192-168-1-1/Makefile | 39 +++++++++++++++++++ .../files/firewall-redirect.sh | 21 ++++++++++ .../files/uci-defaults | 15 +++++++ 3 files changed, 75 insertions(+) create mode 100644 net/firewall-redirect-192-168-1-1/Makefile create mode 100755 net/firewall-redirect-192-168-1-1/files/firewall-redirect.sh create mode 100755 net/firewall-redirect-192-168-1-1/files/uci-defaults diff --git a/net/firewall-redirect-192-168-1-1/Makefile b/net/firewall-redirect-192-168-1-1/Makefile new file mode 100644 index 000000000..6769f1836 --- /dev/null +++ b/net/firewall-redirect-192-168-1-1/Makefile 
@@ -0,0 +1,39 @@
+#
+## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/)
+#
+## This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+# #
+#
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewall-redirect-192_168_1_1
+PKG_VERSION:=0.1.0
+PKG_RELEASE:=1
+
+PKG_MAINTAINER:=CZ.NIC
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/firewall-redirect-192-168-1-1
+ SECTION:=net
+ CATEGORY:=Base system
+ TITLE:=Firewall redirect 192.168.1.1 onto router
+ DEPENDS:=+firewall
+endef
+
+define Package/firewall-redirect-192-168-1-1/description
+ Additional firewall rule that redirects all traffic from zone 'lan' targeting IP
+ address 192.168.1.1 to local address.
+endef
+
+Build/Compile:=:
+
+define Package/firewall-redirect-192-168-1-1/install
+ $(INSTALL_DIR) $(1)/usr/libexec/
+ $(INSTALL_BIN) ./files/firewall-redirect.sh $(1)/usr/libexec/firewall-redirect-192-168-1-1.sh
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/95-firewall-redirect-192-168-1-1
+endef
+
+$(eval $(call BuildPackage,firewall-redirect-192-168-1-1))
diff --git a/net/firewall-redirect-192-168-1-1/files/firewall-redirect.sh b/net/firewall-redirect-192-168-1-1/files/firewall-redirect.sh
new file mode 100755
index 000000000..7e00daf09
--- /dev/null
+++ b/net/firewall-redirect-192-168-1-1/files/firewall-redirect.sh
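Review bot: `PKG_NAME:=firewall-redirect-192_168_1_1` uses underscores while every `define Package/...` block and the final `BuildPackage` call use the hyphenated `firewall-redirect-192-168-1-1`; the two spellings will presumably give the source/build directory a different name from the package itself, which looks unintended rather than deliberate — pick one, e.g. `PKG_NAME:=firewall-redirect-192-168-1-1`. The header comment declares GPL v2 but nothing carries that into the package metadata; add `PKG_LICENSE:=GPL-2.0` next to `PKG_MAINTAINER` so the license is recorded in the package index. The comment header also shows doubled `##` markers and a stray `# #` line, which may be a rendering artifact but is worth checking against the usual OpenWrt header template before merging.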
@@ -0,0 +1,21 @@
+#!/bin/sh
+comment="!redirect: 192.168.1.1"
+chain="zone_lan_prerouting"
+
+# Remove any existing rule
+# (firewall3 removes only fules in chains it knows so we have to do this to potentially clean after ourself)
+iptables -t nat -S \
+ | grep -F " --comment \"$comment\" "
+ | while read -r operation rule; do
+ # Operation -A is dropped (variable 'operation' is intentionally left out)
+ echo "$rule" | xargs -x iptables -t nat -D
+ # Note: xargs is used here because it handles quotes properly over just plain expansion
+ done
+
+# Add appropriate redirect rule
+if iptables -t nat -S "$chain" >/dev/null 2>&1; then
+ iptables -t nat -I "$chain" -m comment --comment "$comment" -d 192.168.1.1 -j REDIRECT
+ echo " * Redirecting 192.168.1.1 on lan interface to router"
+else
+ echo "Warning: There is no zone 'zone_lan_prerouting' (zone 'lan' probably does not exist)"
+fi
diff --git a/net/firewall-redirect-192-168-1-1/files/uci-defaults b/net/firewall-redirect-192-168-1-1/files/uci-defaults
new file mode 100755
index 000000000..9d51465fb
--- /dev/null
+++ b/net/firewall-redirect-192-168-1-1/files/uci-defaults
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+uci -q batch <
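Review bot: The cleanup pipeline at the top looks syntactically broken as shown: the `grep -F` line has no trailing `\`, so the next line `| while read -r operation rule; do` begins a new statement with a leading `|`, which sh rejects — unless the continuation was lost in rendering, the grep line needs to end with `\`. The fallback message hard-codes the chain name; `echo "Warning: There is no chain '$chain' (zone 'lan' probably does not exist)"` keeps it in sync with the variable defined three lines above. Since the rule is inserted into a firewall3-managed chain, it will disappear on any firewall reload unless this script is registered as a firewall include; the uci-defaults hunk that presumably does this is cut off in this view, so I cannot confirm it. The two header comments also have typos, `fules` → `rules` and `ourself` → `ourselves`.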