#!/bin/sh /etc/rc.common

# rc.common settings
START=90       # init start priority
USE_PROCD=1

# Absolute tool paths (no PATH lookup from an init script).
# IFCONFIG, BRCTL and IPTABLES are defined but not referenced in this file.
EBTABLES=/usr/sbin/ebtables
INSMOD=/usr/sbin/insmod
RMMOD=/usr/sbin/rmmod
IFCONFIG=/sbin/ifconfig
BRCTL=/usr/sbin/brctl
IPTABLES=/usr/sbin/iptables

# Filter parameters
QUIET=""                    # boot() sets this to -q; nothing here passes it on
INT="wlan0+"                # ebtables interface pattern, '+' is the wildcard
ORG_SUBNET1="10.0.0.0/8"    # ARP targets accepted from wireless
ORG_SUBNET2="192.168.0.0/16"
BROADCAST1="10.3.255.255"   # subnet broadcasts dropped towards wireless
BROADCAST2="10.2.255.255"
 
# Required OpenWrt packages: ebtables, kmod-ebtables, kmod-ebtables-ipv4, kmod-ebtables-watchers?

load_modules() {
    # Load the required kernel modules with insmod, which does not resolve
    # dependencies itself: the ebtables core goes first, then the table
    # modules, then the matches/targets.
    # Error messages from insmod are deliberately NOT silenced; a missing
    # module means the rules in start_service will not install.
    local mod
    for mod in \
        ebtables ebtable_broute ebtable_filter ebtable_nat \
        ebt_802_3 ebt_among ebt_limit ebt_mark_m ebt_pkttype \
        ebt_stp ebt_vlan ebt_mark ebt_redirect; do
        $INSMOD "$mod"
    done

    # ebtables IPv4 modules (arp/ip matches, arpreply/dnat/snat targets)
    for mod in ebt_arp ebt_ip ebt_arpreply ebt_dnat ebt_snat; do
        $INSMOD "$mod"
    done
}

unload_modules() {
    # Remove the modules loaded by load_modules: the IPv4 matches/targets
    # first, then the generic matches, then the tables, then the core.
    # rmmod errors are not silenced on purpose.
    local mod

    # ebtables IPv4 modules
    for mod in ebt_arp ebt_ip ebt_arpreply ebt_dnat ebt_snat; do
        $RMMOD "$mod"
    done

    # Base ebtables modules, core last
    for mod in \
        ebt_802_3 ebt_among ebt_limit ebt_mark_m ebt_pkttype \
        ebt_stp ebt_vlan ebt_mark ebt_redirect \
        ebtable_nat ebtable_filter ebtable_broute ebtables; do
        $RMMOD "$mod"
    done
}

# ===================================================
# ORDER IS CRITICAL IN FILTER SETUP, DONT MUCK IT UP!
# ===================================================

restart() {
    # Full teardown and rebuild. stop_service resets every policy to ACCEPT
    # and unloads the modules, so the bridge forwards unfiltered until
    # start_service has installed the rules again.
    printf '%s\n' "restarting..."
    stop_service
    start_service
}

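start_service() {
    # Install the layer-2 filter on the bridge. Rule ORDER IS CRITICAL:
    # ebtables evaluates top to bottom and the first match wins.
    # Only the FORWARD chain gets a DROP policy here; INPUT/OUTPUT policies
    # are not touched by this function.
    echo "starting service..."
    load_modules

    # Set up Policies.
    # The FORWARD DROP policy is the fail-closed backstop for every rule
    # below. If this one command fails (e.g. the ebtables modules did not
    # load), none of the later rules will install either and the bridge
    # keeps forwarding unfiltered, so report it and stop instead of
    # silently carrying on.
    if ! $EBTABLES -t filter -P FORWARD DROP; then
        echo "ebtables: cannot set FORWARD policy to DROP, bridge filter NOT installed" >&2
        return 1
    fi

    # Drop gratuitous ARP (sender IP == target IP) coming in from wireless
    $EBTABLES -t filter -A FORWARD -i "$INT" -p arp --arp-gratuitous -j DROP

    # Accept ARP from wireless only when the target IP is in our organization subnet(s)
    $EBTABLES -t filter -A FORWARD -i "$INT" -p arp --arp-ip-dst "$ORG_SUBNET1" -j ACCEPT
    $EBTABLES -t filter -A FORWARD -i "$INT" -p arp --arp-ip-dst "$ORG_SUBNET2" -j ACCEPT

    # Drop the rest of the inbound ARP
    $EBTABLES -t filter -A FORWARD -i "$INT" -p arp -j DROP

    # Outbound ARP towards wireless: only replies and ARP_NAK are accepted.
    # Any other outbound ARP matches no ACCEPT rule below (the later ACCEPTs
    # are IPv4 and 802_1Q only), so it ends in the broadcast DROP or the
    # FORWARD DROP policy.
    # We may need more than just replies here. Should go to OUTPUT? All ARPs?
    $EBTABLES -t filter -A FORWARD -o "$INT" -p arp --arp-opcode Reply   -j ACCEPT
    $EBTABLES -t filter -A FORWARD -o "$INT" -p arp --arp-opcode ARP_NAK -j ACCEPT
    # Drop the rest?
    # $EBTABLES -t filter -A FORWARD -o "$INT" -p arp -j DROP

    # Drop all ARPs that don't go to static IPs in the 10.x.0.0/24 and 10.x.255.0/24 ranges
    # $EBTABLES -t filter -A FORWARD -i wlan0 -p arp --arp-ip-dst 10.3.0.0/24 -j ACCEPT
    # $EBTABLES -t filter -A FORWARD -i wlan0 -p arp --arp-ip-dst 10.3.255.0/24 -j ACCEPT
    # $EBTABLES -t filter -A FORWARD -i wlan0 -p arp -j DROP

    # Drop all subnet (directed) broadcasts going out to wireless
    $EBTABLES -t filter -A FORWARD -o "$INT" -p ipv4 --ip-destination "$BROADCAST1" -j DROP
    $EBTABLES -t filter -A FORWARD -o "$INT" -p ipv4 --ip-destination "$BROADCAST2" -j DROP

    # DHCP: discover/request from clients is UDP 0.0.0.0:68 -> 255.255.255.255:67,
    # offer/ACK from the server is UDP :67 -> 255.255.255.255:68 (option 53).
    # Interface-specific variants that were tried but not adopted:
    # TEST $EBTABLES -t filter -A FORWARD -i $INT -d broadcast -p IPv4 --ip-prot udp --ip-sport 68 --ip-dport 67 -j ACCEPT
    # TEST $EBTABLES -t filter -A FORWARD -o $INT -d broadcast -p IPv4 --ip-prot udp --ip-sport 67 --ip-dport 68 -j ACCEPT

    # Quick and dirty accept of DHCP packets.
    # NOTE: no -i/-o here, so this accepts UDP to ports 67-68 in both
    # directions on every bridge port, wider than the TEST rules above.
    # It has to sit before the broadcast DROP further down or DHCP
    # broadcasts would never get through.
    $EBTABLES -t filter -A FORWARD -p IPv4 --ip-prot udp --ip-dport 67:68 -j ACCEPT

    # Drop all multicast, period (we assume we don't generate this
    # ourselves). INPUT/OUTPUT cover the bridge host's own multicast too,
    # not just forwarded frames; per-interface "-i/-o $INT -s/-d Multicast"
    # variants were considered and dropped in favour of this.
    $EBTABLES -t filter -A FORWARD --pkttype-type multicast -j DROP
    $EBTABLES -t filter -A INPUT   --pkttype-type multicast -j DROP
    $EBTABLES -t filter -A OUTPUT  --pkttype-type multicast -j DROP

    # Drop the rest of the broadcasts by destination MAC ("broadcast" is the
    # ebtables alias for ff:ff:ff:ff:ff:ff). Earlier attempts with
    # "--pkttype-type broadcast" and "--ip-destination 255.255.255.255"
    # per interface reportedly didn't work.
    $EBTABLES -t filter -A FORWARD -d broadcast -j DROP

    # Accept all remaining IPv4 and 802_1Q; anything else hits the DROP policy
    $EBTABLES -t filter -A FORWARD -p IPv4   -j ACCEPT
    $EBTABLES -t filter -A FORWARD -p 802_1Q -j ACCEPT
}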

stop_service() {
    # Tear down every ebtables table and put each built-in chain back to
    # ACCEPT, then remove the modules. From here on the bridge forwards
    # unfiltered until start_service runs again.
    echo "Clearing all layer 2 filter rules..."
    local table chains chain
    for table in filter nat broute; do
        case "$table" in
            filter) chains="INPUT FORWARD OUTPUT" ;;
            nat)    chains="PREROUTING OUTPUT POSTROUTING" ;;
            broute) chains="BROUTING" ;;
        esac
        # flush rules, delete user-defined chains, reset built-in policies
        $EBTABLES -t "$table" -F
        $EBTABLES -t "$table" -X
        for chain in $chains; do
            $EBTABLES -t "$table" -P "$chain" ACCEPT
        done
    done
    unload_modules
}

reload_service() {
    # No live reload exists: the rule set is only rebuilt by restart
    # (stop_service followed by start_service). This just announces itself.
    printf '%s\n' "reload service..."
}

boot() {
    # Be silent on boot, firewall might be started by hotplug already,
    # so don't complain in syslog.
    # NOTE(review): QUIET is not read by anything in this file, and unlike
    # the rc.common default this override does not call start, so nothing
    # here installs the rules at boot time -- confirm that is intended.
    printf '%s\n' "Booting service..."
    QUIET=-q
}

# (sleep 300; stop_service ) &


