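#!/bin/sh
# ocserv connect/disconnect hook: maintain a per-client nftables forward chain.
#
# ocserv runs this script with the session described in the environment:
#   REASON         "connect" or "disconnect"; any other value is a no-op
#   DEVICE         tun interface of the session
#   ID             session id, used to name the per-client chain
#   IP_REMOTE      client VPN address, optionally with a "/prefix" suffix
#   OCSERV_ROUTES  space-separated routes pushed to the client, in
#                  address/netmask form (only read on connect)
#
# On connect, packets entering on the client's tun device, from the client's
# own address, destined to one of its routes get mark 0x100, via a dedicated
# chain "client-<ID>" in table "inet ocserv" (the table is not created here;
# presumably it is set up elsewhere). On disconnect the chain is deleted.
#
# Exit status: 1/2/3 when DEVICE/ID/IP_REMOTE is missing, 4 when no routes
# could be derived from OCSERV_ROUTES, otherwise the status of the first
# failing nft call (0 on success).

# Trace every command to stderr so the nft commands actually applied are
# visible in the log.
set -x

[ -n "$DEVICE" ] || exit 1
[ -n "$ID" ] || exit 2
[ -n "$IP_REMOTE" ] || exit 3

chain="inet ocserv client-${ID}"
# Strip any "/prefix" so the saddr match covers exactly the client's address.
remote_ip="${IP_REMOTE%/*}"

case "${REASON}" in
connect)
    # "add chain" (unlike "create chain") succeeds if the chain already exists.
    # A bare "exit" propagates the status of the failed nft call.
    nft "add chain ${chain} { type filter hook forward priority filter; policy accept; }" || exit
    # Drop stale rules left by an earlier session that reused this ID.
    nft "flush chain ${chain}" || exit
    if [ -n "$OCSERV_ROUTES" ] ; then
        # netmask(1) converts "addr/255.0.0.0" to "addr/8". OCSERV_ROUTES is
        # deliberately unquoted so each space-separated route becomes its own
        # argument; paste joins the output lines with commas and tr removes
        # the padding netmask prints.
        # shellcheck disable=SC2086
        routes="$(netmask $OCSERV_ROUTES | paste -s -d ',' | tr -d '[:space:]')"
        # An empty set "{ }" would make nft fail with an opaque parse error
        # (e.g. netmask missing); fail explicitly with a distinct code.
        [ -n "$routes" ] || exit 4
        # Matching the client's own source address keeps the mark bound to
        # this session: packets with other sources are not marked here.
        nft "add rule ${chain} iif ${DEVICE} ip saddr ${remote_ip} ip daddr { ${routes} } mark set 0x100" || exit
    fi
    ;;
disconnect)
    nft "delete chain ${chain}" || exit
    ;;
*)
    # Other REASON values need no firewall change.
    ;;
esac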