-rw-r--r--inventory/group_vars/elevate-festival/main.yml4
-rw-r--r--inventory/host_vars/ele-router.yml54
-rw-r--r--roles/openwrt/image/tasks/prepare.yml16
3 files changed, 46 insertions, 28 deletions
diff --git a/inventory/group_vars/elevate-festival/main.yml b/inventory/group_vars/elevate-festival/main.yml
index 2d2b3d70..649335f7 100644
--- a/inventory/group_vars/elevate-festival/main.yml
+++ b/inventory/group_vars/elevate-festival/main.yml
@@ -36,6 +36,10 @@ network_zones:
mixer:
vlan: 48
prefix: 192.168.48.0/24
+ offsets:
+ kuschelbaer: 48
+ atem: 208
+ x32: 216
infoscreens:
vlan: 73
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index da10e73c..2d5cb1b3 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -148,43 +148,45 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
- ## TODO: this script needs to be activated ... probably using a symlink file?
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K91network-fw:
+ link: "../init.d/network-fw"
+
/etc/init.d/network-fw:
mode: "0755"
content: |
#!/bin/sh /etc/rc.common
START=22
- STOP=90
+ STOP=91
- source /lib/functions/network.sh
-
- network_get_device WAN_IF "wan"
- network_get_device MGMT_IF "mgmt"
+ WAN_IF=$(uci get network.wan.ifname)
+ MGMT_IF=$(uci get network.mgmt.ifname)
+ MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
+ MGMT_NETMASK=$(uci get network.mgmt.netmask)
start() {
+ iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -i $MGMT_IF -j ACCEPT
- iptables -A INPUT -i $WAN_IF -p icmp -j ACCEPT
- iptables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A INPUT -i $WAN_IF -p tcp --dport 22000 -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22000 -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -i lo -j ACCEPT
for zone in "{{ network_internal_zone_names | join('" "') }}"; do
- network_get_device interface "$zone"
- network_get_subnets subnets "$zone"
+ interface=$(uci get "network.$zone.ifname")
+ ipaddr=$(uci get "network.$zone.ipaddr")
+ netmask=$(uci get "network.$zone.netmask")
### todo: only do this if dhcp is defined in network_zone
- iptables -A INPUT -i $interface -p udp --dport 67 --sport 68 -j ACCEPT
- iptables -A INPUT -i $interface -p udp --dport 53 -j ACCEPT
- iptables -A INPUT -i $interface -p tcp --dport 53 -j ACCEPT
-
- iptables -A FORWARD -i $WAN_IF -o $interface -p icmp -j ACCEPT
- iptables -A FORWARD -i $WAN_IF -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT
- for subnet in $subnets; do
- iptables -A FORWARD -i $interface -o $WAN_IF -s $subnet -j ACCEPT
- iptables -t nat -A POSTROUTING -o $WAN_IF -s $subnet -j MASQUERADE
- done
+ iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$interface" -p udp --dport 53 -j ACCEPT
+ iptables -A INPUT -i "$interface" -p tcp --dport 53 -j ACCEPT
+
+ iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
done
iptables -P INPUT DROP
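Review bot: Swapping `network_get_device` for `uci get network.<zone>.ifname` (the WAN/MGMT assignments and the per-zone `interface=` line) changes what the variables hold: for an OpenWrt interface configured as `type bridge`, `ifname` lists the member ports (possibly several, space separated) whereas the L3 device the old helper returned is `br-<zone>`, so `-i "$interface"` would name the wrong device or fail outright on a multi-word value — whether these zones are bridges is not visible in the hunk, so confirm against the network config before relying on it. Independently, a failing `uci get` (option absent, or a build that uses `device` rather than `ifname`) leaves the variable empty and the affected rule is silently skipped while `-P INPUT DROP` still applies; at the top of the script that should abort instead, e.g. `WAN_IF=$(uci -q get network.wan.ifname) || { echo "network-fw: network.wan.ifname not set" >&2; exit 1; }` and likewise for the other three. If the zones are bridges, keep the `network.sh` helpers for the device name and use uci only for the address and netmask. `start()` continues past the end of the hunk.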
@@ -193,10 +195,10 @@ openwrt_mixin:
stop() {
iptables -P INPUT ACCEPT
- iptables INPUT -F
+ iptables -F INPUT
iptables -P FORWARD ACCEPT
- iptables FORWARD -F
- iptables -t nat POSTROUTING -F
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
}
diff --git a/roles/openwrt/image/tasks/prepare.yml b/roles/openwrt/image/tasks/prepare.yml
index 887143d9..a3ab7112 100644
--- a/roles/openwrt/image/tasks/prepare.yml
+++ b/roles/openwrt/image/tasks/prepare.yml
@@ -20,7 +20,19 @@
- "{{ openwrt_mixin | map('dirname') | map('regex_replace', '^', openwrt_imgbuilder_files) | unique | list }}"
-- name: Copy mixins in place [1/2]
+- name: Copy mixins in place [1/3]
+ file:
+ dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
+ src: "{{ item.value.link }}"
+ force: yes
+ follow: no
+ state: link
+ with_dict: "{{ openwrt_mixin }}"
+ when: '"link" in item.value'
+ loop_control:
+ label: "{{ item.key }}"
+
+- name: Copy mixins in place [2/3]
copy:
src: "{{ item.value.file }}"
dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"
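Review bot: The new link task is named `Copy mixins in place [1/3]` although it creates a symlink rather than copying; `Link mixins in place [1/3]` would read correctly when a run fails on it. `force: yes` and `follow: no` use YAML 1.1 truthy spellings that yamllint flags and that the rest of the hunk does not use — write `force: true` and `follow: false`. `force` appears to be required here because the link is created before the `[3/3]` task writes its target (`../init.d/network-fw`), so a one-line comment above the task stating that the target is created by a later task would save the next reader from removing it.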
@@ -30,7 +42,7 @@
loop_control:
label: "{{ item.key }}"
-- name: Copy mixins in place [2/2]
+- name: Copy mixins in place [3/3]
copy:
content: "{{ item.value.content }}"
dest: "{{ openwrt_imgbuilder_files }}/{{ item.key }}"