4 files changed, 14 insertions, 0 deletions

diff --git a/usr/libexec/commission/commission b/usr/libexec/commission/commission
index b2120ea..8691984 100755
--- a/usr/libexec/commission/commission
+++ b/usr/libexec/commission/commission
@@ -19,6 +19,8 @@ fi
 PASSWORDS=$(passwd -Sa | egrep '^[^[:space:]]+[[:space:]]P[[:space:]]' | wc -l)
 
 if (($PASSWORDS == 0)) ; then
+    # Block wwan0 from commissioning
+    /usr/libexec/commission/nfon.sh
     # No password, so indicate commissioning mode
     # php-fpm-commision will be turned on as well
     rm -f "/run/mt-commission"
diff --git a/usr/libexec/commission/nfoff.sh b/usr/libexec/commission/nfoff.sh
new file mode 100755
index 0000000..54e7cd3
--- /dev/null
+++ b/usr/libexec/commission/nfoff.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+for handle in $(nft -a list table inet filter | grep iifname | sed -E 's/.*#[[:space:]]*handle[[:space:]]*//') ; do
+    echo "Enable wwan0: nft delete rule inet filter input handle ${handle}"
+    nft delete rule inet filter input handle ${handle}
+done
diff --git a/usr/libexec/commission/nfon.sh b/usr/libexec/commission/nfon.sh
new file mode 100755
index 0000000..92d3cb2
--- /dev/null
+++ b/usr/libexec/commission/nfon.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+nft add table inet filter
+nft add chain inet filter input { type filter hook input priority 0 \; }
+nft add rule inet filter input iifname "wwan0" drop
+echo 'Blocking wwan0 in commissioning mode'
+nft -a list table inet filter
diff --git a/usr/libexec/commission/off.sh b/usr/libexec/commission/off.sh
index ae86c55..b726744 100755
--- a/usr/libexec/commission/off.sh
+++ b/usr/libexec/commission/off.sh
@@ -11,3 +11,4 @@ else
     /etc/init.d/commission stop 2>&1 | logger -p local0.crit
     /etc/init.d/commission-php-fpm stop 2>&1 | logger -p local0.crit
 fi
+/usr/libexec/commission/nfoff.sh