Drop legacy firewall package

SVN-Revision: 36837
This commit is contained in:
Jo-Philipp Wich 2013-06-04 12:21:44 +00:00
parent a0e412a616
commit 0dd6753c09
17 changed files with 0 additions and 1961 deletions

View file

@ -1,58 +0,0 @@
#
# Copyright (C) 2008-2013 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
PKG_VERSION:=2
PKG_RELEASE:=60
include $(INCLUDE_DIR)/package.mk
define Package/firewall
SECTION:=net
CATEGORY:=Base system
URL:=http://openwrt.org/
TITLE:=OpenWrt firewall
MAINTAINER:=Jo-Philipp Wich <xm@subsignal.org>
DEPENDS:=+iptables +kmod-ipt-conntrack +kmod-ipt-nat
PKGARCH:=all
endef
define Package/firewall/description
UCI based firewall for OpenWrt
endef
define Build/Compile
true
endef
define Package/firewall/conffiles
/etc/config/firewall
/etc/firewall.user
endef
define Package/firewall/install
$(INSTALL_DIR) $(1)/lib/firewall
$(INSTALL_DATA) ./files/lib/*.sh $(1)/lib/firewall
$(INSTALL_DIR) $(1)/sbin
$(INSTALL_BIN) ./files/bin/fw $(1)/sbin
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
$(INSTALL_DIR) $(1)/etc/init.d/
$(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
$(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/reflection.hotplug $(1)/etc/hotplug.d/firewall/10-nat-reflection
$(INSTALL_DIR) $(1)/etc
$(INSTALL_DATA) ./files/firewall.user $(1)/etc
$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
$(INSTALL_DATA) ./files/firewall.upgrade $(1)/lib/upgrade/keep.d/firewall
endef
$(eval $(call BuildPackage,firewall))

View file

@ -1,49 +0,0 @@
#!/bin/sh
FW_LIBDIR=/lib/firewall
. /lib/functions.sh
. ${FW_LIBDIR}/fw.sh
case "$(type fw)" in
*function) ;;
*) exit 255;;
esac
usage() {
echo $0 "<command>" "<family>" "<table>" "<chain>" "<target>" "{" "<rules>" "}"
exit 0
}
cmd=$1
shift
case "$cmd" in
--help|help) usage ;;
start|stop|reload|restart)
. ${FW_LIBDIR}/core.sh
fw_$cmd
exit $?
;;
esac
fam=$1
shift
case "$fam" in
ip)
fam=i
if [ $# -gt 2 ]; then
for p in $(seq 2 $(($# - 1))); do
if eval "[ \$$p == '}' ]"; then
fam=I
break
fi
done
fi ;;
ip4) fam=4 ;;
ip6) fam=6 ;;
arp) fam=a ;;
eth) fam=e ;;
-*) exec $0 $cmd ${fam##*-} "$@" ;;
esac
fw "$cmd" "$fam" "$@"
exit $?

View file

@ -1,176 +0,0 @@
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
option network 'lan'
option input ACCEPT
option output ACCEPT
option forward REJECT
config zone
option name wan
option network 'wan'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
# allow IPsec/ESP and ISAKMP passthrough
#config rule
# option src wan
# option dest lan
# option protocol esp
# option target ACCEPT
#config rule
# option src wan
# option dest lan
# option src_port 500
# option dest_port 500
# option proto udp
# option target ACCEPT
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp

View file

@ -1,22 +0,0 @@
#!/bin/sh
# This script is executed as part of the hotplug event with
# HOTPLUG_TYPE=iface, triggered by various scripts when an interface
# is configured (ACTION=ifup) or deconfigured (ACTION=ifdown). The
# interface is available as INTERFACE, the real device as DEVICE.
[ "$DEVICE" == "lo" ] && exit 0
. /lib/functions.sh
. /lib/firewall/core.sh
fw_init
fw_is_loaded || exit 0
case "$ACTION" in
ifup)
fw_configure_interface "$INTERFACE" add "$DEVICE" &
;;
ifdown)
fw_configure_interface "$INTERFACE" del "$DEVICE"
;;
esac

View file

@ -1,27 +0,0 @@
#!/bin/sh /etc/rc.common
# Copyright (C) 2008-2010 OpenWrt.org
START=45
FW_LIBDIR=/lib/firewall
fw() {
. $FW_LIBDIR/core.sh
fw_$1
}
start() {
fw start
}
stop() {
fw stop
}
restart() {
fw restart
}
reload() {
fw reload
}

View file

@ -1 +0,0 @@
/etc/firewall.user

View file

@ -1,4 +0,0 @@
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

View file

@ -1,101 +0,0 @@
# Copyright (C) 2009-2010 OpenWrt.org
# Copyright (C) 2009 Malte S. Stretz <http://msquadrat.de>
#
# This is a temporary file, I hope to have some of this stuff merged into
# /lib/functions.sh (without the fw_ prefix of course) one day.
fw_config_append() { # <package>
CONFIG_APPEND=1 config_load "$@"
unset CONFIG_APPEND
}
fw_config_once() { # <function> <type>
local func=$1
local type=$2
shift 2
local config=cfg00nil
fw_config__once() {
config=$1
}
config_foreach fw_config__once "$type"
$func $config "$@"
}
fw_config_get_section() { # <config> <prefix> <type> <name> <default> ...
local config=$1
local prefix=$2
shift 2
[ -n "$config" ] || return 1
[ -n "$prefix" ] && {
prefix="${prefix}_"
export ${NO_EXPORT:+-n} -- "${prefix}NAME"="${config}"
config_get "${prefix}TYPE" "$config" TYPE
}
local enabled
config_get_bool enabled "$config" enabled 1
[ $enabled -eq 1 ] || return 1
[ "$1" == '{' ] && shift
while [ $# -ge 3 ]; do
local type=$1
local name=$2
local dflt=$3
shift 3
# TODO: Move handling of defaults to /lib/functions.sh
# and get replace the case block with the following
# two lines:
# type=${type#string}
# config_get${type:+_${type}} "${prefix}${name}" "$config" "$name" "$dflt" || return
case "$type" in
string)
local tmp
config_get tmp "$config" "$name" || return
[ -z "$tmp" ] && tmp=$dflt
export ${NO_EXPORT:+-n} -- "${prefix}${name}=${tmp}"
continue
;;
boolean)
type=bool
;;
esac;
local cmd=${prefix}config_get_${type}
type $cmd > /dev/null || {
cmd=config_get_${type}
}
type $cmd > /dev/null || {
echo "config type $type (for $name) not supported" >&2
return 1
}
$cmd "${prefix}${name}" "$config" "$name" "$dflt" || return
done
}
config_get_ipaddr() {
local varn=$1
local conf=$2
local name=$3
local dflt=$4
local addr
config_get addr "$conf" "$name" || return
[ -n "$addr" ] || addr=$dflt
local mask=${addr#*/}
[ "$mask" != "$addr" ] || mask=
addr=${addr%/*}
local vers=
case "$addr" in
*:*) vers=6; mask="${mask:-128}" ;;
*.*) vers=4; mask="${mask:-32}" ;;
esac
export ${NO_EXPORT:+-n} -- "${varn}=${addr}"
export ${NO_EXPORT:+-n} -- "${varn}_prefixlen=${mask}"
export ${NO_EXPORT:+-n} -- "${varn}_version=${vers}"
}

View file

@ -1,159 +0,0 @@
# Copyright (C) 2009-2010 OpenWrt.org
FW_LIBDIR=${FW_LIBDIR:-/lib/firewall}
. $FW_LIBDIR/fw.sh
include /lib/network
fw_start() {
fw_init
FW_DEFAULTS_APPLIED=
fw_is_loaded && {
echo "firewall already loaded" >&2
exit 1
}
uci_set_state firewall core "" firewall_state
fw_clear DROP
fw_callback pre core
echo "Loading defaults"
fw_config_once fw_load_defaults defaults
echo "Loading zones"
config_foreach fw_load_zone zone
echo "Loading forwardings"
config_foreach fw_load_forwarding forwarding
echo "Loading rules"
config_foreach fw_load_rule rule
echo "Loading redirects"
config_foreach fw_load_redirect redirect
echo "Loading includes"
config_foreach fw_load_include include
[ -z "$FW_NOTRACK_DISABLED" ] && {
echo "Optimizing conntrack"
config_foreach fw_load_notrack_zone zone
}
echo "Loading interfaces"
config_foreach fw_configure_interface interface add
fw_callback post core
uci_set_state firewall core zones "$FW_ZONES"
uci_set_state firewall core loaded 1
}
fw_stop() {
fw_init
fw_callback pre stop
local z n i
config_get z core zones
for z in $z; do
config_get n core "${z}_networks"
for n in $n; do
config_get i core "${n}_ifname"
[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
done
config_get i core "${z}_tcpmss"
[ "$i" == 1 ] && {
fw del i m FORWARD zone_${z}_MSSFIX
fw del i m zone_${z}_MSSFIX
}
done
fw_clear ACCEPT
fw_callback post stop
uci_revert_state firewall
config_clear
local h
for h in $FW_HOOKS; do unset $h; done
unset FW_HOOKS
unset FW_INITIALIZED
}
fw_restart() {
fw_stop
fw_start
}
fw_reload() {
fw_restart
}
fw_is_loaded() {
local bool=$(uci_get_state firewall.core.loaded)
return $((! ${bool:-0}))
}
fw_die() {
echo "Error:" "$@" >&2
fw_log error "$@"
fw_stop
exit 1
}
fw_log() {
local level="$1"
[ -n "$2" ] && shift || level=notice
[ "$level" != error ] || echo "Error: $@" >&2
logger -t firewall -p user.$level "$@"
}
fw_init() {
[ -z "$FW_INITIALIZED" ] || return 0
. $FW_LIBDIR/config.sh
scan_interfaces
fw_config_append firewall
local hooks="core stop defaults zone notrack synflood"
local file lib hk pp
for file in $FW_LIBDIR/core_*.sh; do
. $file
hk=$(basename $file .sh)
hk=${hk#core_}
append hooks $hk
done
for file in $FW_LIBDIR/*.sh; do
lib=$(basename $file .sh)
lib=${lib##[0-9][0-9]_}
case $lib in
core*|fw|config|uci_firewall) continue ;;
esac
. $file
for hk in $hooks; do
for pp in pre post; do
type ${lib}_${pp}_${hk}_cb >/dev/null && {
append FW_CB_${pp}_${hk} ${lib}
append FW_HOOKS FW_CB_${pp}_${hk}
}
done
done
done
fw_callback post init
FW_INITIALIZED=1
return 0
}

View file

@ -1,44 +0,0 @@
# Copyright (C) 2009-2010 OpenWrt.org
fw_config_get_forwarding() {
[ "${forwarding_NAME}" != "$1" ] || return
fw_config_get_section "$1" forwarding { \
string _name "$1" \
string name "" \
string src "" \
string dest "" \
string family "" \
} || return
[ -n "$forwarding_name" ] || forwarding_name=$forwarding__name
}
fw_load_forwarding() {
fw_config_get_forwarding "$1"
fw_callback pre forwarding
local chain=delegate_forward
[ -n "$forwarding_src" ] && {
chain=zone_${forwarding_src}_forward
}
local target=ACCEPT
[ -n "$forwarding_dest" ] && {
target=zone_${forwarding_dest}_dest_ACCEPT
}
local mode
fw_get_family_mode mode ${forwarding_family:-x} ${forwarding_dest:-${forwarding_src:--}} i
fw add $mode f $chain $target ^
# propagate masq zone flag
[ -n "$forwarding_src" ] && list_contains FW_CONNTRACK_ZONES $forwarding_src && {
append FW_CONNTRACK_ZONES $forwarding_dest
}
[ -n "$forwarding_dest" ] && list_contains FW_CONNTRACK_ZONES $forwarding_dest && {
append FW_CONNTRACK_ZONES $forwarding_src
}
fw_callback post forwarding
}

View file

@ -1,361 +0,0 @@
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2008 John Crispin <blogic@openwrt.org>
FW_INITIALIZED=
FW_ZONES=
FW_ZONES4=
FW_ZONES6=
FW_CONNTRACK_ZONES=
FW_NOTRACK_DISABLED=
FW_DEFAULTS_APPLIED=
FW_ADD_CUSTOM_CHAINS=
FW_ACCEPT_REDIRECTS=
FW_ACCEPT_SRC_ROUTE=
FW_DEFAULT_INPUT_POLICY=REJECT
FW_DEFAULT_OUTPUT_POLICY=REJECT
FW_DEFAULT_FORWARD_POLICY=REJECT
FW_DISABLE_IPV4=0
FW_DISABLE_IPV6=0
fw_load_defaults() {
fw_config_get_section "$1" defaults { \
string input $FW_DEFAULT_INPUT_POLICY \
string output $FW_DEFAULT_OUTPUT_POLICY \
string forward $FW_DEFAULT_FORWARD_POLICY \
boolean drop_invalid 0 \
boolean syn_flood 0 \
boolean synflood_protect 0 \
string synflood_rate 25 \
string synflood_burst 50 \
boolean tcp_syncookies 1 \
boolean tcp_ecn 0 \
boolean tcp_westwood 0 \
boolean tcp_window_scaling 1 \
boolean accept_redirects 0 \
boolean accept_source_route 0 \
boolean custom_chains 1 \
boolean disable_ipv6 0 \
} || return
[ -n "$FW_DEFAULTS_APPLIED" ] && {
fw_log error "duplicate defaults section detected, skipping"
return 1
}
FW_DEFAULTS_APPLIED=1
FW_DEFAULT_INPUT_POLICY=$defaults_input
FW_DEFAULT_OUTPUT_POLICY=$defaults_output
FW_DEFAULT_FORWARD_POLICY=$defaults_forward
FW_ADD_CUSTOM_CHAINS=$defaults_custom_chains
FW_ACCEPT_REDIRECTS=$defaults_accept_redirects
FW_ACCEPT_SRC_ROUTE=$defaults_accept_source_route
FW_DISABLE_IPV6=$defaults_disable_ipv6
fw_callback pre defaults
# Seems like there are only one sysctl for both IP versions.
for s in syncookies ecn westwood window_scaling; do
eval "sysctl -e -w net.ipv4.tcp_${s}=\$defaults_tcp_${s}" >/dev/null
done
fw_sysctl_interface all
fw add i f INPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
fw add i f OUTPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
fw add i f FORWARD ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
[ $defaults_drop_invalid == 1 ] && {
fw add i f INPUT DROP { -m conntrack --ctstate INVALID }
fw add i f OUTPUT DROP { -m conntrack --ctstate INVALID }
fw add i f FORWARD DROP { -m conntrack --ctstate INVALID }
FW_NOTRACK_DISABLED=1
}
fw add i f INPUT ACCEPT { -i lo }
fw add i f OUTPUT ACCEPT { -o lo }
# Compatibility to old 'syn_flood' parameter
[ $defaults_syn_flood == 1 ] && \
defaults_synflood_protect=1
[ "${defaults_synflood_rate%/*}" == "$defaults_synflood_rate" ] && \
defaults_synflood_rate="$defaults_synflood_rate/second"
[ $defaults_synflood_protect == 1 ] && {
echo "Loading synflood protection"
fw_callback pre synflood
fw add i f syn_flood
fw add i f syn_flood RETURN { \
-p tcp --syn \
-m limit --limit "${defaults_synflood_rate}" --limit-burst "${defaults_synflood_burst}" \
}
fw add i f syn_flood DROP
fw add i f INPUT syn_flood { -p tcp --syn }
fw_callback post synflood
}
[ $defaults_custom_chains == 1 ] && {
echo "Adding custom chains"
fw add i f input_rule
fw add i f output_rule
fw add i f forwarding_rule
fw add i n prerouting_rule
fw add i n postrouting_rule
fw add i f INPUT input_rule
fw add i f OUTPUT output_rule
fw add i f FORWARD forwarding_rule
fw add i n PREROUTING prerouting_rule
fw add i n POSTROUTING postrouting_rule
}
fw add i f delegate_input
fw add i f delegate_output
fw add i f delegate_forward
fw add i f INPUT delegate_input
fw add i f OUTPUT delegate_output
fw add i f FORWARD delegate_forward
fw add i f reject
fw add i f reject REJECT { --reject-with tcp-reset -p tcp }
fw add i f reject REJECT { --reject-with port-unreach }
fw_set_filter_policy
fw_callback post defaults
}
fw_config_get_zone() {
[ "${zone_NAME}" != "$1" ] || return
fw_config_get_section "$1" zone { \
string name "$1" \
string network "" \
string device "" \
string subnet "" \
string input "$FW_DEFAULT_INPUT_POLICY" \
string output "$FW_DEFAULT_OUTPUT_POLICY" \
string forward "$FW_DEFAULT_FORWARD_POLICY" \
boolean masq 0 \
string masq_src "" \
string masq_dest "" \
string extra "" \
string extra_src "" \
string extra_dest "" \
boolean conntrack 0 \
boolean mtu_fix 0 \
boolean custom_chains 0 \
boolean log 0 \
string log_limit 10 \
string family "" \
} || return
[ -n "$zone_name" ] || zone_name=$zone_NAME
[ -n "$zone_extra_src" ] || zone_extra_src="$zone_extra"
[ -n "$zone_extra_dest" ] || zone_extra_dest="$zone_extra"
[ -n "$zone_network$zone_subnet$zone_device$zone_extra_src$zone_extra_dest" ] || zone_network=$zone_name
}
fw_load_zone() {
fw_config_get_zone "$1"
list_contains FW_ZONES $zone_name && {
fw_log error "zone ${zone_name}: duplicated zone, skipping"
return 0
}
append FW_ZONES $zone_name
fw_callback pre zone
[ $zone_conntrack = 1 -o $zone_masq = 1 ] && \
append FW_CONNTRACK_ZONES "$zone_name"
local mode
case "$zone_family" in
*4)
mode=4
append FW_ZONES4 $zone_name
uci_set_state firewall core ${zone_name}_ipv4 1
;;
*6)
mode=6
append FW_ZONES6 $zone_name
uci_set_state firewall core ${zone_name}_ipv6 1
;;
*)
mode=i
append FW_ZONES4 $zone_name
append FW_ZONES6 $zone_name
uci_set_state firewall core ${zone_name}_ipv4 1
uci_set_state firewall core ${zone_name}_ipv6 1
;;
esac
local chain=zone_${zone_name}
fw add $mode f ${chain}_src_ACCEPT
fw add $mode f ${chain}_src_DROP
fw add $mode f ${chain}_src_REJECT
fw add $mode f ${chain}_dest_ACCEPT
fw add $mode f ${chain}_dest_DROP
fw add $mode f ${chain}_dest_REJECT
fw add $mode f ${chain}_input
fw add $mode f ${chain}_input ${chain}_src_${zone_input} $
fw add $mode f ${chain}_forward
fw add $mode f ${chain}_forward ${chain}_dest_${zone_forward} $
fw add $mode f ${chain}_output
fw add $mode f ${chain}_output ${chain}_dest_${zone_output} $
# TODO: Rename to ${chain}_MASQUERADE
fw add $mode n ${chain}_nat
fw add $mode n ${chain}_prerouting
fw add $mode r ${chain}_notrack
[ $zone_mtu_fix == 1 ] && {
fw add $mode m ${chain}_MSSFIX
fw add $mode m FORWARD ${chain}_MSSFIX ^
uci_set_state firewall core ${zone_name}_tcpmss 1
}
[ $zone_custom_chains == 1 ] && {
[ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
fw_die "zone ${zone_name}: custom_chains globally disabled"
fw add $mode f input_${zone_name}
fw add $mode f ${chain}_input input_${zone_name} ^
fw add $mode f forwarding_${zone_name}
fw add $mode f ${chain}_forward forwarding_${zone_name} ^
fw add $mode n prerouting_${zone_name}
fw add $mode n ${chain}_prerouting prerouting_${zone_name} ^
}
[ "$zone_log" == 1 ] && {
[ "${zone_log_limit%/*}" == "$zone_log_limit" ] && \
zone_log_limit="$zone_log_limit/minute"
local t
for t in REJECT DROP; do
local d
for d in src dest; do
fw add $mode f ${chain}_${d}_${t} LOG ^ \
{ -m limit --limit $zone_log_limit --log-prefix "$t($d:$zone_name): " }
done
done
[ $zone_mtu_fix == 1 ] && \
fw add $mode m ${chain}_MSSFIX LOG ^ \
{ -p tcp --tcp-flags SYN,RST SYN -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " }
}
# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
if [ "$zone_masq" == 1 ]; then
local msrc mdst
for msrc in ${zone_masq_src:-0.0.0.0/0}; do
case "$msrc" in
*.*) fw_get_negation msrc '-s' "$msrc" ;;
*) fw_get_subnet4 msrc '-s' "$msrc" || break ;;
esac
for mdst in ${zone_masq_dest:-0.0.0.0/0}; do
case "$mdst" in
*.*) fw_get_negation mdst '-d' "$mdst" ;;
*) fw_get_subnet4 mdst '-d' "$mdst" || break ;;
esac
fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst }
done
done
fi
local dev
for dev in ${zone_device:-""}; do
local net
for net in ${zone_subnet:-""}; do
[ -n "$dev" ] || [ -n "$net" ] || continue
fw_do_interface_rules add "${zone_name}" "$dev" "$net" \
"${zone_extra_src}" "${zone_extra_dest}"
done
done
fw_callback post zone
}
fw_load_notrack_zone() {
fw_config_get_zone "$1"
list_contains FW_CONNTRACK_ZONES "${zone_name}" && return
fw_callback pre notrack
fw add i r zone_${zone_name}_notrack NOTRACK $
fw_callback post notrack
}
fw_load_include() {
local name="$1"
local path
config_get path ${name} path
[ -e $path ] && (
config() {
fw_log error "You cannot use UCI in firewall includes!" >&2
exit 1
}
. $path
)
}
fw_clear() {
local policy=$1
fw_set_filter_policy $policy
local tab
for tab in f n r; do
fw del i $tab
done
}
fw_set_filter_policy() {
local policy=$1
local chn tgt
for chn in INPUT OUTPUT FORWARD; do
eval "tgt=\${policy:-\${FW_DEFAULT_${chn}_POLICY}}"
[ $tgt == "REJECT" ] && tgt=reject
[ $tgt == "ACCEPT" -o $tgt == "DROP" ] || {
fw add i f $chn $tgt $
tgt=DROP
}
fw policy i f $chn $tgt
done
}
fw_callback() {
local pp=$1
local hk=$2
local libs lib
eval "libs=\$FW_CB_${pp}_${hk}"
[ -n "$libs" ] || return
for lib in $libs; do
${lib}_${pp}_${hk}_cb
done
}

View file

@ -1,214 +0,0 @@
# Copyright (C) 2009-2013 OpenWrt.org
fw__uci_state_add() {
local var="$1"
local item="$2"
local val="$(uci_get_state firewall core $var)"
local e1; for e1 in $item; do
local e2; for e2 in $val; do
[ "$e1" = "$e2" ] && e1=""
done
val="${val:+$val${e1:+ }}$e1"
done
uci_toggle_state firewall core $var "$val"
}
fw__uci_state_del() {
local var="$1"
local item="$2"
local rest=""
local val="$(uci_get_state firewall core $var)"
local e1; for e1 in $val; do
local e2; for e2 in $item; do
[ "$e1" = "$e2" ] && e1=""
done
rest="${rest:+$rest${e1:+ }}$e1"
done
uci_toggle_state firewall core $var "$rest"
}
fw_do_interface_rules() {
local action=$1
local zone=$2
local chain=zone_${zone}
local ifname=$3
local subnet=$4
local extra_src="$5"
local extra_dest="$6"
local idev odev inet onet mode
fw_get_family_mode mode x $zone i
fw_get_negation idev '-i' "$ifname"
fw_get_negation odev '-o' "$ifname"
case "$mode/$subnet" in
# Zone supports v6 only or dual, need v6
G6/*:*|i/*:*)
fw_get_negation inet '-s' "$subnet"
fw_get_negation onet '-d' "$subnet"
mode=6
;;
# Zone supports v4 only or dual, need v4
G4/*.*.*.*|i/*.*.*.*)
fw_get_negation inet '-s' "$subnet"
fw_get_negation onet '-d' "$subnet"
mode=4
;;
# Need v6 while zone is v4
*/*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;;
# Need v4 while zone is v6
*/*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
# Strip prefix
*) mode="${mode#G}" ;;
esac
lock /var/run/firewall-interface.lock
fw $action $mode f ${chain}_dest_ACCEPT ACCEPT $ { $odev $onet $extra_dest }
fw $action $mode f ${chain}_src_ACCEPT ACCEPT $ { $idev $inet $extra_src }
fw $action $mode f ${chain}_dest_DROP DROP $ { $odev $onet $extra_dest }
fw $action $mode f ${chain}_src_DROP DROP $ { $idev $inet $extra_src }
fw $action $mode f ${chain}_dest_REJECT reject $ { $odev $onet $extra_dest }
fw $action $mode f ${chain}_src_REJECT reject $ { $idev $inet $extra_src }
[ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
{ $odev -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet $extra_dest }
fw $action $mode f delegate_input ${chain}_input $ { $idev $inet $extra_src }
fw $action $mode f delegate_forward ${chain}_forward $ { $idev $inet $extra_src }
fw $action $mode f delegate_output ${chain}_output $ { $odev $onet $extra_dest }
fw $action $mode n PREROUTING ${chain}_prerouting $ { $idev $inet $extra_src }
fw $action $mode r PREROUTING ${chain}_notrack $ { $idev $inet $extra_src }
fw $action $mode n POSTROUTING ${chain}_nat $ { $odev $onet $extra_dest }
# Flush conntrack table
echo f >/proc/net/nf_conntrack 2>/dev/null
lock -u /var/run/firewall-interface.lock
}
fw_configure_interface() {
local iface=$1
local action=$2
local ifname=$3
local aliasnet=$4
[ "$action" == "add" ] && {
local status=$(uci_get_state network "$iface" up 0)
[ "$status" == 1 ] || [ -n "$aliasnet" ] || return 0
}
[ -n "$ifname" ] || {
ifname=$(uci_get_state network "$iface" ifname)
ifname="${ifname%%:*}"
[ -z "$ifname" ] && return 0
}
[ "$ifname" == "lo" ] && return 0
fw_callback pre interface
local old_zones old_ifname old_subnets
config_get old_zones core "${iface}_zone"
[ -n "$old_zones" ] && {
config_get old_ifname core "${iface}_ifname"
config_get old_subnets core "${iface}_subnets"
local z
for z in $old_zones; do
local n
for n in ${old_subnets:-""}; do
fw_log info "removing $iface ($old_ifname${n:+ alias $n}) from zone $z"
fw_do_interface_rules del $z $old_ifname $n
done
[ -n "$old_subnets" ] || {
fw__uci_state_del "${z}_networks" "$iface"
env -i ACTION=remove ZONE="$z" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
}
done
local old_aliases
config_get old_aliases core "${iface}_aliases"
local a
for a in $old_aliases; do
fw_configure_interface "$a" del "$old_ifname"
done
uci_revert_state firewall core "${iface}_zone"
uci_revert_state firewall core "${iface}_ifname"
uci_revert_state firewall core "${iface}_subnets"
uci_revert_state firewall core "${iface}_aliases"
}
[ "$action" == del ] && return
[ -z "$aliasnet" ] && {
local aliases
config_get aliases "$iface" aliases
local a
for a in $aliases; do
local ipaddr netmask ip6addr
config_get ipaddr "$a" ipaddr
config_get netmask "$a" netmask
config_get ip6addr "$a" ip6addr
[ -n "$ipaddr" ] && fw_configure_interface "$a" add "" "$ipaddr${netmask:+/$netmask}"
[ -n "$ip6addr" ] && fw_configure_interface "$a" add "" "$ip6addr"
done
fw_sysctl_interface $ifname
fw_callback post interface
uci_toggle_state firewall core "${iface}_aliases" "$aliases"
} || {
local subnets=
config_get subnets core "${iface}_subnets"
append subnets "$aliasnet"
config_set core "${iface}_subnets" "$subnets"
uci_toggle_state firewall core "${iface}_subnets" "$subnets"
}
local new_zones=
load_zone() {
fw_config_get_zone "$1"
list_contains zone_network "$iface" || return
fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name"
fw_do_interface_rules add ${zone_name} "$ifname" "$aliasnet"
append new_zones $zone_name
[ -n "$aliasnet" ] || {
fw__uci_state_add "${zone_name}_networks" "${zone_network}"
env -i ACTION=add ZONE="$zone_name" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
}
}
config_foreach load_zone zone
uci_toggle_state firewall core "${iface}_zone" "$new_zones"
uci_toggle_state firewall core "${iface}_ifname" "$ifname"
}
fw_sysctl_interface() {
local ifname=$1
{
sysctl -w net.ipv4.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS
sysctl -w net.ipv6.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS
sysctl -w net.ipv4.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE
sysctl -w net.ipv6.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE
} >/dev/null 2>/dev/null
}

View file

@ -1,130 +0,0 @@
# Copyright (C) 2009-2010 OpenWrt.org
fw_config_get_redirect() {
[ "${redirect_NAME}" != "$1" ] || return
fw_config_get_section "$1" redirect { \
string _name "$1" \
string name "" \
string src "" \
ipaddr src_ip "" \
ipaddr src_dip "" \
string src_mac "" \
string src_port "" \
string src_dport "" \
string dest "" \
ipaddr dest_ip "" \
string dest_port "" \
string proto "tcpudp" \
string family "" \
string target "DNAT" \
string extra "" \
} || return
[ -n "$redirect_name" ] || redirect_name=$redirect__name
}
fw_load_redirect() {
fw_config_get_redirect "$1"
fw_callback pre redirect
local fwdchain natchain natopt nataddr natports srcdaddr srcdports
if [ "$redirect_target" == "DNAT" ]; then
[ -n "${redirect_src#*}" -a -n "$redirect_dest_ip$redirect_dest_port" ] || {
fw_log error "DNAT redirect ${redirect_name}: needs src and dest_ip or dest_port, skipping"
return 0
}
fwdopt=""
fwdchain=""
# Check whether only ports are given or whether the given dest ip is local,
# in this case match only DNATed traffic and allow it on input, not forward
if [ -z "$redirect_dest_ip" ] || /sbin/ifconfig | grep -qE "addr:${redirect_dest_ip//./\\.}\b"; then
fwdopt="-m conntrack --ctstate DNAT"
fwdchain="zone_${redirect_src}_input"
else
fwdchain="zone_${redirect_src}_forward"
fi
natopt="--to-destination"
natchain="zone_${redirect_src}_prerouting"
nataddr="$redirect_dest_ip"
fw_get_port_range natports "${redirect_dest_port#!}" "-"
fw_get_negation srcdaddr '-d' "${redirect_src_dip:+$redirect_src_dip/$redirect_src_dip_prefixlen}"
fw_get_port_range srcdports "$redirect_src_dport" ":"
fw_get_negation srcdports '--dport' "$srcdports"
list_contains FW_CONNTRACK_ZONES $redirect_src || \
append FW_CONNTRACK_ZONES $redirect_src
elif [ "$redirect_target" == "SNAT" ]; then
[ -n "${redirect_dest#*}" -a -n "$redirect_src_dip" ] || {
fw_log error "SNAT redirect ${redirect_name}: needs dest and src_dip, skipping"
return 0
}
fwdchain="${redirect_src:+zone_${redirect_src}_forward}"
natopt="--to-source"
natchain="zone_${redirect_dest}_nat"
nataddr="$redirect_src_dip"
fw_get_port_range natports "${redirect_src_dport#!}" "-"
fw_get_negation srcdaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
fw_get_port_range srcdports "$redirect_dest_port" ":"
fw_get_negation srcdports '--dport' "$srcdports"
list_contains FW_CONNTRACK_ZONES $redirect_dest || \
append FW_CONNTRACK_ZONES $redirect_dest
else
fw_log error "redirect ${redirect_name}: target must be either DNAT or SNAT, skipping"
return 0
fi
local mode
fw_get_family_mode mode ${redirect_family:-x} ${redirect_src:-$redirect_dest} I
local srcaddr
fw_get_negation srcaddr '-s' "${redirect_src_ip:+$redirect_src_ip/$redirect_src_ip_prefixlen}"
local srcports
fw_get_port_range srcports "$redirect_src_port" ":"
fw_get_negation srcports '--sport' "$srcports"
local destaddr
fw_get_negation destaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
local destports
fw_get_port_range destports "${redirect_dest_port:-$redirect_src_dport}" ":"
fw_get_negation destports '--dport' "$destports"
[ "$redirect_proto" == "tcpudp" ] && redirect_proto="tcp udp"
local pr; for pr in $redirect_proto; do
fw_get_negation pr '-p' "$pr"
local sm; for sm in ${redirect_src_mac:-""}; do
fw_get_negation sm '--mac-source' "$sm"
fw add $mode n $natchain $redirect_target + \
{ $redirect_src_ip $redirect_dest_ip } { \
$srcaddr $srcdaddr $pr \
$srcports $srcdports \
${sm:+-m mac $sm} \
$natopt $nataddr${natports:+:$natports} \
$redirect_options \
}
fw add $mode f ${fwdchain:-delegate_forward} ACCEPT + \
{ $redirect_src_ip $redirect_dest_ip } { \
$srcaddr $destaddr \
$pr \
$srcports $destports \
${sm:+-m mac $sm} \
$fwdopt \
$redirect_extra \
}
done
done
fw_callback post redirect
}

View file

@ -1,117 +0,0 @@
# Copyright (C) 2009-2010 OpenWrt.org
fw_config_get_rule() {
[ "${rule_NAME}" != "$1" ] || return
fw_config_get_section "$1" rule { \
string _name "$1" \
string name "" \
string src "" \
ipaddr src_ip "" \
string src_mac "" \
string src_port "" \
string dest "" \
ipaddr dest_ip "" \
string dest_port "" \
string icmp_type "" \
string proto "tcpudp" \
string target "" \
string family "" \
string limit "" \
string limit_burst "" \
string extra "" \
} || return
[ -n "$rule_name" ] || rule_name=$rule__name
}
fw_load_rule() {
fw_config_get_rule "$1"
[ "$rule_target" != "NOTRACK" ] || [ -n "$rule_src" ] || [ "$rule_src" != "*" ] || {
fw_log error "NOTRACK rule ${rule_name}: needs src, skipping"
return 0
}
fw_callback pre rule
local table=f
local chain=delegate_output
local target="${rule_target:-REJECT}"
if [ "$target" == "NOTRACK" ]; then
table=r
chain="zone_${rule_src}_notrack"
else
if [ -n "$rule_src" ]; then
if [ "$rule_src" != "*" ]; then
if [ -n "$rule_dest" ]; then
chain="zone_${rule_src}_forward"
else
chain="zone_${rule_src}_input"
fi
else
chain="${rule_dest:+delegate_forward}"
chain="${chain:-delegate_input}"
fi
fi
if [ -n "$rule_dest" ]; then
if [ "$rule_dest" != "*" ]; then
target="zone_${rule_dest}_dest_${target}"
if [ -z "$rule_src" ]; then
chain="zone_${rule_dest}_output"
fi
elif [ "$target" = REJECT ]; then
target=reject
fi
fi
fi
local mode
fw_get_family_mode mode ${rule_family:-x} "$rule_src" I
local src_spec dest_spec
fw_get_negation src_spec '-s' "${rule_src_ip:+$rule_src_ip/$rule_src_ip_prefixlen}"
fw_get_negation dest_spec '-d' "${rule_dest_ip:+$rule_dest_ip/$rule_dest_ip_prefixlen}"
[ "$rule_proto" == "tcpudp" ] && rule_proto="tcp udp"
local pr; for pr in $rule_proto; do
local sports dports itypes
case "$pr" in
icmp|icmpv6|1|58)
sports=""; dports=""
itypes="$rule_icmp_type"
;;
*)
sports="$rule_src_port"
dports="$rule_dest_port"
itypes=""
;;
esac
fw_get_negation pr '-p' "$pr"
local sp; for sp in ${sports:-""}; do
fw_get_port_range sp $sp
fw_get_negation sp '--sport' "$sp"
local dp; for dp in ${dports:-""}; do
fw_get_port_range dp $dp
fw_get_negation dp '--dport' "$dp"
local sm; for sm in ${rule_src_mac:-""}; do
fw_get_negation sm '--mac-source' "$sm"
local it; for it in ${itypes:-""}; do
fw_get_negation it '--icmp-type' "$it"
fw add $mode $table $chain $target + \
{ $rule_src_ip $rule_dest_ip } { \
$src_spec $dest_spec \
$pr $sp $dp $it \
${sm:+-m mac $sm} \
${rule_limit:+-m limit --limit $rule_limit \
${rule_limit_burst:+--limit-burst $rule_limit_burst}} \
$rule_extra \
}
done
done
done
done
done
fw_callback post rule
}

View file

@ -1,324 +0,0 @@
# Copyright (C) 2009-2010 OpenWrt.org
# Copyright (C) 2009 Malte S. Stretz
export FW_4_ERROR=0
export FW_6_ERROR=0
export FW_i_ERROR=0
export FW_e_ERROR=0
export FW_a_ERROR=0
#TODO: remove this
[ "${-#*x}" == "$-" ] && {
fw() {
fw__exec "$@"
}
} || {
fw() {
local os=$-
set +x
fw__exec "$@"
local rc=$?
set -$os
return $rc
}
}
fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
local cmd fam tab chn tgt pos
local i
for i in cmd fam tab chn tgt pos; do
if [ "$1" -a "$1" != '{' ]; then
eval "$i='$1'"
shift
else
eval "$i=-"
fi
done
fw__rc() {
export FW_${fam#G}_ERROR=$1
return $1
}
fw__dualip() {
fw $cmd 4 $tab $chn $tgt $pos "$@"
fw $cmd 6 $tab $chn $tgt $pos "$@"
fw__rc $((FW_4_ERROR | FW_6_ERROR))
}
fw__autoip() {
local ip4 ip6
shift
while [ "$1" != '}' ]; do
case "$1" in
*:*) ip6=1 ;;
*.*.*.*) ip4=1 ;;
esac
shift
done
shift
if [ "${ip4:-4}" == "${ip6:-6}" ]; then
echo "fw: can't mix ip4 and ip6" >&2
return 1
fi
local ver=${ip4:+4}${ip6:+6}
fam=i
fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
fw__rc $?
}
fw__has() {
local tab=${1:-$tab}
if [ $tab == '-' ]; then
type $app > /dev/null 2> /dev/null
fw__rc $(($? & 1))
return
fi
[ "$app" != ip6tables ] || [ "$tab" != nat ]
fw__rc $?
}
fw__err() {
local err
eval "err=\$FW_${fam}_ERROR"
fw__rc $err
}
local app=
local pol=
case "$fam" in
*4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables || return ;;
*6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
i) fw__dualip "$@"; return ;;
I) fw__autoip "$@"; return ;;
e) app=ebtables ;;
a) app=arptables ;;
-) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
*) return 254 ;;
esac
case "$tab" in
f) tab=filter ;;
m) tab=mangle ;;
n) tab=nat ;;
r) tab=raw ;;
-) tab=filter ;;
esac
case "$cmd:$chn:$tgt:$pos" in
add:*:-:*) cmd=new-chain ;;
add:*:*:-) cmd=append ;;
add:*:*:$) cmd=append ;;
add:*:*:*) cmd=insert ;;
del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
del:*:*:*) cmd=delete ;;
flush:*) ;;
policy:*) pol=$tgt; tgt=- ;;
has:*) fw__has; return ;;
err:*) fw__err; return ;;
list:*) cmd="numeric --verbose --$cmd" ;;
*) return 254 ;;
esac
case "$chn" in
-) chn= ;;
esac
case "$tgt" in
-) tgt= ;;
esac
local rule_offset
case "$pos" in
^) pos=1 ;;
$) pos= ;;
-) pos= ;;
+) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;;
esac
if ! fw__has - family || ! fw__has $tab ; then
export FW_${fam}_ERROR=0
return 0
fi
case "$fam" in
G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
esac
if [ $# -gt 0 ]; then
shift
if [ $cmd == delete ]; then
pos=
fi
fi
local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}"
while [ $# -gt 1 ]; do
# special parameter handling
case "$1:$2" in
-p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58)
[ "$app" = ip6tables ] && \
cmdline="$cmdline -p icmpv6" || \
cmdline="$cmdline -p icmp"
shift
;;
--icmp-type:*|--icmpv6-type:*)
local icmp_type
if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then
cmdline="$cmdline $icmp_type"
elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then
cmdline="$cmdline $icmp_type"
else
local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6
fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule"
return 1
fi
shift
;;
*) cmdline="$cmdline $1" ;;
esac
shift
done
[ -n "$FW_TRACE" ] && echo $cmdline >&2
$cmdline
local rv=$?
[ $rv -eq 0 ] && [ -n "$rule_offset" ] && \
export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))"
fw__rc $rv
}
fw_get_port_range() {
local _var=$1
local _ports=$2
local _delim=${3:-:}
if [ "$4" ]; then
fw_get_port_range $_var "${_ports}-${4}" $_delim
return
fi
local _first=${_ports%-*}
local _last=${_ports#*-}
if [ "${_first#!}" != "${_last#!}" ]; then
export -- "$_var=$_first$_delim${_last#!}"
else
export -- "$_var=$_first"
fi
}
fw_get_family_mode() {
local _var="$1"
local _hint="$2"
local _zone="$3"
local _mode="$4"
local _ipv4 _ipv6
[ "$_zone" != "*" ] && {
[ -n "$FW_ZONES4$FW_ZONES6" ] && {
list_contains FW_ZONES4 "$_zone" && _ipv4=1 || _ipv4=0
list_contains FW_ZONES6 "$_zone" && _ipv6=1 || _ipv6=0
} || {
_ipv4=$(uci_get_state firewall core "${_zone}_ipv4" 0)
_ipv6=$(uci_get_state firewall core "${_zone}_ipv6" 0)
}
} || {
_ipv4=1
_ipv6=1
}
case "$_hint:$_ipv4:$_ipv6" in
*4:1:*|*:1:0) export -n -- "$_var=G4" ;;
*6:*:1|*:0:1) export -n -- "$_var=G6" ;;
*) export -n -- "$_var=$_mode" ;;
esac
}
fw_get_negation() {
local _var="$1"
local _flag="$2"
local _value="$3"
[ "${_value#!}" != "$_value" ] && \
export -n -- "$_var=! $_flag ${_value#!}" || \
export -n -- "$_var=${_value:+$_flag $_value}"
}
fw_get_subnet4() {
local _var="$1"
local _flag="$2"
local _name="$3"
local _ipaddr="$(uci_get_state network "${_name#!}" ipaddr)"
local _netmask="$(uci_get_state network "${_name#!}" netmask)"
case "$_ipaddr" in
*.*.*.*)
[ "${_name#!}" != "$_name" ] && \
export -n -- "$_var=! $_flag $_ipaddr/${_netmask:-255.255.255.255}" || \
export -n -- "$_var=$_flag $_ipaddr/${_netmask:-255.255.255.255}"
return 0
;;
esac
export -n -- "$_var="
return 1
}
fw_check_icmptype4() {
local _var="$1"
local _type="$2"
case "$_type" in
![0-9]*) export -n -- "$_var=! --icmp-type ${_type#!}"; return 0 ;;
[0-9]*) export -n -- "$_var=--icmp-type $_type"; return 0 ;;
esac
[ -z "$FW_ICMP4_TYPES" ] && \
export FW_ICMP4_TYPES=$(
iptables -p icmp -h 2>/dev/null | \
sed -n -e '/^Valid ICMP Types:/ {
n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
}' | sort -u
)
local _check
for _check in $FW_ICMP4_TYPES; do
if [ "$_check" = "${_type#!}" ]; then
[ "${_type#!}" != "$_type" ] && \
export -n -- "$_var=! --icmp-type ${_type#!}" || \
export -n -- "$_var=--icmp-type $_type"
return 0
fi
done
export -n -- "$_var="
return 1
}
fw_check_icmptype6() {
local _var="$1"
local _type="$2"
case "$_type" in
![0-9]*) export -n -- "$_var=! --icmpv6-type ${_type#!}"; return 0 ;;
[0-9]*) export -n -- "$_var=--icmpv6-type $_type"; return 0 ;;
esac
[ -z "$FW_ICMP6_TYPES" ] && \
export FW_ICMP6_TYPES=$(
ip6tables -p icmpv6 -h 2>/dev/null | \
sed -n -e '/^Valid ICMPv6 Types:/ {
n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
}' | sort -u
)
local _check
for _check in $FW_ICMP6_TYPES; do
if [ "$_check" = "${_type#!}" ]; then
[ "${_type#!}" != "$_type" ] && \
export -n -- "$_var=! --icmpv6-type ${_type#!}" || \
export -n -- "$_var=--icmpv6-type $_type"
return 0
fi
done
export -n -- "$_var="
return 1
}

View file

@ -1,5 +0,0 @@
# This file is here for backwards compatibility and to override the
# uci_firewall.sh from an earlier version.
type fw_is_loaded >/dev/null || {
. /lib/firewall/core.sh
}

View file

@ -1,169 +0,0 @@
#!/bin/sh
. /lib/functions.sh
. /lib/functions/network.sh
if [ "$ACTION" = "remove" ]; then
delete_rules_by_comment() {
local table="$1"
local chain="$2"
local comment="$3"
iptables -t "$table" --line-numbers -nL "$chain" 2>/dev/null | \
sed -e '
1d;
1! {
\#^[0-9]\+ .* /\* '"$comment"' \*/.*$# {
s/ .*$//;
G; h;
}
};
$!d;
' | xargs -n1 iptables -t "$table" -D "$chain" 2>/dev/null
}
delete_rules_by_comment nat nat_reflection_in "$INTERFACE"
delete_rules_by_comment nat nat_reflection_out "$INTERFACE"
delete_rules_by_comment filter nat_reflection_fwd "$INTERFACE"
elif [ "$ACTION" = "add" ]; then
prepare_chains() {
iptables -t nat -N nat_reflection_in 2>/dev/null && {
iptables -t nat -A prerouting_rule -j nat_reflection_in
}
iptables -t nat -N nat_reflection_out 2>/dev/null && {
iptables -t nat -A postrouting_rule -j nat_reflection_out
}
iptables -t filter -N nat_reflection_fwd 2>/dev/null && {
iptables -t filter -A forwarding_rule -j nat_reflection_fwd
}
}
find_networks() {
find_networks_cb() {
local cfg="$1"
local zone="$2"
local need_masq="${3:-0}"
local name
config_get name "$cfg" name
local masq
config_get_bool masq "$cfg" masq 0
[ "$name" = "$zone" ] && [ "$masq" -ge "$need_masq" ] && {
local network
config_get network "$cfg" network
echo ${network:-$zone}
return 1
}
}
config_foreach find_networks_cb zone "$@"
}
setup_fwd() {
local cfg="$1"
local reflection
config_get_bool reflection "$cfg" reflection 1
[ "$reflection" == 1 ] || return
local src
config_get src "$cfg" src
[ "$src" == "$ZONE" ] || return
local dest
config_get dest "$cfg" dest
[ "$dest" != "*" ] || return
local target
config_get target "$cfg" target DNAT
[ "$target" = DNAT ] || return
prepare_chains
local net
for net in $(find_networks "$dest" 0); do
local intnet
network_get_subnet intnet "$net" || continue
local proto
config_get proto "$cfg" proto
local epmin epmax extport
config_get extport "$cfg" src_dport "1-65535"
[ -n "$extport" ] || return
epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
[ "${epmin#!}" != "$epmax" ] || epmax=""
local ipmin ipmax intport
config_get intport "$cfg" dest_port "$extport"
ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
[ "${ipmin#!}" != "$ipmax" ] || ipmax=""
local exthost
config_get exthost "$cfg" src_dip "$extip"
local inthost
config_get inthost "$cfg" dest_ip
[ -n "$inthost" ] || return
[ "$proto" = all ] && proto="tcp udp"
[ "$proto" = tcpudp ] && proto="tcp udp"
[ "${inthost#!}" = "$inthost" ] || return 0
[ "${exthost#!}" = "$exthost" ] || return 0
[ "${epmin#!}" != "$epmin" ] && \
extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \
extport="--dport $epmin${epmax:+:$epmax}"
[ "${ipmin#!}" != "$ipmin" ] && \
intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \
intport="--dport $ipmin${ipmax:+:$ipmax}"
local p
for p in ${proto:-tcp udp}; do
case "$p" in
tcp|udp|6|17)
iptables -t nat -A nat_reflection_in \
-s $intnet -d $exthost \
-p $p $extport \
-m comment --comment "$INTERFACE" \
-j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}
iptables -t nat -A nat_reflection_out \
-s $intnet -d $inthost \
-p $p $intport \
-m comment --comment "$INTERFACE" \
-j SNAT --to-source ${intnet%%/*}
iptables -t filter -A nat_reflection_fwd \
-s $intnet -d $inthost \
-p $p $intport \
-m comment --comment "$INTERFACE" \
-j ACCEPT
;;
esac
done
done
}
config_load firewall
local is_masq_zone="$(find_networks "$ZONE" 1)"
[ -n "$is_masq_zone" ] || exit 0
local extip
network_get_ipaddr extip "$INTERFACE" || exit 0
config_foreach setup_fwd redirect
fi