add new rc.common for standardized init scripts, convert existing init scripts

SVN-Revision: 4915
This commit is contained in:
Felix Fietkau 2006-10-04 20:05:48 +00:00
parent 1bb321cbec
commit af5f6ac550
16 changed files with 1152 additions and 1024 deletions


@ -1,8 +1,12 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# ADAM2 patcher for Netgear DG834 and compatible
MD5="$(md5sum /dev/mtdblock/0 | awk '{print $1}')"
[ "$MD5" = "0530bfdf00ec155f4182afd70da028c1" ] && {
mtd unlock adam2
/sbin/adam2patcher /dev/mtdblock/0
# Copyright (C) 2006 OpenWrt.org
start() {
MD5="$(md5sum /dev/mtdblock/0 | awk '{print $1}')"
[ "$MD5" = "0530bfdf00ec155f4182afd70da028c1" ] && {
mtd unlock adam2
/sbin/adam2patcher /dev/mtdblock/0
}
rm -f /etc/init.d/S00adam2 /sbin/adam2patcher >&- 2>&-
}
rm -f /etc/init.d/S00adam2 /sbin/adam2patcher >&- 2>&-
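Review bot: In the new start() the one-shot script removes itself (`rm -f /etc/init.d/S00adam2 /sbin/adam2patcher`) whether or not `/sbin/adam2patcher` succeeded, so a failed patch is never retried on a later boot; the old flat script had the same behaviour, but the conversion is the moment to fix it. Guarding the patcher with `/sbin/adam2patcher /dev/mtdblock/0 || return 1` inside the brace group keeps the script in place when patching fails, while a non-matching checksum still falls through to the cleanup. A header comment such as `# one-shot: patch only when /dev/mtdblock/0 matches the known unpatched image, then remove this script` would record why the md5 compare is the only gate (what exactly that md5 identifies is not visible here).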


@ -1,86 +1,87 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
[ -e /etc/config/network ] && exit 0
start() {
[ -e /etc/config/network ] && exit 0
mkdir -p /etc/config
mkdir -p /etc/config
(
if grep -E 'mtd0: 000(6|a)0000' /proc/mtd 2>&- >&-; then
# WGT634u
echo boardtype=wgt634u
else
strings /dev/mtdblock/3
fi
) | awk '
function p(cfgname, name) {
if (c[name] != "") print " option " cfgname " \"" c[name] "\""
}
BEGIN {
FS="="
c["lan_ifname"]="eth0.0 wl0"
c["wan_ifname"]="eth0.1"
c["vlan0ports"]="1 2 3 4 5*"
c["vlan1ports"]="0 5"
}
($1 == "boardnum") || ($1 == "boardtype") || ($1 == "boardflags") {
nvram[$1] = $2
}
END {
# v1 hardware
if (nvram["boardtype"] == "bcm94710dev") {
# Asus WL-500g
if (nvram["boardnum"] == "asusX") {
c["lan_ifname"]="eth0 eth1 wl0" # FIXME
(
if grep -E 'mtd0: 000(6|a)0000' /proc/mtd 2>&- >&-; then
# WGT634u
echo boardtype=wgt634u
else
strings /dev/mtdblock/3
fi
) | awk '
function p(cfgname, name) {
if (c[name] != "") print " option " cfgname " \"" c[name] "\""
}
BEGIN {
FS="="
c["lan_ifname"]="eth0.0 wl0"
c["wan_ifname"]="eth0.1"
c["vlan0ports"]="1 2 3 4 5*"
c["vlan1ports"]="0 5"
}
($1 == "boardnum") || ($1 == "boardtype") || ($1 == "boardflags") {
nvram[$1] = $2
}
END {
# v1 hardware
if (nvram["boardtype"] == "bcm94710dev") {
# Asus WL-500g
if (nvram["boardnum"] == "asusX") {
c["lan_ifname"]="eth0 eth1 wl0" # FIXME
c["wan_ifname"]=""
}
}
if (nvram["boardtype"] == "wgt634u") {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
c["lan_ifname"] = "eth0.0 ath0"
}
if ((nvram["boardtype"] == "0x0467") || (nvram["boardtype"] == "0x042f")) {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
}
# WAP54G
if ((nvram["boardnum"] == "2") || \
(nvram["boardnum"] == "1024")) {
c["lan_ifname"]="eth0 wl0"
c["wan_ifname"]=""
}
}
if (nvram["boardtype"] == "wgt634u") {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
c["lan_ifname"] = "eth0.0 ath0"
}
if ((nvram["boardtype"] == "0x0467") || (nvram["boardtype"] == "0x042f")) {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
}
# WAP54G
if ((nvram["boardnum"] == "2") || \
(nvram["boardnum"] == "1024")) {
c["lan_ifname"]="eth0 wl0"
c["wan_ifname"]=""
}
print "#### VLAN configuration "
print "config switch eth0"
p("vlan0", "vlan0ports")
p("vlan1", "vlan1ports")
print ""
print ""
print "#### Loopback configuration"
print "config interface loopback"
print " option ifname \"lo\""
print " option proto static"
print " option ipaddr 127.0.0.1"
print " option netmask 255.0.0.0"
print ""
print ""
print "#### LAN configuration"
print "config interface lan"
print " option type bridge"
p("ifname", "lan_ifname")
print " option proto static"
print " option ipaddr 192.168.1.1"
print " option netmask 255.255.255.0"
print ""
print ""
print "#### WAN configuration"
print "config interface wan"
p("ifname", "wan_ifname")
print " option proto dhcp"
print "#### VLAN configuration "
print "config switch eth0"
p("vlan0", "vlan0ports")
p("vlan1", "vlan1ports")
print ""
print ""
print "#### Loopback configuration"
print "config interface loopback"
print " option ifname \"lo\""
print " option proto static"
print " option ipaddr 127.0.0.1"
print " option netmask 255.0.0.0"
print ""
print ""
print "#### LAN configuration"
print "config interface lan"
print " option type bridge"
p("ifname", "lan_ifname")
print " option proto static"
print " option ipaddr 192.168.1.1"
print " option netmask 255.255.255.0"
print ""
print ""
print "#### WAN configuration"
print "config interface wan"
p("ifname", "wan_ifname")
print " option proto dhcp"
}' > /etc/config/network
}
' > /etc/config/network
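Review bot: `[ -e /etc/config/network ] && exit 0` now sits inside start() of a script that rc.common sources, so the `exit` terminates rc.common itself rather than just the function; that works while preinit runs each `$i start` in its own process, but it cuts short composite actions such as `restart` (stop then start) and `boot`. The same pattern is in the identical second copy of this generator in the next file section, in dnsmasq's `[ -f /etc/dnsmasq.conf ] || exit`, and in dropbear's `exit 0`. `[ -e /etc/config/network ] && return 0` keeps the short-circuit without leaving the caller. A one-line header such as `# generate /etc/config/network once from board detection / the nvram partition; never overwrite an existing config` would document why the guard exists.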


@ -1,86 +1,87 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
[ -e /etc/config/network ] && exit 0
mkdir -p /etc/config
(
if grep -E 'mtd0: 000(6|a)0000' /proc/mtd 2>&- >&-; then
# WGT634u
echo boardtype=wgt634u
else
strings /dev/mtdblock/3
fi
) | awk '
function p(cfgname, name) {
if (c[name] != "") print " option " cfgname " \"" c[name] "\""
}
BEGIN {
FS="="
c["lan_ifname"]="eth0.0 wl0"
c["wan_ifname"]="eth0.1"
c["vlan0ports"]="1 2 3 4 5*"
c["vlan1ports"]="0 5"
}
($1 == "boardnum") || ($1 == "boardtype") || ($1 == "boardflags") {
nvram[$1] = $2
}
END {
# v1 hardware
if (nvram["boardtype"] == "bcm94710dev") {
# Asus WL-500g
if (nvram["boardnum"] == "asusX") {
c["lan_ifname"]="eth0 eth1 wl0" # FIXME
start() {
[ -e /etc/config/network ] && exit 0
mkdir -p /etc/config
(
if grep -E 'mtd0: 000(6|a)0000' /proc/mtd 2>&- >&-; then
# WGT634u
echo boardtype=wgt634u
else
strings /dev/mtdblock/3
fi
) | awk '
function p(cfgname, name) {
if (c[name] != "") print " option " cfgname " \"" c[name] "\""
}
BEGIN {
FS="="
c["lan_ifname"]="eth0.0 wl0"
c["wan_ifname"]="eth0.1"
c["vlan0ports"]="1 2 3 4 5*"
c["vlan1ports"]="0 5"
}
($1 == "boardnum") || ($1 == "boardtype") || ($1 == "boardflags") {
nvram[$1] = $2
}
END {
# v1 hardware
if (nvram["boardtype"] == "bcm94710dev") {
# Asus WL-500g
if (nvram["boardnum"] == "asusX") {
c["lan_ifname"]="eth0 eth1 wl0" # FIXME
c["wan_ifname"]=""
}
}
if (nvram["boardtype"] == "wgt634u") {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
c["lan_ifname"] = "eth0.0 ath0"
}
if ((nvram["boardtype"] == "0x0467") || (nvram["boardtype"] == "0x042f")) {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
}
# WAP54G
if ((nvram["boardnum"] == "2") || \
(nvram["boardnum"] == "1024")) {
c["lan_ifname"]="eth0 wl0"
c["wan_ifname"]=""
}
}
if (nvram["boardtype"] == "wgt634u") {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
c["lan_ifname"] = "eth0.0 ath0"
}
if ((nvram["boardtype"] == "0x0467") || (nvram["boardtype"] == "0x042f")) {
c["vlan0ports"] = "0 1 2 3 5*"
c["vlan1ports"] = "4 5"
}
# WAP54G
if ((nvram["boardnum"] == "2") || \
(nvram["boardnum"] == "1024")) {
c["lan_ifname"]="eth0 wl0"
c["wan_ifname"]=""
}
print "#### VLAN configuration "
print "config switch eth0"
p("vlan0", "vlan0ports")
p("vlan1", "vlan1ports")
print ""
print ""
print "#### Loopback configuration"
print "config interface loopback"
print " option ifname \"lo\""
print " option proto static"
print " option ipaddr 127.0.0.1"
print " option netmask 255.0.0.0"
print ""
print ""
print "#### LAN configuration"
print "config interface lan"
print " option type bridge"
p("ifname", "lan_ifname")
print " option proto static"
print " option ipaddr 192.168.1.1"
print " option netmask 255.255.255.0"
print ""
print ""
print "#### WAN configuration"
print "config interface wan"
p("ifname", "wan_ifname")
print " option proto dhcp"
print "#### VLAN configuration "
print "config switch eth0"
p("vlan0", "vlan0ports")
p("vlan1", "vlan1ports")
print ""
print ""
print "#### Loopback configuration"
print "config interface loopback"
print " option ifname \"lo\""
print " option proto static"
print " option ipaddr 127.0.0.1"
print " option netmask 255.0.0.0"
print ""
print ""
print "#### LAN configuration"
print "config interface lan"
print " option type bridge"
p("ifname", "lan_ifname")
print " option proto static"
print " option ipaddr 192.168.1.1"
print " option netmask 255.255.255.0"
print ""
print ""
print "#### WAN configuration"
print "config interface wan"
p("ifname", "wan_ifname")
print " option proto dhcp"
}' > /etc/config/network
}
' > /etc/config/network


@ -1,25 +1,25 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
. /etc/functions.sh
[ -f /proc/mounts ] || /sbin/mount_root
[ -f /proc/jffs2_bbc ] && echo "S" > /proc/jffs2_bbc
vconfig set_name_type DEV_PLUS_VID_NO_PAD
HOSTNAME=${wan_hostname%%.*}
echo ${HOSTNAME:=OpenWrt}>/proc/sys/kernel/hostname
mkdir -p /var/run
mkdir -p /var/log
mkdir -p /var/lock
touch /var/log/wtmp
touch /var/log/lastlog
[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
# manually trigger hotplug before loading modules
for iface in $(awk -F: '/:/ {print $1}' /proc/net/dev); do
/usr/bin/env -i ACTION=add INTERFACE="$iface" /sbin/hotplug net
done
load_modules /etc/modules /etc/modules.d/*
start() {
[ -f /proc/mounts ] || /sbin/mount_root
[ -f /proc/jffs2_bbc ] && echo "S" > /proc/jffs2_bbc
vconfig set_name_type DEV_PLUS_VID_NO_PAD
HOSTNAME=${wan_hostname%%.*}
echo ${HOSTNAME:=OpenWrt}>/proc/sys/kernel/hostname
mkdir -p /var/run
mkdir -p /var/log
mkdir -p /var/lock
touch /var/log/wtmp
touch /var/log/lastlog
[ "$FAILSAFE" = "true" ] && touch /tmp/.failsafe
# manually trigger hotplug before loading modules
for iface in $(awk -F: '/:/ {print $1}' /proc/net/dev); do
/usr/bin/env -i ACTION=add INTERFACE="$iface" /sbin/hotplug net
done
load_modules /etc/modules /etc/modules.d/*
}
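Review bot: `echo ${HOSTNAME:=OpenWrt}>/proc/sys/kernel/hostname` expands the value derived from `wan_hostname` unquoted, so a value containing whitespace or glob characters is word-split and globbed before it reaches the kernel; `echo "${HOSTNAME:=OpenWrt}" > /proc/sys/kernel/hostname` avoids that. Where `wan_hostname` is set is not visible in this hunk (presumably by /etc/functions.sh, which rc.common now sources), so how much it can be trusted is an assumption to confirm. Since start() is the one-shot boot stage, a top comment like `# boot-time setup: mount root, runtime dirs, hostname, hotplug for existing interfaces, then modules` would describe it for the next reader.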


@ -1,9 +1,11 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
setup_switch() { return 0; }
start() {
setup_switch() { return 0; }
include /lib/network
setup_switch
/sbin/wifi
}
. /etc/functions.sh
include /lib/network
setup_switch
/sbin/wifi
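Review bot: `setup_switch() { return 0; }` inside start() is a no-op stub with nothing in the hunk explaining that the following `include /lib/network` is expected to redefine it; a comment such as `# default no-op; target-specific code pulled in by include /lib/network may override setup_switch` (assumption to confirm) keeps the next reader from deleting it. The script gains no stop(), so `stop` and `restart` fall through to rc.common's defaults and leave the switch and wifi untouched, which may be intended but is worth a one-line note.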


@ -1,4 +1,10 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
[ -d /www ] && httpd -p 80 -h /www -r OpenWrt
start() {
[ -d /www ] && httpd -p 80 -h /www -r OpenWrt
}
stop() {
killall httpd
}
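Review bot: stop() uses `killall httpd`, which signals every process of that name rather than only the server this script started, and returns non-zero when none is running; the telnet, cron and dnsmasq sections use the same pattern. That is acceptable for single-instance services, but a comment such as `# by name: no pidfile is kept, so any httpd on the system is stopped` makes the trade-off visible. start() also ends on `[ -d /www ] && httpd ...`, so it reports status 1 on a system without /www; `[ -d /www ] || return 0` before the httpd line turns the missing directory into a clean no-op.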


@ -1,4 +1,10 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
if awk -F: '/^root:/ && $2 !~ /\!/ {exit 1}' /etc/passwd 2>/dev/null; then telnetd -l /bin/login; fi
start() {
if awk -F: '/^root:/ && $2 !~ /\!/ {exit 1}' /etc/passwd 2>/dev/null; then telnetd -l /bin/login; fi
}
stop() {
killall telnetd
}
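Review bot: The awk condition `/^root:/ && $2 !~ /\!/ {exit 1}` decides whether a network-reachable telnetd is started and is easy to misread: awk exits 1 (telnetd not started) when root's password field lacks a `!`, so telnetd runs only while that field still contains one. A comment such as `# start telnetd only while root's password field is still locked ('!' in /etc/passwd); once a password is set, do not offer telnet` states the intent explicitly. Because `2>/dev/null` hides awk errors, an unreadable /etc/passwd leaves telnetd off, which is the safe direction and worth noting in the same comment.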


@ -1,6 +1,12 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
mkdir -p /var/spool/cron
ln -s /etc/crontabs /var/spool/cron/crontabs
crond -c /etc/crontabs
start () {
mkdir -p /var/spool/cron
ln -s /etc/crontabs /var/spool/cron/crontabs
crond -c /etc/crontabs
}
stop() {
killall crond
}
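Review bot: `ln -s /etc/crontabs /var/spool/cron/crontabs` in start() is now reachable more than once (`restart`, or `boot` followed by `start`), and on the second run the link already exists, so `ln` fails and prints an error before crond starts; `[ -e /var/spool/cron/crontabs ] || ln -s /etc/crontabs /var/spool/cron/crontabs` makes the setup idempotent. `start ()` with a space also differs from the `start()` spelling used in every other converted script; harmless to sh, but worth aligning.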


@ -1,11 +0,0 @@
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
sysctl -p >&-
# automagically run firstboot
{ mount|grep "on / type tmpfs" 1>&-; } && {
lock /tmp/.switch2jffs
firstboot switch2jffs
lock -u /tmp/.switch2jffs
}


@ -10,6 +10,17 @@ ${FAILSAFE:+exit}
syslogd -C 16 #${log_ipaddr:+-L -R $log_ipaddr}
klogd
for i in /etc/init.d/S*; do
$i start 2>&1
done | logger -s -p 6 -t '' &
(
for i in /etc/init.d/S*; do
$i start 2>&1
done
sysctl -p >&-
# automagically run firstboot
{ mount|grep "on / type tmpfs" 1>&-; } && {
lock /tmp/.switch2jffs
firstboot switch2jffs
lock -u /tmp/.switch2jffs
}
) | logger -s -p 6 -t '' &
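Review bot: The boot loop still iterates `/etc/init.d/S*`, while the new rc.common's enable()/disable() create and remove links under `/etc/rc.d/`, so disabling a service has no effect on what preinit starts unless those two directories are the same (nothing in this commit shows that). Switching the loop to `for i in /etc/rc.d/S*; do` once the links exist, or a comment stating that rc.d is not consulted yet, would close the gap. Moving `sysctl -p` and the firstboot switch2jffs step behind the init scripts and into the logger pipe also changes when they run relative to the S* scripts; if that ordering is deliberate, a one-line comment saying why would keep it from being "fixed" later.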


@ -0,0 +1,77 @@
#!/bin/sh
. /etc/functions.sh
start() {
return 0
}
stop() {
return 0
}
reload() {
return 1
}
restart() {
stop
start
}
boot() {
start
}
shutdown() {
return 0
}
disable() {
rm -f /etc/rc.d/${initscript##*/}
}
enable() {
disable
ln -s /etc/init.d/${initscript##*/} /etc/rc.d/${initscript##*/}
}
depends() {
return 0
}
help() {
cat <<EOF
Syntax: $0 [command]
Available commands:
start Start the service
stop Stop the service
restart Restart the service
reload Reload configuration files (or restart if that fails)
enable Enable the service (load at boot time)
disable Disable the service
$EXTRA_HELP
EOF
}
initscript="$1"
action="$2"
. "$initscript"
cmds=
for cmd in $EXTRA_COMMANDS; do
cmds="$cmd) $cmd;;"
done
eval "case \"\$action\" in
start) start;;
stop) stop;;
reload) reload || restart;;
restart) restart;;
enable) enable;;
disable) disable;;
boot) boot;;
shutdown) shutdown;;
$cmds
*) help;;
esac"
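Review bot: `cmds="$cmd) $cmd;;"` in the `for cmd in $EXTRA_COMMANDS` loop overwrites the accumulator on every iteration, so only the last extra command reaches the `eval`ed case and any earlier ones fall through to help; it should append, `cmds="$cmds $cmd) $cmd;;"`. help() prints `Syntax: $0 [command]`, but with the `#!/bin/sh /etc/rc.common` shebang `$0` appears to be rc.common itself, so the usage line should use `$initscript`. The eval builds shell source from `EXTRA_COMMANDS`, which only the sourced init script sets, so it is not an injection surface today, but a header comment documenting `EXTRA_COMMANDS`/`EXTRA_HELP` as the extension hooks (and that the names must be valid function names, since they are spliced into a case statement) would make that contract visible; `. "$initscript"` with an empty `$1` could likewise fail with a clearer message.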


@ -1,50 +1,57 @@
#!/bin/sh
. /etc/functions.sh
include /lib/network
scan_interfaces
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
# The following is to automatically configure the DHCP settings
# based on config settings. Feel free to replace all this crap
# with a simple "dnsmasq" and manage everything via the
# /etc/dnsmasq.conf config file
start() {
include /lib/network
scan_interfaces
# The following is to automatically configure the DHCP settings
# based on config settings. Feel free to replace all this crap
# with a simple "dnsmasq" and manage everything via the
# /etc/dnsmasq.conf config file
[ -f /etc/dnsmasq.conf ] || exit
args=""
iface=lan
config_get ifname "$iface" ifname
config_get proto "$iface" proto
[ "$proto" = static ] && dhcp_enable="${dhcp_enable:-1}"
dhcp_start="${dhcp_start:-100}"
dhcp_num="${dhcp_num:-50}"
dhcp_lease="${dhcp_lease:-12h}"
# if dhcp_enable is unset and there is a dhcp server on the network already, default to dhcp_enable=0
[ -z "$dhcp_enable" ] && udhcpc -n -q -R -s /bin/true -i $ifname >&- && dhcp_enable="${dhcp_enable:-0}"
# dhcp_enable=0 disables the dhcp server
(
[ -z "$dhcp_enable" -o "$dhcp_enable" -eq 1 ] && {
# no existing DHCP server?
# calculate settings
config_get ipaddr "$iface" ipaddr
config_get netmask "$iface" netmask
eval $(ipcalc $ipaddr $netmask ${dhcp_start:-100} ${dhcp_num:-150})
# and pass the args via config parser defines
echo "${dhcp_enable:+@define dhcp_enable 1}"
echo "@define netmask $NETMASK"
echo "@define start $START"
echo "@define end $END"
echo "@define lease ${dhcp_lease:-12h}"
}
# ignore requests from wan interface
config_get wan_proto wan proto
config_get wan_ifname wan ifname
[ -z "$wan_proto" -o "$wan_proto" = "none" ] || echo "@define wan_ifname $wan_ifname"
cat /etc/dnsmasq.conf
) | awk -f /usr/lib/parse-config.awk | dnsmasq -C /proc/self/fd/0
}
[ -f /etc/dnsmasq.conf ] || exit
args=""
iface=lan
config_get ifname "$iface" ifname
config_get proto "$iface" proto
[ "$proto" = static ] && dhcp_enable="${dhcp_enable:-1}"
dhcp_start="${dhcp_start:-100}"
dhcp_num="${dhcp_num:-50}"
dhcp_lease="${dhcp_lease:-12h}"
# if dhcp_enable is unset and there is a dhcp server on the network already, default to dhcp_enable=0
[ -z "$dhcp_enable" ] && udhcpc -n -q -R -s /bin/true -i $ifname >&- && dhcp_enable="${dhcp_enable:-0}"
# dhcp_enable=0 disables the dhcp server
(
[ -z "$dhcp_enable" -o "$dhcp_enable" -eq 1 ] && {
# no existing DHCP server?
# calculate settings
config_get ipaddr "$iface" ipaddr
config_get netmask "$iface" netmask
eval $(ipcalc $ipaddr $netmask ${dhcp_start:-100} ${dhcp_num:-150})
# and pass the args via config parser defines
echo "${dhcp_enable:+@define dhcp_enable 1}"
echo "@define netmask $NETMASK"
echo "@define start $START"
echo "@define end $END"
echo "@define lease ${dhcp_lease:-12h}"
}
# ignore requests from wan interface
config_get wan_proto wan proto
config_get wan_ifname wan ifname
[ -z "$wan_proto" -o "$wan_proto" = "none" ] || echo "@define wan_ifname $wan_ifname"
cat /etc/dnsmasq.conf
) | awk -f /usr/lib/parse-config.awk | dnsmasq -C /proc/self/fd/0
stop() {
killall dnsmasq
}


@ -1,16 +1,19 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
for type in rsa dss; do {
# check for keys
key=/etc/dropbear/dropbear_${type}_host_key
[ ! -f $key ] && {
# generate missing keys
mkdir -p /etc/dropbear
[ -x /usr/bin/dropbearkey ] && {
/usr/bin/dropbearkey -t $type -f $key 2>&- >&- && exec $0 $*
} &
exit 0
}
}; done
/usr/sbin/dropbear
start() {
for type in rsa dss; do {
# check for keys
key=/etc/dropbear/dropbear_${type}_host_key
[ ! -f $key ] && {
# generate missing keys
mkdir -p /etc/dropbear
[ -x /usr/bin/dropbearkey ] && {
/usr/bin/dropbearkey -t $type -f $key 2>&- >&- && exec $0 $*
} &
exit 0
}
}; done
/usr/sbin/dropbear
}
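Review bot: `exec $0 $*` inside start() no longer re-runs this script: with the `#!/bin/sh /etc/rc.common` shebang `$0` is `/etc/rc.common`, and inside a function `$*` is the function's own argument list, which is empty when rc.common calls `start`, so the background key generation ends by exec'ing rc.common with no init script to source. `exec "$initscript" start` restores the old behaviour, since rc.common sets `initscript` before sourcing this file. A comment on that line, `# re-enter start via rc.common once the key exists`, would keep the recursion obvious.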


@ -1,103 +1,115 @@
#!/bin/sh
#!/bin/sh /etc/rc.common
# Copyright (C) 2006 OpenWrt.org
## Please make changes in /etc/firewall.user
. /etc/functions.sh
include /lib/network
scan_interfaces
config_get WAN wan ifname
config_get LAN lan ifname
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
# allow
iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
# allow
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -n "$WAN" -a -e /etc/config/firewall ] && {
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
start() {
include /lib/network
scan_interfaces
config_get WAN wan ifname
config_get LAN lan ifname
## CLEAR TABLES
for T in filter nat; do
iptables -t $T -F
iptables -t $T -X
done
iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -N LAN_ACCEPT
[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
iptables -A LAN_ACCEPT -j ACCEPT
### INPUT
### (connections with the router as destination)
# base case
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j DROP
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A INPUT -j input_rule
# allow
iptables -A INPUT -j LAN_ACCEPT # allow from lan/wifi interfaces
iptables -A INPUT -p icmp -j ACCEPT # allow ICMP
iptables -A INPUT -p gre -j ACCEPT # allow GRE
# reject (what to do with anything not allowed earlier)
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
### OUTPUT
### (connections with the router as source)
# base case
iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A OUTPUT -j output_rule
# allow
iptables -A OUTPUT -j ACCEPT #allow everything out
# reject (what to do with anything not allowed earlier)
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
### FORWARDING
### (connections routed through the router)
# base case
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# insert accept rule or to jump to new accept-check table here
#
iptables -A FORWARD -j forwarding_rule
# allow
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
# reject (what to do with anything not allowed earlier)
# uses the default -P DROP
### MASQ
iptables -t nat -A PREROUTING -j prerouting_rule
iptables -t nat -A POSTROUTING -j postrouting_rule
[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -n "$WAN" -a -e /etc/config/firewall ] && {
awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
}
}
stop() {
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F
}
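Review bot: stop() sets INPUT, OUTPUT and FORWARD (and the nat chains) to ACCEPT and then flushes, so while the service is stopped — including the window inside `restart` — the router accepts every inbound connection and forwards whatever routing allows with no filtering; that may be the intended "firewall off" semantics, but it deserves a comment in stop(): `# opens the box completely: all policies ACCEPT, all rules flushed; expect start() to follow`. `iptables -A FORWARD -i br0 -o br0 -j ACCEPT` hard-codes br0 while the rest of start() uses `$LAN` from config_get; if LAN is always br0 this is fine, otherwise `-i $LAN -o $LAN` is presumably what was meant (assumption to confirm). stop() also leaves the user chains defined (start() drops them with `-X` before re-creating them), which is worth a one-line note so nobody adds a second `-X` in the wrong place.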


@ -1,2 +1,4 @@
#!/bin/sh
iwpriv ath0 mode 3
#!/bin/sh /etc/rc.common
start() {
iwpriv ath0 mode 3
}
