1 # Copyright (C) 2009-2010 OpenWrt.org
2
# Where the firewall helper libraries live.  An already-set FW_LIBDIR
# (from the caller's environment) wins; otherwise the stock path is used.
# Everything under this directory is later sourced by fw_init, so the
# variable effectively selects which code runs.
: "${FW_LIBDIR:=/lib/firewall}"

. $FW_LIBDIR/fw.sh
include /lib/network
7
# Build the firewall from the UCI configuration.
# Exits 1 without touching anything if a ruleset is already marked as
# loaded.  Otherwise clears the tables, then installs defaults, zones,
# forwardings, redirects, rules, includes, the conntrack exemptions
# (unless FW_NOTRACK_DISABLED is set) and finally the per-interface
# rules, in that order, and records the zone list and a "loaded" flag
# in UCI state for fw_stop.
# Globals: reads FW_NOTRACK_DISABLED, FW_ZONES; resets FW_DEFAULTS_APPLIED.
fw_start() {
	fw_init

	FW_DEFAULTS_APPLIED=

	# Never stack a second ruleset on top of a live one.
	if fw_is_loaded; then
		echo "firewall already loaded" >&2
		exit 1
	fi

	uci_set_state firewall core "" firewall_state

	# Reset the tables before a single rule is added.  fw_clear is defined
	# in fw.sh (not shown here); the DROP argument reads as "closed while
	# the ruleset is being built" -- confirm against fw.sh if in doubt.
	fw_clear DROP

	fw_callback pre core

	echo "Loading defaults"
	fw_config_once fw_load_defaults defaults

	# Each section-driven loader follows the same pattern: one
	# fw_load_<type> call per UCI section of that type, in this order.
	local fwsec
	for fwsec in zone forwarding redirect rule include; do
		echo "Loading ${fwsec}s"
		config_foreach fw_load_$fwsec $fwsec
	done

	if [ -z "$FW_NOTRACK_DISABLED" ]; then
		echo "Optimizing conntrack"
		config_foreach fw_load_notrack_zone zone
	fi

	echo "Loading interfaces"
	config_foreach fw_configure_interface interface add

	fw_callback post core

	# State consumed by fw_stop (zone list) and fw_is_loaded (flag).
	uci_set_state firewall core zones "$FW_ZONES"
	uci_set_state firewall core loaded 1
}
55
# Tear the firewall down.
# Notifies the hotplug firewall handlers about every zone interface
# that is going away, resets the tables via fw_clear ACCEPT, reverts the
# UCI state written by fw_start and forgets the callback registry that
# fw_init built, so that the next fw_init starts from scratch.
# Globals: reads FW_HOOKS; unsets FW_HOOKS, FW_INITIALIZED and every
# FW_CB_* variable listed in FW_HOOKS.
fw_stop() {
	fw_init

	fw_callback pre stop

	# The zone -> networks -> ifname mapping comes from the state
	# fw_start recorded.  env -i runs the hotplug handlers with a scrubbed
	# environment so they only see the four variables passed explicitly,
	# not whatever our own caller happened to export.
	local zones nets dev z n
	config_get zones core zones
	for z in $zones; do
		config_get nets core "${z}_networks"
		for n in $nets; do
			config_get dev core "${n}_ifname"
			if [ -n "$dev" ]; then
				env -i ACTION=remove ZONE="$z" INTERFACE="$n" DEVICE="$dev" \
					/sbin/hotplug-call firewall
			fi
		done
	done

	# fw_clear lives in fw.sh; here it is given ACCEPT, i.e. the box is
	# left open once the ruleset is gone.
	fw_clear ACCEPT

	fw_callback post stop

	uci_revert_state firewall
	config_clear

	# FW_HOOKS holds the names of the FW_CB_* variables fw_init created.
	local hook
	for hook in $FW_HOOKS; do
		unset "$hook"
	done
	unset FW_HOOKS FW_INITIALIZED
}
85
# Tear the ruleset down and build it again from the current config.
# fw_start runs unconditionally, whatever fw_stop returned.
fw_restart() {
	fw_stop; fw_start
}
90
# A reload is a full restart: the ruleset is rebuilt from scratch rather
# than patched in place.
fw_reload() { fw_restart; }
94
# Succeed (return 0) when a ruleset is marked as loaded.
# Reads the firewall.core.loaded UCI state that fw_start sets to 1; an
# unset or empty value counts as 0, any other non-zero value as loaded.
fw_is_loaded() {
	local state
	state=$(uci_get_state firewall.core.loaded)
	[ "$(( ${state:-0} ))" -ne 0 ]
}
99
100
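# Abort the firewall script: report the error, undo whatever was loaded
# so far and exit 1.
# Arguments: the error message (at least one word expected).
# fw_log already echoes "Error: ..." to stderr for the error level, so
# logging once here replaces the previous echo+fw_log pair, which wrote
# the same line to stderr twice.
fw_die() {
	fw_log error "$@"
	# NOTE(review): fw_stop ends with `fw_clear ACCEPT`, so a load that
	# aborts here leaves the default policy open, not closed.  Confirm
	# that fail-open on a broken configuration is the intended outcome.
	fw_stop
	exit 1
}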
107
# Send a message to syslog via logger(1), tagged "firewall".
# Usage: fw_log [LEVEL] MESSAGE...
# When a (non-empty) second argument is present the first one is taken
# as the syslog level (priority user.LEVEL); with a single argument the
# level defaults to notice.  Error-level messages are also echoed to
# stderr, so callers must not print them a second time.
fw_log() {
	local level
	if [ -n "$2" ]; then
		level="$1"
		shift
	else
		level=notice
	fi
	if [ "$level" = error ]; then
		echo "Error: $@" >&2
	fi
	logger -t firewall -p user.$level "$@"
}
114
115
# Bootstrap the firewall library: load config.sh, read the firewall UCI
# config, then source every helper library under FW_LIBDIR and register
# the callbacks it provides.  Runs once per shell -- FW_INITIALIZED
# short-circuits later calls until fw_stop clears it again.
# Globals written: FW_INITIALIZED, FW_HOOKS, FW_CB_<pre|post>_<hook>
# (via append), plus whatever the sourced libraries define.
# Returns 0.
fw_init() {
	[ -z "$FW_INITIALIZED" ] || return 0

	. $FW_LIBDIR/config.sh

	scan_interfaces
	fw_config_append firewall

	# Built-in hook points libraries may attach to; every core_<name>.sh
	# found below contributes one more hook named after itself.
	local hooks="core stop defaults zone notrack synflood"
	local file lib hk pp
	for file in $FW_LIBDIR/core_*.sh; do
		. $file
		hk=$(basename $file .sh)
		hk=${hk#core_}
		append hooks $hk
	done
	# Second pass: every other *.sh in FW_LIBDIR is an extension library.
	# A leading "NN_" ordering prefix is stripped to obtain its name.
	# fw.sh, config.sh and core_*.sh were sourced already (here and at the
	# top of this file); uci_firewall is skipped too, presumably because
	# it is not a callback library.
	# NOTE(review): FW_LIBDIR may be overridden from the environment (see
	# the top of this file), so whoever can set it for the invoking process
	# chooses which files get sourced here -- keep that environment trusted.
	for file in $FW_LIBDIR/*.sh; do
		lib=$(basename $file .sh)
		lib=${lib##[0-9][0-9]_}
		case $lib in
			core*|fw|config|uci_firewall) continue ;;
		esac
		. $file
		# A library opts into a hook by defining <lib>_<pre|post>_<hook>_cb.
		# Its name is appended to FW_CB_<pre|post>_<hook>, and that variable
		# name is recorded in FW_HOOKS so fw_stop can unset it later.
		for hk in $hooks; do
			for pp in pre post; do
				type ${lib}_${pp}_${hk}_cb >/dev/null && {
					append FW_CB_${pp}_${hk} ${lib}
					append FW_HOOKS FW_CB_${pp}_${hk}
				}
			done
		done
	done

	fw_callback post init

	FW_INITIALIZED=1
	return 0
}