[package] firewall: add support for "local" port forwards which target an internal...
# Copyright (C) 2009-2010 OpenWrt.org
# Copyright (C) 2009 Malte S. Stretz
# Per-family status of the most recent fw call, written by fw__rc:
# 4 = iptables, 6 = ip6tables, i = both IP families, e = ebtables,
# a = arptables.  All start out clean.
export FW_4_ERROR=0 FW_6_ERROR=0 FW_i_ERROR=0 FW_e_ERROR=0 FW_a_ERROR=0
#TODO: remove this
# Entry point used by the rest of the file.  When the script is not being
# traced it is a plain alias for fw__exec; under 'set -x' it silences xtrace
# for the duration of the call and restores the option set afterwards.
# ${-#*x} differs from $- exactly when 'x' is among the active options.
if [ "${-#*x}" == "$-" ]; then
  fw() {
    fw__exec "$@"
  }
else
  fw() {
    local saved_opts=$-
    set +x
    fw__exec "$@"
    local status=$?
    set -$saved_opts
    return $status
  }
fi
# Build and run a single iptables/ip6tables/ebtables/arptables invocation.
#
#   fw__exec <action> <family> <table> <chain> <target> <position> { <rules> }
#
# The six leading words are consumed into cmd/fam/tab/chn/tgt/pos; a missing
# word, or one that is the literal '{', is stored as '-'.  Everything between
# '{' and the closing '}' is appended to the command line as rule arguments.
#
#   action:   add | del | flush | policy | has | err | list
#   family:   4 | 6 | i (both) | I (pick by address literal) | e | a | -
#             ('-' behaves like 'i'); a leading 'G' (G4/G6, as produced by
#             fw_get_family_mode) is accepted by the 4/6 branches.
#   table:    f|filter  m|mangle  n|nat  r|raw  ('-' means filter)
#   position: ^ (top) | $ or - (append) | + (running per-chain offset) | N
#
# The exit status of the underlying tool is stored in FW_<family>_ERROR
# through fw__rc and returned.  Status 254 means an unknown family or action.
fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
  local cmd fam tab chn tgt pos
  local i
  for i in cmd fam tab chn tgt pos; do
    if [ "$1" -a "$1" != '{' ]; then
      # SECURITY NOTE(review): the argument is spliced into an eval between
      # single quotes; a value containing a single quote ends the quoting and
      # the remainder of the value is executed as shell code.  Only values
      # the caller already trusts may reach this point.
      eval "$i='$1'"
      shift
    else
      eval "$i=-"
    fi
  done

  # Record status $1 in the family's error flag (FW_4_ERROR, FW_6_ERROR, ...;
  # a leading 'G' in $fam is dropped) and return it.
  fw__rc() {
    export FW_${fam#G}_ERROR=$1
    return $1
  }

  # Family 'i': run the same command for IPv4 and IPv6 and report the
  # bitwise OR of both families' error flags.
  fw__dualip() {
    fw $cmd 4 $tab $chn $tgt $pos "$@"
    fw $cmd 6 $tab $chn $tgt $pos "$@"
    fw__rc $((FW_4_ERROR | FW_6_ERROR))
  }

  # Family 'I': pick the address family from the rule words.  Any word
  # containing ':' marks IPv6, any dotted quad marks IPv4; both at once is an
  # error, neither falls back to family 'i'.
  # NOTE(review): the scan has no argument-count guard (it assumes a closing
  # '}'), and it consumes the rule words, so the nested fw call below is
  # issued with whatever follows '}' rather than the scanned rule -- confirm
  # against the callers that use family 'I'.
  fw__autoip() {
    local ip4 ip6
    shift
    while [ "$1" != '}' ]; do
      case "$1" in
        *:*) ip6=1 ;;
        *.*.*.*) ip4=1 ;;
      esac
      shift
    done
    shift
    if [ "${ip4:-4}" == "${ip6:-6}" ]; then
      echo "fw: can't mix ip4 and ip6" >&2
      return 1
    fi
    local ver=${ip4:+4}${ip6:+6}
    fam=i
    fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
    fw__rc $?
  }

  # Availability check.  With '-': is the tool in $app installed at all?
  # Otherwise (table given as $1, else the current $tab): is the table usable
  # with $app?  The only unsupported combination known here is ip6tables with
  # the nat table.  The result goes through fw__rc, so it also lands in the
  # family's error flag.
  fw__has() {
    local tab=${1:-$tab}
    if [ $tab == '-' ]; then
      type $app > /dev/null 2> /dev/null
      fw__rc $(($? & 1))
      return
    fi
    [ "$app" != ip6tables ] || [ "$tab" != nat ]
    fw__rc $?
  }

  # Re-read the family's stored error flag and return it as status.
  # NOTE(review): this reads FW_${fam}_ERROR without stripping a leading 'G',
  # while fw__rc writes FW_${fam#G}_ERROR -- for G4/G6 these differ.
  fw__err() {
    local err
    eval "err=\$FW_${fam}_ERROR"
    fw__rc $err
  }

  local app=
  local pol=
  # Pick the tool for the family.  A disabled family returns early without
  # touching anything.  FW_DISABLE_IPV* is unquoted: if it is unset the test
  # itself fails and the '|| return' path is taken.
  case "$fam" in
    *4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables || return ;;
    *6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
    i) fw__dualip "$@"; return ;;
    I) fw__autoip "$@"; return ;;
    e) app=ebtables ;;
    a) app=arptables ;;
    -) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
    *) return 254 ;;
  esac
  # Expand table aliases; '-' means filter.
  case "$tab" in
    f) tab=filter ;;
    m) tab=mangle ;;
    n) tab=nat ;;
    r) tab=raw ;;
    -) tab=filter ;;
  esac
  # Map the action onto a tool operation, using chain/target/position to
  # disambiguate:
  #   add without target     -> --new-chain
  #   add at '-' or '$'      -> --append; any other position -> --insert
  #   del without chain      -> flush the whole table, then --delete-chain
  #   del without target     -> flush that chain, then --delete-chain
  #   del with a rule        -> --delete
  #   policy                 -> the target word is passed as the policy
  #   has / err              -> answer the query and return
  #   list                   -> --numeric --verbose --list
  case "$cmd:$chn:$tgt:$pos" in
    add:*:-:*) cmd=new-chain ;;
    add:*:*:-) cmd=append ;;
    add:*:*:$) cmd=append ;;
    add:*:*:*) cmd=insert ;;
    del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
    del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
    del:*:*:*) cmd=delete ;;
    flush:*) ;;
    policy:*) pol=$tgt; tgt=- ;;
    has:*) fw__has; return ;;
    err:*) fw__err; return ;;
    list:*) cmd="numeric --verbose --$cmd" ;;
    *) return 254 ;;
  esac
  # '-' placeholders become empty so they vanish from the command line.
  case "$chn" in
    -) chn= ;;
  esac
  case "$tgt" in
    -) tgt= ;;
  esac

  # Rule position: '^' inserts at the top, '$' and '-' append, '+' inserts at
  # a running per-chain offset kept in the exported variable
  # FW__RULE_OFS_<app>_<tab>_<chain> (starting at 1, bumped after each
  # successful call below).  The chain name is spliced into a variable name
  # through eval, so it has to be a valid shell identifier fragment.
  local rule_offset
  case "$pos" in
    ^) pos=1 ;;
    $) pos= ;;
    -) pos= ;;
    +) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;;
  esac

  # Missing tool or unsupported table: succeed silently with a cleared error
  # flag.  NOTE(review): like fw__err this writes FW_${fam}_ERROR without
  # stripping a leading 'G', unlike fw__rc.
  if ! fw__has - family || ! fw__has $tab ; then
    export FW_${fam}_ERROR=0
    return 0
  fi

  # For G families, one word (the '{' that stopped positional parsing) is
  # dropped and then everything up to the next '{' -- i.e. the first brace
  # group is skipped.  Presumably such callers pass two brace groups; confirm
  # against the callers.
  case "$fam" in
    G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
  esac

  # Drop the '{'.  --delete matches by rule content, so any position given
  # is discarded.
  if [ $# -gt 0 ]; then
    shift
    if [ $cmd == delete ]; then
      pos=
    fi
  fi

  # The command is assembled as one string and executed unquoted below, so
  # every whitespace-separated word becomes a separate argument: rule words
  # containing whitespace cannot be passed through, and glob characters are
  # subject to pathname expansion.
  local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}"
  # Copy rule words until only the closing '}' is left.
  while [ $# -gt 1 ]; do
    # special parameter handling
    case "$1:$2" in
      # -p icmp / 1 / 58: normalise to the protocol name the tool expects;
      # the extra shift consumes the original value.
      -p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58)
        [ "$app" = ip6tables ] && \
          cmdline="$cmdline -p icmpv6" || \
          cmdline="$cmdline -p icmp"
        shift
      ;;
      # ICMP type: validate/translate via fw_check_icmptype{4,6}; a type
      # unknown to the family is logged and the whole rule is skipped.
      # NOTE(review): this return bypasses fw__rc, so FW_<fam>_ERROR keeps
      # whatever value it had before.
      --icmp-type:*|--icmpv6-type:*)
        local icmp_type
        if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then
          cmdline="$cmdline $icmp_type"
        elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then
          cmdline="$cmdline $icmp_type"
        else
          local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6
          fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule"
          return 1
        fi
        shift
      ;;
      *) cmdline="$cmdline $1" ;;
    esac
    shift
  done

  # FW_TRACE: echo the final command to stderr before running it.
  [ -n "$FW_TRACE" ] && echo $cmdline >&2

  $cmdline

  # On success with a '+' position, advance the per-chain offset.
  local rv=$?
  [ $rv -eq 0 ] && [ -n "$rule_offset" ] && \
    export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))"
  fw__rc $rv
}
# Normalise a port spec into <first><delim><last> form.
#   $1 - variable to set
#   $2 - port or "first-last" range (either bound may carry a leading '!')
#   $3 - delimiter between the bounds, default ':'
#   $4 - optional upper bound given as a separate word
# A range whose bounds are equal collapses to the first bound.
# NOTE(review): unlike the other fw_get_* helpers this uses 'export' rather
# than 'export -n', so the result is visible to child processes -- confirm
# that is intended.
fw_get_port_range() {
  local _var=$1
  local _ports=$2
  local _delim=${3:-:}
  # A separate fourth word is the upper bound of the range.
  [ -n "$4" ] && _ports="${_ports}-${4}"

  local _first=${_ports%-*}
  local _last=${_ports#*-}
  if [ "${_first#!}" = "${_last#!}" ]; then
    export -- "$_var=$_first"
  else
    export -- "$_var=$_first$_delim${_last#!}"
  fi
}
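# Decide which address family mode a rule for a zone should use.
#   $1 - variable to set (unexported)
#   $2 - family hint from the rule; a hint ending in 4 or 6 forces that
#        family when the zone supports it
#   $3 - zone name, or '*' for "any zone" (both families)
#   $4 - mode to fall back to when neither family is forced
# Reads FW_ZONES4/FW_ZONES6 when either is non-empty, otherwise the
# <zone>_ipv4/<zone>_ipv6 firewall state via uci_get_state.
# Result: G4, G6 or $4.
fw_get_family_mode() {
  local _var="$1"
  local _hint="$2"
  local _zone="$3"
  local _mode="$4"

  local _ipv4 _ipv6
  # Written as if/elif/else rather than '&& { } || { }': with the and-or
  # chain, a non-zero status from the last uci_get_state call fell through
  # to the wildcard branch and silently enabled both families.
  if [ "$_zone" = "*" ]; then
    _ipv4=1
    _ipv6=1
  elif [ -n "$FW_ZONES4$FW_ZONES6" ]; then
    if list_contains FW_ZONES4 "$_zone"; then _ipv4=1; else _ipv4=0; fi
    if list_contains FW_ZONES6 "$_zone"; then _ipv6=1; else _ipv6=0; fi
  else
    _ipv4=$(uci_get_state firewall core "${_zone}_ipv4" 0)
    _ipv6=$(uci_get_state firewall core "${_zone}_ipv6" 0)
  fi

  case "$_hint:$_ipv4:$_ipv6" in
    *4:1:*|*:1:0) export -n -- "$_var=G4" ;;
    *6:*:1|*:0:1) export -n -- "$_var=G6" ;;
    *) export -n -- "$_var=$_mode" ;;
  esac
}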
# Turn an optionally negated value into "[! ]<flag> <value>".
#   $1 - variable to set (unexported)
#   $2 - option flag, e.g. --source
#   $3 - value; a leading '!' negates, an empty value yields an empty result
fw_get_negation() {
  local _var="$1"
  local _flag="$2"
  local _value="$3"

  if [ "${_value#!}" != "$_value" ]; then
    export -n -- "$_var=! $_flag ${_value#!}"
  else
    export -n -- "$_var=${_value:+$_flag $_value}"
  fi
}
# Resolve an interface name to "[! ]<flag> <ipaddr>/<netmask>" from the
# network state.
#   $1 - variable to set (unexported)
#   $2 - option flag, e.g. --source
#   $3 - interface name; a leading '!' negates the match
# Returns 0 with the result set, or 1 (and an empty result) when the
# interface has no dotted-quad ipaddr.  A missing netmask defaults to /32.
fw_get_subnet4() {
  local _var="$1"
  local _flag="$2"
  local _name="$3"

  local _iface="${_name#!}"
  local _ipaddr
  local _netmask
  _ipaddr="$(uci_get_state network "$_iface" ipaddr)"
  _netmask="$(uci_get_state network "$_iface" netmask)"

  case "$_ipaddr" in
    *.*.*.*)
      local _neg=
      [ "$_iface" != "$_name" ] && _neg="! "
      export -n -- "$_var=${_neg}$_flag $_ipaddr/${_netmask:-255.255.255.255}"
      return 0
    ;;
  esac

  export -n -- "$_var="
  return 1
}
# Validate an IPv4 ICMP type and render it as "[! ]--icmp-type <type>".
#   $1 - variable to set (unexported)
#   $2 - numeric type or symbolic name, optionally prefixed with '!'
# Numeric types are accepted as-is.  Names are checked against the list
# iptables itself prints; that list is cached in FW_ICMP4_TYPES (exported)
# on first use, with router-advertisement/router-solicitation left out.
# Returns 0 when the type is usable, 1 (with an empty result) otherwise.
fw_check_icmptype4() {
  local _var="$1"
  local _type="$2"
  local _name="${_type#!}"
  local _neg=
  [ "$_name" != "$_type" ] && _neg="! "

  case "$_name" in
    [0-9]*)
      export -n -- "$_var=${_neg}--icmp-type $_name"
      return 0
    ;;
  esac

  if [ -z "$FW_ICMP4_TYPES" ]; then
    export FW_ICMP4_TYPES=$(
      iptables -p icmp -h 2>/dev/null | \
      sed -n -e '/^Valid ICMP Types:/ {
        n; :r;
        /router-advertisement/d;
        /router-solicitation/d;
        s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
      }' | sort -u
    )
  fi

  local _known
  for _known in $FW_ICMP4_TYPES; do
    if [ "$_known" = "$_name" ]; then
      export -n -- "$_var=${_neg}--icmp-type $_name"
      return 0
    fi
  done

  export -n -- "$_var="
  return 1
}
# Validate an ICMPv6 type and render it as "[! ]--icmpv6-type <type>".
#   $1 - variable to set (unexported)
#   $2 - numeric type or symbolic name, optionally prefixed with '!'
# Numeric types are accepted as-is.  Names are checked against the list
# ip6tables itself prints; that list is cached in FW_ICMP6_TYPES (exported)
# on first use.
# Returns 0 when the type is usable, 1 (with an empty result) otherwise.
fw_check_icmptype6() {
  local _var="$1"
  local _type="$2"
  local _name="${_type#!}"
  local _neg=
  [ "$_name" != "$_type" ] && _neg="! "

  case "$_name" in
    [0-9]*)
      export -n -- "$_var=${_neg}--icmpv6-type $_name"
      return 0
    ;;
  esac

  if [ -z "$FW_ICMP6_TYPES" ]; then
    export FW_ICMP6_TYPES=$(
      ip6tables -p icmpv6 -h 2>/dev/null | \
      sed -n -e '/^Valid ICMPv6 Types:/ {
        n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
      }' | sort -u
    )
  fi

  local _known
  for _known in $FW_ICMP6_TYPES; do
    if [ "$_known" = "$_name" ]; then
      export -n -- "$_var=${_neg}--icmpv6-type $_name"
      return 0
    fi
  done

  export -n -- "$_var="
  return 1
}