DEF_INPUT=DROP
DEF_OUTPUT=DROP
DEF_FORWARD=DROP
+CONNTRACK_ZONES=
+NOTRACK_DISABLED=
+
+find_item() {
+ local item="$1"; shift
+ for i in "$@"; do
+ [ "$i" = "$item" ] && return 0
+ done
+ return 1
+}
load_policy() {
config_get input $1 input
$IPTABLES -A output -j zone_$1_$4
$IPTABLES -N zone_$1_nat -t nat
$IPTABLES -N zone_$1_prerouting -t nat
+ $IPTABLES -t raw -N zone_$1_notrack
[ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$1_nat
}
addif() {
- local dev
- config_get dev core $2
- [ -n "$dev" -a "$dev" != "$1" ] && delif "$dev" "$2"
- [ -n "$dev" -a "$dev" == "$1" ] && return
- logger "adding $1 to firewall zone $2"
- $IPTABLES -A input -i $1 -j zone_$2
- $IPTABLES -I zone_$2_MSSFIX 1 -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT
- $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP
- $IPTABLES -I zone_$2_REJECT 1 -o $1 -j reject
- $IPTABLES -I zone_$2_ACCEPT 1 -i $1 -j ACCEPT
- $IPTABLES -I zone_$2_DROP 1 -i $1 -j DROP
- $IPTABLES -I zone_$2_REJECT 1 -i $1 -j reject
- $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE
- $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting
- $IPTABLES -A forward -i $1 -j zone_$2_forward
- uci_set_state firewall core "$2" "$1"
+ local network="$1"
+ local ifname="$2"
+ local zone="$3"
+
+ local n_if n_zone
+ config_get n_if core "${network}_ifname"
+ config_get n_zone core "${network}_zone"
+ [ -n "$n_zone" ] && {
+ if [ "$n_zone" != "$zone" ]; then
+ delif "$network" "$n_if" "$n_zone"
+ else
+ return
+ fi
+ }
+
+ logger "adding $network ($ifname) to firewall zone $zone"
+ $IPTABLES -A input -i "$ifname" -j zone_${zone}
+ $IPTABLES -I zone_${zone}_MSSFIX 1 -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ $IPTABLES -I zone_${zone}_ACCEPT 1 -o "$ifname" -j ACCEPT
+ $IPTABLES -I zone_${zone}_DROP 1 -o "$ifname" -j DROP
+ $IPTABLES -I zone_${zone}_REJECT 1 -o "$ifname" -j reject
+ $IPTABLES -I zone_${zone}_ACCEPT 1 -i "$ifname" -j ACCEPT
+ $IPTABLES -I zone_${zone}_DROP 1 -i "$ifname" -j DROP
+ $IPTABLES -I zone_${zone}_REJECT 1 -i "$ifname" -j reject
+ $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -j MASQUERADE
+ $IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting
+ $IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward
+ $IPTABLES -t raw -I PREROUTING 1 -i "$ifname" -j zone_${zone}_notrack
+ uci_set_state firewall core "${network}_ifname" "$ifname"
+ uci_set_state firewall core "${network}_zone" "$zone"
}
delif() {
- logger "removing $1 from firewall zone $2"
- $IPTABLES -D input -i $1 -j zone_$2
- $IPTABLES -D zone_$2_ACCEPT -o $1 -j ACCEPT
- $IPTABLES -D zone_$2_DROP -o $1 -j DROP
- $IPTABLES -D zone_$2_REJECT -o $1 -j reject
- $IPTABLES -D zone_$2_ACCEPT -i $1 -j ACCEPT
- $IPTABLES -D zone_$2_DROP -i $1 -j DROP
- $IPTABLES -D zone_$2_REJECT -i $1 -j reject
- $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE
- $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting
- $IPTABLES -D forward -i $1 -j zone_$2_forward
- uci_revert_state firewall core "$2"
+ local network="$1"
+ local ifname="$2"
+ local zone="$3"
+
+ logger "removing $network ($ifname) from firewall zone $zone"
+ $IPTABLES -D input -i "$ifname" -j zone_$zone
+ $IPTABLES -D zone_${zone}_MSSFIX -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ $IPTABLES -D zone_${zone}_ACCEPT -o "$ifname" -j ACCEPT
+ $IPTABLES -D zone_${zone}_DROP -o "$ifname" -j DROP
+ $IPTABLES -D zone_${zone}_REJECT -o "$ifname" -j reject
+ $IPTABLES -D zone_${zone}_ACCEPT -i "$ifname" -j ACCEPT
+ $IPTABLES -D zone_${zone}_DROP -i "$ifname" -j DROP
+ $IPTABLES -D zone_${zone}_REJECT -i "$ifname" -j reject
+ $IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -j MASQUERADE
+ $IPTABLES -D PREROUTING -t nat -i "$ifname" -j zone_${zone}_prerouting
+ $IPTABLES -D forward -i "$ifname" -j zone_${zone}_forward
+ uci_revert_state firewall core "${network}_ifname"
+ uci_revert_state firewall core "${network}_zone"
}
load_synflood() {
$IPTABLES -P $chain $target
}
+fw_clear() {
+ $IPTABLES -F
+ $IPTABLES -t nat -F
+ $IPTABLES -t nat -X
+ $IPTABLES -t raw -F
+ $IPTABLES -t raw -X
+ $IPTABLES -X
+}
+
fw_defaults() {
[ -n "$DEFAULTS_APPLIED" ] && {
echo "Error: multiple defaults sections detected"
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
- $IPTABLES -F
- $IPTABLES -t mangle -F
- $IPTABLES -t nat -F
- $IPTABLES -t mangle -X
- $IPTABLES -t nat -X
- $IPTABLES -X
-
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ fw_clear
+ config_get_bool drop_invalid $1 drop_invalid 0
+
+ [ "$drop_invalid" -gt 0 ] && {
+ $IPTABLES -A INPUT -m state --state INVALID -j DROP
+ $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
+ $IPTABLES -A FORWARD -m state --state INVALID -j DROP
+ NOTRACK_DISABLED=1
+ }
+
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
+
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
config_get name $1 name
config_get network $1 network
- config_get masq $1 masq
- load_policy $1
+ config_get_bool masq $1 masq "0"
+ config_get_bool conntrack $1 conntrack "0"
+ load_policy $1
+ [ "$conntrack" = "1" -o "$masq" = "1" ] && append CONNTRACK_ZONES "$name"
[ -z "$network" ] && network=$name
create_zone "$name" "$network" "$input" "$output" "$forward" "$masq"
fw_custom_chains_zone "$name"
local dest_ip
local dest_port
local proto
+ local icmp_type
local target
local ruleset
config_get dest_ip $1 dest_ip
config_get dest_port $1 dest_port
config_get proto $1 proto
+ config_get icmp_type $1 icmp_type
config_get target $1 target
config_get ruleset $1 ruleset
add_rule() {
$IPTABLES -I $ZONE 1 \
${proto:+-p $proto} \
+ ${icmp_type:+--icmp-type $icmp_type} \
${src_ip:+-s $src_ip} \
${src_port:+--sport $src_port} \
${src_mac:+-m mac --mac-source $src_mac} \
[ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT
$IPTABLES -I $z_src 1 -j $z_dest
[ "$mtu_fix" -gt 0 -a -n "$dest" ] && $IPTABLES -I $z_src 1 -j zone_${dest}_MSSFIX
+
+ # propagate masq zone flag
+ find_item "$src" $CONNTRACK_ZONES && append CONNTRACK_ZONES $dest
+ find_item "$dest" $CONNTRACK_ZONES && append CONNTRACK_ZONES $src
}
fw_redirect() {
$IPTABLES -I zone_${zone}_prerouting 1 -t nat -j prerouting_${zone}
}
+fw_check_notrack() {
+ local zone="$1"
+ config_get name "$zone" name
+ [ -n "$NOTRACK_DISABLED" ] || \
+ find_item "$name" $CONNTRACK_ZONES || \
+ $IPTABLES -t raw -A zone_${name}_notrack -j NOTRACK
+}
+
fw_init() {
DEFAULTS_APPLIED=
config_foreach fw_defaults defaults
echo "Loading zones"
config_foreach fw_zone zone
- echo "Loading rules"
- config_foreach fw_rule rule
echo "Loading forwarding"
config_foreach fw_forwarding forwarding
echo "Loading redirects"
config_foreach fw_redirect redirect
+ echo "Loading rules"
+ config_foreach fw_rule rule
echo "Loading includes"
config_foreach fw_include include
uci_set_state firewall core loaded 1
+ config_foreach fw_check_notrack zone
unset CONFIG_APPEND
config_load network
config_foreach fw_addif interface
}
fw_stop() {
- $IPTABLES -F
- $IPTABLES -t mangle -F
- $IPTABLES -t nat -F
- $IPTABLES -t mangle -X
- $IPTABLES -t nat -X
- $IPTABLES -X
+ fw_clear
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
- uci_revert_state firewall core
+ uci_revert_state firewall
}