X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/24931686cd4b89f6a038d3820218578db8ba92ee..ec40024c13729034674107632ca48de6771c8eaf:/package/firewall/files/lib/core_init.sh diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh index 92d117160..e93de1613 100644 --- a/package/firewall/files/lib/core_init.sh +++ b/package/firewall/files/lib/core_init.sh @@ -1,4 +1,4 @@ -# Copyright (C) 2009-2010 OpenWrt.org +# Copyright (C) 2009-2011 OpenWrt.org # Copyright (C) 2008 John Crispin FW_INITIALIZED= @@ -42,7 +42,7 @@ fw_load_defaults() { boolean disable_ipv6 0 \ } || return [ -n "$FW_DEFAULTS_APPLIED" ] && { - echo "Error: multiple defaults sections detected" + fw_log error "duplicate defaults section detected, skipping" return 1 } FW_DEFAULTS_APPLIED=1 @@ -66,17 +66,17 @@ fw_load_defaults() { done fw_sysctl_interface all + fw add i f INPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED } + fw add i f OUTPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED } + fw add i f FORWARD ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED } + [ $defaults_drop_invalid == 1 ] && { - fw add i f INPUT DROP { -m state --state INVALID } - fw add i f OUTPUT DROP { -m state --state INVALID } - fw add i f FORWARD DROP { -m state --state INVALID } + fw add i f INPUT DROP { -m conntrack --ctstate INVALID } + fw add i f OUTPUT DROP { -m conntrack --ctstate INVALID } + fw add i f FORWARD DROP { -m conntrack --ctstate INVALID } FW_NOTRACK_DISABLED=1 } - fw add i f INPUT ACCEPT { -m state --state RELATED,ESTABLISHED } - fw add i f OUTPUT ACCEPT { -m state --state RELATED,ESTABLISHED } - fw add i f FORWARD ACCEPT { -m state --state RELATED,ESTABLISHED } - fw add i f INPUT ACCEPT { -i lo } fw add i f OUTPUT ACCEPT { -o lo } @@ -84,13 +84,16 @@ fw_load_defaults() { [ $defaults_syn_flood == 1 ] && \ defaults_synflood_protect=1 + [ "${defaults_synflood_rate%/*}" == "$defaults_synflood_rate" ] && \ + defaults_synflood_rate="$defaults_synflood_rate/second" + [ $defaults_synflood_protect == 1 ] && { echo "Loading synflood protection" fw_callback pre synflood fw add i f syn_flood fw add i f syn_flood RETURN { \ -p tcp --syn \ - -m limit --limit "${defaults_synflood_rate}/second" --limit-burst "${defaults_synflood_burst}" \ + -m limit --limit "${defaults_synflood_rate}" --limit-burst "${defaults_synflood_burst}" \ } fw add i f syn_flood DROP fw add i f INPUT syn_flood { -p tcp --syn } @@ -139,9 +142,13 @@ fw_config_get_zone() { string output "$FW_DEFAULT_OUTPUT_POLICY" \ string forward "$FW_DEFAULT_FORWARD_POLICY" \ boolean masq 0 \ + string masq_src "" \ + string masq_dest "" \ boolean conntrack 0 \ boolean mtu_fix 0 \ boolean custom_chains "$FW_ADD_CUSTOM_CHAINS" \ + boolean log 0 \ + string log_limit 10 \ string family "" \ } || return [ -n "$zone_name" ] || zone_name=$zone_NAME @@ -152,14 +159,15 @@ fw_load_zone() { fw_config_get_zone "$1" list_contains FW_ZONES $zone_name && { - fw_die "zone ${zone_name}: duplicated zone" + fw_log error "zone ${zone_name}: duplicated zone, skipping" + return 0 } append FW_ZONES $zone_name fw_callback pre zone [ $zone_conntrack = 1 -o $zone_masq = 1 ] && \ - append FW_CONNTRACK_ZONES "$zone_NAME" + append FW_CONNTRACK_ZONES "$zone_name" local mode case "$zone_family" in @@ -187,7 +195,6 @@ fw_load_zone() { fw add $mode f ${chain}_ACCEPT fw add $mode f ${chain}_DROP fw add $mode f ${chain}_REJECT - fw add $mode f ${chain}_MSSFIX # TODO: Rename to ${chain}_input fw add $mode f ${chain} @@ -204,11 +211,12 @@ fw_load_zone() { fw add $mode n ${chain}_prerouting fw add $mode r ${chain}_notrack - [ $zone_masq == 1 ] && \ - fw add $mode n POSTROUTING ${chain}_nat $ - [ $zone_mtu_fix == 1 ] && \ - fw add $mode f FORWARD ${chain}_MSSFIX ^ + [ $zone_mtu_fix == 1 ] && { + fw add $mode m ${chain}_MSSFIX + fw add $mode m FORWARD ${chain}_MSSFIX ^ + uci_set_state firewall core ${zone_name}_tcpmss 1 + } [ $zone_custom_chains == 1 ] && { [ $FW_ADD_CUSTOM_CHAINS == 1 ] || \ @@ -224,17 +232,51 @@ fw_load_zone() { fw add $mode n ${chain}_prerouting prerouting_${zone_name} ^ } + [ "$zone_log" == 1 ] && { + [ "${zone_log_limit%/*}" == "$zone_log_limit" ] && \ + zone_log_limit="$zone_log_limit/minute" + + local t + for t in REJECT DROP; do + fw add $mode f ${chain}_${t} LOG ^ \ + { -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " } + done + + [ $zone_mtu_fix == 1 ] && \ + fw add $mode m ${chain}_MSSFIX LOG ^ \ + { -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " } + } + + # NB: if MASQUERADING for IPv6 becomes available we'll need a family check here + if [ "$zone_masq" == 1 ]; then + local msrc mdst + for msrc in ${zone_masq_src:-0.0.0.0/0}; do + case "$msrc" in + *.*) fw_get_negation msrc '-s' "$msrc" ;; + *) fw_get_subnet4 msrc '-s' "$msrc" || break ;; + esac + + for mdst in ${zone_masq_dest:-0.0.0.0/0}; do + case "$mdst" in + *.*) fw_get_negation mdst '-d' "$mdst" ;; + *) fw_get_subnet4 mdst '-d' "$mdst" || break ;; + esac + + fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst } + done + done + fi + fw_callback post zone } fw_load_notrack_zone() { - list_contains FW_CONNTRACK_ZONES "$1" && return - fw_config_get_zone "$1" + list_contains FW_CONNTRACK_ZONES "${zone_name}" && return fw_callback pre notrack - fw add i f zone_${zone_name}_notrack NOTRACK $ + fw add i r zone_${zone_name}_notrack NOTRACK $ fw_callback post notrack } @@ -243,8 +285,10 @@ fw_load_notrack_zone() { fw_load_include() { local name="$1" - local path; config_get path ${name} path - [ -e $path ] && . $path + local path + config_get path ${name} path + + [ -e $path ] && ( . $path ) }