X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/4927575ba56532eef9bf01072f562e7f40f7dd70..213b89f9dd985ab728f9f0f485bc6402d0e4c256:/package/firewall/files/uci_firewall.sh
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index f6e82bcb6..0ce878b7f 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -53,6 +53,10 @@ create_zone() {
 }
 addif() {
+ local dev
+ config_get dev core $2
+ [ -n "$dev" -a "$dev" != "$1" ] && delif "$dev" "$2"
+ [ -n "$dev" -a "$dev" == "$1" ] && return
 logger "adding $1 to firewall zone $2"
 $IPTABLES -A INPUT -i $1 -j zone_$2
 $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT
@@ -64,6 +68,7 @@ addif() {
 $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE
 $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting
 $IPTABLES -A FORWARD -i $1 -j zone_$2_forward
+ uci_set_state firewall core "$2" "$1"
 }
 delif() {
@@ -78,6 +83,7 @@ delif() {
 $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE
 $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting
 $IPTABLES -D FORWARD -i $1 -j zone_$2_forward
+ uci_revert_state firewall core "$2"
 }
 load_synflood() {
@@ -106,6 +112,9 @@ fw_defaults() {
 do
 echo 0 > $f
 done
+
+ uci_revert_state firewall core
+ uci_set_state firewall core "" firewall_state
 $IPTABLES -F
 $IPTABLES -t nat -F
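Review bot: The two new guards at the top of addif combine tests with `-a` and compare with `==`, which is not the portable `[` string operator; on a `/bin/sh` whose `test` does not accept `==`, the second guard exits with an error instead of returning early, so an interface already recorded for the zone gets its whole rule set appended a second time. Splitting the tests keeps the logic and stays portable: `[ -n "$dev" ] && [ "$dev" != "$1" ] && delif "$dev" "$2"` and `[ -n "$dev" ] && [ "$dev" = "$1" ] && return`. `$2` in `config_get dev core $2` is unquoted like the rest of the function; the zone name it carries comes from the config, so quoting it is cheap insurance. The same `==`-inside-`[` form recurs in the fw_rule and fw_redirect hunks below.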
@@ -179,18 +188,24 @@ fw_rule() {
 [ -z "$target" ] && target=DROP
 [ -n "$src" ] && ZONE=zone_$src || ZONE=INPUT
 [ -n "$dest" ] && TARGET=zone_${dest}_$target || TARGET=$target
- [ -n "$dest_port" -a -z "$proto" ] && { \
- echo "dport may only be used it proto is defined"; return; }
- [ -n "$src_port" -a -z "$proto" ] && { \
- echo "sport may only be used it proto is defined"; return; }
- $IPTABLES -I $ZONE 1 \
- ${proto:+-p $proto} \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- ${dest_ip:+-d $dest_ip} \
- ${dest_port:+--dport $dest_port} \
- -j $TARGET
+ add_rule() {
+ $IPTABLES -I $ZONE 1 \
+ ${proto:+-p $proto} \
+ ${src_ip:+-s $src_ip} \
+ ${src_port:+--sport $src_port} \
+ ${src_mac:+-m mac --mac-source $src_mac} \
+ ${dest_ip:+-d $dest_ip} \
+ ${dest_port:+--dport $dest_port} \
+ -j $TARGET
+ }
+ [ "$proto" == "tcpudp" -o -z "$proto" ] && {
+ proto=tcp
+ add_rule
+ proto=udp
+ add_rule
+ return
+ }
+ add_rule
 }
 fw_forwarding() {
@@ -212,7 +227,7 @@ fw_redirect() {
 local src_dport
 local src_mac
 local dest_ip
- local dest_port
+ local dest_port dest_port2
 local proto
 config_get src $1 src
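Review bot: `add_rule() { … }` inside fw_rule defines a global function, because the shell has no nested or local functions; the fw_redirect hunk below defines a different `add_rule` under the same name, so which body a later caller gets depends on which of the two ran last. It works here only because each function redefines it immediately before calling it. A loop over the protocol list needs no shared helper: `[ -z "$proto" -o "$proto" = "tcpudp" ] && proto="tcp udp"`, then `for proto in $proto; do` around the existing `$IPTABLES -I $ZONE 1 …` invocation, closed with `done`. An empty `proto` now yields one tcp and one udp rule where it previously yielded a protocol-agnostic rule; if that is intended, a comment such as `# no proto given: install the rule for both tcp and udp` would make the behaviour change deliberate. fw_rule's head is outside the hunk.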
@@ -225,25 +240,49 @@ fw_redirect() {
 config_get proto $1 proto
 [ -z "$src" -o -z "$dest_ip" ] && { \
 echo "redirect needs src and dest_ip"; return ; }
- [ -n "$dest_port" -a -z "$proto" ] && { \
- echo "dport may only be used it proto is defined"; return; }
- [ -n "$src_port" -a -z "$proto" ] && { \
- echo "sport may only be used it proto is defined"; return; }
- $IPTABLES -A zone_${src}_prerouting -t nat \
- ${proto:+-p $proto} \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${src_dport:+--dport $src_dport} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
- $IPTABLES -I zone_${src}_forward 1 \
- ${proto:+-p $proto} \
- -d $dest_ip \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${dest_port:+--dport $dest_port} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- -j ACCEPT
+
+ src_port_first=${src_port%-*}
+ src_port_last=${src_port#*-}
+ [ "$src_port_first" -ne "$src_port_last" ] && { \
+ src_port="$src_port_first:$src_port_last"; }
+
+ src_dport_first=${src_dport%-*}
+ src_dport_last=${src_dport#*-}
+ [ "$src_dport_first" -ne "$src_dport_last" ] && { \
+ src_dport="$src_dport_first:$src_dport_last"; }
+
+ destport2=destport
+ dest_port_first=${dest_port2%-*}
+ dest_port_last=${dest_port2#*-}
+ [ "$dest_port_first" -ne "$dest_port_last" ] && { \
+ dest_port2="$dest_port_first:$dest_port_last"; }
+
+ add_rule() {
+ $IPTABLES -A zone_${src}_prerouting -t nat \
+ ${proto:+-p $proto} \
+ ${src_ip:+-s $src_ip} \
+ ${src_port:+--sport $src_port} \
+ ${src_dport:+--dport $src_dport} \
+ ${src_mac:+-m mac --mac-source $src_mac} \
+ -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
+
+ $IPTABLES -I zone_${src}_forward 1 \
+ ${proto:+-p $proto} \
+ -d $dest_ip \
+ ${src_ip:+-s $src_ip} \
+ ${src_port:+--sport $src_port} \
+ ${dest_port2:+--dport $dest_port2} \
+ ${src_mac:+-m mac --mac-source $src_mac} \
+ -j ACCEPT
+ }
+ [ "$proto" == "tcpudp" -o -z "$proto" ] && {
+ proto=tcp
+ add_rule
+ proto=udp
+ add_rule
+ return
+ }
+ add_rule
 }
 fw_include() {
@@ -264,14 +303,21 @@ fw_addif() {
 fw_custom_chains() {
 $IPTABLES -N input_rule
 $IPTABLES -N output_rule
- $IPTABLES -N forward_rule
+ $IPTABLES -N forwarding_rule
 $IPTABLES -N prerouting_rule -t nat
 $IPTABLES -N postrouting_rule -t nat
+ $IPTABLES -N input_wan
+ $IPTABLES -N forwarding_wan
+ $IPTABLES -N prerouting_wan -t nat
+
 $IPTABLES -A INPUT -j input_rule
 $IPTABLES -A OUTPUT -j output_rule
- $IPTABLES -A FORWARD -j forward_rule
+ $IPTABLES -A FORWARD -j forwarding_rule
 $IPTABLES -A PREROUTING -t nat -j prerouting_rule
 $IPTABLES -A POSTROUTING -t nat -j postrouting_rule
+ $IPTABLES -A zone_wan -j input_wan
+ $IPTABLES -A zone_wan_forward -j forwarding_wan
+ $IPTABLES -A zone_wan_prerouting -t nat -j prerouting_wan
 }
 fw_init() {
@@ -285,12 +331,10 @@ fw_init() {
 config_foreach fw_forwarding forwarding
 echo "Loading redirects"
 config_foreach fw_redirect redirect
- echo "Loading includes"
- config_foreach fw_include include
 echo "Adding custom chains"
 fw_custom_chains
-
- uci_set_state firewall core "" firewall_state
+ echo "Loading includes"
+ config_foreach fw_include include
 uci_set_state firewall core loaded 1
 unset CONFIG_APPEND
 config_load network
@@ -306,4 +350,5 @@ fw_stop() {
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P OUTPUT ACCEPT
 $IPTABLES -P FORWARD ACCEPT
+ uci_revert_state firewall core
 }
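Review bot: `destport2=destport` in fw_redirect assigns the literal string to a misspelled name, so `dest_port2` (declared `local` in the earlier hunk) is never populated: `dest_port_first` and `dest_port_last` come out empty, the following `[ "" -ne "" ]` fails with a test error instead of converting the range, and the forward rule is emitted with no `--dport` at all, accepting forwarded traffic to every port of `$dest_ip` for that protocol rather than only the redirected one. The line should read `dest_port2=$dest_port`. The `-ne` tests for `src_port` and `src_dport` have the same empty-operand failure whenever those optional settings are unset, which prints an error for every such redirect; guarding each with `[ -n "$src_port" ] &&` (and likewise for `src_dport` and `dest_port2`) keeps `[` away from empty values. The `*_first`/`*_last` helpers are not declared `local`, so they leak into the caller's scope between redirects; fw_redirect's head is outside the hunk.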
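Review bot: The three new `$IPTABLES -A zone_wan…` lines in fw_custom_chains hook the custom chains into `zone_wan`, `zone_wan_forward` and `zone_wan_prerouting` unconditionally, but those chains only exist when the configuration defines a zone named `wan`; on a configuration without one each call fails with a no-such-chain error, and nothing in the hunk checks the return status. Either create the hooks from the zone setup, where the zone name is known, or guard them with `$IPTABLES -n -L zone_wan >/dev/null 2>&1 && { … }`, and state the assumption above the block: `# assumes a zone named 'wan' exists; see create_zone`. Renaming `forward_rule` to `forwarding_rule` changes a chain name that user-supplied include scripts may reference, so it should be called out in the commit message or release notes.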