Diffstat (limited to 'package/firewall/files/lib')
| -rw-r--r-- | package/firewall/files/lib/core_init.sh | 19 | ||||
| -rw-r--r-- | package/firewall/files/lib/core_interface.sh | 62 | ||||
| -rw-r--r-- | package/firewall/files/lib/fw.sh | 22 | 
3 files changed, 62 insertions, 41 deletions
diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh
index a549bd9a0..72cef2f8c 100644
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@@ -84,13 +84,16 @@ fw_load_defaults() {
 	[ $defaults_syn_flood == 1 ] && \
 		defaults_synflood_protect=1
+	[ "${defaults_synflood_rate%/*}" == "$defaults_synflood_rate" ] && \
+		defaults_synflood_rate="$defaults_synflood_rate/second"
+
 	[ $defaults_synflood_protect == 1 ] && {
 		echo "Loading synflood protection"
 		fw_callback pre synflood
 		fw add i f syn_flood
 		fw add i f syn_flood RETURN { \
 			-p tcp --syn \
-			-m limit --limit "${defaults_synflood_rate}/second" --limit-burst "${defaults_synflood_burst}" \
+			-m limit --limit "${defaults_synflood_rate}" --limit-burst "${defaults_synflood_burst}" \
 		}
 		fw add i f syn_flood DROP
 		fw add i f INPUT syn_flood { -p tcp --syn }
@@ -142,6 +145,8 @@ fw_config_get_zone() {
 		boolean conntrack 0 \
 		boolean mtu_fix 0 \
 		boolean custom_chains "$FW_ADD_CUSTOM_CHAINS" \
+		boolean log 0 \
+		string log_limit 10 \
 		string family "" \
 	} || return
 	[ -n "$zone_name" ] || zone_name=$zone_NAME
@@ -204,6 +209,7 @@ fw_load_zone() {
 	fw add $mode n ${chain}_prerouting
 	fw add $mode r ${chain}_notrack
+
 	[ $zone_masq == 1 ] && \
 		fw add $mode n POSTROUTING ${chain}_nat $
@@ -224,6 +230,17 @@ fw_load_zone() {
 		fw add $mode n ${chain}_prerouting prerouting_${zone_name} ^
 	}
+	[ "$zone_log" == 1 ] && {
+		[ "${zone_log_limit%/*}" == "$zone_log_limit" ] && \
+			zone_log_limit="$zone_log_limit/minute"
+
+		local t
+		for t in REJECT DROP MSSFIX; do
+			fw add $mode f ${chain}_${t} LOG ^ \
+				{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): "  }
+		done
+	}
+
 	fw_callback post zone
 }
diff --git a/package/firewall/files/lib/core_interface.sh b/package/firewall/files/lib/core_interface.sh
index e6630a5ca..69ddc343a 100644
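Review bot: The new defaulting line only checks for a `/` in `defaults_synflood_rate`, so a value such as `25/sec` passes straight into `-m limit --limit`, which accepts only `second`, `minute`, `hour` or `day`; if `fw add` merely records the failure (the `FW_<fam>_ERROR` handling in fw.sh suggests it does not abort), the `syn_flood` chain is left with only the `DROP` rule that follows and every inbound SYN is dropped. Validating the unit before the rule is built, e.g. `case "$defaults_synflood_rate" in */second|*/minute|*/hour|*/day) ;; *) fw_log info "invalid synflood_rate '$defaults_synflood_rate', using 25/second"; defaults_synflood_rate="25/second" ;; esac`, keeps a typo from turning SYN-flood protection into a SYN blackhole. An empty value becomes the bare string `/second` and fails the same way, so the same check should cover it. fw_load_defaults starts before this hunk.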
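Review bot: `--log-prefix "$t($zone_name): "` embeds the raw zone name, and iptables refuses a prefix longer than 29 characters, so a zone whose name exceeds 19 characters (the literal `REJECT(`/`MSSFIX(` and `): ` already take 10) makes all three LOG inserts fail and the zone is silently unlogged; clamp it first, e.g. `local prefix="$t($zone_name): "; [ ${#prefix} -le 29 ] || prefix="${prefix:0:29}"` (or `printf '%.29s'` if the target shell lacks substring expansion) and pass `--log-prefix "$prefix"`. The default unit here is `/minute` while `defaults_synflood_rate` in the same file defaults to `/second`; a comment saying that `log_limit` is a per-rule `-m limit` rate defaulting to per-minute, with iptables' default burst of 5, would keep the two from being confused. Inserting the LOG rule at the head (`^`) of `${chain}_MSSFIX` also logs every clamped SYN, not just rejected or dropped traffic, which deserves a comment if intended. fw_load_zone starts before this hunk.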
--- a/package/firewall/files/lib/core_interface.sh
+++ b/package/firewall/files/lib/core_interface.sh
@@ -32,16 +32,16 @@ fw_configure_interface() {
 		case "$mode/$subnet" in
 			# Zone supports v6 only or dual, need v6
-			6/*:*|i/*:*)
-				inet="{ -s $subnet -d ::/0 }"
-				onet="{ -s ::/0 -d $subnet }"
+			G6/*:*|i/*:*)
+				inet="-s $subnet -d ::/0"
+				onet="-s ::/0 -d $subnet"
 				mode=6
 			;;
 			# Zone supports v4 only or dual, need v4
-			4/*.*.*.*|i/*.*.*.*)
-				inet="{ -s $subnet -d 0.0.0.0/0 }"
-				onet="{ -s 0.0.0.0/0 -d $subnet }"
+			G4/*.*.*.*|i/*.*.*.*)
+				inet="-s $subnet -d 0.0.0.0/0"
+				onet="-s 0.0.0.0/0 -d $subnet"
 				mode=4
 			;;
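Review bot: The case arms now match only a `G6`/`G4` prefix (or `i`) in `$mode`, so a bare `6` or `4` falls through to the `does not support` arms of the next hunk and the interface is skipped with no rule added; that is only safe if every `$mode` reaching here comes from `fw_get_family_mode`, which this diff changes to emit the `G` prefix, while its `*) echo $mode` fallback still returns whatever raw value it holds. Spelling the arms as `6/*:*|G6/*:*|i/*:*)` and `4/*.*.*.*|G4/*.*.*.*|i/*.*.*.*)`, or adding `# $mode is G4/G6 from fw_get_family_mode or i (dual); bare 4/6 are not expected here` above the `case`, makes the contract explicit. `inet`/`onet` are now unbraced fragments that get word-split into the `{ … }` rule list later, so `$subnet` must never contain whitespace; a note to that effect would help. fw_configure_interface starts before this hunk.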
@@ -52,20 +52,20 @@ fw_configure_interface() {
 			*/*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
 		esac
-		fw $action $mode f ${chain}_ACCEPT ACCEPT ^ $onet { -o "$ifname" }
-		fw $action $mode f ${chain}_ACCEPT ACCEPT ^ $inet { -i "$ifname" }
-		fw $action $mode f ${chain}_DROP   DROP   ^ $onet { -o "$ifname" }
-		fw $action $mode f ${chain}_DROP   DROP   ^ $inet { -i "$ifname" }
-		fw $action $mode f ${chain}_REJECT reject ^ $onet { -o "$ifname" }
-		fw $action $mode f ${chain}_REJECT reject ^ $inet { -i "$ifname" }
+		fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -o "$ifname" $onet }
+		fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -i "$ifname" $inet }
+		fw $action $mode f ${chain}_DROP   DROP   $ { -o "$ifname" $onet }
+		fw $action $mode f ${chain}_DROP   DROP   $ { -i "$ifname" $inet }
+		fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
+		fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
-		fw $action $mode n ${chain}_nat MASQUERADE ^ $onet { -o "$ifname" }
-		fw $action $mode f ${chain}_MSSFIX TCPMSS  ^ $onet { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu }
+		fw $action $mode n ${chain}_nat MASQUERADE $ { -o "$ifname" $onet }
+		fw $action $mode f ${chain}_MSSFIX TCPMSS  $ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
-		fw $action $mode f input   ${chain}         $ $inet { -i "$ifname" }
-		fw $action $mode f forward ${chain}_forward $ $inet { -i "$ifname" }
-		fw $action $mode n PREROUTING ${chain}_prerouting ^ $inet { -i "$ifname" }
-		fw $action $mode r PREROUTING ${chain}_notrack    ^ $inet { -i "$ifname" }
+		fw $action $mode f input   ${chain}         $ { -i "$ifname" $inet }
+		fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
+		fw $action $mode n PREROUTING ${chain}_prerouting $ { -i "$ifname" $inet }
+		fw $action $mode r PREROUTING ${chain}_notrack    $ { -i "$ifname" $inet }
 	}
 	local old_zones old_ifname old_subnets
@@ -101,19 +101,6 @@ fw_configure_interface() {
 	[ "$action" == del ] && return
-	local new_zones=
-	load_zone() {
-		fw_config_get_zone "$1"
-		list_contains zone_network "$iface" || return
-
-		fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name"
-		fw__do_rules add ${zone_name} "$ifname" $aliasnet
-		append new_zones $zone_name
-
-		[ -n "$aliasnet" ] || ACTION=add ZONE="$zone_name" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
-	}
-	config_foreach load_zone zone
-
 	[ -z "$aliasnet" ] && {
 		local aliases
 		config_get aliases "$iface" aliases
@@ -142,6 +129,19 @@ fw_configure_interface() {
 		uci_set_state firewall core "${iface}_subnets" "$subnets"
 	}
+	local new_zones=
+	load_zone() {
+		fw_config_get_zone "$1"
+		list_contains zone_network "$iface" || return
+
+		fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name"
+		fw__do_rules add ${zone_name} "$ifname" $aliasnet
+		append new_zones $zone_name
+
+		[ -n "$aliasnet" ] || ACTION=add ZONE="$zone_name" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
+	}
+	config_foreach load_zone zone
+
 	uci_set_state firewall core "${iface}_zone" "$new_zones"
 	uci_set_state firewall core "${iface}_ifname" "$ifname"
 }
diff --git a/package/firewall/files/lib/fw.sh b/package/firewall/files/lib/fw.sh
index 86e817182..819aa48ea 100644
--- a/package/firewall/files/lib/fw.sh
+++ b/package/firewall/files/lib/fw.sh
@@ -36,7 +36,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 	done
 	fw__rc() {
-		export FW_${fam}_ERROR=$1
+		export FW_${fam#G}_ERROR=$1
 		return $1
 	}
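Review bot: Every per-interface rule moves from head insertion (`^`) to append (`$`), so the jumps into `${chain}_prerouting`/`${chain}_notrack` now go behind whatever is already in PREROUTING, and a hot-plugged interface's ACCEPT/DROP/REJECT/nat/MSSFIX rules land after those of interfaces added earlier; nothing in the hunk says this precedence change is intended (the `^`/`$` meaning is taken from the `<position>` slot documented on fw__exec, so confirm). A one-line comment such as `# append, not insert: interface rules must not jump ahead of rules already loaded into these chains` would keep the next reader from reverting it. On the MSSFIX line `$onet` is placed after the TCPMSS target option; iptables accepts that, but keeping it next to `-o "$ifname"` as on the other lines is more consistent. fw_configure_interface starts before and ends after this hunk.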
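Review bot: The relocated `load_zone` block now runs `fw__do_rules` and the `hotplug-call` only after `${iface}_subnets` has been stored, but nothing records why; a comment like `# attach zones only after the subnet state is written so fw__do_rules and hotplug consumers see the current subnets` would preserve the intent (the dependency is inferred from the adjacent uci_set_state calls — confirm). On the `fw__do_rules add ${zone_name} "$ifname" $aliasnet` line `${zone_name}` and `$aliasnet` are unquoted next to a quoted `"$ifname"`; if `$aliasnet` is meant to be an optional trailing argument, `${aliasnet:+"$aliasnet"}` says so while still quoting it. The `[ -n "$aliasnet" ] || ACTION=add … /sbin/hotplug-call firewall` one-liner is also the longest line in this file section; an `if` block would read better. fw_configure_interface starts before this hunk.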
@@ -75,14 +75,14 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 			return
 		fi
 		local mod
-		eval "mod=\$FW_${fam}_${tab}"
+		eval "mod=\$FW_${fam#G}_${tab}"
 		if [ "$mod" ]; then
 			fw__rc $mod
 			return
 		fi
 		case "$fam" in
-			4) mod=iptable_${tab} ;;
-			6) mod=ip6table_${tab} ;;
+			*4) mod=iptable_${tab} ;;
+			*6) mod=ip6table_${tab} ;;
 			*) mod=. ;;
 		esac
 		grep -q "^${mod} " /proc/modules
@@ -100,8 +100,8 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 	local app=
 	local pol=
 	case "$fam" in
-		4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables  || return ;;
-		6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
+		*4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables  || return ;;
+		*6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
 		i) fw__dualip "$@"; return ;;
 		I) fw__autoip "$@"; return ;;
 		e) app=ebtables ;;
@@ -148,19 +148,23 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 		return 0
 	fi
+	case "$fam" in
+		G*) shift; while [ "$1" != "{" ]; do shift; done ;;
+	esac
+
 	if [ $# -gt 0 ]; then
 		shift
 		if [ $cmd == delete ]; then
 			pos=
 		fi
 	fi
+
 	while [ $# -gt 1 ]; do
 		case "$app:$1" in
 			ip6tables:--icmp-type) echo -n "--icmpv6-type" ;;
 			ip6tables:icmp|ip6tables:ICMP) echo -n "icmpv6" ;;
 			iptables:--icmpv6-type) echo -n "--icmp-type" ;;
 			iptables:icmpv6) echo -n "icmp" ;;
-			*:}|*:{) shift; continue ;;
 			*) echo -n "$1" ;;
 		esac
 		echo -ne "\0"
@@ -202,8 +206,8 @@ fw_get_family_mode() {
 	}
 	case "$hint:$ipv4:$ipv6" in
-		*4:1:*|*:1:0) echo 4 ;;
-		*6:*:1|*:0:1) echo 6 ;;
+		*4:1:*|*:1:0) echo G4 ;;
+		*6:*:1|*:0:1) echo G6 ;;
 		*) echo $mode ;;
 	esac
 }
|
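Review bot: The new `*4)`/`*6)` arms match any family string that ends in 4 or 6, not just the `4`/`G4` and `6`/`G6` values the rest of the diff produces, so the accepted set is implicit; `4|G4) mod=iptable_${tab} ;;` and `6|G6) mod=ip6table_${tab} ;;` name the values exactly and cannot be satisfied by an unrelated code that happens to end in a digit. The same pattern is repeated in the `app=` case further down this file, so the same spelling should be applied there. fw__exec starts before this hunk.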
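Review bot: The new `G*)` arm's `while [ "$1" != "{" ]; do shift; done` has no bound, so a call whose remaining arguments contain no `{` shifts past the end and spins forever on an empty `$1` (`[ "" != "{" ]` stays true), hanging the firewall reload; change it to `while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done` and return through `fw__rc 1` when the list is exhausted. Removing the `*:}|*:{) shift; continue ;;` arm also means any caller that still nests `{ … }` inside its rule list now passes the braces to iptables verbatim; the callers in this diff were updated, but callers in files not shown here should be checked. A short comment above the `case`, e.g. `# G-prefixed families: drop the leading args and start at the "{" rule list`, would explain the extra `shift`. fw__exec starts before and ends after this hunk.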
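Review bot: `fw_get_family_mode` now returns `G4`/`G6` while the `*)` fallback still returns the bare `$mode`, and what the `G` prefix means (it is stripped with `${fam#G}` for the `FW_<fam>_*` state lookups and triggers the skip-to-`{` arm in fw__exec) is not documented anywhere in the diff. A comment above the `case`, such as `# "G<fam>": family pinned from a concrete address; fw__exec strips the G for state lookups and skips ahead to the "{" rule list`, would give callers the contract (the "pinned from an address" part is inferred from the `$ipv4:$ipv6` inputs — confirm). fw_get_family_mode starts before this hunk.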
