summaryrefslogtreecommitdiffstats
path: root/package/firewall/files/lib
diff options
context:
space:
mode:
Diffstat (limited to 'package/firewall/files/lib')
-rw-r--r--package/firewall/files/lib/config.sh101
-rw-r--r--package/firewall/files/lib/core.sh159
-rw-r--r--package/firewall/files/lib/core_forwarding.sh44
-rw-r--r--package/firewall/files/lib/core_init.sh338
-rw-r--r--package/firewall/files/lib/core_interface.sh205
-rw-r--r--package/firewall/files/lib/core_redirect.sh130
-rw-r--r--package/firewall/files/lib/core_rule.sh110
-rw-r--r--package/firewall/files/lib/fw.sh324
-rw-r--r--package/firewall/files/lib/uci_firewall.sh5
9 files changed, 0 insertions, 1416 deletions
diff --git a/package/firewall/files/lib/config.sh b/package/firewall/files/lib/config.sh
deleted file mode 100644
index 8b2399fc8..000000000
--- a/package/firewall/files/lib/config.sh
+++ /dev/null
@@ -1,101 +0,0 @@
-# Copyright (C) 2009-2010 OpenWrt.org
-# Copyright (C) 2009 Malte S. Stretz <http://msquadrat.de>
-#
-# This is a temporary file, I hope to have some of this stuff merged into
-# /lib/functions.sh (without the fw_ prefix of course) one day.
-
-fw_config_append() { # <package>
- CONFIG_APPEND=1 config_load "$@"
- unset CONFIG_APPEND
-}
-
-fw_config_once() { # <function> <type>
- local func=$1
- local type=$2
- shift 2
-
- local config=cfg00nil
- fw_config__once() {
- config=$1
- }
- config_foreach fw_config__once "$type"
-
- $func $config "$@"
-}
-
-fw_config_get_section() { # <config> <prefix> <type> <name> <default> ...
- local config=$1
- local prefix=$2
- shift 2
-
- [ -n "$config" ] || return 1
- [ -n "$prefix" ] && {
- prefix="${prefix}_"
- export ${NO_EXPORT:+-n} -- "${prefix}NAME"="${config}"
- config_get "${prefix}TYPE" "$config" TYPE
- }
-
- local enabled
- config_get_bool enabled "$config" enabled 1
- [ $enabled -eq 1 ] || return 1
-
- [ "$1" == '{' ] && shift
- while [ $# -ge 3 ]; do
- local type=$1
- local name=$2
- local dflt=$3
- shift 3
- # TODO: Move handling of defaults to /lib/functions.sh
- # and get replace the case block with the following
- # two lines:
- # type=${type#string}
- # config_get${type:+_${type}} "${prefix}${name}" "$config" "$name" "$dflt" || return
- case "$type" in
- string)
- local tmp
- config_get tmp "$config" "$name" || return
- [ -z "$tmp" ] && tmp=$dflt
- export ${NO_EXPORT:+-n} -- "${prefix}${name}=${tmp}"
- continue
- ;;
- boolean)
- type=bool
- ;;
- esac;
-
- local cmd=${prefix}config_get_${type}
- type $cmd > /dev/null || {
- cmd=config_get_${type}
- }
- type $cmd > /dev/null || {
- echo "config type $type (for $name) not supported" >&2
- return 1
- }
- $cmd "${prefix}${name}" "$config" "$name" "$dflt" || return
- done
-}
-
-config_get_ipaddr() {
- local varn=$1
- local conf=$2
- local name=$3
- local dflt=$4
-
- local addr
- config_get addr "$conf" "$name" || return
- [ -n "$addr" ] || addr=$dflt
-
- local mask=${addr#*/}
- [ "$mask" != "$addr" ] || mask=
- addr=${addr%/*}
-
- local vers=
- case "$addr" in
- *:*) vers=6; mask="${mask:-128}" ;;
- *.*) vers=4; mask="${mask:-32}" ;;
- esac
-
- export ${NO_EXPORT:+-n} -- "${varn}=${addr}"
- export ${NO_EXPORT:+-n} -- "${varn}_prefixlen=${mask}"
- export ${NO_EXPORT:+-n} -- "${varn}_version=${vers}"
-}
diff --git a/package/firewall/files/lib/core.sh b/package/firewall/files/lib/core.sh
deleted file mode 100644
index 93d4d2e29..000000000
--- a/package/firewall/files/lib/core.sh
+++ /dev/null
@@ -1,159 +0,0 @@
-# Copyright (C) 2009-2010 OpenWrt.org
-
-FW_LIBDIR=${FW_LIBDIR:-/lib/firewall}
-
-. $FW_LIBDIR/fw.sh
-include /lib/network
-
-fw_start() {
- fw_init
-
- FW_DEFAULTS_APPLIED=
-
- fw_is_loaded && {
- echo "firewall already loaded" >&2
- exit 1
- }
-
- uci_set_state firewall core "" firewall_state
-
- fw_clear DROP
-
- fw_callback pre core
-
- echo "Loading defaults"
- fw_config_once fw_load_defaults defaults
-
- echo "Loading zones"
- config_foreach fw_load_zone zone
-
- echo "Loading forwardings"
- config_foreach fw_load_forwarding forwarding
-
- echo "Loading rules"
- config_foreach fw_load_rule rule
-
- echo "Loading redirects"
- config_foreach fw_load_redirect redirect
-
- echo "Loading includes"
- config_foreach fw_load_include include
-
- [ -z "$FW_NOTRACK_DISABLED" ] && {
- echo "Optimizing conntrack"
- config_foreach fw_load_notrack_zone zone
- }
-
- echo "Loading interfaces"
- config_foreach fw_configure_interface interface add
-
- fw_callback post core
-
- uci_set_state firewall core zones "$FW_ZONES"
- uci_set_state firewall core loaded 1
-}
-
-fw_stop() {
- fw_init
-
- fw_callback pre stop
-
- local z n i
- config_get z core zones
- for z in $z; do
- config_get n core "${z}_networks"
- for n in $n; do
- config_get i core "${n}_ifname"
- [ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
- INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
- done
-
- config_get i core "${z}_tcpmss"
- [ "$i" == 1 ] && {
- fw del i m FORWARD zone_${z}_MSSFIX
- fw del i m zone_${z}_MSSFIX
- }
- done
-
- fw_clear ACCEPT
-
- fw_callback post stop
-
- uci_revert_state firewall
- config_clear
-
- local h
- for h in $FW_HOOKS; do unset $h; done
-
- unset FW_HOOKS
- unset FW_INITIALIZED
-}
-
-fw_restart() {
- fw_stop
- fw_start
-}
-
-fw_reload() {
- fw_restart
-}
-
-fw_is_loaded() {
- local bool=$(uci_get_state firewall.core.loaded)
- return $((! ${bool:-0}))
-}
-
-
-fw_die() {
- echo "Error:" "$@" >&2
- fw_log error "$@"
- fw_stop
- exit 1
-}
-
-fw_log() {
- local level="$1"
- [ -n "$2" ] && shift || level=notice
- [ "$level" != error ] || echo "Error: $@" >&2
- logger -t firewall -p user.$level "$@"
-}
-
-
-fw_init() {
- [ -z "$FW_INITIALIZED" ] || return 0
-
- . $FW_LIBDIR/config.sh
-
- scan_interfaces
- fw_config_append firewall
-
- local hooks="core stop defaults zone notrack synflood"
- local file lib hk pp
- for file in $FW_LIBDIR/core_*.sh; do
- . $file
- hk=$(basename $file .sh)
- hk=${hk#core_}
- append hooks $hk
- done
- for file in $FW_LIBDIR/*.sh; do
- lib=$(basename $file .sh)
- lib=${lib##[0-9][0-9]_}
- case $lib in
- core*|fw|config|uci_firewall) continue ;;
- esac
- . $file
- for hk in $hooks; do
- for pp in pre post; do
- type ${lib}_${pp}_${hk}_cb >/dev/null && {
- append FW_CB_${pp}_${hk} ${lib}
- append FW_HOOKS FW_CB_${pp}_${hk}
- }
- done
- done
- done
-
- fw_callback post init
-
- FW_INITIALIZED=1
- return 0
-}
diff --git a/package/firewall/files/lib/core_forwarding.sh b/package/firewall/files/lib/core_forwarding.sh
deleted file mode 100644
index c4a968143..000000000
--- a/package/firewall/files/lib/core_forwarding.sh
+++ /dev/null
@@ -1,44 +0,0 @@
-# Copyright (C) 2009-2010 OpenWrt.org
-
-fw_config_get_forwarding() {
- [ "${forwarding_NAME}" != "$1" ] || return
- fw_config_get_section "$1" forwarding { \
- string _name "$1" \
- string name "" \
- string src "" \
- string dest "" \
- string family "" \
- } || return
- [ -n "$forwarding_name" ] || forwarding_name=$forwarding__name
-}
-
-fw_load_forwarding() {
- fw_config_get_forwarding "$1"
-
- fw_callback pre forwarding
-
- local chain=forward
- [ -n "$forwarding_src" ] && {
- chain=zone_${forwarding_src}_forward
- }
-
- local target=ACCEPT
- [ -n "$forwarding_dest" ] && {
- target=zone_${forwarding_dest}_ACCEPT
- }
-
- local mode
- fw_get_family_mode mode ${forwarding_family:-x} ${forwarding_dest:-${forwarding_src:--}} i
-
- fw add $mode f $chain $target ^
-
- # propagate masq zone flag
- [ -n "$forwarding_src" ] && list_contains FW_CONNTRACK_ZONES $forwarding_src && {
- append FW_CONNTRACK_ZONES $forwarding_dest
- }
- [ -n "$forwarding_dest" ] && list_contains FW_CONNTRACK_ZONES $forwarding_dest && {
- append FW_CONNTRACK_ZONES $forwarding_src
- }
-
- fw_callback post forwarding
-}
diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh
deleted file mode 100644
index 035647998..000000000
--- a/package/firewall/files/lib/core_init.sh
+++ /dev/null
@@ -1,338 +0,0 @@
-# Copyright (C) 2009-2011 OpenWrt.org
-# Copyright (C) 2008 John Crispin <blogic@openwrt.org>
-
-FW_INITIALIZED=
-
-FW_ZONES=
-FW_ZONES4=
-FW_ZONES6=
-FW_CONNTRACK_ZONES=
-FW_NOTRACK_DISABLED=
-
-FW_DEFAULTS_APPLIED=
-FW_ADD_CUSTOM_CHAINS=
-FW_ACCEPT_REDIRECTS=
-FW_ACCEPT_SRC_ROUTE=
-
-FW_DEFAULT_INPUT_POLICY=REJECT
-FW_DEFAULT_OUTPUT_POLICY=REJECT
-FW_DEFAULT_FORWARD_POLICY=REJECT
-
-FW_DISABLE_IPV4=0
-FW_DISABLE_IPV6=0
-
-
-fw_load_defaults() {
- fw_config_get_section "$1" defaults { \
- string input $FW_DEFAULT_INPUT_POLICY \
- string output $FW_DEFAULT_OUTPUT_POLICY \
- string forward $FW_DEFAULT_FORWARD_POLICY \
- boolean drop_invalid 0 \
- boolean syn_flood 0 \
- boolean synflood_protect 0 \
- string synflood_rate 25 \
- string synflood_burst 50 \
- boolean tcp_syncookies 1 \
- boolean tcp_ecn 0 \
- boolean tcp_westwood 0 \
- boolean tcp_window_scaling 1 \
- boolean accept_redirects 0 \
- boolean accept_source_route 0 \
- boolean custom_chains 1 \
- boolean disable_ipv6 0 \
- } || return
- [ -n "$FW_DEFAULTS_APPLIED" ] && {
- fw_log error "duplicate defaults section detected, skipping"
- return 1
- }
- FW_DEFAULTS_APPLIED=1
-
- FW_DEFAULT_INPUT_POLICY=$defaults_input
- FW_DEFAULT_OUTPUT_POLICY=$defaults_output
- FW_DEFAULT_FORWARD_POLICY=$defaults_forward
-
- FW_ADD_CUSTOM_CHAINS=$defaults_custom_chains
-
- FW_ACCEPT_REDIRECTS=$defaults_accept_redirects
- FW_ACCEPT_SRC_ROUTE=$defaults_accept_source_route
-
- FW_DISABLE_IPV6=$defaults_disable_ipv6
-
- fw_callback pre defaults
-
- # Seems like there are only one sysctl for both IP versions.
- for s in syncookies ecn westwood window_scaling; do
- eval "sysctl -e -w net.ipv4.tcp_${s}=\$defaults_tcp_${s}" >/dev/null
- done
- fw_sysctl_interface all
-
- fw add i f INPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
- fw add i f OUTPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
- fw add i f FORWARD ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED }
-
- [ $defaults_drop_invalid == 1 ] && {
- fw add i f INPUT DROP { -m conntrack --ctstate INVALID }
- fw add i f OUTPUT DROP { -m conntrack --ctstate INVALID }
- fw add i f FORWARD DROP { -m conntrack --ctstate INVALID }
- FW_NOTRACK_DISABLED=1
- }
-
- fw add i f INPUT ACCEPT { -i lo }
- fw add i f OUTPUT ACCEPT { -o lo }
-
- # Compatibility to old 'syn_flood' parameter
- [ $defaults_syn_flood == 1 ] && \
- defaults_synflood_protect=1
-
- [ "${defaults_synflood_rate%/*}" == "$defaults_synflood_rate" ] && \
- defaults_synflood_rate="$defaults_synflood_rate/second"
-
- [ $defaults_synflood_protect == 1 ] && {
- echo "Loading synflood protection"
- fw_callback pre synflood
- fw add i f syn_flood
- fw add i f syn_flood RETURN { \
- -p tcp --syn \
- -m limit --limit "${defaults_synflood_rate}" --limit-burst "${defaults_synflood_burst}" \
- }
- fw add i f syn_flood DROP
- fw add i f INPUT syn_flood { -p tcp --syn }
- fw_callback post synflood
- }
-
- [ $defaults_custom_chains == 1 ] && {
- echo "Adding custom chains"
- fw add i f input_rule
- fw add i f output_rule
- fw add i f forwarding_rule
- fw add i n prerouting_rule
- fw add i n postrouting_rule
-
- fw add i f INPUT input_rule
- fw add i f OUTPUT output_rule
- fw add i f FORWARD forwarding_rule
- fw add i n PREROUTING prerouting_rule
- fw add i n POSTROUTING postrouting_rule
- }
-
- fw add i f input
- fw add i f output
- fw add i f forward
-
- fw add i f INPUT input
- fw add i f OUTPUT output
- fw add i f FORWARD forward
-
- fw add i f reject
- fw add i f reject REJECT { --reject-with tcp-reset -p tcp }
- fw add i f reject REJECT { --reject-with port-unreach }
-
- fw_set_filter_policy
-
- fw_callback post defaults
-}
-
-
-fw_config_get_zone() {
- [ "${zone_NAME}" != "$1" ] || return
- fw_config_get_section "$1" zone { \
- string name "$1" \
- string network "" \
- string input "$FW_DEFAULT_INPUT_POLICY" \
- string output "$FW_DEFAULT_OUTPUT_POLICY" \
- string forward "$FW_DEFAULT_FORWARD_POLICY" \
- boolean masq 0 \
- string masq_src "" \
- string masq_dest "" \
- boolean conntrack 0 \
- boolean mtu_fix 0 \
- boolean custom_chains "$FW_ADD_CUSTOM_CHAINS" \
- boolean log 0 \
- string log_limit 10 \
- string family "" \
- } || return
- [ -n "$zone_name" ] || zone_name=$zone_NAME
- [ -n "$zone_network" ] || zone_network=$zone_name
-}
-
-fw_load_zone() {
- fw_config_get_zone "$1"
-
- list_contains FW_ZONES $zone_name && {
- fw_log error "zone ${zone_name}: duplicated zone, skipping"
- return 0
- }
- append FW_ZONES $zone_name
-
- fw_callback pre zone
-
- [ $zone_conntrack = 1 -o $zone_masq = 1 ] && \
- append FW_CONNTRACK_ZONES "$zone_name"
-
- local mode
- case "$zone_family" in
- *4)
- mode=4
- append FW_ZONES4 $zone_name
- uci_set_state firewall core ${zone_name}_ipv4 1
- ;;
- *6)
- mode=6
- append FW_ZONES6 $zone_name
- uci_set_state firewall core ${zone_name}_ipv6 1
- ;;
- *)
- mode=i
- append FW_ZONES4 $zone_name
- append FW_ZONES6 $zone_name
- uci_set_state firewall core ${zone_name}_ipv4 1
- uci_set_state firewall core ${zone_name}_ipv6 1
- ;;
- esac
-
- local chain=zone_${zone_name}
-
- fw add $mode f ${chain}_ACCEPT
- fw add $mode f ${chain}_DROP
- fw add $mode f ${chain}_REJECT
-
- # TODO: Rename to ${chain}_input
- fw add $mode f ${chain}
- fw add $mode f ${chain} ${chain}_${zone_input} $
-
- fw add $mode f ${chain}_forward
- fw add $mode f ${chain}_forward ${chain}_${zone_forward} $
-
- # TODO: add ${chain}_output
- fw add $mode f output ${chain}_${zone_output} $
-
- # TODO: Rename to ${chain}_MASQUERADE
- fw add $mode n ${chain}_nat
- fw add $mode n ${chain}_prerouting
-
- fw add $mode r ${chain}_notrack
-
- [ $zone_mtu_fix == 1 ] && {
- fw add $mode m ${chain}_MSSFIX
- fw add $mode m FORWARD ${chain}_MSSFIX ^
- uci_set_state firewall core ${zone_name}_tcpmss 1
- }
-
- [ $zone_custom_chains == 1 ] && {
- [ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
- fw_die "zone ${zone_name}: custom_chains globally disabled"
-
- fw add $mode f input_${zone_name}
- fw add $mode f ${chain} input_${zone_name} ^
-
- fw add $mode f forwarding_${zone_name}
- fw add $mode f ${chain}_forward forwarding_${zone_name} ^
-
- fw add $mode n prerouting_${zone_name}
- fw add $mode n ${chain}_prerouting prerouting_${zone_name} ^
- }
-
- [ "$zone_log" == 1 ] && {
- [ "${zone_log_limit%/*}" == "$zone_log_limit" ] && \
- zone_log_limit="$zone_log_limit/minute"
-
- local t
- for t in REJECT DROP; do
- fw add $mode f ${chain}_${t} LOG ^ \
- { -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
- done
-
- [ $zone_mtu_fix == 1 ] && \
- fw add $mode m ${chain}_MSSFIX LOG ^ \
- { -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " }
- }
-
- # NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
- if [ "$zone_masq" == 1 ]; then
- local msrc mdst
- for msrc in ${zone_masq_src:-0.0.0.0/0}; do
- case "$msrc" in
- *.*) fw_get_negation msrc '-s' "$msrc" ;;
- *) fw_get_subnet4 msrc '-s' "$msrc" || break ;;
- esac
-
- for mdst in ${zone_masq_dest:-0.0.0.0/0}; do
- case "$mdst" in
- *.*) fw_get_negation mdst '-d' "$mdst" ;;
- *) fw_get_subnet4 mdst '-d' "$mdst" || break ;;
- esac
-
- fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst }
- done
- done
- fi
-
- fw_callback post zone
-}
-
-fw_load_notrack_zone() {
- fw_config_get_zone "$1"
- list_contains FW_CONNTRACK_ZONES "${zone_name}" && return
-
- fw_callback pre notrack
-
- fw add i r zone_${zone_name}_notrack NOTRACK $
-
- fw_callback post notrack
-}
-
-
-fw_load_include() {
- local name="$1"
-
- local path
- config_get path ${name} path
-
- [ -e $path ] && (
- config() {
- fw_log error "You cannot use UCI in firewall includes!" >&2
- exit 1
- }
- . $path
- )
-}
-
-
-fw_clear() {
- local policy=$1
-
- fw_set_filter_policy $policy
-
- local tab
- for tab in f n r; do
- fw del i $tab
- done
-}
-
-fw_set_filter_policy() {
- local policy=$1
-
- local chn tgt
- for chn in INPUT OUTPUT FORWARD; do
- eval "tgt=\${policy:-\${FW_DEFAULT_${chn}_POLICY}}"
- [ $tgt == "REJECT" ] && tgt=reject
- [ $tgt == "ACCEPT" -o $tgt == "DROP" ] || {
- fw add i f $chn $tgt $
- tgt=DROP
- }
- fw policy i f $chn $tgt
- done
-}
-
-
-fw_callback() {
- local pp=$1
- local hk=$2
-
- local libs lib
- eval "libs=\$FW_CB_${pp}_${hk}"
- [ -n "$libs" ] || return
- for lib in $libs; do
- ${lib}_${pp}_${hk}_cb
- done
-}
diff --git a/package/firewall/files/lib/core_interface.sh b/package/firewall/files/lib/core_interface.sh
deleted file mode 100644
index 3d6718431..000000000
--- a/package/firewall/files/lib/core_interface.sh
+++ /dev/null
@@ -1,205 +0,0 @@
-# Copyright (C) 2009-2012 OpenWrt.org
-
-fw__uci_state_add() {
- local var="$1"
- local item="$2"
-
- local val="$(uci_get_state firewall core $var)"
- local e1; for e1 in $item; do
- local e2; for e2 in $val; do
- [ "$e1" = "$e2" ] && e1=""
- done
- val="${val:+$val${e1:+ }}$e1"
- done
-
- uci_toggle_state firewall core $var "$val"
-}
-
-fw__uci_state_del() {
- local var="$1"
- local item="$2"
-
- local rest=""
- local val="$(uci_get_state firewall core $var)"
- local e1; for e1 in $val; do
- local e2; for e2 in $item; do
- [ "$e1" = "$e2" ] && e1=""
- done
- rest="${rest:+$rest${e1:+ }}$e1"
- done
-
- uci_toggle_state firewall core $var "$rest"
-}
-
-fw_configure_interface() {
- local iface=$1
- local action=$2
- local ifname=$3
- local aliasnet=$4
-
- [ "$action" == "add" ] && {
- local status=$(uci_get_state network "$iface" up 0)
- [ "$status" == 1 ] || [ -n "$aliasnet" ] || return 0
- }
-
- [ -n "$ifname" ] || {
- ifname=$(uci_get_state network "$iface" ifname)
- ifname="${ifname%%:*}"
- [ -z "$ifname" ] && return 0
- }
-
- [ "$ifname" == "lo" ] && return 0
-
- fw_callback pre interface
-
- fw__do_rules() {
- local action=$1
- local zone=$2
- local chain=zone_${zone}
- local ifname=$3
- local subnet=$4
-
- local inet onet mode
- fw_get_family_mode mode x $zone i
-
- case "$mode/$subnet" in
- # Zone supports v6 only or dual, need v6
- G6/*:*|i/*:*)
- inet="-s $subnet -d ::/0"
- onet="-s ::/0 -d $subnet"
- mode=6
- ;;
-
- # Zone supports v4 only or dual, need v4
- G4/*.*.*.*|i/*.*.*.*)
- inet="-s $subnet -d 0.0.0.0/0"
- onet="-s 0.0.0.0/0 -d $subnet"
- mode=4
- ;;
-
- # Need v6 while zone is v4
- */*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;;
-
- # Need v4 while zone is v6
- */*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
-
- # Strip prefix
- *) mode="${mode#G}" ;;
- esac
-
- lock /var/run/firewall-interface.lock
-
- fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -o "$ifname" $onet }
- fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -i "$ifname" $inet }
- fw $action $mode f ${chain}_DROP DROP $ { -o "$ifname" $onet }
- fw $action $mode f ${chain}_DROP DROP $ { -i "$ifname" $inet }
- fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
- fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
-
- [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
- fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
- { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
-
- fw $action $mode f input ${chain} $ { -i "$ifname" $inet }
- fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
- fw $action $mode n PREROUTING ${chain}_prerouting $ { -i "$ifname" $inet }
- fw $action $mode r PREROUTING ${chain}_notrack $ { -i "$ifname" $inet }
- fw $action $mode n POSTROUTING ${chain}_nat $ { -o "$ifname" $onet }
-
- lock -u /var/run/firewall-interface.lock
- }
-
- local old_zones old_ifname old_subnets
- config_get old_zones core "${iface}_zone"
- [ -n "$old_zones" ] && {
- config_get old_ifname core "${iface}_ifname"
- config_get old_subnets core "${iface}_subnets"
-
- local z
- for z in $old_zones; do
- local n
- for n in ${old_subnets:-""}; do
- fw_log info "removing $iface ($old_ifname${n:+ alias $n}) from zone $z"
- fw__do_rules del $z $old_ifname $n
- done
-
- [ -n "$old_subnets" ] || {
- fw__uci_state_del "${z}_networks" "$iface"
- env -i ACTION=remove ZONE="$z" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
- }
- done
-
- local old_aliases
- config_get old_aliases core "${iface}_aliases"
-
- local a
- for a in $old_aliases; do
- fw_configure_interface "$a" del "$old_ifname"
- done
-
- uci_revert_state firewall core "${iface}_zone"
- uci_revert_state firewall core "${iface}_ifname"
- uci_revert_state firewall core "${iface}_subnets"
- uci_revert_state firewall core "${iface}_aliases"
- }
-
- [ "$action" == del ] && return
-
- [ -z "$aliasnet" ] && {
- local aliases
- config_get aliases "$iface" aliases
-
- local a
- for a in $aliases; do
- local ipaddr netmask ip6addr
- config_get ipaddr "$a" ipaddr
- config_get netmask "$a" netmask
- config_get ip6addr "$a" ip6addr
-
- [ -n "$ipaddr" ] && fw_configure_interface "$a" add "" "$ipaddr${netmask:+/$netmask}"
- [ -n "$ip6addr" ] && fw_configure_interface "$a" add "" "$ip6addr"
- done
-
- fw_sysctl_interface $ifname
- fw_callback post interface
-
- uci_toggle_state firewall core "${iface}_aliases" "$aliases"
- } || {
- local subnets=
- config_get subnets core "${iface}_subnets"
- append subnets "$aliasnet"
-
- config_set core "${iface}_subnets" "$subnets"
- uci_toggle_state firewall core "${iface}_subnets" "$subnets"
- }
-
- local new_zones=
- load_zone() {
- fw_config_get_zone "$1"
- list_contains zone_network "$iface" || return
-
- fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name"
- fw__do_rules add ${zone_name} "$ifname" "$aliasnet"
- append new_zones $zone_name
-
- [ -n "$aliasnet" ] || {
- fw__uci_state_add "${zone_name}_networks" "${zone_network}"
- env -i ACTION=add ZONE="$zone_name" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
- }
- }
- config_foreach load_zone zone
-
- uci_toggle_state firewall core "${iface}_zone" "$new_zones"
- uci_toggle_state firewall core "${iface}_ifname" "$ifname"
-}
-
-fw_sysctl_interface() {
- local ifname=$1
- {
- sysctl -w net.ipv4.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS
- sysctl -w net.ipv6.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS
- sysctl -w net.ipv4.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE
- sysctl -w net.ipv6.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE
- } >/dev/null 2>/dev/null
-}
-
diff --git a/package/firewall/files/lib/core_redirect.sh b/package/firewall/files/lib/core_redirect.sh
deleted file mode 100644
index fe396c1c1..000000000
--- a/package/firewall/files/lib/core_redirect.sh
+++ /dev/null
@@ -1,130 +0,0 @@
-# Copyright (C) 2009-2010 OpenWrt.org
-
-fw_config_get_redirect() {
- [ "${redirect_NAME}" != "$1" ] || return
- fw_config_get_section "$1" redirect { \
- string _name "$1" \
- string name "" \
- string src "" \
- ipaddr src_ip "" \
- ipaddr src_dip "" \
- string src_mac "" \
- string src_port "" \
- string src_dport "" \
- string dest "" \
- ipaddr dest_ip "" \
- string dest_port "" \
- string proto "tcpudp" \
- string family "" \
- string target "DNAT" \
- string extra "" \
- } || return
- [ -n "$redirect_name" ] || redirect_name=$redirect__name
-}
-
-fw_load_redirect() {
- fw_config_get_redirect "$1"
-
- fw_callback pre redirect
-
- local fwdchain natchain natopt nataddr natports srcdaddr srcdports
- if [ "$redirect_target" == "DNAT" ]; then
- [ -n "${redirect_src#*}" -a -n "$redirect_dest_ip$redirect_dest_port" ] || {
- fw_log error "DNAT redirect ${redirect_name}: needs src and dest_ip or dest_port, skipping"
- return 0
- }
-
- fwdopt=""
- fwdchain=""
-
- # Check whether only ports are given or whether the given dest ip is local,
- # in this case match only DNATed traffic and allow it on input, not forward
- if [ -z "$redirect_dest_ip" ] || /sbin/ifconfig | grep -qE "addr:${redirect_dest_ip//./\\.}\b"; then
- fwdopt="-m conntrack --ctstate DNAT"
- fwdchain="zone_${redirect_src}"
- else
- fwdchain="zone_${redirect_src}_forward"
- fi
-
- natopt="--to-destination"
- natchain="zone_${redirect_src}_prerouting"
- nataddr="$redirect_dest_ip"
- fw_get_port_range natports "${redirect_dest_port#!}" "-"
-
- fw_get_negation srcdaddr '-d' "${redirect_src_dip:+$redirect_src_dip/$redirect_src_dip_prefixlen}"
- fw_get_port_range srcdports "$redirect_src_dport" ":"
- fw_get_negation srcdports '--dport' "$srcdports"
-
- list_contains FW_CONNTRACK_ZONES $redirect_src || \
- append FW_CONNTRACK_ZONES $redirect_src
-
- elif [ "$redirect_target" == "SNAT" ]; then
- [ -n "${redirect_dest#*}" -a -n "$redirect_src_dip" ] || {
- fw_log error "SNAT redirect ${redirect_name}: needs dest and src_dip, skipping"
- return 0
- }
-
- fwdchain="${redirect_src:+zone_${redirect_src}_forward}"
-
- natopt="--to-source"
- natchain="zone_${redirect_dest}_nat"
- nataddr="$redirect_src_dip"
- fw_get_port_range natports "${redirect_src_dport#!}" "-"
-
- fw_get_negation srcdaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
- fw_get_port_range srcdports "$redirect_dest_port" ":"
- fw_get_negation srcdports '--dport' "$srcdports"
-
- list_contains FW_CONNTRACK_ZONES $redirect_dest || \
- append FW_CONNTRACK_ZONES $redirect_dest
-
- else
- fw_log error "redirect ${redirect_name}: target must be either DNAT or SNAT, skipping"
- return 0
- fi
-
- local mode
- fw_get_family_mode mode ${redirect_family:-x} ${redirect_src:-$redirect_dest} I
-
- local srcaddr
- fw_get_negation srcaddr '-s' "${redirect_src_ip:+$redirect_src_ip/$redirect_src_ip_prefixlen}"
-
- local srcports
- fw_get_port_range srcports "$redirect_src_port" ":"
- fw_get_negation srcports '--sport' "$srcports"
-
- local destaddr
- fw_get_negation destaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
-
- local destports
- fw_get_port_range destports "${redirect_dest_port:-$redirect_src_dport}" ":"
- fw_get_negation destports '--dport' "$destports"
-
- [ "$redirect_proto" == "tcpudp" ] && redirect_proto="tcp udp"
- local pr; for pr in $redirect_proto; do
- fw_get_negation pr '-p' "$pr"
- local sm; for sm in ${redirect_src_mac:-""}; do
- fw_get_negation sm '--mac-source' "$sm"
- fw add $mode n $natchain $redirect_target + \
- { $redirect_src_ip $redirect_dest_ip } { \
- $srcaddr $srcdaddr $pr \
- $srcports $srcdports \
- ${sm:+-m mac $sm} \
- $natopt $nataddr${natports:+:$natports} \
- $redirect_options \
- }
-
- fw add $mode f ${fwdchain:-forward} ACCEPT + \
- { $redirect_src_ip $redirect_dest_ip } { \
- $srcaddr $destaddr \
- $pr \
- $srcports $destports \
- ${sm:+-m mac $sm} \
- $fwdopt \
- $redirect_extra \
- }
- done
- done
-
- fw_callback post redirect
-}
diff --git a/package/firewall/files/lib/core_rule.sh b/package/firewall/files/lib/core_rule.sh
deleted file mode 100644
index f49c42af5..000000000
--- a/package/firewall/files/lib/core_rule.sh
+++ /dev/null
@@ -1,110 +0,0 @@
-# Copyright (C) 2009-2010 OpenWrt.org
-
-fw_config_get_rule() {
- [ "${rule_NAME}" != "$1" ] || return
- fw_config_get_section "$1" rule { \
- string _name "$1" \
- string name "" \
- string src "" \
- ipaddr src_ip "" \
- string src_mac "" \
- string src_port "" \
- string dest "" \
- ipaddr dest_ip "" \
- string dest_port "" \
- string icmp_type "" \
- string proto "tcpudp" \
- string target "" \
- string family "" \
- string limit "" \
- string limit_burst "" \
- string extra "" \
- } || return
- [ -n "$rule_name" ] || rule_name=$rule__name
-}
-
-fw_load_rule() {
- fw_config_get_rule "$1"
-
- [ "$rule_target" != "NOTRACK" ] || [ -n "$rule_src" ] || [ "$rule_src" != "*" ] || {
- fw_log error "NOTRACK rule ${rule_name}: needs src, skipping"
- return 0
- }
-
- fw_callback pre rule
-
- local table=f
- local chain=input
- local target="${rule_target:-REJECT}"
- if [ "$target" == "NOTRACK" ]; then
- table=r
- chain="zone_${rule_src}_notrack"
- else
- if [ -n "$rule_src" ]; then
- if [ "$rule_src" != "*" ]; then
- chain="zone_${rule_src}${rule_dest:+_forward}"
- else
- chain="${rule_dest:+forward}"
- chain="${chain:-input}"
- fi
- fi
-
- if [ -n "$rule_dest" ]; then
- if [ "$rule_dest" != "*" ]; then
- target="zone_${rule_dest}_${target}"
- elif [ "$target" = REJECT ]; then
- target=reject
- fi
- fi
- fi
-
- local mode
- fw_get_family_mode mode ${rule_family:-x} "$rule_src" I
-
- local src_spec dest_spec
- fw_get_negation src_spec '-s' "${rule_src_ip:+$rule_src_ip/$rule_src_ip_prefixlen}"
- fw_get_negation dest_spec '-d' "${rule_dest_ip:+$rule_dest_ip/$rule_dest_ip_prefixlen}"
-
- [ "$rule_proto" == "tcpudp" ] && rule_proto="tcp udp"
- local pr; for pr in $rule_proto; do
- local sports dports itypes
- case "$pr" in
- icmp|icmpv6|1|58)
- sports=""; dports=""
- itypes="$rule_icmp_type"
- ;;
- *)
- sports="$rule_src_port"
- dports="$rule_dest_port"
- itypes=""
- ;;
- esac
-
- fw_get_negation pr '-p' "$pr"
- local sp; for sp in ${sports:-""}; do
- fw_get_port_range sp $sp
- fw_get_negation sp '--sport' "$sp"
- local dp; for dp in ${dports:-""}; do
- fw_get_port_range dp $dp
- fw_get_negation dp '--dport' "$dp"
- local sm; for sm in ${rule_src_mac:-""}; do
- fw_get_negation sm '--mac-source' "$sm"
- local it; for it in ${itypes:-""}; do
- fw_get_negation it '--icmp-type' "$it"
- fw add $mode $table $chain $target + \
- { $rule_src_ip $rule_dest_ip } { \
- $src_spec $dest_spec \
- $pr $sp $dp $it \
- ${sm:+-m mac $sm} \
- ${rule_limit:+-m limit --limit $rule_limit \
- ${rule_limit_burst:+--limit-burst $rule_limit_burst}} \
- $rule_extra \
- }
- done
- done
- done
- done
- done
-
- fw_callback post rule
-}
diff --git a/package/firewall/files/lib/fw.sh b/package/firewall/files/lib/fw.sh
deleted file mode 100644
index 76e294f56..000000000
--- a/package/firewall/files/lib/fw.sh
+++ /dev/null
@@ -1,324 +0,0 @@
-# Copyright (C) 2009-2010 OpenWrt.org
-# Copyright (C) 2009 Malte S. Stretz
-
-export FW_4_ERROR=0
-export FW_6_ERROR=0
-export FW_i_ERROR=0
-export FW_e_ERROR=0
-export FW_a_ERROR=0
-
-#TODO: remove this
-[ "${-#*x}" == "$-" ] && {
- fw() {
- fw__exec "$@"
- }
-} || {
- fw() {
- local os=$-
- set +x
- fw__exec "$@"
- local rc=$?
- set -$os
- return $rc
- }
-}
-
-fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
- local cmd fam tab chn tgt pos
- local i
- for i in cmd fam tab chn tgt pos; do
- if [ "$1" -a "$1" != '{' ]; then
- eval "$i='$1'"
- shift
- else
- eval "$i=-"
- fi
- done
-
- fw__rc() {
- export FW_${fam#G}_ERROR=$1
- return $1
- }
-
- fw__dualip() {
- fw $cmd 4 $tab $chn $tgt $pos "$@"
- fw $cmd 6 $tab $chn $tgt $pos "$@"
- fw__rc $((FW_4_ERROR | FW_6_ERROR))
- }
-
- fw__autoip() {
- local ip4 ip6
- shift
- while [ "$1" != '}' ]; do
- case "$1" in
- *:*) ip6=1 ;;
- *.*.*.*) ip4=1 ;;
- esac
- shift
- done
- shift
- if [ "${ip4:-4}" == "${ip6:-6}" ]; then
- echo "fw: can't mix ip4 and ip6" >&2
- return 1
- fi
- local ver=${ip4:+4}${ip6:+6}
- fam=i
- fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
- fw__rc $?
- }
-
- fw__has() {
- local tab=${1:-$tab}
- if [ $tab == '-' ]; then
- type $app > /dev/null 2> /dev/null
- fw__rc $(($? & 1))
- return
- fi
- [ "$app" != ip6tables ] || [ "$tab" != nat ]
- fw__rc $?
- }
-
- fw__err() {
- local err
- eval "err=\$FW_${fam}_ERROR"
- fw__rc $err
- }
-
- local app=
- local pol=
- case "$fam" in
- *4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables || return ;;
- *6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
- i) fw__dualip "$@"; return ;;
- I) fw__autoip "$@"; return ;;
- e) app=ebtables ;;
- a) app=arptables ;;
- -) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
- *) return 254 ;;
- esac
- case "$tab" in
- f) tab=filter ;;
- m) tab=mangle ;;
- n) tab=nat ;;
- r) tab=raw ;;
- -) tab=filter ;;
- esac
- case "$cmd:$chn:$tgt:$pos" in
- add:*:-:*) cmd=new-chain ;;
- add:*:*:-) cmd=append ;;
- add:*:*:$) cmd=append ;;
- add:*:*:*) cmd=insert ;;
- del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
- del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
- del:*:*:*) cmd=delete ;;
- flush:*) ;;
- policy:*) pol=$tgt; tgt=- ;;
- has:*) fw__has; return ;;
- err:*) fw__err; return ;;
- list:*) cmd="numeric --verbose --$cmd" ;;
- *) return 254 ;;
- esac
- case "$chn" in
- -) chn= ;;
- esac
- case "$tgt" in
- -) tgt= ;;
- esac
-
- local rule_offset
- case "$pos" in
- ^) pos=1 ;;
- $) pos= ;;
- -) pos= ;;
- +) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;;
- esac
-
- if ! fw__has - family || ! fw__has $tab ; then
- export FW_${fam}_ERROR=0
- return 0
- fi
-
- case "$fam" in
- G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
- esac
-
- if [ $# -gt 0 ]; then
- shift
- if [ $cmd == delete ]; then
- pos=
- fi
- fi
-
- local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}"
- while [ $# -gt 1 ]; do
- # special parameter handling
- case "$1:$2" in
- -p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58)
- [ "$app" = ip6tables ] && \
- cmdline="$cmdline -p icmpv6" || \
- cmdline="$cmdline -p icmp"
- shift
- ;;
- --icmp-type:*|--icmpv6-type:*)
- local icmp_type
- if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then
- cmdline="$cmdline $icmp_type"
- elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then
- cmdline="$cmdline $icmp_type"
- else
- local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6
- fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule"
- return 1
- fi
- shift
- ;;
- *) cmdline="$cmdline $1" ;;
- esac
- shift
- done
-
- [ -n "$FW_TRACE" ] && echo $cmdline >&2
-
- $cmdline
-
- local rv=$?
- [ $rv -eq 0 ] && [ -n "$rule_offset" ] && \
- export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))"
- fw__rc $rv
-}
-
-fw_get_port_range() {
- local _var=$1
- local _ports=$2
- local _delim=${3:-:}
- if [ "$4" ]; then
- fw_get_port_range $_var "${_ports}-${4}" $_delim
- return
- fi
-
- local _first=${_ports%-*}
- local _last=${_ports#*-}
- if [ "${_first#!}" != "${_last#!}" ]; then
- export -- "$_var=$_first$_delim${_last#!}"
- else
- export -- "$_var=$_first"
- fi
-}
-
-fw_get_family_mode() {
- local _var="$1"
- local _hint="$2"
- local _zone="$3"
- local _mode="$4"
-
- local _ipv4 _ipv6
- [ "$_zone" != "*" ] && {
- [ -n "$FW_ZONES4$FW_ZONES6" ] && {
- list_contains FW_ZONES4 "$_zone" && _ipv4=1 || _ipv4=0
- list_contains FW_ZONES6 "$_zone" && _ipv6=1 || _ipv6=0
- } || {
- _ipv4=$(uci_get_state firewall core "${_zone}_ipv4" 0)
- _ipv6=$(uci_get_state firewall core "${_zone}_ipv6" 0)
- }
- } || {
- _ipv4=1
- _ipv6=1
- }
-
- case "$_hint:$_ipv4:$_ipv6" in
- *4:1:*|*:1:0) export -n -- "$_var=G4" ;;
- *6:*:1|*:0:1) export -n -- "$_var=G6" ;;
- *) export -n -- "$_var=$_mode" ;;
- esac
-}
-
-fw_get_negation() {
- local _var="$1"
- local _flag="$2"
- local _value="$3"
-
- [ "${_value#!}" != "$_value" ] && \
- export -n -- "$_var=! $_flag ${_value#!}" || \
- export -n -- "$_var=${_value:+$_flag $_value}"
-}
-
-fw_get_subnet4() {
- local _var="$1"
- local _flag="$2"
- local _name="$3"
-
- local _ipaddr="$(uci_get_state network "${_name#!}" ipaddr)"
- local _netmask="$(uci_get_state network "${_name#!}" netmask)"
-
- case "$_ipaddr" in
- *.*.*.*)
- [ "${_name#!}" != "$_name" ] && \
- export -n -- "$_var=! $_flag $_ipaddr/${_netmask:-255.255.255.255}" || \
- export -n -- "$_var=$_flag $_ipaddr/${_netmask:-255.255.255.255}"
- return 0
- ;;
- esac
-
- export -n -- "$_var="
- return 1
-}
-
-fw_check_icmptype4() {
- local _var="$1"
- local _type="$2"
- case "$_type" in
- ![0-9]*) export -n -- "$_var=! --icmp-type ${_type#!}"; return 0 ;;
- [0-9]*) export -n -- "$_var=--icmp-type $_type"; return 0 ;;
- esac
-
- [ -z "$FW_ICMP4_TYPES" ] && \
- export FW_ICMP4_TYPES=$(
- iptables -p icmp -h 2>/dev/null | \
- sed -n -e '/^Valid ICMP Types:/ {
- n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
- }' | sort -u
- )
-
- local _check
- for _check in $FW_ICMP4_TYPES; do
- if [ "$_check" = "${_type#!}" ]; then
- [ "${_type#!}" != "$_type" ] && \
- export -n -- "$_var=! --icmp-type ${_type#!}" || \
- export -n -- "$_var=--icmp-type $_type"
- return 0
- fi
- done
-
- export -n -- "$_var="
- return 1
-}
-
-fw_check_icmptype6() {
- local _var="$1"
- local _type="$2"
- case "$_type" in
- ![0-9]*) export -n -- "$_var=! --icmpv6-type ${_type#!}"; return 0 ;;
- [0-9]*) export -n -- "$_var=--icmpv6-type $_type"; return 0 ;;
- esac
-
- [ -z "$FW_ICMP6_TYPES" ] && \
- export FW_ICMP6_TYPES=$(
- ip6tables -p icmpv6 -h 2>/dev/null | \
- sed -n -e '/^Valid ICMPv6 Types:/ {
- n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
- }' | sort -u
- )
-
- local _check
- for _check in $FW_ICMP6_TYPES; do
- if [ "$_check" = "${_type#!}" ]; then
- [ "${_type#!}" != "$_type" ] && \
- export -n -- "$_var=! --icmpv6-type ${_type#!}" || \
- export -n -- "$_var=--icmpv6-type $_type"
- return 0
- fi
- done
-
- export -n -- "$_var="
- return 1
-}
diff --git a/package/firewall/files/lib/uci_firewall.sh b/package/firewall/files/lib/uci_firewall.sh
deleted file mode 100644
index 7c95a7a93..000000000
--- a/package/firewall/files/lib/uci_firewall.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-# This file is here for backwards compatibility and to override the
-# uci_firewall.sh from an earlier version.
-type fw_is_loaded >/dev/null || {
- . /lib/firewall/core.sh
-}
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-31 16:53:01 +0000