[package] firewall: fix possible expansion of "*" when rules with "option src *"...
1 # Copyright (C) 2009-2010 OpenWrt.org
2 # Copyright (C) 2009 Malte S. Stretz
3
# Per-family status of the last command issued through fw__exec. fw__rc
# writes them (stripping the G prefix of the G4/G6 modes) and `fw err <fam>`
# reads them back. 4/6 = iptables/ip6tables, i = the dual-stack pseudo
# family, e = ebtables, a = arptables.
export FW_4_ERROR=0
export FW_6_ERROR=0
export FW_i_ERROR=0
export FW_e_ERROR=0
export FW_a_ERROR=0
9
#TODO: remove this
# Public entry point: every rule goes through fw -> fw__exec. When the shell
# is running with xtrace (-x) set, the wrapper switches tracing off for the
# duration of fw__exec so the generated command lines do not flood the
# trace, then restores the previous option set and returns fw__exec's status.
case "$-" in
	*x*)
		fw() {
			local saved_opts=$-
			set +x
			fw__exec "$@"
			local status=$?
			set -$saved_opts
			return $status
		}
	;;
	*)
		fw() {
			fw__exec "$@"
		}
	;;
esac
25
#######################################
# Build and run one iptables-style command.
# Called as: fw__exec <action> <family> <table> <chain> <target> <position> { <rules> }
#   action:   add | del | flush | policy | has | err | list
#   family:   4 | 6 | G4 | G6 | i (both) | I (pick by address) | e | a | -
#   table:    f | m | n | r | - (filter)
#   position: ^ (insert at 1) | $ or - (append) | + (insert at the running
#             offset kept in FW__RULE_OFS_<app>_<table>_<chain>); anything
#             else is passed through as the rule number
# Words up to the literal '{' fill the six slots (missing ones become '-');
# the words between '{' and the closing '}' are appended to the command line
# verbatim except for the ICMP special cases handled in the loop below.
# Globals:   FW_DISABLE_IPV4, FW_DISABLE_IPV6, FW_TRACE (read)
#            FW_<family>_ERROR, FW__RULE_OFS_* (written)
# Returns:   via fw__rc, the exit status of the tool that was run; 254 for an
#            unknown family or action; 1 for an ICMP type the family does
#            not know; the failed test's status when the family is disabled;
#            0 (with the error flag cleared) when the tool is not installed.
#######################################
fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
	local cmd fam tab chn tgt pos
	local i
	# Consume positional words until the rule block opener; a missing word
	# is recorded as '-'. NOTE(review): the value is spliced into eval inside
	# single quotes, so an argument containing a quote would break or alter
	# the assignment — assumes callers pass only tokens from the config.
	for i in cmd fam tab chn tgt pos; do
		if [ "$1" -a "$1" != '{' ]; then
			eval "$i='$1'"
			shift
		else
			eval "$i=-"
		fi
	done

	# The helpers below are (re)defined on every call and rely on dynamic
	# scoping to see this invocation's locals (fam, cmd, tab, chn, app, ...).

	# Record the status in the family's error flag and return it. The G
	# prefix of the G4/G6 modes is stripped so both land in FW_4/FW_6_ERROR.
	fw__rc() {
		export FW_${fam#G}_ERROR=$1
		return $1
	}

	# Family 'i': run the same rule against iptables and ip6tables and
	# report the OR of both status flags.
	fw__dualip() {
		fw $cmd 4 $tab $chn $tgt $pos "$@"
		fw $cmd 6 $tab $chn $tgt $pos "$@"
		fw__rc $((FW_4_ERROR | FW_6_ERROR))
	}

	# Family 'I': pick the family from the addresses found in the rule block
	# (':' => IPv6, dotted quad => IPv4, neither => both, both => error).
	# NOTE(review): the scan shifts the rule words away, so the "$@" handed
	# on below is only whatever followed the closing '}' — confirm this mode
	# is still exercised by callers.
	fw__autoip() {
		local ip4 ip6
		shift
		while [ "$1" != '}' ]; do
			case "$1" in
				*:*) ip6=1 ;;
				*.*.*.*) ip4=1 ;;
			esac
			shift
		done
		shift
		if [ "${ip4:-4}" == "${ip6:-6}" ]; then
			echo "fw: can't mix ip4 and ip6" >&2
			return 1
		fi
		local ver=${ip4:+4}${ip6:+6}
		fam=i
		fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
		fw__rc $?
	}

	# Availability probe behind 'has' and the guard below: with table '-' it
	# checks that the tool named in app can be found (status folded to 0/1);
	# any real table name is always reported as present.
	fw__has() {
		local tab=${1:-$tab}
		if [ $tab == '-' ]; then
			type $app > /dev/null 2> /dev/null
			fw__rc $(($? & 1))
			return
		fi
		fw__rc 0
	}

	# Action 'err': re-read the family's error flag and return it.
	# NOTE(review): reads FW_${fam}_ERROR while fw__rc writes
	# FW_${fam#G}_ERROR; for G4/G6 those are different variables.
	fw__err() {
		local err
		eval "err=\$FW_${fam}_ERROR"
		fw__rc $err
	}

	local app=
	local pol=
	# Resolve the family to a tool. IPv4/IPv6 can be switched off globally
	# (the '[' test assumes FW_DISABLE_IPV4/6 are set); '-' is treated as 'i';
	# ebtables/arptables are never gated.
	case "$fam" in
		*4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables  || return ;;
		*6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
		i) fw__dualip "$@"; return ;;
		I) fw__autoip "$@"; return ;;
		e) app=ebtables ;;
		a) app=arptables ;;
		-) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
		*) return 254 ;;
	esac
	# Expand the one-letter table names; the default table is filter.
	case "$tab" in
		f) tab=filter ;;
		m) tab=mangle ;;
		n) tab=nat ;;
		r) tab=raw ;;
		-) tab=filter ;;
	esac
	# Map the action to the tool's long option. Adding without a target
	# creates a chain; deleting a chain first flushes it (or the whole table
	# when no chain was named); 'policy' moves the target into pol so it is
	# emitted after --policy instead of as --jump; 'list' becomes
	# --numeric --verbose --list.
	case "$cmd:$chn:$tgt:$pos" in
		add:*:-:*) cmd=new-chain ;;
		add:*:*:-) cmd=append ;;
		add:*:*:$) cmd=append ;;
		add:*:*:*) cmd=insert ;;
		del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
		del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
		del:*:*:*) cmd=delete ;;
		flush:*) ;;
		policy:*) pol=$tgt; tgt=- ;;
		has:*) fw__has; return ;;
		err:*) fw__err; return ;;
		list:*) cmd="numeric --verbose --$cmd" ;;
		*) return 254 ;;
	esac
	# '-' placeholders become empty so they vanish from the command line.
	case "$chn" in
		-) chn= ;;
	esac
	case "$tgt" in
		-) tgt= ;;
	esac

	# Rule position: '^' inserts at the top, '$' and '-' append, '+' inserts
	# at a per-chain running offset (default 1) that is advanced on success
	# below so consecutive '+' rules keep their order.
	# NOTE(review): app/tab/chn are spliced into a variable name here, so a
	# chain name must be a valid identifier fragment — confirm callers
	# guarantee that.
	local rule_offset
	case "$pos" in
		^) pos=1 ;;
		$) pos= ;;
		-) pos= ;;
		+) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;;
	esac

	# Bail out quietly when the tool for this family is not installed (the
	# table check always succeeds as written).
	# NOTE(review): clears FW_${fam}_ERROR, not FW_${fam#G}_ERROR as fw__rc
	# does, so for G4/G6 a different variable is touched.
	if ! fw__has - family || ! fw__has $tab ; then
		export FW_${fam}_ERROR=0
		return 0
	fi

	# G-prefixed families: drop the first word and everything up to a
	# further '{'. NOTE(review): this apparently expects a second '{' block
	# in the G-mode call shape — confirm against the callers.
	case "$fam" in
		G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
	esac

	# Drop the opening '{'. A delete must match the rule, not a position.
	if [ $# -gt 0 ]; then
		shift
		if [ $cmd == delete ]; then
			pos=
		fi
	fi

	# Assemble the command line as one string; it is expanded unquoted
	# further down, which is what turns it back into arguments.
	local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}"
	# Loop stops short of the closing '}'.
	while [ $# -gt 1 ]; do
		# special parameter handling
		case "$1:$2" in
			# Protocol given as icmp / 1 / 58: emit the name the tool in use
			# expects, so one rule spec can serve both families.
			-p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58)
				[ "$app" = ip6tables ] && \
					cmdline="$cmdline -p icmpv6" || \
					cmdline="$cmdline -p icmp"
				shift
			;;
			# ICMP type names are checked against the list the tool itself
			# reports (fw_check_icmptype4/6) before being spliced in; an
			# unknown name skips the whole rule.
			# NOTE(review): this path returns without fw__rc, so the
			# family's error flag keeps its previous value.
			--icmp-type:*|--icmpv6-type:*)
				local icmp_type
				if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then
					cmdline="$cmdline $icmp_type"
				elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then
					cmdline="$cmdline $icmp_type"
				else
					local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6
					fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule"
					return 1
				fi
				shift
			;;
			*) cmdline="$cmdline $1" ;;
		esac
		shift
	done

	[ -n "$FW_TRACE" ] && echo $cmdline >&2

	# Run it. The unquoted expansion is deliberate (field splitting turns
	# the string back into argv), but it also applies pathname expansion to
	# every word, so a rule value such as a bare '*' must never reach this
	# point unescaped.
	$cmdline

	local rv=$?
	# On success advance the per-chain offset used by position '+'.
	[ $rv -eq 0 ] && [ -n "$rule_offset" ] && \
		export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))"
	fw__rc $rv
}
188
#######################################
# Render a port or port range for the match options.
# Arguments: $1 - name of the variable to set
#            $2 - port, "low-high" range, or low port when $4 is given;
#                 a leading '!' is kept on the first port
#            $3 - separator between low and high (default ':')
#            $4 - optional high port given separately
# Outputs:   exports $1 as "<low>" or "<low><sep><high>"
#######################################
fw_get_port_range() {
	local _var=$1
	local _range=$2
	local _sep=${3:-:}
	# A separately given upper bound is folded into the range string so the
	# single-string form below handles both spellings.
	[ -n "$4" ] && _range="${_range}-$4"

	local _lo=${_range%-*}
	local _hi=${_range#*-}
	case "${_hi#!}" in
		"${_lo#!}")
			# single port (or no '-' at all): keep it, negation included
			export -- "$_var=$_lo"
		;;
		*)
			export -- "$_var=$_lo$_sep${_hi#!}"
		;;
	esac
}
206
#######################################
# Decide which family mode a zone's rules should be emitted for.
# Arguments: $1 - name of the variable to set
#            $2 - hint: a value ending in 4 or 6 expresses a preference,
#                 anything else none
#            $3 - zone name, or '*' for "any zone"
#            $4 - fallback mode when hint and zone do not decide
# Globals:   FW_ZONES4, FW_ZONES6 (read)
# Outputs:   sets $1 to G4, G6 or $4 (not exported)
#######################################
fw_get_family_mode() {
	local _var="$1"
	local _hint="$2"
	local _zone="$3"
	local _mode="$4"

	# Work out which families the zone carries. '*' means both. Otherwise
	# prefer the in-memory FW_ZONES4/6 lists and fall back to the saved uci
	# state (defaulting to 0).
	# NOTE(review): this is an `&& { … } || { … }` chain, not if/else — if
	# the last command of the first group fails (an `_ipv6=$(uci_get_state
	# …)` assignment carries the substitution's status), the '*' branch also
	# runs and forces both families to 1.
	local _ipv4 _ipv6
	[ "$_zone" != "*" ] && {
		[ -n "$FW_ZONES4$FW_ZONES6" ] && {
			list_contains FW_ZONES4 "$_zone" && _ipv4=1 || _ipv4=0
			list_contains FW_ZONES6 "$_zone" && _ipv6=1 || _ipv6=0
		} || {
			_ipv4=$(uci_get_state firewall core "${_zone}_ipv4" 0)
			_ipv6=$(uci_get_state firewall core "${_zone}_ipv6" 0)
		}
	} || {
		_ipv4=1
		_ipv6=1
	}

	# G4/G6 when the hint names a family the zone has, or when the zone has
	# exactly one of them; otherwise the caller's fallback mode.
	case "$_hint:$_ipv4:$_ipv6" in
		*4:1:*|*:1:0) export -n -- "$_var=G4" ;;
		*6:*:1|*:0:1) export -n -- "$_var=G6" ;;
		*) export -n -- "$_var=$_mode" ;;
	esac
}
233
#######################################
# Turn an optionally negated config value into a match option.
# Arguments: $1 - name of the variable to set
#            $2 - option flag, e.g. -s
#            $3 - value; a leading '!' negates the match
# Outputs:   sets $1 to "<flag> <value>", "! <flag> <value>" or "" when the
#            value is empty (not exported)
#######################################
fw_get_negation() {
	local _var="$1"
	local _flag="$2"
	local _value="$3"

	# A leading '!' becomes iptables' prefix negation ("! -s x"); an empty
	# value yields an empty result so the flag is omitted altogether.
	case "$_value" in
		!*) export -n -- "$_var=! $_flag ${_value#!}" ;;
		*)  export -n -- "$_var=${_value:+$_flag $_value}" ;;
	esac
}
243
#######################################
# Render an interface's IPv4 subnet as a match option.
# Arguments: $1 - name of the variable to set
#            $2 - option flag, e.g. -s
#            $3 - network interface name from uci state; a leading '!'
#                 negates the match
# Outputs:   sets $1 to "<flag> <ipaddr>/<netmask>" (negated with a leading
#            "! "), or to "" when no dotted-quad address is known for the
#            interface (not exported)
#######################################
fw_get_subnet4() {
	local _var="$1"
	local _flag="$2"
	local _name="$3"
	local _iface="${_name#!}"

	local _ipaddr _netmask
	_ipaddr="$(uci_get_state network "$_iface" ipaddr)"
	_netmask="$(uci_get_state network "$_iface" netmask)"

	local _neg=
	case "$_name" in
		!*) _neg="! " ;;
	esac

	case "$_ipaddr" in
		*.*.*.*)
			# No netmask in state => treat as a host address.
			export -n -- "$_var=${_neg}$_flag $_ipaddr/${_netmask:-255.255.255.255}"
		;;
		*) export -n -- "$_var=" ;;
	esac
}
261
#######################################
# Validate an ICMPv4 type for iptables and render the --icmp-type option.
# Used by fw__exec for rules that carry --icmp-type.
# Arguments: $1 - name of the variable to set
#            $2 - type, numeric or symbolic, optionally prefixed with '!'
# Globals:   FW_ICMP4_TYPES - cached list of names iptables accepts, filled
#            on first use from `iptables -p icmp -h`
# Outputs:   sets $1 to "--icmp-type <t>" or "! --icmp-type <t>" (not
#            exported), or to "" when the name is unknown
# Returns:   0 when accepted, 1 when the symbolic name is not in the list
#######################################
fw_check_icmptype4() {
	local _var="$1"
	local _type="$2"
	local _name="${_type#!}"
	local _neg=
	case "$_type" in
		!*) _neg="! " ;;
	esac

	# Numeric types pass straight through, negated or not.
	case "$_type" in
		![0-9]*|[0-9]*)
			export -n -- "$_var=${_neg}--icmp-type $_name"
			return 0
		;;
	esac

	# Build the allow-list of symbolic names once, from the tool's own help
	# text, so only names this iptables build understands are spliced into a
	# rule; the two router-* names are left out of the IPv4 list.
	if [ -z "$FW_ICMP4_TYPES" ]; then
		export FW_ICMP4_TYPES=$(
			iptables -p icmp -h 2>/dev/null | \
			sed -n -e '/^Valid ICMP Types:/ {
				n; :r;
				/router-advertisement/d;
				/router-solicitation/d;
				s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
			}' | sort -u
		)
	fi

	local _known
	for _known in $FW_ICMP4_TYPES; do
		[ "$_known" = "$_name" ] || continue
		export -n -- "$_var=${_neg}--icmp-type $_name"
		return 0
	done

	export -n -- "$_var="
	return 1
}
294
#######################################
# Validate an ICMPv6 type for ip6tables and render the --icmpv6-type option.
# Used by fw__exec for rules that carry --icmp-type / --icmpv6-type.
# Arguments: $1 - name of the variable to set
#            $2 - type, numeric or symbolic, optionally prefixed with '!'
# Globals:   FW_ICMP6_TYPES - cached list of names ip6tables accepts, filled
#            on first use from `ip6tables -p icmpv6 -h`
# Outputs:   sets $1 to "--icmpv6-type <t>" or "! --icmpv6-type <t>" (not
#            exported), or to "" when the name is unknown
# Returns:   0 when accepted, 1 when the symbolic name is not in the list
#######################################
fw_check_icmptype6() {
	local _var="$1"
	local _type="$2"
	local _name="${_type#!}"
	local _neg=
	case "$_type" in
		!*) _neg="! " ;;
	esac

	# Numeric types pass straight through, negated or not.
	case "$_type" in
		![0-9]*|[0-9]*)
			export -n -- "$_var=${_neg}--icmpv6-type $_name"
			return 0
		;;
	esac

	# Build the allow-list of symbolic names once, from the tool's own help
	# text, so only names this ip6tables build understands are spliced into
	# a rule.
	if [ -z "$FW_ICMP6_TYPES" ]; then
		export FW_ICMP6_TYPES=$(
			ip6tables -p icmpv6 -h 2>/dev/null | \
			sed -n -e '/^Valid ICMPv6 Types:/ {
				n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
			}' | sort -u
		)
	fi

	local _known
	for _known in $FW_ICMP6_TYPES; do
		[ "$_known" = "$_name" ] || continue
		export -n -- "$_var=${_neg}--icmpv6-type $_name"
		return 0
	done

	export -n -- "$_var="
	return 1
}