-# Copyright (C) 2009-2012 OpenWrt.org
+# Copyright (C) 2009-2013 OpenWrt.org
fw__uci_state_add() {
local var="$1"
uci_toggle_state firewall core $var "$rest"
}
+fw_do_interface_rules() {
+ local action=$1
+ local zone=$2
+ local chain=zone_${zone}
+ local ifname=$3
+ local subnet=$4
+ local extra_src="$5"
+ local extra_dest="$6"
+
+ local idev odev inet onet mode
+ fw_get_family_mode mode x $zone i
+
+ fw_get_negation idev '-i' "$ifname"
+ fw_get_negation odev '-o' "$ifname"
+
+ case "$mode/$subnet" in
+ # Zone supports v6 only or dual, need v6
+ G6/*:*|i/*:*)
+ fw_get_negation inet '-s' "$subnet"
+ fw_get_negation onet '-d' "$subnet"
+ mode=6
+ ;;
+
+ # Zone supports v4 only or dual, need v4
+ G4/*.*.*.*|i/*.*.*.*)
+ fw_get_negation inet '-s' "$subnet"
+ fw_get_negation onet '-d' "$subnet"
+ mode=4
+ ;;
+
+ # Need v6 while zone is v4
+ */*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;;
+
+ # Need v4 while zone is v6
+ */*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
+
+ # Strip prefix
+ *) mode="${mode#G}" ;;
+ esac
+
+ lock /var/run/firewall-interface.lock
+
+ fw $action $mode f ${chain}_dest_ACCEPT ACCEPT $ { $odev $onet $extra_dest }
+ fw $action $mode f ${chain}_src_ACCEPT ACCEPT $ { $idev $inet $extra_src }
+ fw $action $mode f ${chain}_dest_DROP DROP $ { $odev $onet $extra_dest }
+ fw $action $mode f ${chain}_src_DROP DROP $ { $idev $inet $extra_src }
+ fw $action $mode f ${chain}_dest_REJECT reject $ { $odev $onet $extra_dest }
+ fw $action $mode f ${chain}_src_REJECT reject $ { $idev $inet $extra_src }
+
+ [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
+ fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
+ { $odev -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet $extra_dest }
+
+ fw $action $mode f delegate_input ${chain}_input $ { $idev $inet $extra_src }
+ fw $action $mode f delegate_forward ${chain}_forward $ { $idev $inet $extra_src }
+ fw $action $mode f delegate_output ${chain}_output $ { $odev $onet $extra_dest }
+
+ fw $action $mode n PREROUTING ${chain}_prerouting $ { $idev $inet $extra_src }
+ fw $action $mode r PREROUTING ${chain}_notrack $ { $idev $inet $extra_src }
+ fw $action $mode n POSTROUTING ${chain}_nat $ { $odev $onet $extra_dest }
+
+ # Flush conntrack table
+ echo f >/proc/net/nf_conntrack 2>/dev/null
+
+ lock -u /var/run/firewall-interface.lock
+}
+
fw_configure_interface() {
local iface=$1
local action=$2
fw_callback pre interface
- fw__do_rules() {
- local action=$1
- local zone=$2
- local chain=zone_${zone}
- local ifname=$3
- local subnet=$4
-
- local inet onet mode
- fw_get_family_mode mode x $zone i
-
- case "$mode/$subnet" in
- # Zone supports v6 only or dual, need v6
- G6/*:*|i/*:*)
- inet="-s $subnet -d ::/0"
- onet="-s ::/0 -d $subnet"
- mode=6
- ;;
-
- # Zone supports v4 only or dual, need v4
- G4/*.*.*.*|i/*.*.*.*)
- inet="-s $subnet -d 0.0.0.0/0"
- onet="-s 0.0.0.0/0 -d $subnet"
- mode=4
- ;;
-
- # Need v6 while zone is v4
- */*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;;
-
- # Need v4 while zone is v6
- */*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
-
- # Strip prefix
- *) mode="${mode#G}" ;;
- esac
-
- lock /var/run/firewall-interface.lock
-
- fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -o "$ifname" $onet }
- fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -i "$ifname" $inet }
- fw $action $mode f ${chain}_DROP DROP $ { -o "$ifname" $onet }
- fw $action $mode f ${chain}_DROP DROP $ { -i "$ifname" $inet }
- fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
- fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
-
- [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
- fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
- { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
-
- fw $action $mode f input ${chain} $ { -i "$ifname" $inet }
- fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
- fw $action $mode n PREROUTING ${chain}_prerouting $ { -i "$ifname" $inet }
- fw $action $mode r PREROUTING ${chain}_notrack $ { -i "$ifname" $inet }
- fw $action $mode n POSTROUTING ${chain}_nat $ { -o "$ifname" $onet }
-
- lock -u /var/run/firewall-interface.lock
- }
-
local old_zones old_ifname old_subnets
config_get old_zones core "${iface}_zone"
[ -n "$old_zones" ] && {
local n
for n in ${old_subnets:-""}; do
fw_log info "removing $iface ($old_ifname${n:+ alias $n}) from zone $z"
- fw__do_rules del $z $old_ifname $n
+ fw_do_interface_rules del $z $old_ifname $n
done
[ -n "$old_subnets" ] || {
list_contains zone_network "$iface" || return
fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name"
- fw__do_rules add ${zone_name} "$ifname" "$aliasnet"
+ fw_do_interface_rules add ${zone_name} "$ifname" "$aliasnet"
append new_zones $zone_name
[ -n "$aliasnet" ] || {
sysctl -w net.ipv6.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE
} >/dev/null 2>/dev/null
}
-
projects / openwrt.git / blobdiff