LuCI - Lua Configuration Interface
Copyright 2008 Steven Barth <steven@midlink.org>
+Copyright 2010 Jo-Philipp Wich <xm@subsignal.org>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
$Id$
]]--
+
+local has_v2 = nixio.fs.access("/lib/firewall/fw.sh")
+local dsp = require "luci.dispatcher"
+
arg[1] = arg[1] or ""
+
m = Map("firewall", translate("Advanced Rules"),
translate("Advanced rules let you customize the firewall to your " ..
"needs. Only new connections will be matched. Packets " ..
"belonging to already open connections are automatically " ..
"allowed to pass the firewall."))
+m.redirect = dsp.build_url("admin", "network", "firewall")
+
+if not m.uci:get(arg[1]) == "rule" then
+ luci.http.redirect(m.redirect)
+ return
+end
+
s = m:section(NamedSection, arg[1], "rule", "")
s.anonymous = true
s.addremove = false
+s:tab("general", translate("General Settings"))
+s:tab("advanced", translate("Advanced Options"))
+
back = s:option(DummyValue, "_overview", translate("Overview"))
back.value = ""
-back.titleref = luci.dispatcher.build_url("admin", "network", "firewall", "rule")
+back.titleref = dsp.build_url("admin", "network", "firewall", "rule")
-name = s:option(Value, "_name", translate("Name").." "..translate("(optional)"))
+name = s:taboption("general", Value, "_name", translate("Name").." "..translate("(optional)"))
name.rmempty = true
-iface = s:option(ListValue, "src", translate("Source zone"))
-iface.rmempty = true
+src = s:taboption("general", Value, "src", translate("Source zone"))
+src.nocreate = true
+src.default = "wan"
+src.template = "cbi/firewall_zonelist"
-oface = s:option(ListValue, "dest", translate("Destination zone"))
-oface:value("", translate("any"))
-oface.rmempty = true
+dest = s:taboption("advanced", Value, "dest", translate("Destination zone"))
+dest.nocreate = true
+dest.allowlocal = true
+dest.template = "cbi/firewall_zonelist"
-luci.model.uci.cursor():foreach("firewall", "zone",
- function (section)
- iface:value(section.name)
- oface:value(section.name)
- end)
-
-proto = s:option(Value, "proto", translate("Protocol"))
+proto = s:taboption("general", Value, "proto", translate("Protocol"))
proto.optional = true
-proto:value("")
proto:value("all", translate("Any"))
proto:value("tcpudp", "TCP+UDP")
proto:value("tcp", "TCP")
proto:value("udp", "UDP")
proto:value("icmp", "ICMP")
-s:option(Value, "src_ip", translate("Source address")).optional = true
-s:option(Value, "dest_ip", translate("Destination address")).optional = true
-s:option(Value, "src_mac", translate("Source MAC-address")).optional = true
-
-sport = s:option(Value, "src_port", translate("Source port"))
+icmpt = s:taboption("general", Value, "icmp_type", translate("Match ICMP type"))
+icmpt:depends("proto", "icmp")
+icmpt:value("", "any")
+icmpt:value("echo-reply")
+icmpt:value("destination-unreachable")
+icmpt:value("network-unreachable")
+icmpt:value("host-unreachable")
+icmpt:value("protocol-unreachable")
+icmpt:value("port-unreachable")
+icmpt:value("fragmentation-needed")
+icmpt:value("source-route-failed")
+icmpt:value("network-unknown")
+icmpt:value("host-unknown")
+icmpt:value("network-prohibited")
+icmpt:value("host-prohibited")
+icmpt:value("TOS-network-unreachable")
+icmpt:value("TOS-host-unreachable")
+icmpt:value("communication-prohibited")
+icmpt:value("host-precedence-violation")
+icmpt:value("precedence-cutoff")
+icmpt:value("source-quench")
+icmpt:value("redirect")
+icmpt:value("network-redirect")
+icmpt:value("host-redirect")
+icmpt:value("TOS-network-redirect")
+icmpt:value("TOS-host-redirect")
+icmpt:value("echo-request")
+icmpt:value("router-advertisement")
+icmpt:value("router-solicitation")
+icmpt:value("time-exceeded")
+icmpt:value("ttl-zero-during-transit")
+icmpt:value("ttl-zero-during-reassembly")
+icmpt:value("parameter-problem")
+icmpt:value("ip-header-bad")
+icmpt:value("required-option-missing")
+icmpt:value("timestamp-request")
+icmpt:value("timestamp-reply")
+icmpt:value("address-mask-request")
+icmpt:value("address-mask-reply")
+
+src_ip = s:taboption("general", Value, "src_ip", translate("Source address"))
+src_ip.optional = true
+src_ip.datatype = has_v2 and "neg_ipaddr" or "neg_ip4addr"
+src_ip.placeholder = translate("any")
+
+sport = s:taboption("general", Value, "src_port", translate("Source port"))
+sport.optional = true
+sport.datatype = "portrange"
+sport.placeholder = "0-65535"
sport:depends("proto", "tcp")
sport:depends("proto", "udp")
sport:depends("proto", "tcpudp")
-dport = s:option(Value, "dest_port", translate("Destination port"))
+dest_ip = s:taboption("general", Value, "dest_ip", translate("Destination address"))
+dest_ip.optional = true
+dest_ip.datatype = has_v2 and "neg_ipaddr" or "neg_ip4addr"
+dest_ip.placeholder = translate("any")
+
+dport = s:taboption("general", Value, "dest_port", translate("Destination port"))
+dport.optional = true
+dport.datatype = "portrange"
dport:depends("proto", "tcp")
dport:depends("proto", "udp")
dport:depends("proto", "tcpudp")
+dport.placeholder = "0-65535"
-jump = s:option(ListValue, "target", translate("Action"))
+jump = s:taboption("general", ListValue, "target", translate("Action"))
jump.rmempty = true
jump.default = "ACCEPT"
jump:value("DROP", translate("drop"))
jump:value("ACCEPT", translate("accept"))
jump:value("REJECT", translate("reject"))
+jump:value("NOTRACK", translate("don't track"))
+
+
+smac = s:taboption("advanced", Value, "src_mac", translate("Source MAC address"))
+smac.optional = true
+smac.datatype = "macaddr"
+smac.placeholder = translate("any")
+if has_v2 then
+ family = s:taboption("advanced", ListValue, "family", translate("Restrict to address family"))
+ family.rmempty = true
+ family:value("", translate("IPv4 and IPv6"))
+ family:value("ipv4", translate("IPv4 only"))
+ family:value("ipv6", translate("IPv6 only"))
+end
return m
projects / project / luci.git / blobdiff