From 9a63ad7c1066182458c6e35c4edb8f2308022b8c Mon Sep 17 00:00:00 2001
From: Steven Barth
Date: Mon, 4 Aug 2008 23:36:33 +0000
Subject: [PATCH] applications/luci-fw: Reworked to use the new native UCI-based firewall configuration

---
 .../luci-fw/luasrc/controller/luci_fw/luci_fw.lua | 9 +-
 applications/luci-fw/luasrc/i18n/luci-fw.de.lua | 101 +++++++-----
 applications/luci-fw/luasrc/i18n/luci-fw.en.lua | 83 ++++++----
 .../luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua | 62 ++++++++
 .../luci-fw/luasrc/model/cbi/luci_fw/firewall.lua | 56 ++-----
 .../luci-fw/luasrc/model/cbi/luci_fw/general.lua | 67 ++++++++
 .../luasrc/model/cbi/luci_fw/miniportfw.lua | 25 +-
 .../luci-fw/luasrc/model/cbi/luci_fw/portfw.lua | 28 ++--
 .../luci-fw/luasrc/model/cbi/luci_fw/routing.lua | 20 +--
 applications/luci-fw/root/etc/config/luci_fw | 2 -
 applications/luci-fw/root/etc/init.d/luci_fw | 176 ---------------------
 contrib/package/luci/Makefile | 2 +-
 libs/web/root/etc/config/luci | 6 +-
 13 files changed, 304 insertions(+), 333 deletions(-)
 create mode 100644 applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
 create mode 100644 applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
 delete mode 100644 applications/luci-fw/root/etc/config/luci_fw
 delete mode 100755 applications/luci-fw/root/etc/init.d/luci_fw

diff --git a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
index b8967330c..18b6f87f6 100644
--- a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
+++ b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
@@ -6,9 +6,12 @@ function index()
 local nodes = {}
- table.insert(nodes, entry({"admin", "network", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
- table.insert(nodes, entry({"admin", "network", "routing"}, cbi("luci_fw/routing"), i18n("fw_routing", "Routing"), 73))
- table.insert(nodes, entry({"admin", "network", "firewall"}, cbi("luci_fw/firewall"), i18n("fw_fw", "Firewall"), 76))
+ table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
+ table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
+ table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))
+ table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
+ table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))
+ table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))
 table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
index d7adf3600..93075f3cc 100644
--- a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
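Review bot: The `mini` entry on the last context line still passes the German fallback `"Portweiterleitung"` to `i18n()`, while the six admin entries added above it rely on the translation key alone; the two conventions now coexist in the same function, and a missing key would presumably render that one menu item in a different language than its siblings. I'd align it with the new entries: `table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw"), 70))`. The body of `index()` continues past the end of this hunk.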
@@ -1,45 +1,60 @@
-fw_fw = [[Firewall]]
-fw_portfw = [[Portweiterleitung]]
-fw_routing = [[Routing]]
-fw_fw1 = [[Mit Hilfe der Firewall können Zugriffe auf das Netzwerk
-erlaubt, verboten oder umgeleitet werden.]]
-lucifw_rule_chain = "Kette"
-lucifw_rule_iface = "Eingangsschnittstelle"
-lucifw_rule_oface = "Ausgangsschnittstelle"
-lucifw_rule_source = "Quelladresse"
-lucifw_rule_destination = "Zieladresse"
-lucifw_rule_mac = "MAC-Adresse"
-lucifw_rule_sport = "Quellport"
-lucifw_rule_dport = "Zielport"
-lucifw_rule_tosrc = "Neue Quelladresse [SNAT]"
-lucifw_rule_todest = "Neue Zieladresse [DNAT]"
-lucifw_rule_jump = "Aktion"
-lucifw_rule_command = "Eigener Befehl"
-fw_accept = "annehmen (ACCEPT)"
-fw_reject = "zurückweisen (REJECT)"
-fw_drop = "verwerfen (DROP)"
-fw_log = "protokollieren (LOG)"
-fw_dnat = "Ziel umschreiben (DNAT) [nur Prerouting]"
-fw_masq = "maskieren (MASQUERADE) [nur Postrouting]"
-fw_snat = "Quelle umschreiben (SNAT) [nur Postrouting]"
+fw_portfw = "Portweiterleitung"
+fw_forwarding = "Weiterleitung"
+fw_fw = "Firewall"
+fw_zone = "Zone"
+fw_zones = "Zonen"
+fw_custfwd = "Eigene Weiterleitungen"
+fw_rules = "Eigene Regeln"
+fw_rules1 = "An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren."
+fw_fw1 = "Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen."
+firewall_rule_src = "Eingangszone"
+firewall_rule_dest = "Ausgangszone"
+firewall_rule_srcip = "Quelladresse"
+firewall_rule_destip = "Zieladresse"
+firewall_rule_srcmac = "Quell-MAC-Adresse"
+firewall_rule_srcport = "Quellport"
+firewall_rule_destport = "Zielport"
+firewall_rule_target = "Aktion"
+fw_accept = "annehmen"
+fw_reject = "zurückweisen"
+fw_drop = "verwerfen"
-fw_portfw1 = [[Portweiterleitungen ermöglichen es interne
-Netzwerkdienste von einem anderen externen Netzwerk aus erreichbar zu machen.]]
-lucifw_portfw_iface_desc = "Externe Schnittstelle"
-lucifw_portfw_dport = "Externer Port"
-lucifw_portfw_dport_desc = "Einzelner Port oder Erster Port-Letzter Port"
-lucifw_portfw_to = "Interne Adresse"
-lucifw_portfw_to_desc = "IP, IP:Port oder IP:Erster Port-Letzter Port"
+fw_portfw1 = [[Portweiterleitungen ermöglichen es interne Netzwerkdienste aus einem externen Netzwerk heraus erreichbar zu machen.]]
+firewall_redirect_src_desc = "Externe Zone"
+firewall_redirect_srcdport = "Externer Port"
+firewall_redirect_srcdport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_destip = "Interne Adresse"
+firewall_redirect_destip_desc = "IP-Adresse"
+firewall_redirect_destport = "Interner Port (optional)"
+firewall_redirect_destport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_srcip = firewall_rule_srcip
+firewall_redirect_srcmac = firewall_rule_srcmac
+firewall_redirect_srcport = firewall_rule_srcport
-fw_routing1 = [[An dieser Stelle wird festlegt, welcher Netzverkehr zwischen einzelnen
-Schnittstellen erlaubt werden soll. Es werden jeweils nur neue Verbindungen
-betrachtet, d.h. Pakete von aufgebauten oder zugehörigen Verbindungen werden automatisch in beide Richtungen
-akzeptiert, auch wenn das Feld "beide Richtungen" nicht explizit gesetzt ist.
-NAT ermöglicht Adressübersetzung.]]
-lucifw_routing_iface = "Eingang"
-lucifw_routing_iface_desc = lucifw_rule_iface
-lucifw_routing_oface = "Ausgang"
-lucifw_routing_oface_desc = lucifw_rule_oface
-lucifw_routing_fwd_desc = "weiterleiten"
-lucifw_routing_nat_desc = "übersetzen"
-lucifw_routing_bidi_desc = "beide Richtungen"
\ No newline at end of file
+fw_forwarding1 = [[An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann.
+Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch
+akzeptiert.]]
+firewall_forwarding_src = "Eingang"
+firewall_forwarding_src_desc = firewall_rule_src
+firewall_forwarding_dest = "Ausgang"
+firewall_forwarding_dest_desc = firewall_rule_dest
+
+firewall_defaults = "Grundeinstellungen"
+firewall_defaults_desc = "Grundeinstellungen die verwendet werden, wenn keine andere Regel angewandt werden kann."
+firewall_defaults_synflood = "Schutz vor SYN-flood-Attacken"
+firewall_defaults_input = "Eingehender Verkehr"
+firewall_defaults_output = "Ausgehender Verkehr"
+firewall_defaults_forward = "Weitergeleiteter Verkehr"
+
+firewall_zone_desc = [[Zonen teilen das Netzwerk in mehrere Bereiche ein um Netzverkehr sicher zu trennen.
+Ein oder mehrere Netzwerke gehören zu einer Zone.
+Das MASQ-Flag legt fest, dass aller ausgehende Netzverkehr einer Zone NAT-maskiert wird.]]
+firewall_zone_input = "Eingehender Verkehr"
+firewall_zone_input_desc = "Standardaktion"
+firewall_zone_output = "Ausgehender Verkehr"
+firewall_zone_output_desc = "Standardaktion"
+firewall_zone_forward = "Weitergeleiteter Verkehr"
+firewall_zone_forward_desc = "Standardaktion"
+firewall_zone_masq = "MASQ"
+firewall_zone_network = "Netzwerke"
+firewall_zone_network_desc = "verbundene Netzwerke"
\ No newline at end of file
diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
index 7d3a3a032..9998c28a7 100644
--- a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
@@ -1,43 +1,60 @@ fw_portfw = "Port forwarding" -fw_routing = "Routing" +fw_forwarding = "Forwarding" fw_fw = "Firewall" -fw_fw1 = "Here you can grant, access or redirect network traffic." -lucifw_rule_chain = "Chain" -lucifw_rule_iface = "Input interface" -lucifw_rule_oface = "Output interface" -lucifw_rule_source = "Source address" -lucifw_rule_destination = "Destination address" -lucifw_rule_mac = "MAC-Address" -lucifw_rule_sport = "Source port" -lucifw_rule_dport = "Destination port" -lucifw_rule_tosrc = "New source address [SNAT]" -lucifw_rule_todest = "New target address [DNAT]" -lucifw_rule_jump = "Action" -lucifw_rule_command = "Custom Command" +fw_zone = "Zone" +fw_zones = "Zones" +fw_custfwd = "Custom redirect" +fw_rules = "Custom Rules" +fw_rules1 = "Here you can create custom firewall rules to control your network traffic." +fw_fw1 = "The firewall creates zones over your network interfaces to control network traffic flow." +firewall_rule_src = "Input Zone" +firewall_rule_dest = "Output Zone" +firewall_rule_srcip = "Source address" +firewall_rule_destip = "Destination address" +firewall_rule_srcmac = "Source MAC-Address" +firewall_rule_srcport = "Source port" +firewall_rule_destport = "Destination port" +firewall_rule_target = "Action" fw_accept = "accept" fw_reject = "reject" fw_drop = "drop" -fw_log = "log" -fw_dnat = "change destination (DNAT) [prerouting only]" -fw_masq = "masquerade [postrouting only]" -fw_snat = "change source (SNAT) [postrouting only]" fw_portfw1 = [[Port forwarding allows to provide network services in the internal network to an external network.]] -lucifw_portfw_iface_desc = "External interface" -lucifw_portfw_dport = "External port" -lucifw_portfw_dport_desc = "single port or first port-last port" -lucifw_portfw_to = "Internal address" -lucifw_portfw_to_desc = "IP, IP:port or IP:first port-last port" +firewall_redirect_src_desc = "External Zone" +firewall_redirect_srcdport = "External port" +firewall_redirect_srcdport_desc = 
"port or range as first:last" +firewall_redirect_destip = "Internal address" +firewall_redirect_destip_desc = "IP-Address" +firewall_redirect_destport = "Internal port (optional)" +firewall_redirect_destport_desc = "port or range as first:last" +firewall_redirect_srcip = firewall_rule_srcip +firewall_redirect_srcmac = firewall_rule_srcmac +firewall_redirect_srcport = firewall_rule_srcport -fw_routing1 = [[Here you can specify which network traffic is allowed to flow between network interfaces. +fw_forwarding1 = [[Here you can specify which network traffic is allowed to flow between network zones. Only new connections will be matched. Packets belonging to already open connections are automatically allowed -to pass the firewall in this case you do not need to set the "bidirectional" flag. NAT provides -address translation.]] -lucifw_routing_iface = "Input" -lucifw_routing_iface_desc = lucifw_rule_iface -lucifw_routing_oface = "Output" -lucifw_routing_oface_desc = lucifw_rule_oface -lucifw_routing_fwd_desc = "forward" -lucifw_routing_nat_desc = "translate" -lucifw_routing_bidi_desc = "bidirectional" \ No newline at end of file +to pass the firewall.]] +firewall_forwarding_src = "Input" +firewall_forwarding_src_desc = firewall_rule_src +firewall_forwarding_dest = "Output" +firewall_forwarding_dest_desc = firewall_rule_dest + +firewall_defaults = "Defaults" +firewall_defaults_desc = "These are the default settings that are used if no other rules match." +firewall_defaults_synflood = "SYN-flood protection" +firewall_defaults_input = "Incoming Traffic" +firewall_defaults_output = "Outgoing Traffic" +firewall_defaults_forward = "Forwarded Traffic" + +firewall_zone_desc = [[Zones part the network interfaces into certain isolated areas to separate network traffic. +One or more networks can belong to a zone. 
The MASQ-flag enables NAT masquerading for all outgoing traffic on this zone.]] +firewall_zone_input = "Incoming Traffic" +firewall_zone_input_desc = "Default Policy" +firewall_zone_output = "Outgoing Traffic" +firewall_zone_output_desc = "Default Policy" +firewall_zone_forward = "Forwarded Traffic" +firewall_zone_forward_desc = "Default Policy" +firewall_zone_masq = "MASQ" +firewall_zone_network = "Networks" +firewall_zone_network_desc = "contained networks" \ No newline at end of file diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua new file mode 100644 index 000000000..42be400c4 --- /dev/null +++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua 
@@ -0,0 +1,62 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+require("luci.sys")
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+
+
+s = m:section(TypedSection, "redirect", "")
+s.addremove = true
+s.anonymous = true
+
+name = s:option(Value, "_name", translate("name"))
+name.rmempty = true
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))
+iface.default = "wan"
+luci.model.uci.foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ end)
+
+s:option(Value, "src_ip").optional = true
+s:option(Value, "src_mac").optional = true
+
+sport = s:option(Value, "src_port")
+sport.optional = true
+sport:depends("proto", "tcp")
+sport:depends("proto", "udp")
+
+proto = s:option(ListValue, "proto", translate("protocol"))
+proto.optional = true
+proto:value("")
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+
+dport = s:option(Value, "src_dport")
+dport.size = 5
+dport.optional = true
+dport:depends("proto", "tcp")
+dport:depends("proto", "udp")
+
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.optional = true
+toport.size = 5
+
+return m
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
index 5ed45593b..291989611 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
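Review bot: `iface:value(section.name)` inside the `luci.model.uci.foreach("firewall", "zone", ...)` callback passes nil when a `zone` section has no `name` option, whereas the code this replaces keyed on `section[".name"]`, which always exists; the same callback is introduced in firewall.lua, portfw.lua and routing.lua in this patch. A guard such as `if section.name then iface:value(section.name) end` keeps an unnamed zone from producing a nil list entry. Separately, `dest_ip`, `src_ip`, `src_mac`, `src_port`, `src_dport` and `dest_port` are free-text `Value`s: the ARP loop only offers suggestions and nothing constrains what is written to the `firewall` config, which the firewall backend presumably turns into iptables arguments, so restricting each field to an address / MAC / port-or-range shape before save would keep a typo or a malformed value from yielding a broken or broader-than-intended rule.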
@@ -11,31 +11,23 @@ You may obtain a copy of the License at
 $Id$
 ]]--
-m = Map("luci_fw", translate("fw_fw"), translate("fw_fw1"))
+m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))
 s = m:section(TypedSection, "rule", "")
 s.addremove = true
 s.anonymous = true
-chain = s:option(ListValue, "chain")
-chain:value("forward", "Forward")
-chain:value("input", "Input")
-chain:value("output", "Output")
-chain:value("prerouting", "Prerouting")
-chain:value("postrouting", "Postrouting")
+iface = s:option(ListValue, "src")
+iface:value("")
+iface.rmempty = true
-iface = s:option(ListValue, "iface")
-iface.optional = true
-
-oface = s:option(ListValue, "oface")
+oface = s:option(ListValue, "dest")
 oface.optional = true
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 function (section)
- if section[".name"] ~= "loopback" then
- iface:value(section[".name"])
- oface:value(section[".name"])
- end
+ iface:value(section.name)
+ oface:value(section.name)
 end)
 proto = s:option(ListValue, "proto", translate("protocol"))
@@ -43,43 +35,27 @@ proto.optional = true
 proto:value("")
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
+proto:value("icmp", "ICMP")
-s:option(Value, "source").optional = true
-s:option(Value, "destination").optional = true
-s:option(Value, "mac").optional = true
+s:option(Value, "src_ip").optional = true
+s:option(Value, "dest_ip").optional = true
+s:option(Value, "src_mac").optional = true
-sport = s:option(Value, "sport")
+sport = s:option(Value, "src_port")
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "dest_port")
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
-tosrc = s:option(Value, "tosrc")
-tosrc.optional = true
-tosrc:depends("jump", "SNAT")
-
-tosrc = s:option(Value, "todest")
-tosrc.optional = true
-tosrc:depends("jump", "DNAT")
-
-jump = s:option(ListValue, "jump")
+jump = s:option(ListValue, "target")
 jump.rmempty = true
-jump:value("", "")
+jump:value("DROP", translate("fw_drop"))
 jump:value("ACCEPT", translate("fw_accept"))
 jump:value("REJECT", translate("fw_reject"))
-jump:value("DROP", translate("fw_drop"))
-jump:value("LOG", translate("fw_log"))
-jump:value("DNAT", translate("fw_dnat"))
-jump:value("MASQUERADE", translate("fw_masq"))
-jump:value("SNAT", translate("fw_snat"))
-
-add = s:option(Value, "command")
-add.size = 50
-add.rmempty = true
 return m
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
new file mode 100644
index 000000000..1a765abb7
--- /dev/null
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
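Review bot: The `target` list no longer has an empty entry and now lists DROP first, so with `jump.rmempty = true` a rule saved without an explicit choice presumably gets DROP as its pre-selected value; that is a sensible fail-closed default, but nothing in the hunk says it is deliberate, so I'd add `-- DROP is listed first so a new rule's pre-selected target fails closed` above the `jump:value` lines. It is also worth recording somewhere visible that the free-form `command` option, which the deleted init script appended verbatim to its `iptables` invocation, has been dropped from the rule form without a replacement, since anyone relying on it loses that capability silently.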
@@ -0,0 +1,67 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+m = Map("firewall", translate("fw_fw"), translate("fw_fw1"))
+
+s = m:section(TypedSection, "defaults")
+s.anonymous = true
+
+s:option(Flag, "syn_flood")
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+ v:value("DROP", translate("fw_drop"))
+ v:value("ACCEPT", translate("fw_accept"))
+end
+
+
+s = m:section(TypedSection, "zone", translate("fw_zones"))
+s.template = "cbi/tblsection"
+s.anonymous = true
+s.addremove = true
+
+name = s:option(Value, "name", translate("name"))
+name.size = 8
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+ v:value("DROP", translate("fw_drop"))
+ v:value("ACCEPT", translate("fw_accept"))
+end
+
+s:option(Flag, "masq")
+
+net = s:option(MultiValue, "network")
+net.widget = "select"
+net.rmempty = true
+luci.model.uci.foreach("network", "interface",
+ function (section)
+ if section[".name"] ~= "loopback" then
+ net:value(section[".name"])
+ end
+ end)
+
+function net.cfgvalue(self, section)
+ local value = MultiValue.cfgvalue(self, section)
+ return value or name:cfgvalue(section)
+end
+
+return m
\ No newline at end of file
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
index 39eefa659..44a739185 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
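Review bot: The zone `name` option is an unrestricted `Value`, yet `net.cfgvalue` falls back to it as the network name and the firewall package presumably derives chain names and interface lookups from it, so a name containing whitespace or punctuation would produce a zone that either matches nothing or breaks rule generation; I'd validate it against `^[a-zA-Z0-9_]+$` before it is written. The `net.cfgvalue` override also deserves a comment, e.g. `-- a zone with no explicit network list is shown as the network of the same name`, because that fallback is not visible from the form. The two identical `p = {}` / `for i, v in ipairs(p)` blocks that fill `input`, `output` and `forward` could share one small local helper so the DROP/ACCEPT ordering is defined in a single place.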
@@ -12,26 +12,33 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
-s = m:section(TypedSection, "portfw", "")
-s:depends("iface", "wan")
-s.defaults.iface = "wan"
+s = m:section(TypedSection, "redirect", "")
+s:depends("src", "wan")
+s.defaults.src = "wan"
 s.template = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
-name = s:option(Value, "_name", translate("name") .. translate("cbi_optional"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10
-proto = s:option(ListValue, "proto", translate("protocol"))
+proto = s:option(ListValue, "protocol", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
-proto:value("tcpudp", "TCP + UDP")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5
-to = s:option(Value, "to")
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.size = 5
 return m
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
index 72f3d7e1d..c79441099 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
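Review bot: `proto = s:option(ListValue, "protocol", translate("protocol"))` writes the UCI option `protocol`, while portfw.lua and customfwd.lua in this same patch write `proto` for the identical field and the `depends("proto", ...)` clauses in customfwd.lua key on `proto` too; a redirect created from the mini view would therefore carry no `proto` option, the full view would show it without a protocol, and whatever the firewall backend does with a protocol-less redirect is not something this UI controls. Change the line to `proto = s:option(ListValue, "proto", translate("protocol"))`.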
@@ -12,29 +12,37 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
-s = m:section(TypedSection, "portfw", "")
+
+s = m:section(TypedSection, "redirect", "")
 s.template = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
-iface = s:option(ListValue, "iface", translate("interface"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))
 iface.default = "wan"
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 function (section)
- if section[".name"] ~= "loopback" then
- iface:value(section[".name"])
- end
+ iface:value(section.name)
 end)
 proto = s:option(ListValue, "proto", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
-proto:value("tcpudp", "TCP + UDP")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5
+
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
-to = s:option(Value, "to")
+toport = s:option(Value, "dest_port")
+toport.size = 5
 return m
diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
index 56f1282c1..d542bcb7f 100644
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
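Review bot: `toport` (`dest_port`) is given neither `.optional` nor `.rmempty` here, while the i18n string `firewall_redirect_destport` added in this patch labels it "Internal port (optional)" and customfwd.lua sets `toport.optional = true` for the same field; the three should agree. `toport.rmempty = true` would let a row be saved with the field blank, assuming the CBI `Value` default does not already discard empty submissions (I cannot confirm that from this patch). The same mismatch is present in miniportfw.lua.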
@@ -11,26 +11,20 @@ You may obtain a copy of the License at
 $Id$
 ]]--
-m = Map("luci_fw", translate("fw_routing"), translate("fw_routing1"))
+m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))
-s = m:section(TypedSection, "routing", "")
+s = m:section(TypedSection, "forwarding", "")
 s.template = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
-iface = s:option(ListValue, "iface")
-oface = s:option(ListValue, "oface")
+iface = s:option(ListValue, "src")
+oface = s:option(ListValue, "dest")
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 function (section)
- if section[".name"] ~= "loopback" then
- iface:value(section[".name"])
- oface:value(section[".name"])
- end
+ iface:value(section.name)
+ oface:value(section.name)
 end)
-s:option(Flag, "fwd", "FWD").rmempty = true
-s:option(Flag, "nat", "NAT").rmempty = true
-s:option(Flag, "bidi", "<->").rmempty = true
-
 return m
diff --git a/applications/luci-fw/root/etc/config/luci_fw b/applications/luci-fw/root/etc/config/luci_fw
deleted file mode 100644
index c7dec7f2c..000000000
--- a/applications/luci-fw/root/etc/config/luci_fw
+++ /dev/null
@@ -1,2 +0,0 @@
-
-
\ No newline at end of file
diff --git a/applications/luci-fw/root/etc/init.d/luci_fw b/applications/luci-fw/root/etc/init.d/luci_fw
deleted file mode 100755
index 86d8a56a3..000000000
--- a/applications/luci-fw/root/etc/init.d/luci_fw
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/bin/sh /etc/rc.common
-START=46
-
-apply_portfw() {
- local cfg="$1"
- config_get proto "$cfg" proto
- config_get dport "$cfg" dport
- config_get iface "$cfg" iface
- config_get to "$cfg" to
-
- config_get ifname "$iface" ifname
-
- [ -n "$proto" ] || return 0
- [ -n "$dport" ] || return 0
- [ -n "$ifname" ] || return 0
- [ -n "$to" ] || return 0
-
- dport=$(echo $dport | sed -e 's/-/:/')
-
- ports=$(echo $to | cut -sd: -f2)
- if [ -n "$ports" ]; then
- ports="--dport $(echo $ports | sed -e 's/-/:/')"
- else
- ports="--dport $dport"
- fi
-
- ip=$(echo $to | cut -d: -f1)
-
- if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
- iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to"
- iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT
- fi
-
- if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
- iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to"
- iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT
- fi
-}
-
-apply_routing() {
- local cfg="$1"
- config_get iface "$cfg" iface
- config_get oface "$cfg" oface
- config_get_bool fwd "$cfg" fwd
- config_get_bool nat "$cfg" nat
- config_get_bool bidi "$cfg" bidi
-
- config_get ifname "$iface" ifname
- config_get ofname "$oface" ifname
-
- [ -n "$ifname" ] || return 0
- [ -n "$ofname" ] || return 0
-
- [ "$fwd" -gt 0 ] && {
- iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
- [ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
- }
-
- [ "$nat" -gt 0 ] && {
- config_get ifip "$iface" ipaddr
- config_get ifmask "$iface" netmask
- eval "$(ipcalc.sh $ifip $ifmask)"
-
- iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ofname" -j MASQUERADE
-
- [ "$bidi" -gt 0 ] && {
- config_get ofip "$oface" ipaddr
- config_get ofmask "$oface" netmask
- eval "$(ipcalc.sh $ofip $ofmask)"
-
- iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ifname" -j MASQUERADE
- }
- }
-}
-
-apply_rule() {
- local cfg="$1"
- local cmd=""
-
- config_get chain "$cfg" chain
- [ -n "$chain" ] || return 0
- [ "$chain" == "forward" ] && cmd="$cmd -A luci_fw_forward"
- [ "$chain" == "input" ] && cmd="$cmd -A luci_fw_input"
- [ "$chain" == "output" ] && cmd="$cmd -A luci_fw_output"
- [ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_fw_prerouting"
- [ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
-
- config_get iface "$cfg" iface
- config_get ifname "$iface" ifname
- [ -n "$ifname" ] && cmd="$cmd -i $ifname"
-
- config_get oface "$cfg" oface
- config_get ofname "$oface" ifname
- [ -n "$ofname" ] && cmd="$cmd -o $ofname"
-
- config_get proto "$cfg" proto
- [ -n "$proto" ] && cmd="$cmd -p $proto"
-
- config_get source "$cfg" source
- [ -n "$source" ] && cmd="$cmd -s $source"
-
- config_get destination "$cfg" destination
- [ -n "$destination" ] && cmd="$cmd -d $destination"
-
- config_get sport "$cfg" sport
- [ -n "$sport" ] && cmd="$cmd --sport $sport"
-
- config_get dport "$cfg" dport
- [ -n "$dport" ] && cmd="$cmd --dport $dport"
-
- config_get todest "$cfg" todest
- [ -n "$todest" ] && cmd="$cmd --to-destination $todest"
-
- config_get tosrc "$cfg" tosrc
- [ -n "$tosrc" ] && cmd="$cmd --to-source $tosrc"
-
- config_get mac "$cfg" mac
- [ -n "$mac" ] && cmd="$cmd -m mac --mac-source $mac"
-
- config_get jump "$cfg" jump
- [ -n "$jump" ] && cmd="$cmd -j $jump"
-
- config_get command "$cfg" command
- [ -n "$command" ] && cmd="$cmd $command"
-
- iptables $cmd
-}
-
-start() {
- ### Create subchains
- iptables -N luci_fw_input
- iptables -N luci_fw_output
- iptables -N luci_fw_forward
- iptables -t nat -N luci_fw_prerouting
- iptables -t nat -N luci_fw_postrouting
-
- ### Hook in the chains
- iptables -A input_rule -j luci_fw_input
- iptables -A output_rule -j luci_fw_output
- iptables -A forwarding_rule -j luci_fw_forward
- iptables -t nat -A prerouting_rule -j luci_fw_prerouting
- iptables -t nat -A postrouting_rule -j luci_fw_postrouting
-
- ### Scan network interfaces
- include /lib/network
- scan_interfaces
-
- ### Read chains from config
- config_load luci_fw
- config_foreach apply_rule rule
- config_foreach apply_portfw portfw
- config_foreach apply_routing routing
-}
-
-stop() {
- ### Hook out the chains
- iptables -D input_rule -j luci_fw_input
- iptables -D output_rule -j luci_fw_output
- iptables -D forwarding_rule -j luci_fw_forward
- iptables -t nat -D prerouting_rule -j luci_fw_prerouting
- iptables -t nat -D postrouting_rule -j luci_fw_postrouting
-
- ### Clear subchains
- iptables -F luci_fw_input
- iptables -F luci_fw_output
- iptables -F luci_fw_forward
- iptables -t nat -F luci_fw_prerouting
- iptables -t nat -F luci_fw_postrouting
-
- ### Delete subchains
- iptables -X luci_fw_input
- iptables -X luci_fw_output
- iptables -X luci_fw_forward
- iptables -t nat -X luci_fw_prerouting
- iptables -t nat -X luci_fw_postrouting
-}
diff --git a/contrib/package/luci/Makefile b/contrib/package/luci/Makefile
index d5123aba0..0c06cd7cc 100644
--- a/contrib/package/luci/Makefile
+++ b/contrib/package/luci/Makefile
@@ -354,7 +354,7 @@ endef
 define Package/luci-app-firewall
 $(call Package/luci/webtemplate)
- DEPENDS+=+luci-admin-core
+ DEPENDS+=+luci-admin-core +firewall
 TITLE:=Firewall and Portforwarding application
 endef
diff --git a/libs/web/root/etc/config/luci b/libs/web/root/etc/config/luci
index b02fb51f5..8382b5d28 100644
--- a/libs/web/root/etc/config/luci
+++ b/libs/web/root/etc/config/luci
@@ -19,15 +19,15 @@ config extern flash_keep
 option firewall "/etc/firewall.user"
 config event uci_oncommit
- option network "/sbin/luci-reload network firewall luci_fw dnsmasq"
- option wireless "/sbin/luci-reload network firewall luci_fw dnsmasq"
+ option network "/sbin/luci-reload network firewall dnsmasq"
+ option wireless "/sbin/luci-reload network firewall dnsmasq"
 option olsr "/sbin/luci-reload olsrd"
 option dhcp "/sbin/luci-reload dnsmasq"
 option dropbear "/sbin/luci-reload dropbear"
 option httpd "/sbin/luci-reload httpd"
 option fstab "/sbin/luci-reload fstab"
 option qos "/sbin/luci-reload qos"
- option luci_fw "/sbin/luci-reload luci_fw"
+ option firewall "/sbin/luci-reload firewall"
 option luci_ethers "/sbin/luci-reload luci_ethers dnsmasq"
 option luci_splash "/sbin/luci-reload luci_splash"
 option upnpd "/etc/init.d/miniupnpd enabled && /sbin/luci-reload miniupnpd || /etc/init.d/miniupnpd stop"
-- 
2.11.0