1 # Copyright (C) 2009-2010 OpenWrt.org
2 # Copyright (C) 2009 Malte S. Stretz
11 [ "${-#*x}" == "$-" ] && {
# Run one firewall action.  Usage (from the inline header comment):
#   fw__exec <action> <family> <table> <chain> <target> <position> { <rules> }
# The six positional slots are consumed into locals until the literal '{';
# the remaining arguments up to '}' form the rule body.  Family codes that
# appear on this page: 4, 6, G4, G6, i, I and '-'.  Lines between the ones
# shown here are missing, so some of the dispatch arms below are inferred.
26 fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
27 local cmd fam tab chn tgt pos
# Fill the locals from $1.. in order, stopping early at '{' so a caller may
# omit trailing slots.  NB: '-a' inside [ ] is the deprecated binary AND;
# '[ -n "$1" ] && [ "$1" != '{' ]' is the portable spelling.
29 for i in cmd fam tab chn tgt pos; do
30 if [ "$1" -a "$1" != '{' ]; then
# Record the last exit status per address family in the environment.
# ${fam#G} strips a leading G so that G4 and 4 share FW_4_ERROR.
39 export FW_${fam#G}_ERROR=$1
# Both-families path (its enclosing case arm is not shown): run the same
# action for IPv4 and IPv6, then merge the two error codes bitwise.
44 fw $cmd 4 $tab $chn $tgt $pos "$@"
45 fw $cmd 6 $tab $chn $tgt $pos "$@"
46 fw__rc $((FW_4_ERROR | FW_6_ERROR))
# Rule-body scan up to the closing '}'.  ip4/ip6 are flags derived from the
# rule (how is not shown) and must not both be set for a single rule.
52 while [ "$1" != '}' ]; do
60 if [ "${ip4:-4}" == "${ip6:-6}" ]; then
61 echo "fw: can't mix ip4 and ip6" >&2
# Family from whichever flag is set; neither set falls back to 'i'.
64 local ver=${ip4:+4}${ip6:+6}
66 fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
# Table '-' means: only check that the tool ($app) is available.
72 if [ $tab == '-' ]; then
73 type $app > /dev/null 2> /dev/null
# Indirect read of FW_<4|6>_<table> via eval (presumably instead of ${!name}
# for plain-sh compatibility).  The expanded ${tab} becomes shell source
# here, so table names must be plain identifier tokens and must never be
# taken from untrusted input.
78 eval "mod=\$FW_${fam#G}_${tab}"
# Kernel module that implements the table, per family.
84 *4) mod=iptable_${tab} ;;
85 *6) mod=ip6table_${tab} ;;
# Loaded-module check against /proc/modules; the result is cached in the
# environment so later calls can skip the grep.
88 grep -q "^${mod} " /proc/modules
90 export FW_${fam}_${tab}=$mod
# Indirect read of FW_<family>_ERROR (same eval caveat as above).
96 eval "err=\$FW_${fam}_ERROR"
# Pick the tool for the family unless that family is disabled.  The
# disable flags are compared unquoted and with '==', a bashism inside [ ].
# 'i'/'I' delegate to the dual/auto family helpers; '-' retries as 'i'.
103 *4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables || return ;;
104 *6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
105 i) fw__dualip "$@"; return ;;
106 I) fw__autoip "$@"; return ;;
109 -) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
# Map the abstract action onto an iptables subcommand from the
# action/chain/target/position tuple ('-' = absent, '$' = end of chain).
119 case "$cmd:$chn:$tgt:$pos" in
120 add:*:-:*) cmd=new-chain ;;
121 add:*:*:-) cmd=append ;;
122 add:*:*:$) cmd=append ;;
123 add:*:*:*) cmd=insert ;;
# Deleting a chain flushes first (the whole table, or just that chain).
124 del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
125 del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
126 del:*:*:*) cmd=delete ;;
# 'policy' carries the policy name in the target slot.
128 policy:*) pol=$tgt; tgt=- ;;
129 has:*) fw__has; return ;;
130 err:*) fw__err; return ;;
131 list:*) cmd="numeric --verbose --$cmd" ;;
# Position '+': insert at a running per-chain offset read indirectly
# (default 1); the counter is advanced at the end of this function.
146 +) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;;
# Family or table not available (per fw__has, not shown): report success
# and, presumably, return.
149 if ! fw__has - family || ! fw__has $tab ; then
150 export FW_${fam}_ERROR=0
# For a G* family the rule body is discarded: skip arguments up to '{'.
155 G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
158 if [ $# -gt 0 ]; then
160 if [ $cmd == delete ]; then
# The command line is assembled as one string, so every token is re-split
# on whitespace when it is finally run; values containing spaces or glob
# characters cannot be passed through it safely.
165 local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}"
166 while [ $# -gt 1 ]; do
167 # special parameter handling
# ICMP protocol (by name, or number 1/58) is spelled differently per tool.
169 -p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58)
170 [ "$app" = ip6tables ] && \
171 cmdline="$cmdline -p icmpv6" || \
172 cmdline="$cmdline -p icmp"
# ICMP type names are validated against the tool's own list before they
# reach the command line; an unknown type is logged and the rule skipped.
175 --icmp-type:*|--icmpv6-type:*)
177 if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then
178 cmdline="$cmdline $icmp_type"
179 elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then
180 cmdline="$cmdline $icmp_type"
# NB: 'local' is function-scoped, so this overwrites the fam local declared
# above rather than creating a block variable; harmless only if this branch
# leaves the function (the lines that follow are not shown).
182 local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6
183 fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule"
# Everything else is appended verbatim.
188 *) cmdline="$cmdline $1" ;;
# Trace output to stderr; $cmdline is expanded unquoted, so the trace line
# is subject to word-splitting and globbing.
193 [ -n "$FW_TRACE" ] && echo $cmdline >&2
# On success with a '+' position, advance the per-chain insert offset
# (again stored under a dynamically named environment variable).
198 [ $rv -eq 0 ] && [ -n "$rule_offset" ] && \
199 export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))"
# Normalise a port specification into "<first><delim><last>" for iptables.
# The argument header (lines 204-207) is not shown; judging by the
# recursive call the order is <var> <ports> <delim> [<last>], where a
# separate fourth argument is folded into a "first-last" range and
# re-parsed.  The result is stored in the variable named by <var>.
203 fw_get_port_range() {
208 fw_get_port_range $_var "${_ports}-${4}" $_delim
# Split on '-': shortest suffix / prefix strip, so "80-90" -> 80 / 90.
# A value without '-' yields _first == _last.
212 local _first=${_ports%-*}
213 local _last=${_ports#*-}
# A leading '!' (negation) stays on the first port and is stripped from the
# last; a single port or a degenerate range such as "80-80" collapses to
# just the first value.
214 if [ "${_first#!}" != "${_last#!}" ]; then
215 export -- "$_var=$_first$_delim${_last#!}"
217 export -- "$_var=$_first"
# Decide the address-family mode (G4, G6 or the supplied default) for a
# zone.  The argument header (lines 222-227) is not shown; the locals in
# use are _var (output variable name), _hint, _zone and _mode.  The result
# is assigned with 'export -n', i.e. as a plain (non-exported) variable.
221 fw_get_family_mode() {
# Prefer the in-memory zone lists when either one is populated; otherwise
# fall back to saved uci state, defaulting to 0 (not enabled).
228 [ -n "$FW_ZONES4$FW_ZONES6" ] && {
229 list_contains FW_ZONES4 $_zone && _ipv4=1 || _ipv4=0
230 list_contains FW_ZONES6 $_zone && _ipv6=1 || _ipv6=0
232 _ipv4=$(uci_get_state firewall core ${_zone}_ipv4 0)
233 _ipv6=$(uci_get_state firewall core ${_zone}_ipv6 0)
# A hint ending in 4/6 wins when that family is enabled; a zone enabled for
# exactly one family forces that family; anything else keeps _mode.
236 case "$_hint:$_ipv4:$_ipv6" in
237 *4:1:*|*:1:0) export -n -- "$_var=G4" ;;
238 *6:*:1|*:0:1) export -n -- "$_var=G6" ;;
239 *) export -n -- "$_var=$_mode" ;;
248 [ "${_value#!}" != "$_value" ] && \
249 export -n -- "$_var=! $_flag ${_value#!}" || \
250 export -n -- "$_var=${_value:+$_flag $_value}"
258 local _ipaddr="$(uci_get_state network "${_name#!}" ipaddr)"
259 local _netmask="$(uci_get_state network "${_name#!}" netmask)"
263 [ "${_name#!}" != "$_name" ] && \
264 export -n -- "$_var=! $_flag $_ipaddr/${_netmask:-255.255.255.255}" || \
265 export -n -- "$_var=$_flag $_ipaddr/${_netmask:-255.255.255.255}"
267 *) export -n -- "$_var=" ;;
# Translate an ICMP type (name or number, optionally '!'-negated) into an
# iptables "--icmp-type ..." fragment stored in the variable named by the
# first argument.  Locals _var and _type are assigned in lines not shown.
# Returns 0 when the type is accepted; on an unknown name the output
# variable is cleared (the return path after line 300 is not shown).
271 fw_check_icmptype4() {
# Numeric types are passed through without a lookup.  NB: the glob
# '[0-9]*' only inspects the first character, so any value that starts
# with a digit is accepted here, not just an integer.
275 ![0-9]*) export -n -- "$_var=! --icmp-type ${_type#!}"; return 0 ;;
276 [0-9]*) export -n -- "$_var=--icmp-type $_type"; return 0 ;;
# Lazily build the allow-list of symbolic names from iptables' own help
# text and cache it in the environment.  The sed script appears to emit one
# name per line from the "Valid ICMP Types:" section; the two router-*
# entries are dropped explicitly (the reason is not given on the page).
279 [ -z "$FW_ICMP4_TYPES" ] && \
280 export FW_ICMP4_TYPES=$(
281 iptables -p icmp -h 2>/dev/null | \
282 sed -n -e '/^Valid ICMP Types:/ {
284 /router-advertisement/d;
285 /router-solicitation/d;
286 s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
# Only a name present in that list is written out; this exact-match check
# is what keeps an arbitrary configuration string off the iptables command
# line built by the caller.
291 for _check in $FW_ICMP4_TYPES; do
292 if [ "$_check" = "${_type#!}" ]; then
293 [ "${_type#!}" != "$_type" ] && \
294 export -n -- "$_var=! --icmp-type ${_type#!}" || \
295 export -n -- "$_var=--icmp-type $_type"
# No match: clear the output variable.
300 export -n -- "$_var="
304 fw_check_icmptype6() {
308 ![0-9]*) export -n -- "$_var=! --icmpv6-type ${_type#!}"; return 0 ;;
309 [0-9]*) export -n -- "$_var=--icmpv6-type $_type"; return 0 ;;
312 [ -z "$FW_ICMP6_TYPES" ] && \
313 export FW_ICMP6_TYPES=$(
314 ip6tables -p icmpv6 -h 2>/dev/null | \
315 sed -n -e '/^Valid ICMPv6 Types:/ {
316 n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
321 for _check in $FW_ICMP6_TYPES; do
322 if [ "$_check" = "${_type#!}" ]; then
323 [ "${_type#!}" != "$_type" ] && \
324 export -n -- "$_var=! --icmpv6-type ${_type#!}" || \
325 export -n -- "$_var=--icmpv6-type $_type"
330 export -n -- "$_var="