1 # Copyright (C) 2009-2010 OpenWrt.org
2 # Copyright (C) 2009 Malte S. Stretz
3
# Per-family error latches, written by fw__rc() inside fw__exec():
# 4/6 = IPv4/IPv6, i = dual stack, e = ebtables, a = arptables.
# All start out clear and are exported so child shells see them.
export FW_4_ERROR=0 FW_6_ERROR=0 FW_i_ERROR=0 FW_e_ERROR=0 FW_a_ERROR=0
9
10 #TODO: remove this
# fw is the public entry point; it only forwards to fw__exec().
# When the shell is tracing (set -x) the wrapper turns tracing off around
# the call, so the argument marshalling inside fw__exec does not flood the
# trace, and restores the previous option set afterwards.
case "$-" in
	*x*)
		fw() {
			local saved_opts=$-
			set +x
			fw__exec "$@"
			local status=$?
			set -$saved_opts
			return $status
		}
		;;
	*)
		fw() {
			fw__exec "$@"
		}
		;;
esac
25
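fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
	# Backend of fw(): turns the compact firewall vocabulary into one
	# iptables / ip6tables / ebtables / arptables invocation.
	#   action   add | del | flush | policy | has | err | list
	#   family   4 | 6 | i (IPv4 and IPv6) | I (pick the family from the
	#            addresses in the rule) | e (ebtables) | a (arptables) |
	#            - (same as i)
	#   table    f | m | n | r, or - for filter
	#   chain    chain name, or - for none
	#   target   jump target, or - for none
	#   position ^ (insert at 1) | $ or - (append) | <n> (insert at n)
	# The rule arguments follow, wrapped in a literal '{' ... '}' pair.
	# Returns the tool's exit status and latches it into FW_<family>_ERROR.
	local cmd fam tab chn tgt pos
	local i
	for i in cmd fam tab chn tgt pos; do
		if [ -n "$1" ] && [ "$1" != '{' ]; then
			# Let the shell expand $1 *after* eval has parsed the
			# assignment: a value containing a quote or ';' is stored
			# verbatim instead of being executed as shell code.
			eval "$i=\$1"
			shift
		else
			eval "$i=-"
		fi
	done

	# Record <status> in FW_<fam>_ERROR and return it.
	fw__rc() {
		export FW_${fam}_ERROR=$1
		return $1
	}

	# Family i: run the same command for IPv4 and IPv6, OR-ing the errors.
	fw__dualip() {
		fw $cmd 4 $tab $chn $tgt $pos "$@"
		fw $cmd 6 $tab $chn $tgt $pos "$@"
		fw__rc $((FW_4_ERROR | FW_6_ERROR))
	}

	# Family I: choose 4 or 6 from the addresses found in the rule
	# arguments, or fall back to both families when none is found.
	fw__autoip() {
		local ip4 ip6
		shift
		# Any argument containing ':' counts as IPv6 (checked first so an
		# IPv6 literal with an embedded dotted quad is not taken as IPv4);
		# any dotted quad counts as IPv4. The $# guard stops the scan at
		# the end of the argument list if no closing brace was given.
		# NOTE(review): a port range such as 80:90 also matches '*:*' --
		# confirm callers never pass one through family I.
		while [ $# -gt 0 ] && [ "$1" != '}' ]; do
			case "$1" in
				*:*) ip6=1 ;;
				*.*.*.*) ip4=1 ;;
			esac
			shift
		done
		shift
		# Errors of this family are latched as FW_i_ERROR.
		fam=i
		if [ "${ip4:-4}" == "${ip6:-6}" ]; then
			echo "fw: can't mix ip4 and ip6" >&2
			fw__rc 1
			return
		fi
		local ver=${ip4:+4}${ip6:+6}
		fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
		fw__rc $?
	}

	# "has": report whether <table>'s kernel module (or, for table '-',
	# the tool binary itself) is available. The module result is cached
	# in FW_<fam>_<table> for the life of the shell.
	fw__has() {
		local tab=${1:-$tab}
		if [ "$tab" == '-' ]; then
			type $app > /dev/null 2> /dev/null
			fw__rc $(($? & 1))
			return
		fi
		local mod
		eval "mod=\$FW_${fam}_${tab}"
		if [ "$mod" ]; then
			fw__rc $mod
			return
		fi
		case "$fam" in
			4) mod=iptable_${tab} ;;
			6) mod=ip6table_${tab} ;;
			*) mod=. ;;
		esac
		# Only loadable modules appear in /proc/modules; a table compiled
		# into the kernel is not detected here.
		# NOTE(review): for ebtables/arptables the pattern is '^. ', which
		# matches only a one-character module name -- verify those
		# families are actually reachable through this check.
		grep -q "^${mod} " /proc/modules
		mod=$?
		export FW_${fam}_${tab}=$mod
		fw__rc $mod
	}

	# "err": re-assert the last recorded status for this family.
	fw__err() {
		local err
		eval "err=\$FW_${fam}_ERROR"
		fw__rc $err
	}

	local app=
	local pol=
	# Resolve the family to a tool, or delegate to the multi-family helpers.
	# An unset FW_DISABLE_IPV4/6 is treated like "disabled" (the call
	# returns without doing anything), as before.
	case "$fam" in
		4) [ "$FW_DISABLE_IPV4" == 0 ] && app=iptables  || return ;;
		6) [ "$FW_DISABLE_IPV6" == 0 ] && app=ip6tables || return ;;
		i) fw__dualip "$@"; return ;;
		I) fw__autoip "$@"; return ;;
		e) app=ebtables ;;
		a) app=arptables ;;
		-) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
		*) return 254 ;;
	esac
	case "$tab" in
		f) tab=filter ;;
		m) tab=mangle ;;
		n) tab=nat ;;
		r) tab=raw ;;
		-) tab=filter ;;
	esac
	# Map action + operands onto the tool's command-line verb. Deleting a
	# chain (or every chain) flushes it first so the delete cannot fail on
	# a non-empty chain.
	case "$cmd:$chn:$tgt:$pos" in
		add:*:-:*) cmd=new-chain ;;
		add:*:*:-) cmd=append ;;
		add:*:*:$) cmd=append ;;
		add:*:*:*) cmd=insert ;;
		del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
		del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
		del:*:*:*) cmd=delete ;;
		flush:*) ;;
		policy:*) pol=$tgt; tgt=- ;;
		has:*) fw__has; return ;;
		err:*) fw__err; return ;;
		list:*) cmd="numeric --verbose --$cmd" ;;
		*) return 254 ;;
	esac
	case "$chn" in
		-) chn= ;;
	esac
	case "$tgt" in
		-) tgt= ;;
	esac
	case "$pos" in
		^) pos=1 ;;
		$) pos= ;;
		-) pos= ;;
	esac

	# A missing tool or table module is treated as "nothing to do": the
	# call succeeds and FW_<fam>_ERROR is cleared.
	# NOTE(review): rules for that family are then silently not installed;
	# a caller that needs a hard failure must probe with the "has" action.
	if ! fw__has - family || ! fw__has $tab ; then
		export FW_${fam}_ERROR=0
		return 0
	fi

	if [ $# -gt 0 ]; then
		shift		# drop the opening '{'
		if [ "$cmd" == delete ]; then
			pos=		# --delete takes no position
		fi
	fi
	# Stream the rule arguments NUL-separated into xargs, translating the
	# ICMP option/protocol names for the other address family. The last
	# argument (expected to be the closing '}') is never emitted, nor are
	# the braces of nested groups. NUL separation keeps arguments that
	# contain spaces intact; printf rather than echo so an argument that
	# looks like an echo option (-n, -e) is also emitted verbatim.
	while [ $# -gt 1 ]; do
		case "$app:$1" in
			ip6tables:--icmp-type) printf '%s' "--icmpv6-type" ;;
			ip6tables:icmp|ip6tables:ICMP) printf '%s' "icmpv6" ;;
			iptables:--icmpv6-type) printf '%s' "--icmp-type" ;;
			iptables:icmpv6) printf '%s' "icmp" ;;
			*:}|*:{) shift; continue ;;
			*) printf '%s' "$1" ;;
		esac
		echo -ne "\0"
		shift
	done | xargs -0 ${FW_TRACE:+-t} \
		$app --table ${tab} --${cmd} ${chn} ${pol} ${pos} ${tgt:+--jump "$tgt"}
	fw__rc $?
}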
172
# Render a port range in the form the firewall tool expects.
#   $1  port, or "lo-hi" range
#   $2  separator placed between the bounds (default ':')
#   $3  optional upper bound given separately; joined onto $1 with '-'
# A single port, or a range whose bounds are equal, prints just the port.
fw_get_port_range() {
	local range=$1
	local sep=${2:-:}
	[ -z "$3" ] || {
		fw_get_port_range "${range}-${3}" $sep
		return
	}

	local lo=${range%-*}
	local hi=${range#*-}
	[ "$lo" = "$hi" ] && echo "$lo" || echo "$lo$sep$hi"
}
189
# Decide which address family a rule for <zone> should be installed for.
#   $1  hint: a family hint ending in 4 or 6 wins when the zone supports it
#   $2  zone name
#   $3  fallback mode, echoed when neither family can be decided
# Zone membership comes from the FW_ZONES4/FW_ZONES6 lists when either is
# set, otherwise from the <zone>_ipv4/<zone>_ipv6 uci state (default 0).
# Echoes 4, 6 or <mode>.
fw_get_family_mode() {
	local hint="$1"
	local zone="$2"
	local mode="$3"
	local ipv4 ipv6

	if [ -n "$FW_ZONES4$FW_ZONES6" ]; then
		ipv4=0
		ipv6=0
		list_contains FW_ZONES4 $zone && ipv4=1
		list_contains FW_ZONES6 $zone && ipv6=1
	else
		ipv4=$(uci_get_state firewall core ${zone}_ipv4 0)
		ipv6=$(uci_get_state firewall core ${zone}_ipv6 0)
	fi

	# Arms are ordered: an explicit hint beats a single-family zone,
	# which beats the fallback mode.
	case "$hint:$ipv4:$ipv6" in
		*4:1:*) echo 4 ;;
		*:1:0)  echo 4 ;;
		*6:*:1) echo 6 ;;
		*:0:1)  echo 6 ;;
		*)      echo $mode ;;
	esac
}
210