applications/luci-fw: Reworked to use the new native UCI-based firewall configuration

diff --git a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
index b896733..18b6f87 100644 (file)
--- a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
+++ b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
@@ -6,9 +6,12 @@ function index()
        
        local nodes = {}
 
        
        local nodes = {}
 

-       table.insert(nodes, entry({"admin", "network", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw", "Portweiterleitung"), 70))   
-       table.insert(nodes, entry({"admin", "network", "routing"}, cbi("luci_fw/routing"), i18n("fw_routing", "Routing"), 73))
-       table.insert(nodes, entry({"admin", "network", "firewall"}, cbi("luci_fw/firewall"), i18n("fw_fw", "Firewall"), 76))
+       table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
+       table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
+       table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))    
+       table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
+       table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))    
+       table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))     

        
        table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
        
        
        table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
        

diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
index d7adf36..93075f3 100644 (file)
--- a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
@@ -1,45 +1,60 @@
-fw_fw = [[Firewall]]
-fw_portfw = [[Portweiterleitung]]
-fw_routing = [[Routing]]
-fw_fw1 = [[Mit Hilfe der Firewall können Zugriffe auf das Netzwerk
-erlaubt, verboten oder umgeleitet werden.]]
-lucifw_rule_chain = "Kette"
-lucifw_rule_iface = "Eingangsschnittstelle"
-lucifw_rule_oface = "Ausgangsschnittstelle"
-lucifw_rule_source = "Quelladresse"
-lucifw_rule_destination = "Zieladresse"
-lucifw_rule_mac = "MAC-Adresse"
-lucifw_rule_sport = "Quellport"
-lucifw_rule_dport = "Zielport"
-lucifw_rule_tosrc = "Neue Quelladresse [SNAT]"
-lucifw_rule_todest = "Neue Zieladresse [DNAT]" 
-lucifw_rule_jump = "Aktion"
-lucifw_rule_command = "Eigener Befehl"
-fw_accept = "annehmen (ACCEPT)"
-fw_reject = "zurückweisen (REJECT)"
-fw_drop = "verwerfen (DROP)"
-fw_log = "protokollieren (LOG)"
-fw_dnat = "Ziel umschreiben (DNAT) [nur Prerouting]"
-fw_masq = "maskieren (MASQUERADE) [nur Postrouting]"
-fw_snat = "Quelle umschreiben (SNAT) [nur Postrouting]"
+fw_portfw = "Portweiterleitung"
+fw_forwarding = "Weiterleitung"
+fw_fw = "Firewall"
+fw_zone = "Zone"
+fw_zones = "Zonen"
+fw_custfwd = "Eigene Weiterleitungen"
+fw_rules = "Eigene Regeln"
+fw_rules1 = "An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren."
+fw_fw1 = "Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen."
+firewall_rule_src = "Eingangszone"
+firewall_rule_dest = "Ausgangszone"
+firewall_rule_srcip = "Quelladresse"
+firewall_rule_destip = "Zieladresse"
+firewall_rule_srcmac = "Quell-MAC-Adresse"
+firewall_rule_srcport = "Quellport"
+firewall_rule_destport = "Zielport"
+firewall_rule_target = "Aktion"
+fw_accept = "annehmen"
+fw_reject = "zurückweisen"
+fw_drop = "verwerfen"

 
 

-fw_portfw1 = [[Portweiterleitungen ermöglichen es interne
-Netzwerkdienste von einem anderen externen Netzwerk aus erreichbar zu machen.]]
-lucifw_portfw_iface_desc = "Externe Schnittstelle"
-lucifw_portfw_dport = "Externer Port"
-lucifw_portfw_dport_desc = "Einzelner Port oder Erster Port-Letzter Port"
-lucifw_portfw_to = "Interne Adresse"
-lucifw_portfw_to_desc = "IP, IP:Port oder IP:Erster Port-Letzter Port"
+fw_portfw1 = [[Portweiterleitungen ermöglichen es interne Netzwerkdienste aus einem externen Netzwerk heraus erreichbar zu machen.]]
+firewall_redirect_src_desc = "Externe Zone"
+firewall_redirect_srcdport = "Externer Port"
+firewall_redirect_srcdport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_destip = "Interne Adresse"
+firewall_redirect_destip_desc = "IP-Adresse"
+firewall_redirect_destport = "Interner Port (optional)"
+firewall_redirect_destport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_srcip = firewall_rule_srcip
+firewall_redirect_srcmac = firewall_rule_srcmac
+firewall_redirect_srcport = firewall_rule_srcport

 
 

-fw_routing1 = [[An dieser Stelle wird festlegt, welcher Netzverkehr zwischen einzelnen
-Schnittstellen erlaubt werden soll. Es werden jeweils nur neue Verbindungen
-betrachtet, d.h. Pakete von aufgebauten oder zugehörigen Verbindungen werden automatisch in beide Richtungen
-akzeptiert, auch wenn das Feld "beide Richtungen" nicht explizit gesetzt ist.
-NAT ermöglicht Adressübersetzung.]]
-lucifw_routing_iface = "Eingang"
-lucifw_routing_iface_desc = lucifw_rule_iface
-lucifw_routing_oface = "Ausgang" 
-lucifw_routing_oface_desc = lucifw_rule_oface
-lucifw_routing_fwd_desc = "weiterleiten"
-lucifw_routing_nat_desc = "übersetzen"
-lucifw_routing_bidi_desc = "beide Richtungen"
\ No newline at end of file
+fw_forwarding1 = [[An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann.
+Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch
+akzeptiert.]]
+firewall_forwarding_src = "Eingang"
+firewall_forwarding_src_desc = firewall_rule_src
+firewall_forwarding_dest = "Ausgang" 
+firewall_forwarding_dest_desc = firewall_rule_dest
+
+firewall_defaults = "Grundeinstellungen"
+firewall_defaults_desc = "Grundeinstellungen die verwendet werden, wenn keine andere Regel angewandt werden kann."
+firewall_defaults_synflood = "Schutz vor SYN-flood-Attacken"
+firewall_defaults_input = "Eingehender Verkehr"
+firewall_defaults_output = "Ausgehender Verkehr"
+firewall_defaults_forward = "Weitergeleiteter Verkehr"
+
+firewall_zone_desc = [[Zonen teilen das Netzwerk in mehrere Bereiche ein um Netzverkehr sicher zu trennen.
+Ein oder mehrere Netzwerke gehören zu einer Zone.
+Das MASQ-Flag legt fest, dass aller ausgehende Netzverkehr einer Zone NAT-maskiert wird.]]
+firewall_zone_input = "Eingehender Verkehr"
+firewall_zone_input_desc = "Standardaktion"
+firewall_zone_output = "Ausgehender Verkehr"
+firewall_zone_output_desc = "Standardaktion"
+firewall_zone_forward = "Weitergeleiteter Verkehr"
+firewall_zone_forward_desc = "Standardaktion"
+firewall_zone_masq = "MASQ"
+firewall_zone_network = "Netzwerke"
+firewall_zone_network_desc = "verbundene Netzwerke"
\ No newline at end of file

diff --git a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
index 7d3a3a0..9998c28 100644 (file)
--- a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
@@ -1,43 +1,60 @@
 fw_portfw = "Port forwarding"
 fw_portfw = "Port forwarding"

-fw_routing = "Routing"
+fw_forwarding = "Forwarding"

 fw_fw = "Firewall"
 fw_fw = "Firewall"

-fw_fw1 = "Here you can grant, access or redirect network traffic."
-lucifw_rule_chain = "Chain"
-lucifw_rule_iface = "Input interface"
-lucifw_rule_oface = "Output interface"
-lucifw_rule_source = "Source address"
-lucifw_rule_destination = "Destination address"
-lucifw_rule_mac = "MAC-Address"
-lucifw_rule_sport = "Source port"
-lucifw_rule_dport = "Destination port"
-lucifw_rule_tosrc = "New source address [SNAT]"
-lucifw_rule_todest = "New target address [DNAT]" 
-lucifw_rule_jump = "Action"
-lucifw_rule_command = "Custom Command"
+fw_zone = "Zone"
+fw_zones = "Zones"
+fw_custfwd = "Custom redirect"
+fw_rules = "Custom Rules"
+fw_rules1 = "Here you can create custom firewall rules to control your network traffic."
+fw_fw1 = "The firewall creates zones over your network interfaces to control network traffic flow."
+firewall_rule_src = "Input Zone"
+firewall_rule_dest = "Output Zone"
+firewall_rule_srcip = "Source address"
+firewall_rule_destip = "Destination address"
+firewall_rule_srcmac = "Source MAC-Address"
+firewall_rule_srcport = "Source port"
+firewall_rule_destport = "Destination port"
+firewall_rule_target = "Action"

 fw_accept = "accept"
 fw_reject = "reject"
 fw_drop = "drop"
 fw_accept = "accept"
 fw_reject = "reject"
 fw_drop = "drop"

-fw_log = "log"
-fw_dnat = "change destination (DNAT) [prerouting only]"
-fw_masq = "masquerade [postrouting only]"
-fw_snat = "change source (SNAT) [postrouting only]"

 
 fw_portfw1 = [[Port forwarding allows to provide network services 
 in the internal network to an external network.]]
 
 fw_portfw1 = [[Port forwarding allows to provide network services 
 in the internal network to an external network.]]

-lucifw_portfw_iface_desc = "External interface"
-lucifw_portfw_dport = "External port"
-lucifw_portfw_dport_desc = "single port or first port-last port"
-lucifw_portfw_to = "Internal address"
-lucifw_portfw_to_desc = "IP, IP:port or IP:first port-last port"
+firewall_redirect_src_desc = "External Zone"
+firewall_redirect_srcdport = "External port"
+firewall_redirect_srcdport_desc = "port or range as first:last"
+firewall_redirect_destip = "Internal address"
+firewall_redirect_destip_desc = "IP-Address"
+firewall_redirect_destport = "Internal port (optional)"
+firewall_redirect_destport_desc = "port or range as first:last"
+firewall_redirect_srcip = firewall_rule_srcip
+firewall_redirect_srcmac = firewall_rule_srcmac
+firewall_redirect_srcport = firewall_rule_srcport

 
 

-fw_routing1 = [[Here you can specify which network traffic is allowed to flow between network interfaces.
+fw_forwarding1 = [[Here you can specify which network traffic is allowed to flow between network zones.

 Only new connections will be matched. Packets belonging to already open connections are automatically allowed
 Only new connections will be matched. Packets belonging to already open connections are automatically allowed

-to pass the firewall in this case you do not need to set the "bidirectional" flag. NAT provides
-address translation.]]
-lucifw_routing_iface = "Input"
-lucifw_routing_iface_desc = lucifw_rule_iface
-lucifw_routing_oface = "Output" 
-lucifw_routing_oface_desc = lucifw_rule_oface
-lucifw_routing_fwd_desc = "forward"
-lucifw_routing_nat_desc = "translate"
-lucifw_routing_bidi_desc = "bidirectional"
\ No newline at end of file
+to pass the firewall.]]
+firewall_forwarding_src = "Input"
+firewall_forwarding_src_desc = firewall_rule_src
+firewall_forwarding_dest = "Output" 
+firewall_forwarding_dest_desc = firewall_rule_dest
+
+firewall_defaults = "Defaults"
+firewall_defaults_desc = "These are the default settings that are used if no other rules match."
+firewall_defaults_synflood = "SYN-flood protection"
+firewall_defaults_input = "Incoming Traffic"
+firewall_defaults_output = "Outgoing Traffic"
+firewall_defaults_forward = "Forwarded Traffic"
+
+firewall_zone_desc = [[Zones part the network interfaces into certain isolated areas to separate network traffic.
+One or more networks can belong to a zone. The MASQ-flag enables NAT masquerading for all outgoing traffic on this zone.]]
+firewall_zone_input = "Incoming Traffic"
+firewall_zone_input_desc = "Default Policy"
+firewall_zone_output = "Outgoing Traffic"
+firewall_zone_output_desc = "Default Policy"
+firewall_zone_forward = "Forwarded Traffic"
+firewall_zone_forward_desc = "Default Policy"
+firewall_zone_masq = "MASQ"
+firewall_zone_network = "Networks"
+firewall_zone_network_desc = "contained networks"
\ No newline at end of file

diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
new file mode 100644 (file)
index 0000000..42be400
--- /dev/null
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
@@ -0,0 +1,62 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+require("luci.sys")
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+
+
+s = m:section(TypedSection, "redirect", "")
+s.addremove = true
+s.anonymous = true
+
+name = s:option(Value, "_name", translate("name"))
+name.rmempty = true
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))
+iface.default = "wan"
+luci.model.uci.foreach("firewall", "zone",
+       function (section)
+               iface:value(section.name)
+       end)
+       
+s:option(Value, "src_ip").optional = true
+s:option(Value, "src_mac").optional = true
+
+sport = s:option(Value, "src_port")
+sport.optional = true
+sport:depends("proto", "tcp")
+sport:depends("proto", "udp")
+
+proto = s:option(ListValue, "proto", translate("protocol"))
+proto.optional = true
+proto:value("")
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+
+dport = s:option(Value, "src_dport")
+dport.size = 5
+dport.optional = true
+dport:depends("proto", "tcp")
+dport:depends("proto", "udp")
+
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+       to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.optional = true
+toport.size = 5
+
+return m

diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
index 5ed4559..2919896 100644 (file)
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
@@ -11,31 +11,23 @@ You may obtain a copy of the License at
 
 $Id$
 ]]--
 
 $Id$
 ]]--

-m = Map("luci_fw", translate("fw_fw"), translate("fw_fw1"))
+m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))

 
 s = m:section(TypedSection, "rule", "")
 s.addremove = true
 s.anonymous = true
 
 
 s = m:section(TypedSection, "rule", "")
 s.addremove = true
 s.anonymous = true
 

-chain = s:option(ListValue, "chain")
-chain:value("forward", "Forward")
-chain:value("input", "Input")
-chain:value("output", "Output")
-chain:value("prerouting", "Prerouting")
-chain:value("postrouting", "Postrouting")
+iface = s:option(ListValue, "src")
+iface:value("")
+iface.rmempty = true

 
 

-iface = s:option(ListValue, "iface")
-iface.optional = true
-
-oface = s:option(ListValue, "oface")
+oface = s:option(ListValue, "dest")

 oface.optional = true
 
 oface.optional = true
 

-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",

        function (section)
        function (section)

-               if section[".name"] ~= "loopback" then
-                       iface:value(section[".name"])
-                       oface:value(section[".name"])
-               end
+               iface:value(section.name)
+               oface:value(section.name)

        end)
 
 proto = s:option(ListValue, "proto", translate("protocol"))
        end)
 
 proto = s:option(ListValue, "proto", translate("protocol"))


@@ -43,43 +35,27 @@ proto.optional = true
 proto:value("")
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("")
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")

+proto:value("icmp", "ICMP")

 
 

-s:option(Value, "source").optional = true
-s:option(Value, "destination").optional = true
-s:option(Value, "mac").optional = true
+s:option(Value, "src_ip").optional = true
+s:option(Value, "dest_ip").optional = true
+s:option(Value, "src_mac").optional = true

 
 

-sport = s:option(Value, "sport")
+sport = s:option(Value, "src_port")

 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
 
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
 

-dport = s:option(Value, "dport")
+dport = s:option(Value, "dest_port")

 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 

-tosrc = s:option(Value, "tosrc")
-tosrc.optional = true
-tosrc:depends("jump", "SNAT")
-
-tosrc = s:option(Value, "todest")
-tosrc.optional = true
-tosrc:depends("jump", "DNAT")
-
-jump = s:option(ListValue, "jump")
+jump = s:option(ListValue, "target")

 jump.rmempty = true
 jump.rmempty = true

-jump:value("", "")
+jump:value("DROP", translate("fw_drop"))

 jump:value("ACCEPT", translate("fw_accept"))
 jump:value("REJECT", translate("fw_reject"))
 jump:value("ACCEPT", translate("fw_accept"))
 jump:value("REJECT", translate("fw_reject"))

-jump:value("DROP", translate("fw_drop"))
-jump:value("LOG", translate("fw_log"))
-jump:value("DNAT", translate("fw_dnat"))
-jump:value("MASQUERADE", translate("fw_masq"))
-jump:value("SNAT", translate("fw_snat"))
-

 
 

-add = s:option(Value, "command")
-add.size = 50
-add.rmempty = true

 
 return m
 
 return m

diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
new file mode 100644 (file)
index 0000000..1a765ab
--- /dev/null
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
@@ -0,0 +1,67 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+m = Map("firewall", translate("fw_fw"), translate("fw_fw1"))
+
+s = m:section(TypedSection, "defaults")
+s.anonymous = true
+
+s:option(Flag, "syn_flood")
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+       v:value("DROP", translate("fw_drop"))
+       v:value("ACCEPT", translate("fw_accept"))
+end
+
+
+s = m:section(TypedSection, "zone", translate("fw_zones"))
+s.template = "cbi/tblsection"
+s.anonymous = true
+s.addremove = true
+
+name = s:option(Value, "name", translate("name"))
+name.size = 8
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+       v:value("DROP", translate("fw_drop"))
+       v:value("ACCEPT", translate("fw_accept"))
+end
+
+s:option(Flag, "masq")
+
+net = s:option(MultiValue, "network")
+net.widget = "select"
+net.rmempty = true
+luci.model.uci.foreach("network", "interface",
+       function (section)
+               if section[".name"] ~= "loopback" then
+                       net:value(section[".name"])
+               end
+       end)
+       
+function net.cfgvalue(self, section)
+       local value = MultiValue.cfgvalue(self, section)
+       return value or name:cfgvalue(section)
+end
+
+return m
\ No newline at end of file

diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
index 39eefa6..44a7391 100644 (file)
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
@@ -12,26 +12,33 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
 $Id$
 ]]--
 require("luci.sys")

-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))

 
 
 
 

-s = m:section(TypedSection, "portfw", "")
-s:depends("iface", "wan")
-s.defaults.iface = "wan"
+s = m:section(TypedSection, "redirect", "")
+s:depends("src", "wan")
+s.defaults.src = "wan"

 
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 
 
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 

-name = s:option(Value, "_name", translate("name") .. translate("cbi_optional"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10

 
 

-proto = s:option(ListValue, "proto", translate("protocol"))
+proto = s:option(ListValue, "protocol", translate("protocol"))

 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")

-proto:value("tcpudp", "TCP + UDP")

 
 

-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5

 
 

-to = s:option(Value, "to")
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+       to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.size = 5

 
 return m
 
 return m

diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
index 72f3d7e..c794410 100644 (file)
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
@@ -12,29 +12,37 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
 $Id$
 ]]--
 require("luci.sys")

-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))

 
 

-s = m:section(TypedSection, "portfw", "")
+
+s = m:section(TypedSection, "redirect", "")

 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 

-iface = s:option(ListValue, "iface", translate("interface"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))

 iface.default = "wan"
 iface.default = "wan"

-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",

        function (section)
        function (section)

-               if section[".name"] ~= "loopback" then
-                       iface:value(section[".name"])
-               end
+               iface:value(section.name)

        end)
 
 proto = s:option(ListValue, "proto", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
        end)
 
 proto = s:option(ListValue, "proto", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")

-proto:value("tcpudp", "TCP + UDP")

 
 

-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5
+
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+       to:value(dataset["IP address"])
+end

 
 

-to = s:option(Value, "to")
+toport = s:option(Value, "dest_port")
+toport.size = 5

 
 return m
 
 return m

diff --git a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
index 56f1282..d542bcb 100644 (file)
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
@@ -11,26 +11,20 @@ You may obtain a copy of the License at
 
 $Id$
 ]]--
 
 $Id$
 ]]--

-m = Map("luci_fw", translate("fw_routing"), translate("fw_routing1"))
+m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))

 
 

-s = m:section(TypedSection, "routing", "")
+s = m:section(TypedSection, "forwarding", "")

 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 

-iface = s:option(ListValue, "iface")
-oface = s:option(ListValue, "oface")
+iface = s:option(ListValue, "src")
+oface = s:option(ListValue, "dest")

 
 

-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",

        function (section)
        function (section)

-               if section[".name"] ~= "loopback" then
-                       iface:value(section[".name"])
-                       oface:value(section[".name"])
-               end
+                       iface:value(section.name)
+                       oface:value(section.name)

        end)
 
        end)
 

-s:option(Flag, "fwd", "FWD").rmempty = true
-s:option(Flag, "nat", "NAT").rmempty = true
-s:option(Flag, "bidi", "<->").rmempty = true
-

 return m
 return m

diff --git a/applications/luci-fw/root/etc/config/luci_fw b/applications/luci-fw/root/etc/config/luci_fw
deleted file mode 100644 (file)
index c7dec7f..0000000
--- a/applications/luci-fw/root/etc/config/luci_fw
+++ /dev/null
@@ -1,2 +0,0 @@
-
- 
\ No newline at end of file

diff --git a/applications/luci-fw/root/etc/init.d/luci_fw b/applications/luci-fw/root/etc/init.d/luci_fw
deleted file mode 100755 (executable)
index 86d8a56..0000000
--- a/applications/luci-fw/root/etc/init.d/luci_fw
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/bin/sh /etc/rc.common
-START=46
-
-apply_portfw() {
-       local cfg="$1"
-       config_get proto "$cfg" proto
-       config_get dport "$cfg" dport
-       config_get iface "$cfg" iface
-       config_get to    "$cfg" to
-       
-       config_get ifname "$iface" ifname
-       
-       [ -n "$proto" ] || return 0
-       [ -n "$dport" ] || return 0
-       [ -n "$ifname" ] || return 0
-       [ -n "$to" ] || return 0
-
-       dport=$(echo $dport | sed -e 's/-/:/')
-
-       ports=$(echo $to | cut -sd: -f2)
-       if [ -n "$ports" ]; then
-               ports="--dport $(echo $ports | sed -e 's/-/:/')"
-       else
-               ports="--dport $dport"
-       fi
-
-       ip=$(echo $to | cut -d: -f1)
-       
-       if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
-               iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to"
-               iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT
-       fi
-
-       if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
-               iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to"
-               iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT
-       fi
-}
-
-apply_routing() {
-       local cfg="$1"
-       config_get iface "$cfg" iface
-       config_get oface "$cfg" oface
-       config_get_bool fwd "$cfg" fwd
-       config_get_bool nat "$cfg" nat
-       config_get_bool bidi "$cfg" bidi
-       
-       config_get ifname "$iface" ifname
-       config_get ofname "$oface" ifname
-       
-       [ -n "$ifname" ] || return 0
-       [ -n "$ofname" ] || return 0
-       
-       [ "$fwd" -gt 0 ] && {
-               iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
-               [ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
-       }
-       
-       [ "$nat" -gt 0 ] && {
-               config_get ifip "$iface" ipaddr
-               config_get ifmask "$iface" netmask
-               eval "$(ipcalc.sh $ifip $ifmask)"
-               
-               iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ofname" -j MASQUERADE
-               
-               [ "$bidi" -gt 0 ] && {
-                       config_get ofip "$oface" ipaddr
-                       config_get ofmask "$oface" netmask
-                       eval "$(ipcalc.sh $ofip $ofmask)"
-                       
-                       iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ifname" -j MASQUERADE         
-               }
-       }
-}
-
-apply_rule() {
-       local cfg="$1"
-       local cmd=""
-
-       config_get chain "$cfg" chain
-       [ -n "$chain" ] || return 0
-       [ "$chain" == "forward" ] && cmd="$cmd -A luci_fw_forward"
-       [ "$chain" == "input" ] && cmd="$cmd -A luci_fw_input"
-       [ "$chain" == "output" ] && cmd="$cmd -A luci_fw_output"
-       [ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_fw_prerouting"
-       [ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
-       
-       config_get iface "$cfg" iface
-       config_get ifname "$iface" ifname
-       [ -n "$ifname" ] && cmd="$cmd -i $ifname"       
-
-       config_get oface "$cfg" oface
-       config_get ofname "$oface" ifname
-       [ -n "$ofname" ] && cmd="$cmd -o $ofname"       
-
-       config_get proto "$cfg" proto
-       [ -n "$proto" ] && cmd="$cmd -p $proto" 
-
-       config_get source "$cfg" source
-       [ -n "$source" ] && cmd="$cmd -s $source"       
-
-       config_get destination "$cfg" destination
-       [ -n "$destination" ] && cmd="$cmd -d $destination"     
-
-       config_get sport "$cfg" sport
-       [ -n "$sport" ] && cmd="$cmd --sport $sport"    
-
-       config_get dport "$cfg" dport
-       [ -n "$dport" ] && cmd="$cmd --dport $dport"    
-       
-       config_get todest "$cfg" todest
-       [ -n "$todest" ] && cmd="$cmd --to-destination $todest" 
-
-       config_get tosrc "$cfg" tosrc
-       [ -n "$tosrc" ] && cmd="$cmd --to-source $tosrc"        
-       
-       config_get mac "$cfg" mac
-       [ -n "$mac" ] && cmd="$cmd -m mac --mac-source $mac"
-
-       config_get jump "$cfg" jump
-       [ -n "$jump" ] && cmd="$cmd -j $jump"   
-
-       config_get command "$cfg" command
-       [ -n "$command" ] && cmd="$cmd $command"        
-
-       iptables $cmd
-}
-
-start() {
-       ### Create subchains
-       iptables -N luci_fw_input
-       iptables -N luci_fw_output
-       iptables -N luci_fw_forward
-       iptables -t nat -N luci_fw_prerouting
-       iptables -t nat -N luci_fw_postrouting
-       
-       ### Hook in the chains
-       iptables -A input_rule -j luci_fw_input
-       iptables -A output_rule -j luci_fw_output
-       iptables -A forwarding_rule -j luci_fw_forward
-       iptables -t nat -A prerouting_rule -j luci_fw_prerouting
-       iptables -t nat -A postrouting_rule -j luci_fw_postrouting
-       
-       ### Scan network interfaces
-       include /lib/network
-       scan_interfaces
-       
-       ### Read chains from config
-       config_load luci_fw
-       config_foreach apply_rule rule
-       config_foreach apply_portfw portfw
-       config_foreach apply_routing routing
-}
-
-stop() {
-       ### Hook out the chains
-       iptables -D input_rule -j luci_fw_input
-       iptables -D output_rule -j luci_fw_output
-       iptables -D forwarding_rule -j luci_fw_forward
-       iptables -t nat -D prerouting_rule -j luci_fw_prerouting
-       iptables -t nat -D postrouting_rule -j luci_fw_postrouting      
-       
-       ### Clear subchains
-       iptables -F luci_fw_input
-       iptables -F luci_fw_output
-       iptables -F luci_fw_forward
-       iptables -t nat -F luci_fw_prerouting
-       iptables -t nat -F luci_fw_postrouting
-       
-       ### Delete subchains
-       iptables -X luci_fw_input
-       iptables -X luci_fw_output
-       iptables -X luci_fw_forward
-       iptables -t nat -X luci_fw_prerouting
-       iptables -t nat -X luci_fw_postrouting
-}

diff --git a/contrib/package/luci/Makefile b/contrib/package/luci/Makefile
index d5123ab..0c06cd7 100644 (file)
--- a/contrib/package/luci/Makefile
+++ b/contrib/package/luci/Makefile
@@ -354,7 +354,7 @@ endef
 
 define Package/luci-app-firewall
   $(call Package/luci/webtemplate)
 
 define Package/luci-app-firewall
   $(call Package/luci/webtemplate)

-  DEPENDS+=+luci-admin-core
+  DEPENDS+=+luci-admin-core +firewall

   TITLE:=Firewall and Portforwarding application
 endef
 
   TITLE:=Firewall and Portforwarding application
 endef
 

diff --git a/libs/web/root/etc/config/luci b/libs/web/root/etc/config/luci
index b02fb51..8382b5d 100644 (file)
--- a/libs/web/root/etc/config/luci
+++ b/libs/web/root/etc/config/luci
@@ -19,15 +19,15 @@ config extern flash_keep
        option firewall "/etc/firewall.user"
 
 config event uci_oncommit
        option firewall "/etc/firewall.user"
 
 config event uci_oncommit

-       option network          "/sbin/luci-reload network firewall luci_fw dnsmasq"
-       option wireless         "/sbin/luci-reload network firewall luci_fw dnsmasq"
+       option network          "/sbin/luci-reload network firewall dnsmasq"
+       option wireless         "/sbin/luci-reload network firewall dnsmasq"

        option olsr                     "/sbin/luci-reload olsrd"
        option dhcp                     "/sbin/luci-reload dnsmasq"
        option dropbear         "/sbin/luci-reload dropbear"
        option httpd            "/sbin/luci-reload httpd"
        option fstab            "/sbin/luci-reload fstab"
        option qos                      "/sbin/luci-reload qos"
        option olsr                     "/sbin/luci-reload olsrd"
        option dhcp                     "/sbin/luci-reload dnsmasq"
        option dropbear         "/sbin/luci-reload dropbear"
        option httpd            "/sbin/luci-reload httpd"
        option fstab            "/sbin/luci-reload fstab"
        option qos                      "/sbin/luci-reload qos"

-       option luci_fw          "/sbin/luci-reload luci_fw"
+       option firewall         "/sbin/luci-reload firewall"

        option luci_ethers      "/sbin/luci-reload luci_ethers dnsmasq"
        option luci_splash      "/sbin/luci-reload luci_splash"
        option upnpd            "/etc/init.d/miniupnpd enabled && /sbin/luci-reload miniupnpd || /etc/init.d/miniupnpd stop"
        option luci_ethers      "/sbin/luci-reload luci_ethers dnsmasq"
        option luci_splash      "/sbin/luci-reload luci_splash"
        option upnpd            "/etc/init.d/miniupnpd enabled && /sbin/luci-reload miniupnpd || /etc/init.d/miniupnpd stop"