8 files changed, 290 insertions, 0 deletions

diff --git a/applications/luci-app-bcp38/Makefile b/applications/luci-app-bcp38/Makefile
new file mode 100644
index 0000000000..9ab5a6701d
--- /dev/null
+++ b/applications/luci-app-bcp38/Makefile
@@ -0,0 +1,18 @@
+#
+# Copyright (C) 2010 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=BCP38 LuCI interface
+LUCI_DEPENDS:=+luci-mod-admin-full +bcp38
+
+PKG_MAINTAINER:=Toke Høiland-Jørgensen <toke@toke.dk>
+PKG_LICENSE:=Apache-2.0
+
+include ../../luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
diff --git a/applications/luci-app-bcp38/luasrc/controller/bcp38.lua b/applications/luci-app-bcp38/luasrc/controller/bcp38.lua
new file mode 100644
index 0000000000..7ea22835d6
--- /dev/null
+++ b/applications/luci-app-bcp38/luasrc/controller/bcp38.lua
@@ -0,0 +1,7 @@
+module("luci.controller.bcp38", package.seeall)
+
+function index()
+	entry({"admin", "network", "firewall", "bcp38"},
+		cbi("bcp38"),
+		_("BCP38"), 50).dependent = false
+end
diff --git a/applications/luci-app-bcp38/luasrc/model/cbi/bcp38.lua b/applications/luci-app-bcp38/luasrc/model/cbi/bcp38.lua
new file mode 100644
index 0000000000..632074a56f
--- /dev/null
+++ b/applications/luci-app-bcp38/luasrc/model/cbi/bcp38.lua
@@ -0,0 +1,60 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2014 Toke Høiland-Jørgensen <toke@toke.dk>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+local wa = require "luci.tools.webadmin"
+local net = require "luci.model.network".init()
+local ifaces = net:get_interfaces()
+
+m = Map("bcp38", translate("BCP38"),
+	translate("This function blocks packets with private address destinations " ..
+		"from going out onto the internet as per " ..
+		"<a href=\"http://tools.ietf.org/html/bcp38\">BCP 38</a>. " ..
+		"For IPv6, only source specific default routes are installed, so " ..
+		"no BCP38 firewall routes are needed."))
+
+s = m:section(TypedSection, "bcp38", translate("BCP38 config"))
+s.anonymous = true
+-- BASIC
+e = s:option(Flag, "enabled", translate("Enable"))
+e.rmempty = false
+
+a = s:option(Flag, "detect_upstream", translate("Auto-detect upstream IP"),
+				translate("Attempt to automatically detect if the upstream IP " ..
+					"will be blocked by the configuration, and add an exception if it will. " ..
+					"If this does not work correctly, you can add exceptions manually below."))
+a.rmempty = false
+
+n = s:option(ListValue, "interface", translate("Interface name"), translate("Interface to apply the blocking to " ..
+							"(should be the upstream WAN interface)."))
+for _, iface in ipairs(ifaces) do
+     if iface:is_up() then
+	n:value(iface:name())
+     end
+end
+n.rmempty = false
+
+ma = s:option(DynamicList, "match",
+	translate("Blocked IP ranges"))
+
+ma.datatype = "ip4addr"
+
+nm = s:option(DynamicList, "nomatch",
+	translate("Allowed IP ranges"), translate("Takes precedence over blocked ranges. "..
+						  "Use to whitelist your upstream network if you're behind a double NAT " ..
+						  "and the auto-detection doesn't work."))
+
+nm.datatype = "ip4addr"
+
+
+return m
diff --git a/applications/luci-app-bcp38/po/sv/bcp38.po b/applications/luci-app-bcp38/po/sv/bcp38.po
new file mode 100644
index 0000000000..7293278f26
--- /dev/null
+++ b/applications/luci-app-bcp38/po/sv/bcp38.po
@@ -0,0 +1,45 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8\n"
+
+msgid "Allowed IP ranges"
+msgstr ""
+
+msgid ""
+"Attempt to automatically detect if the upstream IP will be blocked by the "
+"configuration, and add an exception if it will. If this does not work "
+"correctly, you can add exceptions manually below."
+msgstr ""
+
+msgid "Auto-detect upstream IP"
+msgstr "Upptäck automatiskt IP från uppströms"
+
+msgid "BCP38"
+msgstr "BCP38"
+
+msgid "BCP38 config"
+msgstr ""
+
+msgid "Blocked IP ranges"
+msgstr ""
+
+msgid "Enable"
+msgstr "Aktivera"
+
+msgid "Interface name"
+msgstr "Namn på gränssnittet"
+
+msgid ""
+"Interface to apply the blocking to (should be the upstream WAN interface)."
+msgstr ""
+
+msgid ""
+"Takes precedence over blocked ranges. Use to whitelist your upstream network "
+"if you're behind a double NAT and the auto-detection doesn't work."
+msgstr ""
+
+msgid ""
+"This function blocks packets with private address destinations from going "
+"out onto the internet as per <a href=\"http://tools.ietf.org/html/"
+"bcp38\">BCP 38</a>. For IPv6, only source specific default routes are "
+"installed, so no BCP38 firewall routes are needed."
+msgstr ""
diff --git a/applications/luci-app-bcp38/po/templates/bcp38.pot b/applications/luci-app-bcp38/po/templates/bcp38.pot
new file mode 100644
index 0000000000..1210784d23
--- /dev/null
+++ b/applications/luci-app-bcp38/po/templates/bcp38.pot
@@ -0,0 +1,45 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8"
+
+msgid "Allowed IP ranges"
+msgstr ""
+
+msgid ""
+"Attempt to automatically detect if the upstream IP will be blocked by the "
+"configuration, and add an exception if it will. If this does not work "
+"correctly, you can add exceptions manually below."
+msgstr ""
+
+msgid "Auto-detect upstream IP"
+msgstr ""
+
+msgid "BCP38"
+msgstr ""
+
+msgid "BCP38 config"
+msgstr ""
+
+msgid "Blocked IP ranges"
+msgstr ""
+
+msgid "Enable"
+msgstr ""
+
+msgid "Interface name"
+msgstr ""
+
+msgid ""
+"Interface to apply the blocking to (should be the upstream WAN interface)."
+msgstr ""
+
+msgid ""
+"Takes precedence over blocked ranges. Use to whitelist your upstream network "
+"if you're behind a double NAT and the auto-detection doesn't work."
+msgstr ""
+
+msgid ""
+"This function blocks packets with private address destinations from going "
+"out onto the internet as per <a href=\"http://tools.ietf.org/html/"
+"bcp38\">BCP 38</a>. For IPv6, only source specific default routes are "
+"installed, so no BCP38 firewall routes are needed."
+msgstr ""
diff --git a/applications/luci-app-bcp38/po/zh-cn/bcp38.po b/applications/luci-app-bcp38/po/zh-cn/bcp38.po
new file mode 100644
index 0000000000..45eff986b2
--- /dev/null
+++ b/applications/luci-app-bcp38/po/zh-cn/bcp38.po
@@ -0,0 +1,52 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8\n"
+
+msgid "Allowed IP ranges"
+msgstr "允许的 IP 范围"
+
+msgid ""
+"Attempt to automatically detect if the upstream IP will be blocked by the "
+"configuration, and add an exception if it will. If this does not work "
+"correctly, you can add exceptions manually below."
+msgstr ""
+"自动检测上游 IP 是否会被当前配置所阻止，当检测到会被阻止时将会添加例外。如果"
+"自动检测无法正常工作，您可以在下面手动添加例外。"
+
+msgid "Auto-detect upstream IP"
+msgstr "自动检测上游 IP"
+
+msgid "BCP38"
+msgstr "BCP38"
+
+msgid "BCP38 config"
+msgstr "BCP38 配置"
+
+msgid "Blocked IP ranges"
+msgstr "阻止的 IP 范围"
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "Interface name"
+msgstr "接口名称"
+
+msgid ""
+"Interface to apply the blocking to (should be the upstream WAN interface)."
+msgstr "应用“阻止规则”的接口（应当为上游 WAN 接口）。"
+
+msgid ""
+"Takes precedence over blocked ranges. Use to whitelist your upstream network "
+"if you're behind a double NAT and the auto-detection doesn't work."
+msgstr ""
+"这里的规则优先于阻止规则被使用。如果您在双重 NAT 之后并且自动检测功能不起作"
+"用，请在这里添加您上游网络的白名单。"
+
+msgid ""
+"This function blocks packets with private address destinations from going "
+"out onto the internet as per <a href=\"http://tools.ietf.org/html/"
+"bcp38\">BCP 38</a>. For IPv6, only source specific default routes are "
+"installed, so no BCP38 firewall routes are needed."
+msgstr ""
+"此功能可以阻止具有私有目标地址的数据包通过 <a href=\"http://tools.ietf.org/"
+"html/bcp38\">BCP 38</a> 发送到互联网上。对于 IPv6，仅安装源特定的默认路由，因"
+"此不需要 BCP38 防火墙路由。"
diff --git a/applications/luci-app-bcp38/po/zh-tw/bcp38.po b/applications/luci-app-bcp38/po/zh-tw/bcp38.po
new file mode 100644
index 0000000000..7900cb37f0
--- /dev/null
+++ b/applications/luci-app-bcp38/po/zh-tw/bcp38.po
@@ -0,0 +1,52 @@
+msgid ""
+msgstr "Content-Type: text/plain; charset=UTF-8\n"
+
+msgid "Allowed IP ranges"
+msgstr "允許的 IP 範圍"
+
+msgid ""
+"Attempt to automatically detect if the upstream IP will be blocked by the "
+"configuration, and add an exception if it will. If this does not work "
+"correctly, you can add exceptions manually below."
+msgstr ""
+"自動檢測上游 IP 是否會被當前配置所阻止，當檢測到會被阻止時將會新增例外。如果"
+"自動檢測無法正常工作，您可以在下面手動新增例外。"
+
+msgid "Auto-detect upstream IP"
+msgstr "自動檢測上游 IP"
+
+msgid "BCP38"
+msgstr "BCP38"
+
+msgid "BCP38 config"
+msgstr "BCP38 配置"
+
+msgid "Blocked IP ranges"
+msgstr "阻止的 IP 範圍"
+
+msgid "Enable"
+msgstr "啟用"
+
+msgid "Interface name"
+msgstr "介面名稱"
+
+msgid ""
+"Interface to apply the blocking to (should be the upstream WAN interface)."
+msgstr "應用“阻止規則”的介面（應當為上游 WAN 介面）。"
+
+msgid ""
+"Takes precedence over blocked ranges. Use to whitelist your upstream network "
+"if you're behind a double NAT and the auto-detection doesn't work."
+msgstr ""
+"這裡的規則優先於阻止規則被使用。如果您在雙重 NAT 之後並且自動檢測功能不起作"
+"用，請在這裡新增您上游網路的白名單。"
+
+msgid ""
+"This function blocks packets with private address destinations from going "
+"out onto the internet as per <a href=\"http://tools.ietf.org/html/"
+"bcp38\">BCP 38</a>. For IPv6, only source specific default routes are "
+"installed, so no BCP38 firewall routes are needed."
+msgstr ""
+"此功能可以阻止具有私有目標位址的資料包通過 <a href=\"http://tools.ietf.org/"
+"html/bcp38\">BCP 38</a> 傳送到網際網路上。對於 IPv6，僅安裝源特定的預設路由，因"
+"此不需要 BCP38 防火牆路由。"
diff --git a/applications/luci-app-bcp38/root/etc/uci-defaults/60_luci-bcp38 b/applications/luci-app-bcp38/root/etc/uci-defaults/60_luci-bcp38
new file mode 100755
index 0000000000..c204236e37
--- /dev/null
+++ b/applications/luci-app-bcp38/root/etc/uci-defaults/60_luci-bcp38
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@bcp38[-1]
+	add ucitrack bcp38
+        add_list ucitrack.@bcp38[0].affects=firewall
+	commit ucitrack
+EOF
+
+rm -f /tmp/luci-indexcache
+exit 0