Diffstat (limited to 'applications/luci-app-firewall/luasrc/model')
7 files changed, 139 insertions, 53 deletions
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/custom.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/custom.lua
index 2b3cee3283..21a1b2796d 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/custom.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/custom.lua
@@ -5,7 +5,7 @@ local fs = require "nixio.fs"
 local f = SimpleForm("firewall", translate("Firewall - Custom Rules"),
-	translate("Custom rules allow you to execute arbritary iptables commands \
+	translate("Custom rules allow you to execute arbitrary iptables commands \
 	which are not otherwise covered by the firewall framework. \
 	The commands are executed after each firewall restart, right after \
 	the default ruleset has been loaded."))
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
index 22f1c77164..d51f8fb79b 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forward-details.lua
@@ -55,6 +55,7 @@ o = s:option(Value, "src", translate("Source zone"))
 o.nocreate = true
 o.default = "wan"
 o.template = "cbi/firewall_zonelist"
+o.rmempty = false
 o = s:option(DynamicList, "src_mac",
@@ -73,7 +74,7 @@ o = s:option(Value, "src_ip",
 	translate("Source IP address"),
 	translate("Only match incoming traffic from this IP or range."))
 o.rmempty = true
-o.datatype = "neg(ip4addr)"
+o.datatype = "neg(ipmask4)"
 o.placeholder = translate("any")
 luci.sys.net.ipv4_hints(function(ip, name)
@@ -88,6 +89,10 @@ o.rmempty = true
 o.datatype = "neg(portrange)"
 o.placeholder = translate("any")
+o:depends("proto", "tcp")
+o:depends("proto", "udp")
+o:depends("proto", "tcp udp")
+o:depends("proto", "tcpudp")
 o = s:option(Value, "src_dip",
 	translate("External IP address"),
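Review bot: The four `o:depends("proto", …)` lines added for `src_port` at the end of the hunk match the `proto` option by exact string, so a redirect whose `proto` is stored in any other spelling fw3 accepts (for example `udp tcp`, or a list that also names a third protocol) will have its port field hidden in the editor; since `o.rmempty = true` sits three lines above, presumably saving such a form then drops the stored port without any notice. The same four literal values are repeated in every port hunk of this commit, so a small shared helper that registers the protocol dependencies would keep them in sync, or at least a comment such as `-- port fields are only shown for the proto spellings offered in the dropdown; other spellings hide (and on save drop) the port` should state the limitation. This is inferred from the visible `rmempty`/`depends` pairing; confirm how the CBI map treats a hidden option on submit.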
@@ -99,7 +104,7 @@ end)
 o.rmempty = true
-o.datatype = "neg(ip4addr)"
+o.datatype = "neg(ipmask4)"
 o.placeholder = translate("any")
@@ -108,7 +113,10 @@ o = s:option(Value, "src_dport",
 	translate("External port"),
 	"destination port or port range on this host"))
 o.datatype = "neg(portrange)"
-
+o:depends("proto", "tcp")
+o:depends("proto", "udp")
+o:depends("proto", "tcp udp")
+o:depends("proto", "tcpudp")
 o = s:option(Value, "dest", translate("Internal zone"))
 o.nocreate = true
@@ -119,7 +127,7 @@ o.template = "cbi/firewall_zonelist"
 o = s:option(Value, "dest_ip",
 	translate("Internal IP address"),
 	translate("Redirect matched incoming traffic to the specified \
 	internal host"))
-o.datatype = "ip4addr"
+o.datatype = "ipmask4"
 luci.sys.net.ipv4_hints(function(ip, name)
 	o:value(ip, "%s (%s)" %{ ip, name })
@@ -133,6 +141,10 @@ o = s:option(Value, "dest_port",
 o.placeholder = translate("any")
 o.datatype = "portrange"
+o:depends("proto", "tcp")
+o:depends("proto", "udp")
+o:depends("proto", "tcp udp")
+o:depends("proto", "tcpudp")
 o = s:option(Flag, "reflection", translate("Enable NAT Loopback"))
 o.rmempty = true
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forwards.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forwards.lua
index e61ce73cdd..5d1ffe0913 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/forwards.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/forwards.lua
@@ -54,7 +54,7 @@ function s.parse(self, ...)
 		if created then
 			m.uci:save("firewall")
 			luci.http.redirect(ds.build_url(
-				"admin/network/firewall/redirect", created
+				"admin/network/firewall/forwards", created
 			))
 		end
 	end
@@ -63,8 +63,9 @@ function s.filter(self, sid)
 	return (self.map:get(sid, "target") ~= "SNAT")
 end
-
-ft.opt_name(s, DummyValue, translate("Name"))
+function s.sectiontitle(self, sid)
+	return (self.map:get(sid, "name") or translate("Unnamed forward"))
+end
 local function forward_proto_txt(self, s)
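Review bot: `o.datatype = "ipmask4"` on the DNAT `dest_ip` (the "Internal IP address" hunk) now lets the form accept a prefix length for the internal host, but that option becomes the `--to-destination` of a redirect, which names a single address or range; whether fw3 rejects the mask, silently strips it, or only uses it for reflection rules is not visible here and should be confirmed before loosening the check, because a stripped mask would forward to the typed host without any warning while a rejected one fails only at firewall reload. If a mask is never meaningful for the internal host, keeping `o.datatype = "ip4addr"` is the safer choice; if it is consumed by NAT reflection, a comment such as `-- prefix length is only used by NAT reflection; the DNAT target uses the host part` would explain the looser validation.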
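Review bot: In the forwards.lua hunk, `s.sectiontitle` returns the raw `name` value from the firewall config in place of the removed `ft.opt_name(s, DummyValue, …)` cell; a DummyValue without `rawhtml` is escaped when rendered, whereas whether the `cbi/tblsection` template escapes section titles is not visible in this diff. If the template inserts the title verbatim, a forward name containing markup — written by the editor's name field or by any process with UCI write access — would be rendered as HTML in the admin page, so either confirm the template escapes it or wrap the value here, e.g. `return luci.util.pcdata(self.map:get(sid, "name") or translate("Unnamed forward"))`. The same pattern is added in rules.lua for rules and SNAT sections and in zones.lua for zone names.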
@@ -103,7 +104,6 @@ end
 match = s:option(DummyValue, "match", translate("Match"))
 match.rawhtml = true
-match.width = "50%"
 function match.cfgvalue(self, s)
 	return "<small>%s<br />%s<br />%s</small>" % {
 		forward_proto_txt(self, s),
@@ -115,7 +115,6 @@ end
 dest = s:option(DummyValue, "dest", translate("Forward to"))
 dest.rawhtml = true
-dest.width = "40%"
 function dest.cfgvalue(self, s)
 	local z = ft.fmt_zone(self.map:get(s, "dest"), translate("any zone"))
 	local a = ft.fmt_ip(self.map:get(s, "dest_ip"), translate("any host"))
@@ -129,6 +128,6 @@ function dest.cfgvalue(self, s)
 	end
 end
-ft.opt_enabled(s, Flag, translate("Enable")).width = "1%"
+ft.opt_enabled(s, Flag, translate("Enable"))
 return m
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
index 97e93ae050..a4763d5dc4 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rule-details.lua
@@ -99,7 +99,7 @@ elseif rule_type == "redirect" then
 	o = s:option(Value, "src_ip", translate("Source IP address"))
 	o.rmempty = true
-	o.datatype = "neg(ipaddr)"
+	o.datatype = "neg(ipmask4)"
 	o.placeholder = translate("any")
 	luci.sys.net.ipv4_hints(function(ip, name)
@@ -115,6 +115,10 @@ elseif rule_type == "redirect" then
 	o.datatype = "neg(portrange)"
 	o.placeholder = translate("any")
+	o:depends("proto", "tcp")
+	o:depends("proto", "udp")
+	o:depends("proto", "tcp udp")
+	o:depends("proto", "tcpudp")
 	o = s:option(Value, "dest", translate("Destination zone"))
 	o.nocreate = true
@@ -123,7 +127,7 @@ elseif rule_type == "redirect" then
 	o = s:option(Value, "dest_ip", translate("Destination IP address"))
-	o.datatype = "neg(ip4addr)"
+	o.datatype = "neg(ipmask4)"
 	luci.sys.net.ipv4_hints(function(ip, name)
 		o:value(ip, "%s (%s)" %{ ip, name })
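Review bot: In the rule-details.lua `src_ip` hunk the datatype narrows from `neg(ipaddr)` to `neg(ipmask4)`, which rejects any IPv6 source an existing redirect may already carry; such a rule would fail validation on every save of this form until the address is removed, and nothing in the hunk records why the IPv6 space was dropped. If redirects are IPv4-only by design in fw3 the narrowing is fine, but the reason should be stated once, e.g. `-- redirects are IPv4-only: accept an optional prefix length, never an IPv6 address`; otherwise `neg(ipmask)` keeps the old input space while still gaining the prefix length. The enclosing `elseif rule_type == "redirect"` branch starts and ends outside the hunk.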
@@ -139,6 +143,10 @@ elseif rule_type == "redirect" then
 	o.placeholder = translate("any")
 	o.datatype = "neg(portrange)"
+	o:depends("proto", "tcp")
+	o:depends("proto", "udp")
+	o:depends("proto", "tcp udp")
+	o:depends("proto", "tcpudp")
 	o = s:option(Value, "src_dip",
 		translate("SNAT IP address"),
@@ -163,6 +171,10 @@ elseif rule_type == "redirect" then
 	o.rmempty = true
 	o.placeholder = translate('Do not rewrite')
+	o:depends("proto", "tcp")
+	o:depends("proto", "udp")
+	o:depends("proto", "tcp udp")
+	o:depends("proto", "tcpudp")
 	s:option(Value, "extra",
 		translate("Extra arguments"),
@@ -212,7 +224,13 @@ else
 	end
-	o = s:option(DynamicList, "icmp_type", translate("Match ICMP type"))
+	o = s:option(DropDown, "icmp_type", translate("Match ICMP type"))
+	o.multiple = true
+	o.display = 10
+	o.dropdown = 10
+	o.custom = true
+	o.cast = "table"
+
 	o:value("", "any")
 	o:value("echo-reply")
 	o:value("destination-unreachable")
@@ -251,11 +269,13 @@ else
 	o:value("address-mask-request")
 	o:value("address-mask-reply")
+	o:depends("proto", "icmp")
+
 	o = s:option(Value, "src", translate("Source zone"))
 	o.nocreate = true
 	o.allowany = true
-	o.default = "wan"
+	o.allowlocal = "src"
 	o.template = "cbi/firewall_zonelist"
@@ -269,7 +289,7 @@ else
 	o = s:option(Value, "src_ip", translate("Source address"))
-	o.datatype = "neg(ipaddr)"
+	o.datatype = "list(neg(ipmask))"
 	o.placeholder = translate("any")
 	luci.sys.net.ipv4_hints(function(ip, name)
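Review bot: `o.custom = true` on the new `icmp_type` DropDown allows free-text ICMP type names, but the hunk sets no `datatype`, so a mistyped name is only rejected when fw3 builds the `--icmp-type` argument at firewall reload rather than in the form; a validation pattern or at least a comment such as `-- custom entries are passed to fw3 unchecked; it validates type names and numeric type/code at load time` would make the contract visible. Also `o:value("", "any")` stays selectable alongside real types now that `o.multiple = true` and `o.cast = "table"` are set, which presumably yields an empty element in the stored list when both are chosen; confirm the widget drops the empty choice once another entry is selected. The enclosing `else` branch starts and ends outside the hunk.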
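Review bot: In the Source zone hunk, replacing `o.default = "wan"` with `o.allowlocal = "src"` means a traffic rule saved without explicitly choosing a source zone no longer targets `wan` but — together with the `dest_local` "Output zone" option this commit shows when `src` is empty — becomes an OUTPUT rule for traffic generated by the device itself. That is a meaningful change for anyone who relied on the previous default, and nothing in the hunk documents it; a comment above the option such as `-- no default: an empty source zone denotes a rule for locally generated (OUTPUT) traffic` would make the intent explicit and stop the `wan` default being reintroduced. The enclosing `else` branch continues outside the hunk.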
@@ -281,16 +301,29 @@ else
 	o.datatype = "list(neg(portrange))"
 	o.placeholder = translate("any")
+	o:depends("proto", "tcp")
+	o:depends("proto", "udp")
+	o:depends("proto", "tcp udp")
+	o:depends("proto", "tcpudp")
-	o = s:option(Value, "dest", translate("Destination zone"))
+	o = s:option(Value, "dest_local", translate("Output zone"))
+	o.nocreate = true
+	o.allowany = true
+	o.template = "cbi/firewall_zonelist"
+	o.alias = "dest"
+	o:depends("src", "")
+
+	o = s:option(Value, "dest_remote", translate("Destination zone"))
 	o.nocreate = true
 	o.allowany = true
 	o.allowlocal = true
 	o.template = "cbi/firewall_zonelist"
+	o.alias = "dest"
+	o:depends({["src"] = "", ["!reverse"] = true})
 	o = s:option(Value, "dest_ip", translate("Destination address"))
-	o.datatype = "neg(ipaddr)"
+	o.datatype = "list(neg(ipmask))"
 	o.placeholder = translate("any")
 	luci.sys.net.ipv4_hints(function(ip, name)
@@ -302,6 +335,10 @@ else
 	o.datatype = "list(neg(portrange))"
 	o.placeholder = translate("any")
+	o:depends("proto", "tcp")
+	o:depends("proto", "udp")
+	o:depends("proto", "tcp udp")
+	o:depends("proto", "tcpudp")
 	o = s:option(ListValue, "target", translate("Action"))
 	o.default = "ACCEPT"
@@ -316,9 +353,9 @@ else
 		translate("Passes additional arguments to iptables. Use with care!"))
 end
-o = s:option(MultiValue, "weekdays", translate("Week Days"))
-o.oneline = true
-o.widget = "checkbox"
+o = s:option(DropDown, "weekdays", translate("Week Days"))
+o.multiple = true
+o.display = 5
 o:value("Sun", translate("Sunday"))
 o:value("Mon", translate("Monday"))
 o:value("Tue", translate("Tuesday"))
@@ -327,9 +364,9 @@ o:value("Thu", translate("Thursday"))
 o:value("Fri", translate("Friday"))
 o:value("Sat", translate("Saturday"))
-o = s:option(MultiValue, "monthdays", translate("Month Days"))
-o.oneline = true
-o.widget = "checkbox"
+o = s:option(DropDown, "monthdays", translate("Month Days"))
+o.multiple = true
+o.display = 15
 for i = 1,31 do
 	o:value(translate(i))
 end
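Review bot: `dest_local` and `dest_remote` both carry `o.alias = "dest"` and are toggled by complementary dependencies on `src` (`o:depends("src", "")` versus `o:depends({["src"] = "", ["!reverse"] = true})`), so they are two widgets bound to one UCI option; what the CBI map does on submit with the widget whose dependency is unmet — skip it, or write its empty value over the other's — is not visible here and decides whether the pair can clobber each other. Please confirm the framework skips options with unsatisfied dependencies before `write`, and leave a comment such as `-- dest_local/dest_remote are alternate editors for the single "dest" option; only the one whose src dependency matches is submitted` so the next reader does not treat them as two separate options. The enclosing `else` branch starts outside the hunk.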
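Review bot: The `weekdays` and `monthdays` DropDowns set `o.multiple = true` but, unlike the `icmp_type` DropDown earlier in this file, not `o.cast = "table"`; if `cast` selects whether the selection is stored as a UCI list or a space-joined string, these two options will be written in a different shape from `icmp_type`, and whether that shape matches what the former `MultiValue` widget produced — so existing `weekdays`/`monthdays` entries still round-trip — cannot be confirmed from this hunk. A one-line comment stating the intended storage format, e.g. `-- stored as a space-separated string, which is what fw3 parses for weekdays/monthdays`, would settle this either way, and if the difference from `icmp_type` is unintentional the three options should agree.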
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rules.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rules.lua
index c533491977..f4b6b2a928 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/rules.lua
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/rules.lua
@@ -72,7 +72,9 @@ function s.parse(self, ...)
 	end
 end
-ft.opt_name(s, DummyValue, translate("Name"))
+function s.sectiontitle(self, sid)
+	return (self.map:get(sid, "name") or translate("Unnamed rule"))
+end
 local function rule_proto_txt(self, s)
 	local f = self.map:get(s, "family")
@@ -89,17 +91,31 @@ local function rule_proto_txt(self, s)
 end
 local function rule_src_txt(self, s)
-	local z = ft.fmt_zone(self.map:get(s, "src"), translate("any zone"))
-	local a = ft.fmt_ip(self.map:get(s, "src_ip"), translate("any host"))
+	local z = ft.fmt_zone(self.map:get(s, "src"))
 	local p = ft.fmt_port(self.map:get(s, "src_port"))
 	local m = ft.fmt_mac(self.map:get(s, "src_mac"))
-	if p and m then
-		return translatef("From %s in %s with source %s and %s", a, z, p, m)
-	elseif p or m then
-		return translatef("From %s in %s with source %s", a, z, p or m)
+	-- Forward/Input
+	if z and #z > 0 then
+		local a = ft.fmt_ip(self.map:get(s, "src_ip"), translate("any host"))
+		if p and m then
+			return translatef("From %s in %s with source %s and %s", a, z, p, m)
+		elseif p or m then
+			return translatef("From %s in %s with source %s", a, z, p or m)
+		else
+			return translatef("From %s in %s", a, z)
+		end
+
+	-- Output
 	else
-		return translatef("From %s in %s", a, z)
+		local a = ft.fmt_ip(self.map:get(s, "src_ip"), translate("any router IP"))
+		if p and m then
+			return translatef("From %s on <var>this device</var> with source %s and %s", a, p, m)
+		elseif p or m then
+			return translatef("From %s on <var>this device</var> with source %s", a, p or m)
+		else
+			return translatef("From %s on <var>this device</var>", a)
+		end
 	end
 end
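Review bot: The rewritten `rule_src_txt` chooses between the "in zone" and "on this device" wording with `if z and #z > 0`, where `z` now comes from `ft.fmt_zone(self.map:get(s, "src"))` without the former `translate("any zone")` fallback, yet the function carries no explanation that an absent `src` denotes a locally generated (OUTPUT) rule; the bare `-- Forward/Input` and `-- Output` markers are the only hint. A header comment such as `-- Describe a rule's source: "From A in B …" when a src zone is set, "on this device" when src is empty (OUTPUT rule)` would make the branch meaningful, and it is worth recording what `fmt_zone` returns for fw3's `*` (any zone) value so the `#z > 0` test is known to handle it rather than misreporting such a rule as an output rule.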
@@ -145,7 +161,6 @@ end
 match = s:option(DummyValue, "match", translate("Match"))
 match.rawhtml = true
-match.width = "70%"
 function match.cfgvalue(self, s)
 	return "<small>%s<br />%s<br />%s</small>" % {
 		rule_proto_txt(self, s),
@@ -156,9 +171,8 @@ end
 target = s:option(DummyValue, "target", translate("Action"))
 target.rawhtml = true
-target.width = "20%"
 function target.cfgvalue(self, s)
-	local t = ft.fmt_target(self.map:get(s, "target"), self.map:get(s, "dest"))
+	local t = ft.fmt_target(self.map:get(s, "target"), self.map:get(s, "src"), self.map:get(s, "dest"))
 	local l = ft.fmt_limit(self.map:get(s, "limit"),
 		self.map:get(s, "limit_burst"))
@@ -169,7 +183,7 @@ function target.cfgvalue(self, s)
 	end
 end
-ft.opt_enabled(s, Flag, translate("Enable")).width = "1%"
+ft.opt_enabled(s, Flag, translate("Enable"))
 --
@@ -226,11 +240,12 @@ function s.filter(self, sid)
 	return (self.map:get(sid, "target") == "SNAT")
 end
-ft.opt_name(s, DummyValue, translate("Name"))
+function s.sectiontitle(self, sid)
+	return (self.map:get(sid, "name") or translate("Unnamed SNAT"))
+end
 match = s:option(DummyValue, "match", translate("Match"))
 match.rawhtml = true
-match.width = "70%"
 function match.cfgvalue(self, s)
 	return "<small>%s<br />%s<br />%s</small>" % {
 		rule_proto_txt(self, s),
@@ -241,7 +256,6 @@ end
 snat = s:option(DummyValue, "via", translate("Action"))
 snat.rawhtml = true
-snat.width = "20%"
 function snat.cfgvalue(self, s)
 	local a = ft.fmt_ip(self.map:get(s, "src_dip"))
 	local p = ft.fmt_port(self.map:get(s, "src_dport"))
@@ -253,7 +267,7 @@ function snat.cfgvalue(self, s)
 	end
 end
-ft.opt_enabled(s, Flag, translate("Enable")).width = "1%"
+ft.opt_enabled(s, Flag, translate("Enable"))
 return m
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/zone-details.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/zone-details.lua
index c8b8f22bda..e168c3c605 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/zone-details.lua
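Review bot: In `target.cfgvalue`, `ft.fmt_target` is now called with three arguments `(target, src, dest)` where it previously received `(target, dest)`, but the matching change to `luci.tools.firewall` lies outside this diffstat (it is limited to `model/`), so from this view it cannot be confirmed that the helper's signature moved in the same commit; if it did not, `src` lands in the old `dest` parameter and the real destination is ignored in the rendered action text. A one-line cross-reference next to the call, e.g. `-- fmt_target(target, src, dest): src decides whether INPUT/OUTPUT/FORWARD wording is used`, would tie the two files together. `target.cfgvalue` ends outside the hunk.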
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/zone-details.lua
@@ -21,7 +21,7 @@ nw.init(m.uci)
 local zone = fw:get_zone(arg[1])
 if not zone then
-	luci.http.redirect(dsp.build_url("admin/network/firewall/zones"))
+	luci.http.redirect(ds.build_url("admin/network/firewall/zones"))
 	return
 else
 	m.title = "%s - %s" %{
@@ -68,12 +68,6 @@ function name.write(self, section, value)
 		out.exclude = value
 		inp.exclude = value
 	end
-
-	m.redirect = ds.build_url("admin/network/firewall/zones", value)
-	m.title = "%s - %s" %{
-		translate("Firewall - Zone Settings"),
-		translatef("Zone %q", value or "?")
-	}
 end
 p = {
@@ -107,9 +101,12 @@ end
 function net.write(self, section, value)
 	zone:clear_networks()
-	local n
-	for n in ut.imatch(value) do
-		zone:add_network(n)
+	local net
+	for net in ut.imatch(value) do
+		local n = nw:get_network(net) or nw:add_network(net, { proto = "none" })
+		if n then
+			zone:add_network(n:name())
+		end
 	end
 end
@@ -126,7 +123,7 @@ msrc = s:taboption("advanced", DynamicList, "masq_src",
 	translate("Restrict Masquerading to given source subnets"))
 msrc.optional = true
-msrc.datatype = "list(neg(or(uciname,hostname,ip4addr)))"
+msrc.datatype = "list(neg(or(uciname,hostname,ipmask4)))"
 msrc.placeholder = "0.0.0.0/0"
 msrc:depends("family", "")
 msrc:depends("family", "ipv4")
@@ -135,7 +132,7 @@ mdest = s:taboption("advanced", DynamicList, "masq_dest",
 	translate("Restrict Masquerading to given destination subnets"))
 mdest.optional = true
-mdest.datatype = "list(neg(or(uciname,hostname,ip4addr)))"
+mdest.datatype = "list(neg(or(uciname,hostname,ipmask4)))"
 mdest.placeholder = "0.0.0.0/0"
 mdest:depends("family", "")
 mdest:depends("family", "ipv4")
diff --git a/applications/luci-app-firewall/luasrc/model/cbi/firewall/zones.lua b/applications/luci-app-firewall/luasrc/model/cbi/firewall/zones.lua
index 694bbd872e..46402a8fc1 100644
--- a/applications/luci-app-firewall/luasrc/model/cbi/firewall/zones.lua
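Review bot: `net.write` now materializes any network name in the zone's network list that does not yet exist by calling `nw:add_network(net, { proto = "none" })`, so saving the zone form writes a new interface section into the network config as a side effect, and names that `add_network` refuses are silently skipped by the `if n then` guard and simply vanish from the zone without feedback. Two things would help: a comment such as `-- unknown names are created as proto "none" interfaces so fw3 can resolve them; names add_network rejects are dropped`, and a `datatype` (e.g. `uciname`) on the `net` option so bad input is rejected in the form rather than discarded on write. The definition of the `net` option is outside the hunk, so the datatype may already be present.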
+++ b/applications/luci-app-firewall/luasrc/model/cbi/firewall/zones.lua
@@ -3,6 +3,7 @@
 local ds = require "luci.dispatcher"
 local fw = require "luci.model.firewall"
+local fs = require "nixio.fs"
 local m, s, o, p, i, v
@@ -19,7 +20,6 @@ s.addremove = false
 s:option(Flag, "syn_flood", translate("Enable SYN-flood protection"))
 o = s:option(Flag, "drop_invalid", translate("Drop invalid packets"))
-o.default = o.enabled
 p = {
 	s:option(ListValue, "input", translate("Input")),
@@ -33,6 +33,28 @@ for i, v in ipairs(p) do
 	v:value("ACCEPT", translate("accept"))
 end
+-- Netfilter flow offload support
+
+local offload = fs.access("/sys/module/xt_FLOWOFFLOAD/refcnt")
+
+if offload then
+	s:option(DummyValue, "offload_advice",
+		translate("Routing/NAT Offloading"),
+		translate("Experimental feature. Not fully compatible with QoS/SQM."))
+
+	o = s:option(Flag, "flow_offloading",
+		translate("Software flow offloading"),
+		translate("Software based offloading for routing/NAT"))
+	o.optional = true
+
+	o = s:option(Flag, "flow_offloading_hw",
+		translate("Hardware flow offloading"),
+		translate("Requires hardware NAT support. Implemented at least for mt7621"))
+	o.optional = true
+	o:depends( "flow_offloading", 1)
+end
+
+-- Firewall zones
 s = m:section(TypedSection, "zone", translate("Zones"))
 s.template = "cbi/tblsection"
@@ -40,6 +62,11 @@ s.anonymous = true
 s.addremove = true
 s.extedit = ds.build_url("admin", "network", "firewall", "zones", "%s")
+function s.sectiontitle(self, sid)
+	local z = fw:get_zone(sid)
+	return z:name()
+end
+
 function s.create(self)
 	local z = fw:new_zone()
 	if z then
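Review bot: Removing `o.default = o.enabled` from `drop_invalid` changes what the checkbox shows on configs where the option is unset — it now renders unchecked, which presumably reflects fw3's own default rather than the UI's previous optimistic one — but the hunk leaves no trace of why, and a security-relevant toggle whose displayed state silently changed deserves one. A comment such as `-- no UI default: show fw3's effective default (off) so the checkbox reflects what the firewall actually does` would record the reasoning and stop the default being reintroduced.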
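Review bot: The new `s.sectiontitle` calls `z:name()` on the result of `fw:get_zone(sid)` without checking for nil, whereas zone-details.lua in this same commit guards `fw:get_zone(arg[1])` with `if not zone then`; a zone section the model cannot resolve (for instance one whose `name` is missing or malformed) would raise while rendering the title and take the whole zones table down with it. A safe form is `local z = fw:get_zone(sid)` followed by `return z and z:name() or sid`. Separately, in the offload hunk above, `o:depends( "flow_offloading", 1)` has a stray space after the parenthesis compared with every other `depends` call in this commit.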