Diffstat (limited to 'applications/luci-firewall')
9 files changed, 698 insertions, 0 deletions
diff --git a/applications/luci-firewall/Makefile b/applications/luci-firewall/Makefile
new file mode 100644
index 0000000000..87e881d950
--- /dev/null
+++ b/applications/luci-firewall/Makefile
@@ -0,0 +1,4 @@
+PO = luci-fw
+
+include ../../build/config.mk
+include ../../build/module.mk
diff --git a/applications/luci-firewall/luasrc/controller/luci_fw/luci_fw.lua b/applications/luci-firewall/luasrc/controller/luci_fw/luci_fw.lua
new file mode 100644
index 0000000000..766821af0d
--- /dev/null
+++ b/applications/luci-firewall/luasrc/controller/luci_fw/luci_fw.lua
@@ -0,0 +1,13 @@
+module("luci.controller.luci_fw.luci_fw", package.seeall)
+
+function index()
+ require("luci.i18n").loadc("luci-fw")
+ local i18n = luci.i18n.translate
+
+ entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("Firewall"), 60).i18n = "luci-fw"
+ entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/zones"), i18n("Zones"), 10)
+ entry({"admin", "network", "firewall", "redirect"}, arcombine(cbi("luci_fw/redirect"), cbi("luci_fw/rrule")), i18n("Traffic Redirection"), 30).leaf = true
+ entry({"admin", "network", "firewall", "rule"}, arcombine(cbi("luci_fw/traffic"), cbi("luci_fw/trule")), i18n("Traffic Control"), 20).leaf = true
+
+ entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw", {autoapply=true}), i18n("Port forwarding"), 70).i18n = "luci-fw"
+end
\ No newline at end of file
diff --git a/applications/luci-firewall/luasrc/model/cbi/luci_fw/miniportfw.lua b/applications/luci-firewall/luasrc/model/cbi/luci_fw/miniportfw.lua
new file mode 100644
index 0000000000..44b15f2c77
--- /dev/null
+++ b/applications/luci-firewall/luasrc/model/cbi/luci_fw/miniportfw.lua
@@ -0,0 +1,48 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+require("luci.sys")
+m = Map("firewall", translate("Port forwarding"),
+ translate("Port forwarding allows to provide network services in " ..
+ "the internal network to an external network."))
+
+
+s = m:section(TypedSection, "redirect", "")
+s:depends("src", "wan")
+s.defaults.src = "wan"
+
+s.template = "cbi/tblsection"
+s.addremove = true
+s.anonymous = true
+
+name = s:option(Value, "_name", translate("Name"), translate("(optional)"))
+name.size = 10
+
+proto = s:option(ListValue, "proto", translate("Protocol"))
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+proto:value("tcpudp", "TCP+UDP")
+
+dport = s:option(Value, "src_dport", translate("External port"))
+dport.size = 5
+
+to = s:option(Value, "dest_ip", translate("Internal IP address"))
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port", translate("Internal port"),
+ translate("(optional)"))
+toport.size = 5
+
+return m
diff --git a/applications/luci-firewall/luasrc/model/cbi/luci_fw/redirect.lua b/applications/luci-firewall/luasrc/model/cbi/luci_fw/redirect.lua
new file mode 100644
index 0000000000..da87015c86
--- /dev/null
+++ b/applications/luci-firewall/luasrc/model/cbi/luci_fw/redirect.lua
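Review bot: `local i18n = luci.i18n.translate` reaches the module through the `luci` global that `package.seeall` exposes, although the preceding line already holds the module table returned by `require`; binding that return value is explicit and does not depend on the global environment: `local i18n_mod = require("luci.i18n")`, `i18n_mod.loadc("luci-fw")`, `local i18n = i18n_mod.translate`. The `redirect` and `rule` entries set `leaf = true`, which presumably lets trailing URL segments reach the `rrule`/`trule` models as their section argument, so those models have to treat that value as untrusted input. The `portfw` entry passes `{autoapply=true}`, so port-forward changes are applied on save without a separate apply step; a one-line comment stating that this is intended for the mini interface would help the next maintainer.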
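Review bot: `src_dport`, `dest_ip` and `dest_port` are plain `Value` fields with no validation, so whatever is typed is written to the firewall config and later interpreted by the firewall script, although the schema added in this commit declares them `portrange` and `ipaddr`; a malformed value yields a broken or unexpected rule instead of a form error. A `validate` override on each option (accept a numeric port or `a-b` range for the two ports, a dotted-quad address for `dest_ip`) keeps the form as strict as the schema. The same gap applies to the address, port and `proto` fields in redirect.lua, rrule.lua and trule.lua. The loop index `i` in `for i, dataset in ipairs(luci.sys.net.arptable())` is unused and is conventionally written `_`.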
@@ -0,0 +1,52 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+require("luci.sys")
+m = Map("firewall", translate("Traffic Redirection"),
+ translate("Traffic redirection allows you to change the " ..
+ "destination address of forwarded packets."))
+
+
+s = m:section(TypedSection, "redirect", "")
+s.template = "cbi/tblsection"
+s.addremove = true
+s.anonymous = true
+s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "redirect", "%s")
+
+name = s:option(Value, "_name", translate("Name"), translate("(optional)"))
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("Zone"))
+iface.default = "wan"
+luci.model.uci.cursor():foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ end)
+
+proto = s:option(ListValue, "proto", translate("Protocol"))
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+proto:value("tcpudp", "TCP+UDP")
+
+dport = s:option(Value, "src_dport", translate("Source port"))
+dport.size = 5
+
+to = s:option(Value, "dest_ip", translate("Destination IP"))
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port", translate("Destination port"))
+toport.size = 5
+
+return m
diff --git a/applications/luci-firewall/luasrc/model/cbi/luci_fw/rrule.lua b/applications/luci-firewall/luasrc/model/cbi/luci_fw/rrule.lua
new file mode 100644
index 0000000000..63e014444b
--- /dev/null
+++ b/applications/luci-firewall/luasrc/model/cbi/luci_fw/rrule.lua
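Review bot: The model calls `luci.model.uci.cursor()` and `luci.dispatcher.build_url` but only requires `luci.sys`, so it relies on the dispatcher having already loaded those modules into the shared `luci` table; an explicit `require("luci.model.uci")` and `require("luci.dispatcher")` next to the existing require makes the dependency visible and keeps the model loadable on its own. rrule.lua, traffic.lua (which additionally uses `luci.http`), trule.lua and zones.lua carry the same implicit dependency. `iface.default = "wan"` presets the zone, but the choices are built from whatever zones exist in the config, so a setup without a zone named `wan` presumably gets a default that is not among the offered values; a short comment or a check against the zone list would make that explicit.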
@@ -0,0 +1,80 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+require("luci.sys")
+arg[1] = arg[1] or ""
+
+m = Map("firewall", translate("Traffic Redirection"),
+ translate("Traffic redirection allows you to change the " ..
+ "destination address of forwarded packets."))
+
+
+s = m:section(NamedSection, arg[1], "redirect", "")
+s.anonymous = true
+s.addremove = false
+
+back = s:option(DummyValue, "_overview", translate("Overview"))
+back.value = ""
+back.titleref = luci.dispatcher.build_url("admin", "network", "firewall", "redirect")
+
+name = s:option(Value, "_name", translate("Name"))
+name.rmempty = true
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("Source zone"))
+iface.default = "wan"
+luci.model.uci.cursor():foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ end)
+
+s:option(Value, "src_ip", translate("Source IP address")).optional = true
+s:option(Value, "src_mac", translate("Source MAC-address")).optional = true
+
+sport = s:option(Value, "src_port", translate("Source port"),
+ translate("Match incoming traffic originating from the given " ..
+ "source port or port range on the client host"))
+sport.optional = true
+sport:depends("proto", "tcp")
+sport:depends("proto", "udp")
+sport:depends("proto", "tcpudp")
+
+proto = s:option(ListValue, "proto", translate("Protocol"))
+proto.optional = true
+proto:value("")
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+proto:value("tcpudp", "TCP+UDP")
+
+dport = s:option(Value, "src_dport", translate("External port"),
+ translate("Match incoming traffic directed at the given " ..
+ "destination port or port range on this host"))
+dport.size = 5
+dport:depends("proto", "tcp")
+dport:depends("proto", "udp")
+dport:depends("proto", "tcpudp")
+
+to = s:option(Value, "dest_ip", translate("Internal IP address"),
+ translate("Redirect matched incoming traffic to the specified " ..
+ "internal host"))
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port", translate("Internal port (optional)"),
+ translate("Redirect matched incoming traffic to the given port on " ..
+ "the internal host"))
+toport.optional = true
+toport.size = 5
+
+return m
diff --git a/applications/luci-firewall/luasrc/model/cbi/luci_fw/traffic.lua b/applications/luci-firewall/luasrc/model/cbi/luci_fw/traffic.lua
new file mode 100644
index 0000000000..3bdc6db4c5
--- /dev/null
+++ b/applications/luci-firewall/luasrc/model/cbi/luci_fw/traffic.lua
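Review bot: `arg[1] = arg[1] or ""` followed by `s = m:section(NamedSection, arg[1], "redirect", "")` binds the editor to whatever section name arrived with the request, and an empty or unknown name still renders the page against a section that does not exist; nothing checks that the name resolves to a `redirect` section. A guard between the `Map` and the section, for instance checking `m.uci:get("firewall", arg[1]) == "redirect"` and otherwise redirecting to the overview URL that `back.titleref` already builds, keeps the editor from acting on arbitrary section names; trule.lua has the same pattern with type `rule`. `sport` is declared before `proto` although its `depends` calls refer to `proto`, which presumably works because dependencies are resolved by option name, but declaring `proto` first reads more naturally and matches the order used in trule.lua.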
@@ -0,0 +1,88 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+Copyright 2008 Jo-Philipp Wich <xm@leipzig.freifunk.net>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+m = Map("firewall", translate("Traffic Control"))
+s = m:section(TypedSection, "forwarding", translate("Zone-to-Zone traffic"),
+ translate("Here you can specify which network traffic is allowed " ..
+ "to flow between network zones. Only new connections will " ..
+ "be matched. Packets belonging to already open " ..
+ "connections are automatically allowed to pass the " ..
+ "firewall. If you experience occasional connection " ..
+ "problems try enabling MSS Clamping otherwise disable it " ..
+ "for performance reasons."))
+s.template = "cbi/tblsection"
+s.addremove = true
+s.anonymous = true
+
+iface = s:option(ListValue, "src", translate("Source"))
+oface = s:option(ListValue, "dest", translate("Destination"))
+
+luci.model.uci.cursor():foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ oface:value(section.name)
+ end)
+
+
+
+s = m:section(TypedSection, "rule", translate("Rules"))
+s.addremove = true
+s.anonymous = true
+s.template = "cbi/tblsection"
+s.extedit = luci.dispatcher.build_url("admin", "network", "firewall", "rule", "%s")
+s.defaults.target = "ACCEPT"
+
+local created = nil
+
+function s.create(self, section)
+ created = TypedSection.create(self, section)
+end
+
+function s.parse(self, ...)
+ TypedSection.parse(self, ...)
+ if created then
+ m.uci:save("firewall")
+ luci.http.redirect(luci.dispatcher.build_url(
+ "admin", "network", "firewall", "rule", created
+ ))
+ end
+end
+
+s:option(DummyValue, "_name", translate("Name"))
+s:option(DummyValue, "proto", translate("Protocol"))
+
+src = s:option(DummyValue, "src", translate("Source"))
+function src.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "src") or "*",
+ self.map:get(s, "src_ip") or "0.0.0.0/0",
+ self.map:get(s, "src_port") or "*"
+ }
+end
+
+dest = s:option(DummyValue, "dest", translate("Destination"))
+function dest.cfgvalue(self, s)
+ return "%s:%s:%s" % {
+ self.map:get(s, "dest") or translate("Device"),
+ self.map:get(s, "dest_ip") or "0.0.0.0/0",
+ self.map:get(s, "dest_port") or "*"
+ }
+end
+
+
+s:option(DummyValue, "target", translate("Action"))
+
+
+return m
diff --git a/applications/luci-firewall/luasrc/model/cbi/luci_fw/trule.lua b/applications/luci-firewall/luasrc/model/cbi/luci_fw/trule.lua
new file mode 100644
index 0000000000..0ce41e38c7
--- /dev/null
+++ b/applications/luci-firewall/luasrc/model/cbi/luci_fw/trule.lua
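Review bot: In `function src.cfgvalue(self, s)` and `function dest.cfgvalue(self, s)` the parameter `s` shadows the file-level `s` that holds the rules `TypedSection`, so inside those bodies `s` is a section name rather than the section object; it works as written, but renaming the parameter, `function src.cfgvalue(self, section)` with `self.map:get(section, "src")`, removes a trap for the next edit. `s.create` stores the result of `TypedSection.create` in `created` but does not return it, so if any caller of `create` relies on the returned value (presumably the new section name) the override swallows it; adding `return created` after the assignment preserves the base contract. `local created = nil` is the same as `local created`.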
@@ -0,0 +1,77 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+arg[1] = arg[1] or ""
+m = Map("firewall", translate("Advanced Rules"),
+ translate("Advanced rules let you customize the firewall to your " ..
+ "needs. Only new connections will be matched. Packets " ..
+ "belonging to already open connections are automatically " ..
+ "allowed to pass the firewall."))
+
+s = m:section(NamedSection, arg[1], "rule", "")
+s.anonymous = true
+s.addremove = false
+
+back = s:option(DummyValue, "_overview", translate("Overview"))
+back.value = ""
+back.titleref = luci.dispatcher.build_url("admin", "network", "firewall", "rule")
+
+
+name = s:option(Value, "_name", translate("Name").." "..translate("(optional)"))
+name.rmempty = true
+
+iface = s:option(ListValue, "src", translate("Source zone"))
+iface.rmempty = true
+
+oface = s:option(ListValue, "dest", translate("Destination zone"))
+oface:value("", translate("any"))
+oface.rmempty = true
+
+luci.model.uci.cursor():foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ oface:value(section.name)
+ end)
+
+proto = s:option(Value, "proto", translate("Protocol"))
+proto.optional = true
+proto:value("")
+proto:value("all", translate("Any"))
+proto:value("tcpudp", "TCP+UDP")
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+proto:value("icmp", "ICMP")
+
+s:option(Value, "src_ip", translate("Source address")).optional = true
+s:option(Value, "dest_ip", translate("Destination address")).optional = true
+s:option(Value, "src_mac", translate("Source MAC-address")).optional = true
+
+sport = s:option(Value, "src_port", translate("Source port"))
+sport:depends("proto", "tcp")
+sport:depends("proto", "udp")
+sport:depends("proto", "tcpudp")
+
+dport = s:option(Value, "dest_port", translate("Destination port"))
+dport:depends("proto", "tcp")
+dport:depends("proto", "udp")
+dport:depends("proto", "tcpudp")
+
+jump = s:option(ListValue, "target", translate("Action"))
+jump.rmempty = true
+jump.default = "ACCEPT"
+jump:value("DROP", translate("drop"))
+jump:value("ACCEPT", translate("accept"))
+jump:value("REJECT", translate("reject"))
+
+
+return m
diff --git a/applications/luci-firewall/luasrc/model/cbi/luci_fw/zones.lua b/applications/luci-firewall/luasrc/model/cbi/luci_fw/zones.lua
new file mode 100644
index 0000000000..edb82a9b50
--- /dev/null
+++ b/applications/luci-firewall/luasrc/model/cbi/luci_fw/zones.lua
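Review bot: `proto` is a free-text `Value` whose suggestions are `tcp`/`udp`/`tcpudp`/`icmp`/`all`, but `sport` and `dport` depend on exactly those lower-case strings, so a typed variant such as `TCP` hides the port fields while the value is still saved and handed to the firewall script unvalidated. Either use a `ListValue` as rrule.lua does, or add a `validate` override that lower-cases the input and checks it against the accepted set, so that the dependency logic and the stored value agree. If free-form protocol names are intended (to allow protocols the list does not offer), a comment on the `proto` line should say so.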
@@ -0,0 +1,81 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+local nw = require "luci.model.network"
+local fw = require "luci.model.firewall"
+
+require("luci.tools.webadmin")
+m = Map("firewall", translate("Firewall"), translate("The firewall creates zones over your network interfaces to control network traffic flow."))
+
+fw.init(m.uci)
+nw.init(m.uci)
+
+s = m:section(TypedSection, "defaults")
+s.anonymous = true
+s.addremove = false
+
+s:option(Flag, "syn_flood", translate("Enable SYN-flood protection"))
+
+local di = s:option(Flag, "drop_invalid", translate("Drop invalid packets"))
+di.rmempty = false
+function di.cfgvalue(...)
+ return AbstractValue.cfgvalue(...) or "1"
+end
+
+p = {}
+p[1] = s:option(ListValue, "input", translate("Input"))
+p[2] = s:option(ListValue, "output", translate("Output"))
+p[3] = s:option(ListValue, "forward", translate("Forward"))
+
+for i, v in ipairs(p) do
+ v:value("REJECT", translate("reject"))
+ v:value("DROP", translate("drop"))
+ v:value("ACCEPT", translate("accept"))
+end
+
+
+s = m:section(TypedSection, "zone", translate("Zones"))
+s.template = "cbi/tblsection"
+s.anonymous = true
+s.addremove = true
+
+name = s:option(Value, "name", translate("Name"))
+name.size = 8
+
+p = {}
+p[1] = s:option(ListValue, "input", translate("Input"))
+p[2] = s:option(ListValue, "output", translate("Output"))
+p[3] = s:option(ListValue, "forward", translate("Forward"))
+
+for i, v in ipairs(p) do
+ v:value("REJECT", translate("reject"))
+ v:value("DROP", translate("drop"))
+ v:value("ACCEPT", translate("accept"))
+end
+
+s:option(Flag, "masq", translate("Masquerading"))
+s:option(Flag, "mtu_fix", translate("MSS clamping"))
+
+net = s:option(MultiValue, "network", translate("Network"))
+net.template = "cbi/network_netlist"
+net.widget = "checkbox"
+net.rmempty = true
+luci.tools.webadmin.cbi_add_networks(net)
+
+function net.cfgvalue(self, section)
+ local value = MultiValue.cfgvalue(self, section)
+ return value or name:cfgvalue(section)
+end
+
+return m
diff --git a/applications/luci-firewall/root/lib/uci/schema/default/firewall b/applications/luci-firewall/root/lib/uci/schema/default/firewall
new file mode 100644
index 0000000000..35ff0565cc
--- /dev/null
+++ b/applications/luci-firewall/root/lib/uci/schema/default/firewall
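Review bot: `di.cfgvalue` returns `"1"` whenever `drop_invalid` is unset in the config, so the checkbox renders as enabled although no option is stored; unless the firewall script applies the same default, the page shows a stricter state than what is actually enforced, and the fallback deserves a comment such as `-- unset drop_invalid is shown as enabled; keep in step with the firewall script's default`. The two `p = {}` / `for i, v in ipairs(p)` blocks that attach REJECT/DROP/ACCEPT to `input`/`output`/`forward` are identical, `p` is an accidental global and `i` is unused; a local helper applied to both sections removes the duplication (below). `mtu_fix` is offered here as a per-zone flag while the schema added in the same commit declares it under `firewall.forwarding`, so one of the two disagrees with the config the firewall script reads.
```lua
-- Attach the REJECT/DROP/ACCEPT policy lists to a section's
-- input/output/forward options (used for the defaults and for each zone).
local function add_policy_options(sec)
	local policies = {
		{ "input", translate("Input") },
		{ "output", translate("Output") },
		{ "forward", translate("Forward") },
	}
	for _, pol in ipairs(policies) do
		local o = sec:option(ListValue, pol[1], pol[2])
		o:value("REJECT", translate("reject"))
		o:value("DROP", translate("drop"))
		o:value("ACCEPT", translate("accept"))
	end
end

-- … unchanged: defaults section, syn_flood, drop_invalid …
add_policy_options(s)

-- … unchanged: zone section, name …
add_policy_options(s)
```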
@@ -0,0 +1,255 @@
+package firewall
+
+config package
+ option title 'Firewall configuration'
+
+config section
+ option name 'zone'
+ option title 'Firewall zones'
+ option package 'firewall'
+
+config variable
+ option name 'name'
+ option title 'Name'
+ option section 'firewall.zone'
+ option required true
+
+config variable
+ option name 'network'
+ option title 'Networks belonging to this zone'
+ option section 'firewall.zone'
+ option valueof 'network.interface'
+ option multival true
+
+config variable
+ option name 'forward'
+ option title 'Zone specific action for forwarded traffic'
+ option section 'firewall.zone'
+ option required true
+
+config variable
+ option name 'input'
+ option title 'Zone specific action for incoming traffic'
+ option section 'firewall.zone'
+ option required true
+
+config variable
+ option name 'output'
+ option title 'Zone specific action for outgoing traffic'
+ option section 'firewall.zone'
+ option required true
+
+config variable
+ option name 'masq'
+ option title 'Enable masquerading for outgoing zone traffic'
+ option section 'firewall.zone'
+ option datatype 'boolean'
+
+
+
+config section
+ option name 'defaults'
+ option title 'Global firewall defaults'
+ option package 'firewall'
+ option unique true
+ option required true
+
+config variable
+ option name 'forward'
+ option title 'Action for forwarded traffic'
+ option section 'firewall.defaults'
+ option required true
+
+config variable
+ option name 'input'
+ option title 'Action for incoming traffic'
+ option section 'firewall.defaults'
+ option required true
+
+config variable
+ option name 'output'
+ option title 'Action for outgoing traffic'
+ option section 'firewall.defaults'
+ option required true
+
+config variable
+ option name 'syn_flood'
+ option title 'Enable syn-flood protection'
+ option section 'firewall.defaults'
+ option datatype 'boolean'
+
+config variable
+ option name 'drop_invalid'
+ option title 'Do not drop packages with state invalid'
+ option section 'firewall.defaults'
+ option datatype 'boolean'
+
+
+
+config section
+ option name 'forwarding'
+ option title 'Forwarding rules'
+ option package 'firewall'
+
+config variable
+ option name 'src'
+ option title 'Source zone'
+ option section 'firewall.forwarding'
+ option valueof 'firewall.zone.name'
+ option required true
+
+config variable
+ option name 'dest'
+ option title 'Destination zone'
+ option section 'firewall.forwarding'
+ option valueof 'firewall.zone.name'
+ option required true
+
+config variable
+ option name 'mtu_fix'
+ option title 'Fixup MTU of outgoing packages'
+ option section 'firewall.forwarding'
+ option datatype 'boolean'
+
+
+
+config section
+ option name 'rule'
+ option title 'Custom rules'
+ option package 'firewall'
+ list depends 'target, src'
+ list depends 'target, dest'
+ list depends 'target, src_ip'
+ list depends 'target, src_port'
+ list depends 'target, src_mac'
+ list depends 'target, dest_ip'
+ list depends 'target, dest_port'
+ list depends 'target, proto'
+
+config variable
+ option name 'src'
+ option title 'Source zone'
+ option section 'firewall.rule'
+ option valueof 'firewall.zone.name'
+
+config variable
+ option name 'src_ip'
+ option title 'Source IP address'
+ option section 'firewall.rule'
+ option datatype 'ipaddr'
+
+config variable
+ option name 'src_port'
+ option title 'Source port'
+ option section 'firewall.rule'
+ option datatype 'portrange'
+
+config variable
+ option name 'src_mac'
+ option title 'Source MAC address'
+ option section 'firewall.rule'
+ option datatype 'macaddr'
+
+config variable
+ option name 'dest'
+ option title 'Destination zone'
+ option section 'firewall.rule'
+ option valueof 'firewall.zone.name'
+
+config variable
+ option name 'dest_ip'
+ option title 'Destination IP address'
+ option section 'firewall.rule'
+ option datatype 'ipaddr'
+
+config variable
+ option name 'dest_port'
+ option title 'Destination port'
+ option section 'firewall.rule'
+ option datatype 'portrange'
+
+config variable
+ option name 'proto'
+ option title 'Protocol'
+ option section 'firewall.rule'
+ option datatype 'string'
+
+config variable
+ option name 'target'
+ option title 'Option target'
+ option section 'firewall.rule'
+ option datatype 'string'
+
+
+
+config section
+ option name 'redirect'
+ option title 'Redirection rules'
+ option package 'firewall'
+
+config variable
+ option name 'src'
+ option title 'Source zone'
+ option section 'firewall.redirect'
+ option valueof 'firewall.zone.name'
+
+config variable
+ option name 'src_ip'
+ option title 'Source IP address'
+ option section 'firewall.redirect'
+ option datatype 'ipaddr'
+
+config variable
+ option name 'src_port'
+ option title 'Source port'
+ option section 'firewall.redirect'
+ option datatype 'portrange'
+
+config variable
+ option name 'src_dport'
+ option title 'Source destination port'
+ option section 'firewall.redirect'
+ option datatype 'portrange'
+
+config variable
+ option name 'src_mac'
+ option title 'Option src_mac'
+ option section 'firewall.redirect'
+ option datatype 'macaddr'
+
+config variable
+ option name 'dest'
+ option title 'Destination zone'
+ option section 'firewall.redirect'
+ option valueof 'firewall.zone.name'
+
+config variable
+ option name 'dest_ip'
+ option title 'Destination IP address'
+ option section 'firewall.redirect'
+ option datatype 'ipaddr'
+
+config variable
+ option name 'dest_port'
+ option title 'Destination port'
+ option section 'firewall.redirect'
+ option datatype 'portrange'
+
+config variable
+ option name 'proto'
+ option title 'Protocol'
+ option section 'firewall.redirect'
+ option datatype 'string'
+
+
+
+config section
+ option name 'include'
+ option title 'User defined config includes'
+ option package 'firewall'
+
+config variable
+ option name 'path'
+ option title 'Path to the include file'
+ option section 'firewall.include'
+ option datatype 'file'
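Review bot: The `drop_invalid` variable is titled 'Do not drop packages with state invalid', which is the opposite of what the option name and the zones.lua label ("Drop invalid packets") express; the title should read `option title 'Drop packets with state invalid'` so the schema does not invert the meaning of a security-relevant setting. `mtu_fix` is declared under `firewall.forwarding` while zones.lua edits it as a per-zone flag, so one of the two places disagrees with the config the firewall script actually reads. The titles 'Option src_mac' and 'Option target' look like generated placeholders, and 'packages' in two titles should be 'packets'. `proto` and `target` are typed as plain `string` although the forms offer a fixed set of values; an enumerated datatype, if the schema format supports one, would keep the validator as strict as the UI.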