Diffstat (limited to 'modules/luci-mod-status')
3 files changed, 65 insertions, 17 deletions
diff --git a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js
index 0a22a331d3..3a11f1e830 100644
--- a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js
+++ b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js
@@ -10,7 +10,7 @@ var expr_translations = {
 'meta.iifname': _('Ingress device name', 'nft meta iifname'),
 'meta.oifname': _('Egress device name', 'nft meta oifname'),
 'meta.iif': _('Ingress device id', 'nft meta iif'),
- 'meta.iif': _('Engress device id', 'nft meta oif'),
+ 'meta.iif': _('Egress device id', 'nft meta oif'),
 'meta.l4proto': _('IP protocol', 'nft meta l4proto'),
 'meta.l4proto.tcp': 'TCP',
@@ -25,6 +25,9 @@ var expr_translations = {
 'meta.mark': _('Packet mark', 'nft meta mark'),
+ 'meta.hour': _('Current time', 'nft meta hour'),
+ 'meta.day': _('Current weekday', 'nft meta day'),
+
 'ct.state': _('Conntrack state', 'nft ct state'),
 'ct.status': _('Conntrack status', 'nft ct status'),
@@ -52,6 +55,8 @@ var expr_translations = {
 'udp.sport': _('UDP source port', 'nft udp sport'),
 'udp.dport': _('UDP destination port', 'nft udp dport'),
 'tcp.flags': _('TCP flags', 'nft tcp flags'),
+ 'th.sport': _('Transport header source port', 'nft th sport'),
+ 'th.dport': _('Transport header destination port', 'nft th dport'),
 'natflag.random': _('Randomize source port mapping', 'nft nat flag random'),
 'natflag.fully-random': _('Full port randomization', 'nft nat flag fully-random'),
@@ -68,6 +73,10 @@ var expr_translations = {
 'unit.day': _('day', 'nft unit'),
 'unit.hour': _('hour', 'nft unit'),
 'unit.minute': _('minute', 'nft unit'),
+
+ 'payload.ll': _('Link layer header bits %d-%d', 'nft @ll,off,len'),
+ 'payload.nh': _('Network header bits %d-%d', 'nft @nh,off,len'),
+ 'payload.th': _('Transport header bits %d-%d', 'nft @th,off,len')
 };
 var op_translations = {
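Review bot: The corrected line in the first hunk still uses the key `'meta.iif'`, duplicating the entry directly above it, so in the object literal the second definition overwrites the first: `meta iif` is displayed as "Egress device id" and `meta oif` has no translation at all. The translation context `'nft meta oif'` on the same line shows the intended key, so the line should read `'meta.oif': _('Egress device id', 'nft meta oif'),`. The typo fix the commit makes is fine; the key is the part it misses.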
@@ -123,7 +132,11 @@ var action_translations = {
 return view.extend({
 load: function() {
- return L.resolveDefault(fs.exec_direct('/usr/sbin/nft', [ '--json', 'list', 'ruleset' ], 'json'), {});
+ return Promise.all([
+ L.resolveDefault(fs.exec_direct('/usr/sbin/nft', [ '--terse', '--json', 'list', 'ruleset' ], 'json'), {}),
+ L.resolveDefault(fs.exec_direct('/usr/sbin/iptables-save'), ''),
+ L.resolveDefault(fs.exec_direct('/usr/sbin/ip6tables-save'), '')
+ ]);
 },
 isActionExpression: function(expr) {
@@ -168,9 +181,6 @@ return view.extend({
 case 'rt':
 return '%h.%h'.format(kind, spec.key);
- case 'payload':
- return '%h.%h'.format(spec.protocol, spec.field);
-
 case 'tcp option':
 return 'tcpoption.%h.%h'.format(spec.name, spec.field);
@@ -243,6 +253,18 @@ return view.extend({
 case 'range':
 return '%s-%s'.format(this.exprToString(spec[0], hint), this.exprToString(spec[1], hint));
+ case 'payload':
+ if (spec.protocol && spec.field) {
+ var k = '%h.%h'.format(spec.protocol, spec.field);
+ return expr_translations[k] || '<em>%s</em>'.format(k);
+ }
+ else if (spec.base && spec.offset != null && spec.len != null) {
+ var k = 'payload.%h'.format(spec.base);
+ return (expr_translations[k] || '<em>@%s,%%d,%%d</em>'.format(spec.base)).format(spec.offset + 1, spec.offset + spec.len + 1);
+ }
+
+ return 'payload: %s'.format(kind, JSON.stringify(spec));
+
 case '&':
 case '|':
 case '^':
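Review bot: In the third hunk the fallback `return 'payload: %s'.format(kind, JSON.stringify(spec));` has one `%s` but two arguments, so it renders the literal text "payload: payload" and the spec it was meant to show is dropped; it should be `return 'payload: %s'.format(JSON.stringify(spec));`. In the same branch `'<em>@%s,%%d,%%d</em>'.format(spec.base)` inserts `spec.base` into markup with `%s` while the key-building lines around it use `%h`; switching to `%h` keeps the escaping consistent even though the value comes from the local nft JSON output. The upper bound `spec.offset + spec.len + 1` also looks one past the end for a zero-based `offset`/`len` pair (a field of `len` bits starting at `offset` spans bits `offset+1` to `offset+len` when counted from one), worth checking against nft's own notation. The enclosing method (apparently `exprToString`, given the recursive call in the `range` case) starts and ends outside the hunk.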
@@ -644,15 +666,32 @@ return view.extend({
 return node;
 },
+ checkLegacyRules: function(ipt4save, ipt6save) {
+ if (ipt4save.match(/\n-A /) || ipt6save.match(/\n-A /)) {
+ ui.addNotification(_('Legacy rules detected'), [
+ E('p', _('There are legacy iptables rules present on the system. Mixing iptables and nftables rules is discouraged and may lead to incomplete traffic filtering.')),
+ E('button', {
+ 'class': 'btn cbi-button',
+ 'click': function() { location.href = 'nftables/iptables' }
+ }, _('Open iptables rules overview…'))
+ ], 'warning');
+ }
+ },
+
 render: function(data) {
- var view = E('div');
+ var view = E('div'),
+ nft = data[0],
+ ipt = data[1],
+ ipt6 = data[2];
+
+ this.checkLegacyRules(ipt, ipt6);
- if (!Array.isArray(data.nftables))
- return E('em', _('No nftables ruleset load'));
+ if (!Array.isArray(nft.nftables))
+ return E('em', _('No nftables ruleset loaded.'));
- for (var i = 0; i < data.nftables.length; i++)
- if (data.nftables[i].hasOwnProperty('table'))
- view.appendChild(this.renderTable(data.nftables, data.nftables[i].table));
+ for (var i = 0; i < nft.nftables.length; i++)
+ if (nft.nftables[i].hasOwnProperty('table'))
+ view.appendChild(this.renderTable(nft.nftables, nft.nftables[i].table));
 return view;
 },
diff --git a/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json b/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json
index 8aa58e1616..190eef0ad3 100644
--- a/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json
+++ b/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json
@@ -24,7 +24,7 @@
 },
 "admin/status/iptables": {
- "title": "Firewall (iptables)",
+ "title": "Firewall",
 "order": 3,
 "action": {
 "type": "view",
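Review bot: The click handler in `checkLegacyRules` navigates with `location.href = 'nftables/iptables'`, a path relative to whatever URL the page is currently served under, so it only lands on the new `admin/status/nftables/iptables` menu node when the view was opened at exactly `.../admin/status/nftables`; `location.href = L.url('admin/status/nftables/iptables')` builds the dispatcher path explicitly and does not depend on how the view was reached. The detection `ipt4save.match(/\n-A /)` also requires a preceding newline; `/^-A /m` on both strings matches a rule line at any position, including the first, which is defensive since iptables-save normally begins with a comment line. The `render` method is complete in the hunk, but the surrounding `view.extend({ … })` object starts and ends outside it.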
@@ -33,14 +33,14 @@
 "depends": {
 "acl": [ "luci-mod-status-firewall" ],
 "fs": [
- { "/usr/sbin/iptables": "executable" },
- { "/usr/sbin/ip6tables": "executable" }
+ { "/usr/sbin/nft": "absent", "/usr/sbin/iptables": "executable" },
+ { "/usr/sbin/nft": "absent", "/usr/sbin/ip6tables": "executable" }
 ]
 }
 },
 "admin/status/nftables": {
- "title": "Firewall (nftables)",
+ "title": "Firewall",
 "order": 3,
 "action": {
 "type": "view",
@@ -52,6 +52,13 @@
 }
 },
+ "admin/status/nftables/iptables": {
+ "action": {
+ "type": "view",
+ "path": "status/iptables"
+ }
+ },
+
 "admin/status/logs": {
 "title": "System Log",
 "order": 4,
diff --git a/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json b/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
index 7ad43200a3..18d267e801 100644
--- a/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
+++ b/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
@@ -71,10 +71,12 @@
 "read": {
 "cgi-io": [ "exec" ],
 "file": {
- "/usr/sbin/nft --json list ruleset": [ "exec" ],
+ "/usr/sbin/nft --terse --json list ruleset": [ "exec" ],
 "/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
 "/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ],
- "/usr/sbin/ip6tables": [ "list" ]
+ "/usr/sbin/ip6tables": [ "list" ],
+ "/usr/sbin/iptables-save": [ "exec" ],
+ "/usr/sbin/ip6tables-save": [ "exec" ]
 },
 "ubus": {
 "file": [ "stat" ]
|
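Review bot: The new menu node `admin/status/nftables/iptables` in the second hunk declares no `depends`, whereas the sibling `admin/status/iptables` it mirrors requires the `luci-mod-status-firewall` ACL and the iptables binaries; whether the dispatcher applies the parent `admin/status/nftables` node's `depends` to this child is not visible from the page, so adding `"depends": { "acl": [ "luci-mod-status-firewall" ] }` to the new node makes the access requirement explicit rather than inherited. In the ACL hunk the exact command string `"/usr/sbin/nft --json list ruleset"` is replaced rather than kept alongside the new `--terse` variant, so any other caller still executing nft with the old argument list is now denied — fine if this view is the only consumer, which the page does not show.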