From 033de64a0f66e727cb97c54403614917a49cc577 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Mon, 19 Dec 2011 21:16:31 +0000 Subject: applications/luci-firewall: complete rework firewall ui - split zone setup, port forwards, traffic rules and firewall.user - add quickadd forms for various common rules like port forwards - add tool class for textual formatting and descriptions of rules - simplify controller, remove old mini admin remainders --- .../luasrc/model/cbi/firewall/rule-details.lua | 300 +++++++++++++++++++++ 1 file changed, 300 insertions(+) create mode 100644 applications/luci-firewall/luasrc/model/cbi/firewall/rule-details.lua (limited to 'applications/luci-firewall/luasrc/model/cbi/firewall/rule-details.lua') diff --git a/applications/luci-firewall/luasrc/model/cbi/firewall/rule-details.lua b/applications/luci-firewall/luasrc/model/cbi/firewall/rule-details.lua new file mode 100644 index 0000000000..1f7df65136 --- /dev/null +++ b/applications/luci-firewall/luasrc/model/cbi/firewall/rule-details.lua @@ -0,0 +1,300 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2008 Steven Barth +Copyright 2010 Jo-Philipp Wich + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +local sys = require "luci.sys" +local dsp = require "luci.dispatcher" +local nxo = require "nixio" + +local nw = require "luci.model.network" +local m, s, o, k, v + +arg[1] = arg[1] or "" + +m = Map("firewall", + translate("Firewall - Traffic Rules"), + translate("This page allows you to change advanced properties of the \ + traffic rule entry, such as matched source and destination \ + hosts.")) + +m.redirect = dsp.build_url("admin/network/firewall/rules") + +nw.init(m.uci) + +local rule_type = m.uci:get("firewall", arg[1]) +if rule_type == "redirect" and m:get(arg[1], "target") ~= "SNAT" then + rule_type = nil +end + +if not rule_type then + luci.http.redirect(m.redirect) + return + +-- +-- SNAT +-- +elseif rule_type == "redirect" then + + local name = m:get(arg[1], "_name") + if not name or #name == 0 then + name = translate("(Unnamed SNAT)") + else + name = "SNAT %s" % name + end + + m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), name } + + local wan_zone = nil + + m.uci:foreach("firewall", "zone", + function(s) + local n = s.network or s.name + if n then + local i + for i in n:gmatch("%S+") do + if i == "wan" then + wan_zone = s.name + return false + end + end + end + end) + + s = m:section(NamedSection, arg[1], "redirect", "") + s.anonymous = true + s.addremove = false + + + o = s:option(Value, "_name", translate("Name")) + o.rmempty = true + o.size = 10 + + + o = s:option(Value, "proto", + translate("Protocol"), + translate("You may specify multiple by selecting \"-- custom --\" and \ + then entering protocols separated by space.")) + + o:value("all", "All protocols") + o:value("tcp udp", "TCP+UDP") + o:value("tcp", "TCP") + o:value("udp", "UDP") + o:value("icmp", "ICMP") + + function o.cfgvalue(...) + local v = Value.cfgvalue(...) + if not v or v == "tcpudp" then + return "tcp udp" + end + return v + end + + + o = s:option(Value, "src", translate("Source zone")) + o.nocreate = true + o.default = "wan" + o.template = "cbi/firewall_zonelist" + + + o = s:option(DynamicList, "src_mac", translate("Source MAC address")) + o.rmempty = true + o.datatype = "neg(macaddr)" + o.placeholder = translate("any") + + + o = s:option(Value, "src_ip", translate("Source IP address")) + o.rmempty = true + o.datatype = "neg(ip4addr)" + o.placeholder = translate("any") + + + o = s:option(Value, "src_port", + translate("Source port"), + translate("Match incoming traffic originating from the given source \ + port or port range on the client host.")) + o.rmempty = true + o.datatype = "neg(portrange)" + o.placeholder = translate("any") + + + o = s:option(Value, "dest", translate("Destination zone")) + o.nocreate = true + o.default = "lan" + o.template = "cbi/firewall_zonelist" + + + o = s:option(Value, "dest_ip", translate("Destination IP address")) + o.datatype = "neg(ip4addr)" + + for i, dataset in ipairs(luci.sys.net.arptable()) do + o:value(dataset["IP address"]) + end + + + o = s:option(Value, "dest_port", + translate("Destination port"), + translate("Match forwarded traffic to the given destination port or \ + port range.")) + + o.rmempty = true + o.placeholder = translate("any") + o.datatype = "portrange" + + + o = s:option(Value, "src_dip", + translate("SNAT IP address"), + translate("Rewrite matched traffic to the given address.")) + o.rmempty = false + o.datatype = "ip4addr" + + for k, v in ipairs(nw:get_interfaces()) do + local a + for k, a in ipairs(v:ipaddrs()) do + o:value(a:host():string(), '%s (%s)' %{ + a:host():string(), v:shortname() + }) + end + end + + + o = s:option(Value, "src_dport", translate("SNAT port"), + translate("Rewrite matched traffic to the given source port. May be \ + left empty to only rewrite the IP address.")) + o.datatype = "portrange" + o.rmempty = true + o.placeholder = translate('Do not rewrite') + + +-- +-- Rule +-- +else + s = m:section(NamedSection, arg[1], "rule", "") + s.anonymous = true + s.addremove = false + + s:option(Value, "_name", translate("Name").." "..translate("(optional)")) + + + o = s:option(ListValue, "family", translate("Restrict to address family")) + o.rmempty = true + o:value("", translate("IPv4 and IPv6")) + o:value("ipv4", translate("IPv4 only")) + o:value("ipv6", translate("IPv6 only")) + + + o = s:option(Value, "proto", translate("Protocol")) + o:value("all", translate("Any")) + o:value("tcp udp", "TCP+UDP") + o:value("tcp", "TCP") + o:value("udp", "UDP") + o:value("icmp", "ICMP") + + function o.cfgvalue(...) + local v = Value.cfgvalue(...) + if not v or v == "tcpudp" then + return "tcp udp" + end + return v + end + + + o = s:option(DynamicList, "icmp_type", translate("Match ICMP type")) + o:value("", "any") + o:value("echo-reply") + o:value("destination-unreachable") + o:value("network-unreachable") + o:value("host-unreachable") + o:value("protocol-unreachable") + o:value("port-unreachable") + o:value("fragmentation-needed") + o:value("source-route-failed") + o:value("network-unknown") + o:value("host-unknown") + o:value("network-prohibited") + o:value("host-prohibited") + o:value("TOS-network-unreachable") + o:value("TOS-host-unreachable") + o:value("communication-prohibited") + o:value("host-precedence-violation") + o:value("precedence-cutoff") + o:value("source-quench") + o:value("redirect") + o:value("network-redirect") + o:value("host-redirect") + o:value("TOS-network-redirect") + o:value("TOS-host-redirect") + o:value("echo-request") + o:value("router-advertisement") + o:value("router-solicitation") + o:value("time-exceeded") + o:value("ttl-zero-during-transit") + o:value("ttl-zero-during-reassembly") + o:value("parameter-problem") + o:value("ip-header-bad") + o:value("required-option-missing") + o:value("timestamp-request") + o:value("timestamp-reply") + o:value("address-mask-request") + o:value("address-mask-reply") + + + o = s:option(Value, "src", translate("Source zone")) + o.nocreate = true + o.allowany = true + o.default = "wan" + o.template = "cbi/firewall_zonelist" + + + o = s:option(Value, "src_mac", translate("Source MAC address")) + o.datatype = "list(macaddr)" + o.placeholder = translate("any") + + + o = s:option(Value, "src_ip", translate("Source address")) + o.datatype = "neg(ipaddr)" + o.placeholder = translate("any") + + + o = s:option(Value, "src_port", translate("Source port")) + o.datatype = "list(neg,portrange)" + o.placeholder = translate("any") + + + o = s:option(Value, "dest", translate("Destination zone")) + o.nocreate = true + o.allowany = true + o.allowlocal = true + o.template = "cbi/firewall_zonelist" + + + o = s:option(Value, "dest_ip", translate("Destination address")) + o.datatype = "neg(ipaddr)" + o.placeholder = translate("any") + + + o = s:option(Value, "dest_port", translate("Destination port")) + o.datatype = "list(neg,portrange)" + o.placeholder = translate("any") + + + o = s:option(ListValue, "target", translate("Action")) + o.default = "ACCEPT" + o:value("DROP", translate("drop")) + o:value("ACCEPT", translate("accept")) + o:value("REJECT", translate("reject")) + o:value("NOTRACK", translate("don't track")) +end + +return m -- cgit v1.2.3