From 9a63ad7c1066182458c6e35c4edb8f2308022b8c Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Mon, 4 Aug 2008 23:36:33 +0000 Subject: applications/luci-fw: Reworked to use the new native UCI-based firewall configuration --- applications/luci-fw/root/etc/config/luci_fw | 2 - applications/luci-fw/root/etc/init.d/luci_fw | 176 --------------------------- 2 files changed, 178 deletions(-) delete mode 100644 applications/luci-fw/root/etc/config/luci_fw delete mode 100755 applications/luci-fw/root/etc/init.d/luci_fw (limited to 'applications/luci-fw/root/etc') diff --git a/applications/luci-fw/root/etc/config/luci_fw b/applications/luci-fw/root/etc/config/luci_fw deleted file mode 100644 index c7dec7f2c5..0000000000 --- a/applications/luci-fw/root/etc/config/luci_fw +++ /dev/null @@ -1,2 +0,0 @@ - - \ No newline at end of file diff --git a/applications/luci-fw/root/etc/init.d/luci_fw b/applications/luci-fw/root/etc/init.d/luci_fw deleted file mode 100755 index 86d8a56a32..0000000000 --- a/applications/luci-fw/root/etc/init.d/luci_fw +++ /dev/null @@ -1,176 +0,0 @@ -#!/bin/sh /etc/rc.common -START=46 - -apply_portfw() { - local cfg="$1" - config_get proto "$cfg" proto - config_get dport "$cfg" dport - config_get iface "$cfg" iface - config_get to "$cfg" to - - config_get ifname "$iface" ifname - - [ -n "$proto" ] || return 0 - [ -n "$dport" ] || return 0 - [ -n "$ifname" ] || return 0 - [ -n "$to" ] || return 0 - - dport=$(echo $dport | sed -e 's/-/:/') - - ports=$(echo $to | cut -sd: -f2) - if [ -n "$ports" ]; then - ports="--dport $(echo $ports | sed -e 's/-/:/')" - else - ports="--dport $dport" - fi - - ip=$(echo $to | cut -d: -f1) - - if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then - iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to" - iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT - fi - - if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then - iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to" - iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT - fi -} - -apply_routing() { - local cfg="$1" - config_get iface "$cfg" iface - config_get oface "$cfg" oface - config_get_bool fwd "$cfg" fwd - config_get_bool nat "$cfg" nat - config_get_bool bidi "$cfg" bidi - - config_get ifname "$iface" ifname - config_get ofname "$oface" ifname - - [ -n "$ifname" ] || return 0 - [ -n "$ofname" ] || return 0 - - [ "$fwd" -gt 0 ] && { - iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT - [ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT - } - - [ "$nat" -gt 0 ] && { - config_get ifip "$iface" ipaddr - config_get ifmask "$iface" netmask - eval "$(ipcalc.sh $ifip $ifmask)" - - iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ofname" -j MASQUERADE - - [ "$bidi" -gt 0 ] && { - config_get ofip "$oface" ipaddr - config_get ofmask "$oface" netmask - eval "$(ipcalc.sh $ofip $ofmask)" - - iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ifname" -j MASQUERADE - } - } -} - -apply_rule() { - local cfg="$1" - local cmd="" - - config_get chain "$cfg" chain - [ -n "$chain" ] || return 0 - [ "$chain" == "forward" ] && cmd="$cmd -A luci_fw_forward" - [ "$chain" == "input" ] && cmd="$cmd -A luci_fw_input" - [ "$chain" == "output" ] && cmd="$cmd -A luci_fw_output" - [ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_fw_prerouting" - [ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting" - - config_get iface "$cfg" iface - config_get ifname "$iface" ifname - [ -n "$ifname" ] && cmd="$cmd -i $ifname" - - config_get oface "$cfg" oface - config_get ofname "$oface" ifname - [ -n "$ofname" ] && cmd="$cmd -o $ofname" - - config_get proto "$cfg" proto - [ -n "$proto" ] && cmd="$cmd -p $proto" - - config_get source "$cfg" source - [ -n "$source" ] && cmd="$cmd -s $source" - - config_get destination "$cfg" destination - [ -n "$destination" ] && cmd="$cmd -d $destination" - - config_get sport "$cfg" sport - [ -n "$sport" ] && cmd="$cmd --sport $sport" - - config_get dport "$cfg" dport - [ -n "$dport" ] && cmd="$cmd --dport $dport" - - config_get todest "$cfg" todest - [ -n "$todest" ] && cmd="$cmd --to-destination $todest" - - config_get tosrc "$cfg" tosrc - [ -n "$tosrc" ] && cmd="$cmd --to-source $tosrc" - - config_get mac "$cfg" mac - [ -n "$mac" ] && cmd="$cmd -m mac --mac-source $mac" - - config_get jump "$cfg" jump - [ -n "$jump" ] && cmd="$cmd -j $jump" - - config_get command "$cfg" command - [ -n "$command" ] && cmd="$cmd $command" - - iptables $cmd -} - -start() { - ### Create subchains - iptables -N luci_fw_input - iptables -N luci_fw_output - iptables -N luci_fw_forward - iptables -t nat -N luci_fw_prerouting - iptables -t nat -N luci_fw_postrouting - - ### Hook in the chains - iptables -A input_rule -j luci_fw_input - iptables -A output_rule -j luci_fw_output - iptables -A forwarding_rule -j luci_fw_forward - iptables -t nat -A prerouting_rule -j luci_fw_prerouting - iptables -t nat -A postrouting_rule -j luci_fw_postrouting - - ### Scan network interfaces - include /lib/network - scan_interfaces - - ### Read chains from config - config_load luci_fw - config_foreach apply_rule rule - config_foreach apply_portfw portfw - config_foreach apply_routing routing -} - -stop() { - ### Hook out the chains - iptables -D input_rule -j luci_fw_input - iptables -D output_rule -j luci_fw_output - iptables -D forwarding_rule -j luci_fw_forward - iptables -t nat -D prerouting_rule -j luci_fw_prerouting - iptables -t nat -D postrouting_rule -j luci_fw_postrouting - - ### Clear subchains - iptables -F luci_fw_input - iptables -F luci_fw_output - iptables -F luci_fw_forward - iptables -t nat -F luci_fw_prerouting - iptables -t nat -F luci_fw_postrouting - - ### Delete subchains - iptables -X luci_fw_input - iptables -X luci_fw_output - iptables -X luci_fw_forward - iptables -t nat -X luci_fw_prerouting - iptables -t nat -X luci_fw_postrouting -} -- cgit v1.2.3