#!/bin/sh /etc/rc.common
# luci_fw init script: the shebang hands this file to /etc/rc.common, which
# supplies config_get/config_foreach and calls the start()/stop() entry points
# defined below. The rules are installed into luci_fw_* sub-chains that are
# hooked from input_rule/output_rule/forwarding_rule and the nat *_rule chains.
# START is the rc.common boot-order slot for this script.
START=46
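# apply_portfw SECTION
#   Install one DNAT port forward from config section SECTION (type portfw):
#   proto (tcp|udp|tcpudp), dport (external port or a-b range), iface (the
#   interface section whose ifname is the ingress device) and to, written as
#   HOST[:PORT[-PORT]]. Emits a nat prerouting DNAT rule plus a forward ACCEPT
#   for the translated destination. Incomplete sections are skipped silently.
apply_portfw() {
	local cfg="$1"
	local proto dport iface to ifname ip port ext_match int_match

	config_get proto "$cfg" proto
	config_get dport "$cfg" dport
	config_get iface "$cfg" iface
	config_get to "$cfg" to
	config_get ifname "$iface" ifname

	# All four pieces are required.
	[ -n "$proto" ] || return 0
	[ -n "$dport" ] || return 0
	[ -n "$ifname" ] || return 0
	[ -n "$to" ] || return 0

	# Split "to" into host and optional internal port (first field after the
	# first colon, as the original cut -f2 did).
	ip=${to%%:*}
	port=""
	case "$to" in
		*:*) port=${to#*:}; port=${port%%:*} ;;
	esac

	# iptables spells a port range a:b while the config uses a-b. The
	# original only rewrote the internal port; the external dport is now
	# normalised the same way so a ranged dport no longer yields an
	# invalid --dport (a dash is never valid there). Only the first dash is
	# replaced, matching the original sed expression.
	ext_match=$dport
	int_match=${port:-$dport}
	case "$ext_match" in *-*) ext_match="${ext_match%%-*}:${ext_match#*-}" ;; esac
	case "$int_match" in *-*) int_match="${int_match%%-*}:${int_match#*-}" ;; esac

	# Every value is passed as its own quoted argument; "--to" keeps the raw
	# config form because DNAT itself writes ranges as ip:a-b.
	case "$proto" in
		tcp|tcpudp)
			iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$ext_match" -j DNAT --to "$to"
			iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" --dport "$int_match" -j ACCEPT
			;;
	esac
	case "$proto" in
		udp|tcpudp)
			iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$ext_match" -j DNAT --to "$to"
			iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" --dport "$int_match" -j ACCEPT
			;;
	esac
}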
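# apply_routing_masq IFACE_SECTION OUTDEV
#   Append a MASQUERADE rule for the static subnet of interface section
#   IFACE_SECTION leaving via device OUTDEV. Skipped when the section has no
#   ipaddr or ipcalc.sh yields no network, so a NETWORK/PREFIX left behind by
#   a previous section can never be reused for the wrong interface (the
#   original eval'd into globals and did not reset them).
apply_routing_masq() {
	local sec="$1" outdev="$2"
	local ipaddr netmask IP NETMASK BROADCAST NETWORK PREFIX

	config_get ipaddr "$sec" ipaddr
	config_get netmask "$sec" netmask
	[ -n "$ipaddr" ] || return 0

	# ipcalc.sh prints shell assignments (NETWORK=...;PREFIX=...; it may also
	# emit IP/NETMASK/BROADCAST, hence the extra locals) that are eval'd here.
	# Its input is the root-owned interface config, not external data. The
	# netmask is passed only when present, keeping the original one-argument
	# call for an address-only value.
	NETWORK=""
	PREFIX=""
	eval "$(ipcalc.sh "$ipaddr" ${netmask:+"$netmask"})"
	[ -n "$NETWORK" ] && [ -n "$PREFIX" ] || return 0

	iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$outdev" -j MASQUERADE
}

# apply_routing SECTION
#   Install forwarding/NAT between two interface sections from config section
#   SECTION (type routing): iface -> oface, with fwd enabling a forward ACCEPT,
#   nat enabling MASQUERADE of iface's subnet out of oface, and bidi applying
#   both in the reverse direction too. Sections lacking either device are
#   skipped.
apply_routing() {
	local cfg="$1"
	local iface oface fwd nat bidi ifname ofname

	config_get iface "$cfg" iface
	config_get oface "$cfg" oface
	# Explicit "0" default: without it an unset flag is "" and the numeric
	# test below reports an error instead of simply evaluating to false.
	config_get_bool fwd "$cfg" fwd 0
	config_get_bool nat "$cfg" nat 0
	config_get_bool bidi "$cfg" bidi 0
	config_get ifname "$iface" ifname
	config_get ofname "$oface" ifname
	[ -n "$ifname" ] || return 0
	[ -n "$ofname" ] || return 0

	if [ "$fwd" -gt 0 ]; then
		iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
		[ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
	fi

	if [ "$nat" -gt 0 ]; then
		apply_routing_masq "$iface" "$ofname"
		[ "$bidi" -gt 0 ] && apply_routing_masq "$oface" "$ifname"
	fi
}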
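# apply_rule SECTION
#   Append one generic iptables rule from config section SECTION (type rule).
#   chain selects the luci_fw_* sub-chain (forward|input|output|prerouting|
#   postrouting); the optional iface/oface/proto/source/destination/sport/
#   dport/todest/tosrc/mac/jump values map one-to-one onto iptables options,
#   and command is appended verbatim as extra arguments. Sections without a
#   known chain are skipped.
apply_rule() {
	local cfg="$1"
	local chain iface ifname oface ofname proto source destination
	local sport dport todest tosrc mac jump command

	config_get chain "$cfg" chain
	[ -n "$chain" ] || return 0

	# The argv is assembled in the positional parameters, one config value
	# per argument, instead of a whitespace-joined string: a value can then
	# never be word-split or glob-expanded into additional iptables options
	# (the original ran the unquoted "$cmd"). The config is root-owned UCI
	# data, so this is about robustness rather than hostile input.
	case "$chain" in
		forward)     set -- -A luci_fw_forward ;;
		input)       set -- -A luci_fw_input ;;
		output)      set -- -A luci_fw_output ;;
		prerouting)  set -- -t nat -A luci_fw_prerouting ;;
		postrouting) set -- -t nat -A luci_fw_postrouting ;;
		*)           return 0 ;;   # unknown chain: the original issued a command with no -A at all
	esac

	config_get iface "$cfg" iface
	config_get ifname "$iface" ifname
	[ -n "$ifname" ] && set -- "$@" -i "$ifname"

	config_get oface "$cfg" oface
	config_get ofname "$oface" ifname
	[ -n "$ofname" ] && set -- "$@" -o "$ofname"

	config_get proto "$cfg" proto
	[ -n "$proto" ] && set -- "$@" -p "$proto"

	config_get source "$cfg" source
	[ -n "$source" ] && set -- "$@" -s "$source"

	config_get destination "$cfg" destination
	[ -n "$destination" ] && set -- "$@" -d "$destination"

	config_get sport "$cfg" sport
	[ -n "$sport" ] && set -- "$@" --sport "$sport"

	config_get dport "$cfg" dport
	[ -n "$dport" ] && set -- "$@" --dport "$dport"

	config_get todest "$cfg" todest
	[ -n "$todest" ] && set -- "$@" --to-destination "$todest"

	config_get tosrc "$cfg" tosrc
	[ -n "$tosrc" ] && set -- "$@" --to-source "$tosrc"

	config_get mac "$cfg" mac
	[ -n "$mac" ] && set -- "$@" -m mac --mac-source "$mac"

	config_get jump "$cfg" jump
	[ -n "$jump" ] && set -- "$@" -j "$jump"

	# "command" is free-form extra iptables arguments and is the one value
	# that is deliberately word-split, as before.
	config_get command "$cfg" command
	# shellcheck disable=SC2086
	[ -n "$command" ] && set -- "$@" $command

	iptables "$@"
}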
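# start
#   rc.common entry point: create the luci_fw_* sub-chains, hook them from the
#   input_rule/output_rule/forwarding_rule and nat prerouting_rule/
#   postrouting_rule chains, then walk the luci_fw config (rule, portfw,
#   routing sections, in that order) through the apply_* callbacks.
#   Safe to run again without an intervening stop: existing sub-chains are
#   flushed rather than re-created, and a previous hook is removed before the
#   new one is appended, so neither -N failures nor duplicate jumps result.
start() {
	local sub pair name parent

	### Create subchains (flush when one already exists so no stale rules survive)
	for sub in input output forward; do
		iptables -N "luci_fw_$sub" 2>/dev/null || iptables -F "luci_fw_$sub"
	done
	for sub in prerouting postrouting; do
		iptables -t nat -N "luci_fw_$sub" 2>/dev/null || iptables -t nat -F "luci_fw_$sub"
	done

	### Hook in the chains. The -D error on a fresh start is expected and
	### suppressed; it only matters when a hook is already present.
	for pair in input:input_rule output:output_rule forward:forwarding_rule; do
		name="luci_fw_${pair%%:*}"
		parent="${pair#*:}"
		iptables -D "$parent" -j "$name" 2>/dev/null
		iptables -A "$parent" -j "$name"
	done
	for pair in prerouting:prerouting_rule postrouting:postrouting_rule; do
		name="luci_fw_${pair%%:*}"
		parent="${pair#*:}"
		iptables -t nat -D "$parent" -j "$name" 2>/dev/null
		iptables -t nat -A "$parent" -j "$name"
	done

	### Scan network interfaces (presumably this is what makes the
	### "config_get ifname <iface> ifname" lookups in apply_* resolve)
	include /lib/network
	scan_interfaces

	### Read chains from config; section types are applied in this order
	config_load luci_fw
	config_foreach apply_rule rule
	config_foreach apply_portfw portfw
	config_foreach apply_routing routing
}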
# stop
#   rc.common entry point: unhook the luci_fw_* sub-chains from their parent
#   chains, flush them, then delete them. Each step is attempted for every
#   chain regardless of earlier failures, as before.
stop() {
	local pair name

	### Hook out the chains
	for pair in input:input_rule output:output_rule forward:forwarding_rule; do
		iptables -D "${pair#*:}" -j "luci_fw_${pair%%:*}"
	done
	for pair in prerouting:prerouting_rule postrouting:postrouting_rule; do
		iptables -t nat -D "${pair#*:}" -j "luci_fw_${pair%%:*}"
	done

	### Clear subchains
	for name in input output forward; do
		iptables -F "luci_fw_$name"
	done
	for name in prerouting postrouting; do
		iptables -t nat -F "luci_fw_$name"
	done

	### Delete subchains
	for name in input output forward; do
		iptables -X "luci_fw_$name"
	done
	for name in prerouting postrouting; do
		iptables -t nat -X "luci_fw_$name"
	done
}