projects / project / luci.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
libs/core: rework firewall model
[project/luci.git] / libs / core / luasrc / model / firewall.lua
1 --[[
2 LuCI - Firewall model
3
4 Copyright 2009 Jo-Philipp Wich <xm@subsignal.org>
5
6 Licensed under the Apache License, Version 2.0 (the "License");
7 you may not use this file except in compliance with the License.
8 You may obtain a copy of the License at
9
10 http://www.apache.org/licenses/LICENSE-2.0
11
12 Unless required by applicable law or agreed to in writing, software
13 distributed under the License is distributed on an "AS IS" BASIS,
14 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 See the License for the specific language governing permissions and
16 limitations under the License.
17
18 ]]--
19
20 local type, pairs, ipairs, table, luci, math
21 = type, pairs, ipairs, table, luci, math
22
23 local lmo = require "lmo"
24 local utl = require "luci.util"
25 local uci = require "luci.model.uci"
26
27 module "luci.model.firewall"
28
29
30 local uci_r, uci_s
31
32 function _strlist(x)
33 if x == nil then
34 x = ""
35 elseif type(x) == "table" then
36 x = table.concat(x, " ")
37 end
38
39 return x:gmatch("%S+")
40 end
41
42 function _valid_id(x)
43 return (x and #x > 0 and x:match("^[a-zA-Z0-9_]+$"))
44 end
45
46 function _get(c, s, o)
47 return uci_r:get(c, s, o)
48 end
49
50 function _set(c, s, o, v)
51 if v ~= nil then
52 if type(v) == "boolean" then v = v and "1" or "0" end
53 return uci_r:set(c, s, o, v)
54 else
55 return uci_r:del(c, s, o, v)
56 end
57 end
58
59
60 function init(cursor)
61 uci_r = cursor or uci_r or uci.cursor()
62 uci_s = uci_r:substate()
63
64 return _M
65 end
66
67 function save(self, ...)
68 uci_r:save(...)
69 uci_r:load(...)
70 end
71
72 function commit(self, ...)
73 uci_r:commit(...)
74 uci_r:load(...)
75 end
76
77 function add_zone(self, n)
78 if _valid_id(n) and not self:get_zone(n) then
79 local z = uci_r:section("firewall", "zone", nil, {
80 name = n,
81 network = " ",
82 input = defaults:input() or "DROP",
83 forward = defaults:forward() or "DROP",
84 output = defaults:output() or "DROP"
85 })
86
87 return z and zone(z)
88 end
89 end
90
91 function get_zone(self, n)
92 if uci_r:get("firewall", n) == "zone" then
93 return zone(n)
94 else
95 local z
96 uci_r:foreach("firewall", "zone",
97 function(s)
98 if n and s.name == n then
99 z = s['.name']
100 return false
101 end
102 end)
103 return z and zone(z)
104 end
105 end
106
107 function get_zones(self)
108 local zones = { }
109 local znl = { }
110
111 uci_r:foreach("firewall", "zone",
112 function(s)
113 if s.name then
114 znl[s.name] = zone(s['.name'])
115 end
116 end)
117
118 local z
119 for z in utl.kspairs(znl) do
120 zones[#zones+1] = znl[z]
121 end
122
123 return zones
124 end
125
126 function get_zone_by_network(self, net)
127 local z
128
129 uci_r:foreach("firewall", "zone",
130 function(s)
131 if s.name and net then
132 local n
133 for n in _strlist(s.network or s.name) do
134 if n == net then
135 z = s['.name']
136 return false
137 end
138 end
139 end
140 end)
141
142 return z and zone(z)
143 end
144
145 function del_zone(self, n)
146 local r = false
147
148 if uci_r:get("firewall", n) == "zone" then
149 local z = uci_r:get("firewall", n, "name")
150 r = uci_r:delete("firwall", n)
151 n = z
152 else
153 uci_r:foreach("firewall", "zone",
154 function(s)
155 if n and s.name == n then
156 r = uci_r:delete("firewall", s['.name'])
157 return false
158 end
159 end)
160 end
161
162 if r then
163 uci_r:foreach("firewall", "rule",
164 function(s)
165 if s.src == n or s.dest == n then
166 uci_r:delete("firewall", s['.name'])
167 end
168 end)
169
170 uci_r:foreach("firewall", "redirect",
171 function(s)
172 if s.src == n then
173 uci_r:delete("firewall", s['.name'])
174 end
175 end)
176
177 uci_r:foreach("firewall", "forwarding",
178 function(s)
179 if s.src == n then
180 uci_r:delete("firewall", s['.name'])
181 end
182 end)
183 end
184
185 return r
186 end
187
188 function rename_zone(self, old, new)
189 local r = false
190
191 if _valid_id(new) and not self:get_zone(new) then
192 uci_r:foreach("firewall", "zone",
193 function(s)
194 if n and s.name == old then
195 uci_r:set("firewall", s['.name'], "name", new)
196 r = true
197 return false
198 end
199 end)
200
201 if r then
202 uci_r:foreach("firewall", "rule",
203 function(s)
204 if s.src == old then
205 uci_r:set("firewall", s['.name'], "src", new)
206 end
207 if s.dest == old then
208 uci_r:set("firewall", s['.name'], "dest", new)
209 end
210 end)
211
212 uci_r:foreach("firewall", "redirect",
213 function(s)
214 if s.src == old then
215 uci_r:set("firewall", s['.name'], "src", new)
216 end
217 if s.dest == old then
218 uci_r:set("firewall", s['.name'], "dest", new)
219 end
220 end)
221
222 ub.uci:foreach("firewall", "forwarding",
223 function(s)
224 if s.src == old then
225 ub.uci:set("firewall", s['.name'], "src", new)
226 end
227 if s.dest == old then
228 uci_r:set("firewall", s['.name'], "dest", new)
229 end
230 end)
231 end
232 end
233
234 return r
235 end
236
237 function del_network(self, net)
238 local z
239 if net then
240 for _, z in ipairs(self:get_zones()) do
241 z:del_network(net)
242 end
243 end
244 end
245
246
247 defaults = utl.class()
248 function defaults.__init__(self)
249 uci_r:foreach("firewall", "defaults",
250 function(s)
251 self.sid = s['.name']
252 return false
253 end)
254
255 self.sid = self.sid or uci_r:section("firewall", "defaults", nil, { })
256 end
257
258 function defaults.get(self, opt)
259 return _get("firewall", self.sid, opt)
260 end
261
262 function defaults.set(self, opt, val)
263 return _set("firewall", self.sid, opt, val)
264 end
265
266 function defaults.syn_flood(self)
267 return (self:get("syn_flood") == "1")
268 end
269
270 function defaults.drop_invalid(self)
271 return (self:get("drop_invalid") == "1")
272 end
273
274 function defaults.input(self)
275 return self:get("input") or "DROP"
276 end
277
278 function defaults.forward(self)
279 return self:get("forward") or "DROP"
280 end
281
282 function defaults.output(self)
283 return self:get("output") or "DROP"
284 end
285
286
287 zone = utl.class()
288 function zone.__init__(self, z)
289 if uci_r:get("firewall", z) == "zone" then
290 self.sid = z
291 self.data = uci_r:get_all("firewall", z)
292 else
293 uci_r:foreach("firewall", "zone",
294 function(s)
295 if s.name == z then
296 self.sid = s['.name']
297 self.data = s
298 return false
299 end
300 end)
301 end
302 end
303
304 function zone.get(self, opt)
305 return _get("firewall", self.sid, opt)
306 end
307
308 function zone.set(self, opt, val)
309 return _set("firewall", self.sid, opt, val)
310 end
311
312 function zone.masq(self)
313 return (self:get("masq") == "1")
314 end
315
316 function zone.name(self)
317 return self:get("name")
318 end
319
320 function zone.network(self)
321 return self:get("network")
322 end
323
324 function zone.input(self)
325 return self:get("input") or "DROP"
326 end
327
328 function zone.forward(self)
329 return self:get("forward") or "DROP"
330 end
331
332 function zone.output(self)
333 return self:get("output") or "DROP"
334 end
335
336 function zone.add_network(self, net)
337 if uci_r:get("network", net) == "interface" then
338 local nets = { }
339
340 local n
341 for n in _strlist(self:get("network") or self:get("name")) do
342 if n ~= net then
343 nets[#nets+1] = n
344 end
345 end
346
347 nets[#nets+1] = net
348
349 if #nets > 0 then
350 self:set("network", table.concat(nets, " "))
351 else
352 self:set("network", " ")
353 end
354 end
355 end
356
357 function zone.del_network(self, net)
358 local nets = { }
359
360 local n
361 for n in _strlist(self:get("network") or self:get("name")) do
362 if n ~= net then
363 nets[#nets+1] = n
364 end
365 end
366
367 if #nets > 0 then
368 self:set("network", table.concat(nets, " "))
369 else
370 self:set("network", " ")
371 end
372 end
373
374 function zone.get_networks(self)
375 local nets = { }
376
377 local n
378 for n in _strlist(self:get("network") or self:get("name")) do
379 nets[#nets+1] = n
380 end
381
382 return nets
383 end
384
385 function zone.get_forwardings_by(self, what)
386 local name = self:name()
387 local forwards = { }
388
389 uci_r:foreach("firewall", "forwarding",
390 function(s)
391 if s.src and s.dest and s[what] == name then
392 forwards[#forwards+1] = forwarding(s['.name'])
393 end
394 end)
395
396 return forwards
397 end
398
399 function zone.add_forwarding_to(self, dest)
400 local exist, forward
401
402 for _, forward in ipairs(self:get_forwardings_by('src')) do
403 if forward:dest() == dest then
404 exist = true
405 break
406 end
407 end
408
409 if not exist and dest ~= self:name() then
410 local s = uci_r:section("firewall", "forwarding", nil, {
411 src = self:name(),
412 dest = dest
413 })
414
415 return s and forwarding(s)
416 end
417 end
418
419 function zone.add_forwarding_from(self, src)
420 local exist, forward
421
422 for _, forward in ipairs(self:get_forwardings_by('dest')) do
423 if forward:src() == src then
424 exist = true
425 break
426 end
427 end
428
429 if not exist and src ~= self:name() then
430 local s = uci_r:section("firewall", "forwarding", nil, {
431 src = src,
432 dest = self:name()
433 })
434
435 return s and forwarding(s)
436 end
437 end
438
439 function zone.del_forwardings_by(self, what)
440 local name = self:name()
441
442 uci_r:foreach("firewall", "forwarding",
443 function(s)
444 if s.src and s.dest and s[what] == name then
445 uci_r:delete("firewall", s['.name'])
446 end
447 end)
448 end
449
450 function zone.add_redirect(self, options)
451 options = options or { }
452 options.src = self:name()
453
454 local s = uci_r:section("firewall", "redirect", nil, options)
455 return s and redirect(s)
456 end
457
458 function zone.add_rule(self, options)
459 options = options or { }
460 options.src = self:name()
461
462 local s = uci_r:section("firewall", "rule", nil, options)
463 return s and rule(s)
464 end
465
466 function zone.get_color(self)
467 if self and self:name() == "lan" then
468 return "#90f090"
469 elseif self and self:name() == "wan" then
470 return "#f09090"
471 elseif self then
472 math.randomseed(lmo.hash(self:name()))
473
474 local r = math.random(128)
475 local g = math.random(128)
476 local min = 0
477 local max = 128
478
479 if ( r + g ) < 128 then
480 min = 128 - r - g
481 else
482 max = 255 - r - g
483 end
484
485 local b = min + math.floor( math.random() * ( max - min ) )
486
487 return "#%02x%02x%02x" % { 0xFF - r, 0xFF - g, 0xFF - b }
488 else
489 return "#eeeeee"
490 end
491 end
492
493
494 forwarding = utl.class()
495 function forwarding.__init__(self, f)
496 self.sid = f
497 end
498
499 function forwarding.src(self)
500 return uci_r:get("firewall", self.sid, "src")
501 end
502
503 function forwarding.dest(self)
504 return uci_r:get("firewall", self.sid, "dest")
505 end
506
507 function forwarding.src_zone(self)
508 return zone(self:src())
509 end
510
511 function forwarding.dest_zone(self)
512 return zone(self:dest())
513 end
514
515
516 rule = utl.class()
517 function rule.__init__(self, f)
518 self.sid = f
519 end
520
521 function rule.get(self, opt)
522 return _get("firewall", self.sid, opt)
523 end
524
525 function rule.set(self, opt, val)
526 return _set("firewall", self.sid, opt, val)
527 end
528
529 function rule.src(self)
530 return uci_r:get("firewall", self.sid, "src")
531 end
532
533 function rule.dest(self)
534 return uci_r:get("firewall", self.sid, "dest")
535 end
536
537 function rule.src_zone(self)
538 return zone(self:src())
539 end
540
541 function rule.dest_zone(self)
542 return zone(self:dest())
543 end
544
545
546 redirect = utl.class()
547 function redirect.__init__(self, f)
548 self.sid = f
549 end
550
551 function redirect.get(self, opt)
552 return _get("firewall", self.sid, opt)
553 end
554
555 function redirect.set(self, opt, val)
556 return _set("firewall", self.sid, opt, val)
557 end
558
559 function redirect.src(self)
560 return uci_r:get("firewall", self.sid, "src")
561 end
562
563 function redirect.dest(self)
564 return uci_r:get("firewall", self.sid, "dest")
565 end
566
567 function redirect.src_zone(self)
568 return zone(self:src())
569 end
570
571 function redirect.dest_zone(self)
572 return zone(self:dest())
573 end
Lua Configuration Interface (mirror)