projects / project / firewall4.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fw4: skip not existing netdev names in flowtable device list
[project/firewall4.git] / root / usr / share / firewall4 / main.uc
1 {%
2
3 let fw4 = require("fw4");
4
5 function read_state() {
6 let state = fw4.read_state();
7
8 if (!state) {
9 warn("Unable to read firewall state - do you need to start the firewall?\n");
10 exit(1);
11 }
12
13 return state;
14 }
15
16 function reload_sets() {
17 let state = read_state(),
18 sets = fw4.check_set_types();
19
20 for (let set in state.ipsets) {
21 if (!set.loadfile && !length(set.entries))
22 continue;
23
24 if (!exists(sets, set.name)) {
25 warn(`Named set '${set.name}' does not exist - do you need to restart the firewall?\n`);
26 continue;
27 }
28 else if (fw4.concat(sets[set.name]) != fw4.concat(set.types)) {
29 warn(`Named set '${set.name}' has a different type - want '${fw4.concat(set.types)}' but is '${fw4.concat(sets[set.name])}' - do you need to restart the firewall?\n`);
30 continue;
31 }
32
33 let first = true;
34 let printer = (entry) => {
35 if (first) {
36 print(`add element inet fw4 ${set.name} {\n`);
37 first = false;
38 }
39
40 print(` ${join(" . ", entry)},\n`);
41 };
42
43 print(`flush set inet fw4 ${set.name}\n`);
44
45 map(set.entries, printer);
46
47 if (set.loadfile)
48 fw4.parse_setfile(set, printer);
49
50 if (!first)
51 print("}\n\n");
52 }
53 }
54
55 function render_ruleset(use_statefile) {
56 fw4.load(use_statefile);
57
58 include("templates/ruleset.uc", { fw4, type, exists, length, include });
59 }
60
61 function lookup_network(net) {
62 let state = read_state();
63
64 for (let zone in state.zones) {
65 for (let network in (zone.network || [])) {
66 if (network.device == net) {
67 print(zone.name, "\n");
68 exit(0);
69 }
70 }
71 }
72
73 exit(1);
74 }
75
76 function lookup_device(dev) {
77 let state = read_state();
78
79 for (let zone in state.zones) {
80 for (let rule in (zone.match_rules || [])) {
81 if (dev in rule.devices_pos) {
82 print(zone.name, "\n");
83 exit(0);
84 }
85 }
86 }
87
88 exit(1);
89 }
90
91 function lookup_zone(name, dev) {
92 let state = read_state();
93
94 for (let zone in state.zones) {
95 if (zone.name == name) {
96 let devices = [];
97 map(zone.match_rules, (r) => push(devices, ...(r.devices_pos || [])));
98
99 if (dev) {
100 if (dev in devices) {
101 print(dev, "\n");
102 exit(0);
103 }
104
105 exit(1);
106 }
107
108 if (length(devices))
109 print(join("\n", devices), "\n");
110
111 exit(0);
112 }
113 }
114
115 exit(1);
116 }
117
118 function run_includes() {
119 let state = read_state(),
120 paths = [];
121
122 for (let inc in state.includes) {
123 if (inc.type != 'script')
124 continue;
125
126 let path = replace(inc.path, "'", "'\\''");
127 let rc = system([
128 'sh', '-c',
129 `exec 1000>&-; config() { echo "You cannot use UCI in firewall includes!" >&2; exit 1; }; . '${path}'`
130 ], 30000);
131
132 if (rc != 0)
133 warn(`Include '${inc.path}' failed with exit code ${rc}\n`);
134 }
135 }
136
137
138 switch (getenv("ACTION")) {
139 case "start":
140 return render_ruleset(true);
141
142 case "print":
143 return render_ruleset(false);
144
145 case "reload-sets":
146 return reload_sets();
147
148 case "network":
149 return lookup_network(getenv("OBJECT"));
150
151 case "device":
152 return lookup_device(getenv("OBJECT"));
153
154 case "zone":
155 return lookup_zone(getenv("OBJECT"), getenv("DEVICE"));
156
157 case "includes":
158 return run_includes();
159 }
OpenWrt nftables firewall