# Copyright (C) 2009-2010 OpenWrt.org
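fw_configure_interface() {
	# Attach an interface to every firewall zone that lists it, or detach it.
	#   $1 - uci interface (logical network) name
	#   $2 - "add" or "del": whether the interface is coming up or going down
	#   $3 - physical device name; looked up in the interface config when empty
	# Does nothing for interfaces whose "up" flag is not set and for "lo".
	# Side effects: installs/removes iptables jumps via fw(), records the
	# zone/device mapping in uci state, fires firewall hotplug events and
	# applies the per-interface sysctls.
	local iface=$1
	local action=$2
	local ifname=$3

	local status
	config_get_bool status "$iface" up "0"
	[ "$status" = 1 ] || return 0

	[ -n "$ifname" ] || {
		config_get ifname "$iface" ifname
		ifname=${ifname:-$iface}
	}
	[ "$ifname" = "lo" ] && return 0

	fw_callback pre interface

	# Install (add) or remove (del) the per-device jumps of one zone chain.
	#   $1 - add|del
	#   $2 - zone chain prefix (zone_<name>)
	#   $3 - device name
	# The "^" / "$" tokens and the "{ ... }" group are fw()'s own rule
	# syntax; they are deliberately passed unquoted, as separate words.
	fw__do_rules() {
		local action=$1
		local chain=$2
		local ifname=$3

		fw $action i f ${chain}_ACCEPT ACCEPT ^ { -o "$ifname" }
		fw $action i f ${chain}_ACCEPT ACCEPT ^ { -i "$ifname" }
		fw $action i f ${chain}_DROP DROP ^ { -o "$ifname" }
		fw $action i f ${chain}_DROP DROP ^ { -i "$ifname" }
		fw $action i f ${chain}_REJECT reject ^ { -o "$ifname" }
		fw $action i f ${chain}_REJECT reject ^ { -i "$ifname" }

		fw $action i n ${chain}_nat MASQUERADE ^ { -o "$ifname" }
		fw $action i f ${chain}_MSSFIX TCPMSS ^ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu }

		fw $action i f input ${chain} $ { -i "$ifname" }
		fw $action i f forward ${chain}_forward $ { -i "$ifname" }
		fw $action i n PREROUTING ${chain}_prerouting ^ { -i "$ifname" }
		fw $action i r PREROUTING ${chain}_notrack ^ { -i "$ifname" }
	}

	# First undo whatever the previous add recorded in uci state, so that a
	# changed device name or zone membership does not leave stale jumps
	# behind. The device name is quoted: an empty or odd value must still
	# reach fw__do_rules as exactly one argument.
	local old_zones old_ifname z
	config_get old_zones core "${iface}_zone"
	[ -n "$old_zones" ] && {
		config_get old_ifname core "${iface}_ifname"
		for z in $old_zones; do
			fw_log info "removing $iface ($old_ifname) from zone $z"
			fw__do_rules del zone_$z "$old_ifname"

			# NOTE(review): DEVICE carries the current device, not
			# $old_ifname, on the remove event - confirm this is intended.
			ACTION=remove ZONE="$z" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
		done
		uci_revert_state firewall core "${iface}_zone"
		uci_revert_state firewall core "${iface}_ifname"
	}
	[ "$action" = del ] && return

	# Walk every configured zone and attach to those that list this
	# interface in their network list. fw_config_get_zone is expected to
	# load the zone's options into zone_* variables (zone_name and
	# zone_network are read here). new_zones is filled through append,
	# which writes into the caller's variable.
	local new_zones
	load_zone() {
		fw_config_get_zone "$1"
		list_contains zone_network "$iface" || return

		fw_log info "adding $iface ($ifname) to zone $zone_name"
		fw__do_rules add zone_${zone_name} "$ifname"
		append new_zones "$zone_name"

		ACTION=add ZONE="$zone_name" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
	}
	config_foreach load_zone zone

	# Remember the mapping so the next call (or the del action) can undo it.
	uci_set_state firewall core "${iface}_zone" "$new_zones"
	uci_set_state firewall core "${iface}_ifname" "$ifname"

	fw_sysctl_interface "$ifname"

	fw_callback post interface
}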
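fw_sysctl_interface() {
	# Apply the per-interface hardening knobs - acceptance of ICMP redirects
	# and of source-routed packets, taken from $FW_ACCEPT_REDIRECTS and
	# $FW_ACCEPT_SRC_ROUTE - to one device, for IPv4 and IPv6.
	#   $1 - device name (may contain dots, e.g. a VLAN device like eth0.1)
	# Failures are discarded: a device without IPv6 or one that is already
	# gone simply has nothing to set.
	local ifname=$1
	local base

	[ -n "$ifname" ] || return 0

	# Write the /proc/sys files directly rather than using
	# "sysctl -w net.ipv4.conf.<dev>.key=...": in the dotted key syntax a
	# dot inside the device name is indistinguishable from a path separator,
	# so for devices such as eth0.1 the write fails - and with errors
	# suppressed, the interface was silently left without these settings.
	for base in "/proc/sys/net/ipv4/conf/$ifname" "/proc/sys/net/ipv6/conf/$ifname"; do
		[ -d "$base" ] || continue
		echo "$FW_ACCEPT_REDIRECTS" > "$base/accept_redirects"
		echo "$FW_ACCEPT_SRC_ROUTE" > "$base/accept_source_route"
	done 2>/dev/null
}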