'use strict';
+'require view';
'require ui';
'require rpc';
'require uci';
'require form';
+'require firewall as fwmodel';
'require tools.firewall as fwtool';
'require tools.widgets as widgets';
-function fmt(fmt /*, ...*/) {
- var repl = [], wrap = false;
-
- for (var i = 1; i < arguments.length; i++) {
- if (L.dom.elem(arguments[i])) {
- switch (arguments[i].nodeType) {
- case 1:
- repl.push(arguments[i].outerHTML);
- wrap = true;
- break;
-
- case 3:
- repl.push(arguments[i].data);
- break;
-
- case 11:
- var span = E('span');
- span.appendChild(arguments[i]);
- repl.push(span.innerHTML);
- wrap = true;
- break;
-
- default:
- repl.push('');
- }
- }
- else {
- repl.push(arguments[i]);
- }
- }
+function rule_proto_txt(s, ctHelpers) {
+ var family = (uci.get('firewall', s, 'family') || '').toLowerCase().replace(/^(?:all|\*)$/, 'any');
+ var dip = uci.get('firewall', s, 'dest_ip') || '';
+ var proto = L.toArray(uci.get('firewall', s, 'proto')).filter(function(p) {
+ return (p != '*' && p != 'any' && p != 'all');
+ }).map(function(p) {
+ var pr = fwtool.lookupProto(p);
+ return {
+ num: pr[0],
+ name: pr[1],
+ types: (pr[0] == 1 || pr[0] == 58) ? L.toArray(uci.get('firewall', s, 'icmp_type')) : null
+ };
+ });
+
+ var m = String(uci.get('firewall', s, 'helper') || '').match(/^(!\s*)?(\S+)$/);
+ var h = m ? {
+ val: m[0].toUpperCase(),
+ inv: m[1],
+ name: (ctHelpers.filter(function(ctH) { return ctH.name.toLowerCase() == m[2].toLowerCase() })[0] || {}).description
+ } : null;
+
+ m = String(uci.get('firewall', s, 'mark')).match(/^(!\s*)?(0x[0-9a-f]{1,8}|[0-9]{1,10})(?:\/(0x[0-9a-f]{1,8}|[0-9]{1,10}))?$/i);
+ var f = m ? {
+ val: m[0].toUpperCase().replace(/X/g, 'x'),
+ inv: m[1],
+ num: '0x%02X'.format(+m[2]),
+ mask: m[3] ? '0x%02X'.format(+m[3]) : null
+ } : null;
+
+ return fwtool.fmt(_('Incoming %{ipv6?%{ipv4?<var>IPv4</var> and <var>IPv6</var>:<var>IPv6</var>}:<var>IPv4</var>}%{proto?, protocol %{proto#%{next?, }%{item.types?<var class="cbi-tooltip-container">%{item.name}<span class="cbi-tooltip">ICMP with types %{item.types#%{next?, }<var>%{item}</var>}</span></var>:<var>%{item.name}</var>}}}%{mark?, mark <var%{mark.inv? data-tooltip="Match fwmarks except %{mark.num}%{mark.mask? with mask %{mark.mask}}.":%{mark.mask? data-tooltip="Mask fwmark value with %{mark.mask} before compare."}}>%{mark.val}</var>}%{helper?, helper %{helper.inv?<var data-tooltip="Match any helper except "%{helper.name}"">%{helper.val}</var>:<var data-tooltip="%{helper.name}">%{helper.val}</var>}}'), {
+ ipv4: ((!family && dip.indexOf(':') == -1) || family == 'any' || (!family && !dip) || family == 'ipv4'),
+ ipv6: ((!family && dip.indexOf(':') != -1) || family == 'any' || family == 'ipv6'),
+ proto: proto,
+ helper: h,
+ mark: f
+ });
+}
+
+function rule_src_txt(s, hosts) {
+ var z = uci.get('firewall', s, 'src');
+
+ return fwtool.fmt(_('From %{src}%{src_ip?, IP %{src_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{src_port?, port %{src_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}%{src_mac?, MAC %{src_mac#%{next?, }<var%{item.inv? data-tooltip="Match MACs except %{item.val}%{item.hint.name? a.k.a. %{item.hint.name}}.":%{item.hint.name? data-tooltip="%{item.hint.name}"}}>%{item.ival}</var>}}'), {
+ src: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(z) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
+ src_ip: fwtool.map_invert(uci.get('firewall', s, 'src_ip'), 'toLowerCase'),
+ src_mac: fwtool.map_invert(uci.get('firewall', s, 'src_mac'), 'toUpperCase').map(function(v) { return Object.assign(v, { hint: hosts[v.val] }) }),
+ src_port: fwtool.map_invert(uci.get('firewall', s, 'src_port'))
+ });
+}
- var rv = fmt.format.apply(fmt, repl);
- return wrap ? E('span', rv) : rv;
+function rule_dest_txt(s) {
+ return fwtool.fmt(_('To %{dest}%{dest_ip?, IP %{dest_ip#%{next?, }<var%{item.inv? data-tooltip="Match IP addresses except %{item.val}."}>%{item.ival}</var>}}%{dest_port?, port %{dest_port#%{next?, }<var%{item.inv? data-tooltip="Match ports except %{item.val}."}>%{item.ival}</var>}}'), {
+ dest: E('span', { 'class': 'zonebadge', 'style': fwmodel.getZoneColorStyle(null) }, [E('em', _('this device'))]),
+ dest_ip: fwtool.map_invert(uci.get('firewall', s, 'src_dip'), 'toLowerCase'),
+ dest_port: fwtool.map_invert(uci.get('firewall', s, 'src_dport'))
+ });
}
-function forward_proto_txt(s) {
- return fmt('%s-%s',
- fwtool.fmt_family(uci.get('firewall', s, 'family')),
- fwtool.fmt_proto(uci.get('firewall', s, 'proto'),
- uci.get('firewall', s, 'icmp_type')) || 'TCP+UDP');
+function rule_limit_txt(s) {
+ var m = String(uci.get('firewall', s, 'limit')).match(/^(\d+)\/([smhd])\w*$/i),
+ l = m ? {
+ num: +m[1],
+ unit: ({ s: _('second'), m: _('minute'), h: _('hour'), d: _('day') })[m[2]],
+ burst: uci.get('firewall', s, 'limit_burst')
+ } : null;
+
+ if (!l)
+ return '';
+
+ return fwtool.fmt(_('Limit matching to <var>%{limit.num}</var> packets per <var>%{limit.unit}</var>%{limit.burst? burst <var>%{limit.burst}</var>}'), { limit: l });
}
-function forward_src_txt(s) {
- var z = fwtool.fmt_zone(uci.get('firewall', s, 'src'), _('any zone')),
- a = fwtool.fmt_ip(uci.get('firewall', s, 'src_ip'), _('any host')),
- p = fwtool.fmt_port(uci.get('firewall', s, 'src_port')),
- m = fwtool.fmt_mac(uci.get('firewall', s, 'src_mac'));
-
- if (p && m)
- return fmt(_('From %s in %s with source %s and %s'), a, z, p, m);
- else if (p || m)
- return fmt(_('From %s in %s with source %s'), a, z, p || m);
- else
- return fmt(_('From %s in %s'), a, z);
+function rule_target_txt(s) {
+ var z = uci.get('firewall', s, 'dest');
+
+ return fwtool.fmt(_('<var data-tooltip="DNAT">Forward</var> to %{dest}%{dest_ip? IP <var>%{dest_ip}</var>}%{dest_port? port <var>%{dest_port}</var>}'), {
+ dest: E('span', { 'class': 'zonebadge', 'style': 'background-color:' + fwmodel.getColorForName((z && z != '*') ? z : null) }, [(z == '*') ? E('em', _('any zone')) : (z ? E('strong', z) : E('em', _('this device')))]),
+ dest_ip: (uci.get('firewall', s, 'dest_ip') || '').toLowerCase(),
+ dest_port: uci.get('firewall', s, 'dest_port')
+ });
}
-function forward_via_txt(s) {
- var a = fwtool.fmt_ip(uci.get('firewall', s, 'src_dip'), _('any router IP')),
- p = fwtool.fmt_port(uci.get('firewall', s, 'src_dport'));
+function validate_opt_family(m, section_id, opt) {
+ var dopt = m.section.getOption('dest_ip'),
+ fmopt = m.section.getOption('family');
+
+ if (!dopt.isValid(section_id) && opt != 'dest_ip')
+ return true;
+ if (!fmopt.isValid(section_id) && opt != 'family')
+ return true;
+
+ var dip = dopt.formvalue(section_id) || '',
+ fm = fmopt.formvalue(section_id) || '';
+
+ if (fm == '' || (fm == 'any' && dip == '') || (fm == 'ipv6' && (dip.indexOf(':') != -1 || dip == '')) || (fm == 'ipv4' && dip.indexOf(':') == -1))
+ return true;
- if (p)
- return fmt(_('Via %s at %s'), a, p);
- else
- return fmt(_('Via %s'), a);
+ return _('Address family, Internal IP address must match');
}
-return L.view.extend({
+return view.extend({
callHostHints: rpc.declare({
+ object: 'luci-rpc',
+ method: 'getHostHints',
+ expect: { '': {} }
+ }),
+
+ callConntrackHelpers: rpc.declare({
object: 'luci',
- method: 'host_hints'
+ method: 'getConntrackHelpers',
+ expect: { result: [] }
+ }),
+
+ callNetworkDevices: rpc.declare({
+ object: 'luci-rpc',
+ method: 'getNetworkDevices',
+ expect: { '': {} }
}),
load: function() {
return Promise.all([
- this.callHostHints()
+ this.callHostHints(),
+ this.callConntrackHelpers(),
+ this.callNetworkDevices(),
+ uci.load('firewall')
]);
},
render: function(data) {
+ if (fwtool.checkLegacySNAT())
+ return fwtool.renderMigration();
+ else
+ return this.renderForwards(data);
+ },
+
+ renderForwards: function(data) {
var hosts = data[0],
+ ctHelpers = data[1],
+ devs = data[2],
m, s, o;
+ var fw4 = L.hasSystemFeature('firewall4');
m = new form.Map('firewall', _('Firewall - Port Forwards'),
_('Port forwarding allows remote computers on the Internet to connect to a specific computer or service within the private LAN.'));
return uci.get('firewall', section_id, 'name') || _('Unnamed forward');
};
+ s.handleAdd = function(ev) {
+ var config_name = this.uciconfig || this.map.config,
+ section_id = uci.add(config_name, this.sectiontype);
+
+ uci.set(config_name, section_id, 'dest', 'lan');
+ uci.set(config_name, section_id, 'target', 'DNAT');
+
+ m.addedSection = section_id;
+ this.renderMoreOptionsModal(section_id);
+ };
+
o = s.taboption('general', form.Value, 'name', _('Name'));
o.placeholder = _('Unnamed forward');
o.modalonly = true;
+ if (fw4) {
+ o = s.taboption('general', form.ListValue, 'family', _('Restrict to address family'));
+ o.modalonly = true;
+ o.rmempty = true;
+ o.value('any', _('IPv4 and IPv6'));
+ o.value('ipv4', _('IPv4 only'));
+ o.value('ipv6', _('IPv6 only'));
+ o.value('', _('automatic')); // infer from zone or used IP addresses
+ o.cfgvalue = function(section_id) {
+ var val = this.map.data.get(this.map.config, section_id, 'family');
+
+ if (!val)
+ return '';
+ else if (val == 'any' || val == 'all' || val == '*')
+ return 'any';
+ else if (val == 'inet' || String(val).indexOf('4') != -1)
+ return 'ipv4';
+ else if (String(val).indexOf('6') != -1)
+ return 'ipv6';
+ };
+ o.validate = function(section_id, value) {
+ fwtool.updateHostHints(this.map, section_id, 'dest_ip', value, hosts);
+ return !fw4?true:validate_opt_family(this, section_id, 'family');
+ };
+ }
+
o = s.option(form.DummyValue, '_match', _('Match'));
o.modalonly = false;
o.textvalue = function(s) {
return E('small', [
- forward_proto_txt(s), E('br'),
- forward_src_txt(s), E('br'),
- forward_via_txt(s)
+ rule_proto_txt(s, ctHelpers), E('br'),
+ rule_src_txt(s, hosts), E('br'),
+ rule_dest_txt(s), E('br'),
+ rule_limit_txt(s)
]);
};
- o = s.option(form.ListValue, '_dest', _('Forward to'));
+ o = s.option(form.ListValue, '_dest', _('Action'));
o.modalonly = false;
o.textvalue = function(s) {
- var z = fwtool.fmt_zone(uci.get('firewall', s, 'dest'), _('any zone')),
- a = fwtool.fmt_ip(uci.get('firewall', s, 'dest_ip'), _('any host')),
- p = fwtool.fmt_port(uci.get('firewall', s, 'dest_port')) ||
- fwtool.fmt_port(uci.get('firewall', s, 'src_dport'));
-
- if (p)
- return fmt(_('%s, %s in %s'), a, p, z);
- else
- return fmt(_('%s in %s'), a, z);
+ return E('small', [
+ rule_target_txt(s)
+ ]);
};
o = s.option(form.Flag, 'enabled', _('Enable'));
o.default = o.enabled;
o.editable = true;
- o = s.taboption('general', form.Value, 'proto', _('Protocol'));
+ o = s.taboption('general', fwtool.CBIProtocolSelect, 'proto', _('Protocol'));
o.modalonly = true;
o.default = 'tcp udp';
- o.value('tcp udp', 'TCP+UDP');
- o.value('tcp', 'TCP');
- o.value('udp', 'UDP');
- o.value('icmp', 'ICMP');
-
- o.cfgvalue = function(/* ... */) {
- var v = this.super('cfgvalue', arguments);
- return (v == 'tcpudp') ? 'tcp udp' : v;
- };
o = s.taboption('general', widgets.ZoneSelect, 'src', _('Source zone'));
o.modalonly = true;
o.nocreate = true;
o.default = 'wan';
- o = s.taboption('advanced', form.Value, 'src_mac', _('Source MAC address'),
- _('Only match incoming traffic from these MACs.'));
+ o = s.taboption('advanced', form.Value, 'ipset', _('Use ipset'));
+ uci.sections('firewall', 'ipset', function(s) {
+ if (typeof(s.name) == 'string')
+ o.value(s.name, s.comment ? '%s (%s)'.format(s.name, s.comment) : s.name);
+ });
o.modalonly = true;
o.rmempty = true;
- o.datatype = 'neg(macaddr)';
- o.placeholder = E('em', _('any'));
- L.sortedKeys(hosts).forEach(function(mac) {
- o.value(mac, '%s (%s)'.format(
- mac,
- hosts[mac].name || hosts[mac].ipv4 || hosts[mac].ipv6 || '?'
- ));
- });
- o = s.taboption('advanced', form.Value, 'src_ip', _('Source IP address'),
- _('Only match incoming traffic from this IP or range.'));
- o.modalonly = true;
+ o = fwtool.addMACOption(s, 'advanced', 'src_mac', _('Source MAC address'),
+ _('Only match incoming traffic from these MACs.'), hosts);
o.rmempty = true;
- o.datatype = 'neg(ipmask4)';
- o.placeholder = E('em', _('any'));
- L.sortedKeys(hosts, 'ipv4', 'addr').forEach(function(mac) {
- o.value(hosts[mac].ipv4, '%s (%s)'.format(
- hosts[mac].ipv4,
- hosts[mac].name || mac
- ));
- });
+ o.datatype = 'list(neg(macaddr))';
+
+ o = fwtool.addIPOption(s, 'advanced', 'src_ip', _('Source IP address'),
+ _('Only match incoming traffic from this IP or range.'), !fw4?'ipv4':'', hosts);
+ o.rmempty = true;
+ o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
o = s.taboption('advanced', form.Value, 'src_port', _('Source port'),
_('Only match incoming traffic originating from the given source port or port range on the client host'));
o.rmempty = true;
o.datatype = 'neg(portrange)';
o.placeholder = _('any');
- o.depends('proto', 'tcp');
- o.depends('proto', 'udp');
- o.depends('proto', 'tcp udp');
- o.depends('proto', 'tcpudp');
+ o.depends({ proto: 'tcp', '!contains': true });
+ o.depends({ proto: 'udp', '!contains': true });
- o = s.taboption('advanced', form.Value, 'src_dip', _('External IP address'),
- _('Only match incoming traffic directed at the given IP address.'));
- o.modalonly = true;
+ o = fwtool.addLocalIPOption(s, 'advanced', 'src_dip', _('External IP address'),
+ _('Only match incoming traffic directed at the given IP address.'), devs);
+ o.datatype = !fw4?'neg(ipmask4("true"))':'neg(ipmask("true"))';
o.rmempty = true;
- o.datatype = 'neg(ipmask4)';
- o.placeholder = E('em', _('any'));
- L.sortedKeys(hosts, 'ipv4', 'addr').forEach(function(mac) {
- o.value(hosts[mac].ipv4, '%s (%s)'.format(
- hosts[mac].ipv4,
- hosts[mac].name || mac
- ));
- });
o = s.taboption('general', form.Value, 'src_dport', _('External port'),
_('Match incoming traffic directed at the given destination port or port range on this host'));
o.modalonly = true;
o.rmempty = false;
o.datatype = 'neg(portrange)';
- o.depends('proto', 'tcp');
- o.depends('proto', 'udp');
- o.depends('proto', 'tcp udp');
- o.depends('proto', 'tcpudp');
+ o.depends({ proto: 'tcp', '!contains': true });
+ o.depends({ proto: 'udp', '!contains': true });
o = s.taboption('general', widgets.ZoneSelect, 'dest', _('Internal zone'));
o.modalonly = true;
o.rmempty = true;
o.nocreate = true;
- o.default = 'lan';
- o = s.taboption('general', form.Value, 'dest_ip', _('Internal IP address'),
- _('Redirect matched incoming traffic to the specified internal host'));
- o.modalonly = true;
+ o = fwtool.addIPOption(s, 'general', 'dest_ip', _('Internal IP address'),
+ _('Redirect matched incoming traffic to the specified internal host'), !fw4?'ipv4':'', hosts);
o.rmempty = true;
- o.datatype = 'ipmask4';
- L.sortedKeys(hosts, 'ipv4', 'addr').forEach(function(mac) {
- o.value(hosts[mac].ipv4, '%s (%s)'.format(
- hosts[mac].ipv4,
- hosts[mac].name || mac
- ));
- });
+ o.datatype = !fw4?'ipmask4':'ipmask';
o = s.taboption('general', form.Value, 'dest_port', _('Internal port'),
_('Redirect matched incoming traffic to the given port on the internal host'));
o.rmempty = true;
o.placeholder = _('any');
o.datatype = 'portrange';
- o.depends('proto', 'tcp');
- o.depends('proto', 'udp');
- o.depends('proto', 'tcp udp');
- o.depends('proto', 'tcpudp');
+ o.depends({ proto: 'tcp', '!contains': true });
+ o.depends({ proto: 'udp', '!contains': true });
o = s.taboption('advanced', form.Flag, 'reflection', _('Enable NAT Loopback'));
o.modalonly = true;
o.rmempty = true;
o.default = o.enabled;
- o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
- _('Passes additional arguments to iptables. Use with care!'));
+ o = s.taboption('advanced', form.ListValue, 'reflection_src', _('Loopback source IP'), _('Specifies whether to use the external or the internal IP address for reflected traffic.'));
o.modalonly = true;
- o.rmempty = true;
+ o.depends('reflection', '1');
+ o.value('internal', _('Use internal IP address'));
+ o.value('external', _('Use external IP address'));
+ o.write = function(section_id, value) {
+ uci.set('firewall', section_id, 'reflection_src', (value != 'internal') ? value : null);
+ };
+
+ o = s.taboption('advanced', widgets.ZoneSelect, 'reflection_zone', _('Reflection zones'), _('Zones from which reflection rules shall be created. If unset, only the destination zone is used.'));
+ o.nocreate = true;
+ o.multiple = true;
+ o.modalonly = true;
+ o.depends('reflection', '1');
+
+ o = s.taboption('advanced', form.Value, 'helper', _('Match helper'), _('Match traffic using the specified connection tracking helper.'));
+ o.modalonly = true;
+ o.placeholder = _('any');
+ for (var i = 0; i < ctHelpers.length; i++)
+ o.value(ctHelpers[i].name, '%s (%s)'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase()));
+ o.validate = function(section_id, value) {
+ if (value == '' || value == null)
+ return true;
+
+ value = value.replace(/^!\s*/, '');
+
+ for (var i = 0; i < ctHelpers.length; i++)
+ if (value == ctHelpers[i].name)
+ return true;
+
+ return _('Unknown or not installed conntrack helper "%s"').format(value);
+ };
+
+ fwtool.addMarkOption(s, false);
+ fwtool.addLimitOption(s);
+ fwtool.addLimitBurstOption(s);
+
+ if (!L.hasSystemFeature('firewall4')) {
+ o = s.taboption('advanced', form.Value, 'extra', _('Extra arguments'),
+ _('Passes additional arguments to iptables. Use with care!'));
+ o.modalonly = true;
+ o.rmempty = true;
+ }
return m.render();
}