local nodes = {}
- table.insert(nodes, entry({"admin", "network", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
- table.insert(nodes, entry({"admin", "network", "routing"}, cbi("luci_fw/routing"), i18n("fw_routing", "Routing"), 73))
- table.insert(nodes, entry({"admin", "network", "firewall"}, cbi("luci_fw/firewall"), i18n("fw_fw", "Firewall"), 76))
+ table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
+ table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
+ table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))
+ table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
+ table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))
+ table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))
table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
-fw_fw = [[Firewall]]
-fw_portfw = [[Portweiterleitung]]
-fw_routing = [[Routing]]
-fw_fw1 = [[Mit Hilfe der Firewall können Zugriffe auf das Netzwerk
-erlaubt, verboten oder umgeleitet werden.]]
-lucifw_rule_chain = "Kette"
-lucifw_rule_iface = "Eingangsschnittstelle"
-lucifw_rule_oface = "Ausgangsschnittstelle"
-lucifw_rule_source = "Quelladresse"
-lucifw_rule_destination = "Zieladresse"
-lucifw_rule_mac = "MAC-Adresse"
-lucifw_rule_sport = "Quellport"
-lucifw_rule_dport = "Zielport"
-lucifw_rule_tosrc = "Neue Quelladresse [SNAT]"
-lucifw_rule_todest = "Neue Zieladresse [DNAT]"
-lucifw_rule_jump = "Aktion"
-lucifw_rule_command = "Eigener Befehl"
-fw_accept = "annehmen (ACCEPT)"
-fw_reject = "zurückweisen (REJECT)"
-fw_drop = "verwerfen (DROP)"
-fw_log = "protokollieren (LOG)"
-fw_dnat = "Ziel umschreiben (DNAT) [nur Prerouting]"
-fw_masq = "maskieren (MASQUERADE) [nur Postrouting]"
-fw_snat = "Quelle umschreiben (SNAT) [nur Postrouting]"
+fw_portfw = "Portweiterleitung"
+fw_forwarding = "Weiterleitung"
+fw_fw = "Firewall"
+fw_zone = "Zone"
+fw_zones = "Zonen"
+fw_custfwd = "Eigene Weiterleitungen"
+fw_rules = "Eigene Regeln"
+fw_rules1 = "An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren."
+fw_fw1 = "Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen."
+firewall_rule_src = "Eingangszone"
+firewall_rule_dest = "Ausgangszone"
+firewall_rule_srcip = "Quelladresse"
+firewall_rule_destip = "Zieladresse"
+firewall_rule_srcmac = "Quell-MAC-Adresse"
+firewall_rule_srcport = "Quellport"
+firewall_rule_destport = "Zielport"
+firewall_rule_target = "Aktion"
+fw_accept = "annehmen"
+fw_reject = "zurückweisen"
+fw_drop = "verwerfen"
-fw_portfw1 = [[Portweiterleitungen ermöglichen es interne
-Netzwerkdienste von einem anderen externen Netzwerk aus erreichbar zu machen.]]
-lucifw_portfw_iface_desc = "Externe Schnittstelle"
-lucifw_portfw_dport = "Externer Port"
-lucifw_portfw_dport_desc = "Einzelner Port oder Erster Port-Letzter Port"
-lucifw_portfw_to = "Interne Adresse"
-lucifw_portfw_to_desc = "IP, IP:Port oder IP:Erster Port-Letzter Port"
+fw_portfw1 = [[Portweiterleitungen ermöglichen es interne Netzwerkdienste aus einem externen Netzwerk heraus erreichbar zu machen.]]
+firewall_redirect_src_desc = "Externe Zone"
+firewall_redirect_srcdport = "Externer Port"
+firewall_redirect_srcdport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_destip = "Interne Adresse"
+firewall_redirect_destip_desc = "IP-Adresse"
+firewall_redirect_destport = "Interner Port (optional)"
+firewall_redirect_destport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_srcip = firewall_rule_srcip
+firewall_redirect_srcmac = firewall_rule_srcmac
+firewall_redirect_srcport = firewall_rule_srcport
-fw_routing1 = [[An dieser Stelle wird festlegt, welcher Netzverkehr zwischen einzelnen
-Schnittstellen erlaubt werden soll. Es werden jeweils nur neue Verbindungen
-betrachtet, d.h. Pakete von aufgebauten oder zugehörigen Verbindungen werden automatisch in beide Richtungen
-akzeptiert, auch wenn das Feld "beide Richtungen" nicht explizit gesetzt ist.
-NAT ermöglicht Adressübersetzung.]]
-lucifw_routing_iface = "Eingang"
-lucifw_routing_iface_desc = lucifw_rule_iface
-lucifw_routing_oface = "Ausgang"
-lucifw_routing_oface_desc = lucifw_rule_oface
-lucifw_routing_fwd_desc = "weiterleiten"
-lucifw_routing_nat_desc = "übersetzen"
-lucifw_routing_bidi_desc = "beide Richtungen"
\ No newline at end of file
+fw_forwarding1 = [[An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann.
+Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch
+akzeptiert.]]
+firewall_forwarding_src = "Eingang"
+firewall_forwarding_src_desc = firewall_rule_src
+firewall_forwarding_dest = "Ausgang"
+firewall_forwarding_dest_desc = firewall_rule_dest
+
+firewall_defaults = "Grundeinstellungen"
+firewall_defaults_desc = "Grundeinstellungen die verwendet werden, wenn keine andere Regel angewandt werden kann."
+firewall_defaults_synflood = "Schutz vor SYN-flood-Attacken"
+firewall_defaults_input = "Eingehender Verkehr"
+firewall_defaults_output = "Ausgehender Verkehr"
+firewall_defaults_forward = "Weitergeleiteter Verkehr"
+
+firewall_zone_desc = [[Zonen teilen das Netzwerk in mehrere Bereiche ein um Netzverkehr sicher zu trennen.
+Ein oder mehrere Netzwerke gehören zu einer Zone.
+Das MASQ-Flag legt fest, dass aller ausgehende Netzverkehr einer Zone NAT-maskiert wird.]]
+firewall_zone_input = "Eingehender Verkehr"
+firewall_zone_input_desc = "Standardaktion"
+firewall_zone_output = "Ausgehender Verkehr"
+firewall_zone_output_desc = "Standardaktion"
+firewall_zone_forward = "Weitergeleiteter Verkehr"
+firewall_zone_forward_desc = "Standardaktion"
+firewall_zone_masq = "MASQ"
+firewall_zone_network = "Netzwerke"
+firewall_zone_network_desc = "verbundene Netzwerke"
\ No newline at end of file
fw_portfw = "Port forwarding"
-fw_routing = "Routing"
+fw_forwarding = "Forwarding"
fw_fw = "Firewall"
-fw_fw1 = "Here you can grant, access or redirect network traffic."
-lucifw_rule_chain = "Chain"
-lucifw_rule_iface = "Input interface"
-lucifw_rule_oface = "Output interface"
-lucifw_rule_source = "Source address"
-lucifw_rule_destination = "Destination address"
-lucifw_rule_mac = "MAC-Address"
-lucifw_rule_sport = "Source port"
-lucifw_rule_dport = "Destination port"
-lucifw_rule_tosrc = "New source address [SNAT]"
-lucifw_rule_todest = "New target address [DNAT]"
-lucifw_rule_jump = "Action"
-lucifw_rule_command = "Custom Command"
+fw_zone = "Zone"
+fw_zones = "Zones"
+fw_custfwd = "Custom redirect"
+fw_rules = "Custom Rules"
+fw_rules1 = "Here you can create custom firewall rules to control your network traffic."
+fw_fw1 = "The firewall creates zones over your network interfaces to control network traffic flow."
+firewall_rule_src = "Input Zone"
+firewall_rule_dest = "Output Zone"
+firewall_rule_srcip = "Source address"
+firewall_rule_destip = "Destination address"
+firewall_rule_srcmac = "Source MAC-Address"
+firewall_rule_srcport = "Source port"
+firewall_rule_destport = "Destination port"
+firewall_rule_target = "Action"
fw_accept = "accept"
fw_reject = "reject"
fw_drop = "drop"
-fw_log = "log"
-fw_dnat = "change destination (DNAT) [prerouting only]"
-fw_masq = "masquerade [postrouting only]"
-fw_snat = "change source (SNAT) [postrouting only]"
fw_portfw1 = [[Port forwarding allows to provide network services
in the internal network to an external network.]]
-lucifw_portfw_iface_desc = "External interface"
-lucifw_portfw_dport = "External port"
-lucifw_portfw_dport_desc = "single port or first port-last port"
-lucifw_portfw_to = "Internal address"
-lucifw_portfw_to_desc = "IP, IP:port or IP:first port-last port"
+firewall_redirect_src_desc = "External Zone"
+firewall_redirect_srcdport = "External port"
+firewall_redirect_srcdport_desc = "port or range as first:last"
+firewall_redirect_destip = "Internal address"
+firewall_redirect_destip_desc = "IP-Address"
+firewall_redirect_destport = "Internal port (optional)"
+firewall_redirect_destport_desc = "port or range as first:last"
+firewall_redirect_srcip = firewall_rule_srcip
+firewall_redirect_srcmac = firewall_rule_srcmac
+firewall_redirect_srcport = firewall_rule_srcport
-fw_routing1 = [[Here you can specify which network traffic is allowed to flow between network interfaces.
+fw_forwarding1 = [[Here you can specify which network traffic is allowed to flow between network zones.
Only new connections will be matched. Packets belonging to already open connections are automatically allowed
-to pass the firewall in this case you do not need to set the "bidirectional" flag. NAT provides
-address translation.]]
-lucifw_routing_iface = "Input"
-lucifw_routing_iface_desc = lucifw_rule_iface
-lucifw_routing_oface = "Output"
-lucifw_routing_oface_desc = lucifw_rule_oface
-lucifw_routing_fwd_desc = "forward"
-lucifw_routing_nat_desc = "translate"
-lucifw_routing_bidi_desc = "bidirectional"
\ No newline at end of file
+to pass the firewall.]]
+firewall_forwarding_src = "Input"
+firewall_forwarding_src_desc = firewall_rule_src
+firewall_forwarding_dest = "Output"
+firewall_forwarding_dest_desc = firewall_rule_dest
+
+firewall_defaults = "Defaults"
+firewall_defaults_desc = "These are the default settings that are used if no other rules match."
+firewall_defaults_synflood = "SYN-flood protection"
+firewall_defaults_input = "Incoming Traffic"
+firewall_defaults_output = "Outgoing Traffic"
+firewall_defaults_forward = "Forwarded Traffic"
+
+firewall_zone_desc = [[Zones part the network interfaces into certain isolated areas to separate network traffic.
+One or more networks can belong to a zone. The MASQ-flag enables NAT masquerading for all outgoing traffic on this zone.]]
+firewall_zone_input = "Incoming Traffic"
+firewall_zone_input_desc = "Default Policy"
+firewall_zone_output = "Outgoing Traffic"
+firewall_zone_output_desc = "Default Policy"
+firewall_zone_forward = "Forwarded Traffic"
+firewall_zone_forward_desc = "Default Policy"
+firewall_zone_masq = "MASQ"
+firewall_zone_network = "Networks"
+firewall_zone_network_desc = "contained networks"
\ No newline at end of file
--- /dev/null
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+require("luci.sys")
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+
+
+s = m:section(TypedSection, "redirect", "")
+s.addremove = true
+s.anonymous = true
+
+name = s:option(Value, "_name", translate("name"))
+name.rmempty = true
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))
+iface.default = "wan"
+luci.model.uci.foreach("firewall", "zone",
+ function (section)
+ iface:value(section.name)
+ end)
+
+s:option(Value, "src_ip").optional = true
+s:option(Value, "src_mac").optional = true
+
+sport = s:option(Value, "src_port")
+sport.optional = true
+sport:depends("proto", "tcp")
+sport:depends("proto", "udp")
+
+proto = s:option(ListValue, "proto", translate("protocol"))
+proto.optional = true
+proto:value("")
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+
+dport = s:option(Value, "src_dport")
+dport.size = 5
+dport.optional = true
+dport:depends("proto", "tcp")
+dport:depends("proto", "udp")
+
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.optional = true
+toport.size = 5
+
+return m
$Id$
]]--
-m = Map("luci_fw", translate("fw_fw"), translate("fw_fw1"))
+m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))
s = m:section(TypedSection, "rule", "")
s.addremove = true
s.anonymous = true
-chain = s:option(ListValue, "chain")
-chain:value("forward", "Forward")
-chain:value("input", "Input")
-chain:value("output", "Output")
-chain:value("prerouting", "Prerouting")
-chain:value("postrouting", "Postrouting")
+iface = s:option(ListValue, "src")
+iface:value("")
+iface.rmempty = true
-iface = s:option(ListValue, "iface")
-iface.optional = true
-
-oface = s:option(ListValue, "oface")
+oface = s:option(ListValue, "dest")
oface.optional = true
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
function (section)
- if section[".name"] ~= "loopback" then
- iface:value(section[".name"])
- oface:value(section[".name"])
- end
+ iface:value(section.name)
+ oface:value(section.name)
end)
proto = s:option(ListValue, "proto", translate("protocol"))
proto:value("")
proto:value("tcp", "TCP")
proto:value("udp", "UDP")
+proto:value("icmp", "ICMP")
-s:option(Value, "source").optional = true
-s:option(Value, "destination").optional = true
-s:option(Value, "mac").optional = true
+s:option(Value, "src_ip").optional = true
+s:option(Value, "dest_ip").optional = true
+s:option(Value, "src_mac").optional = true
-sport = s:option(Value, "sport")
+sport = s:option(Value, "src_port")
sport.optional = true
sport:depends("proto", "tcp")
sport:depends("proto", "udp")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "dest_port")
dport.optional = true
dport:depends("proto", "tcp")
dport:depends("proto", "udp")
-tosrc = s:option(Value, "tosrc")
-tosrc.optional = true
-tosrc:depends("jump", "SNAT")
-
-tosrc = s:option(Value, "todest")
-tosrc.optional = true
-tosrc:depends("jump", "DNAT")
-
-jump = s:option(ListValue, "jump")
+jump = s:option(ListValue, "target")
jump.rmempty = true
-jump:value("", "")
+jump:value("DROP", translate("fw_drop"))
jump:value("ACCEPT", translate("fw_accept"))
jump:value("REJECT", translate("fw_reject"))
-jump:value("DROP", translate("fw_drop"))
-jump:value("LOG", translate("fw_log"))
-jump:value("DNAT", translate("fw_dnat"))
-jump:value("MASQUERADE", translate("fw_masq"))
-jump:value("SNAT", translate("fw_snat"))
-
-add = s:option(Value, "command")
-add.size = 50
-add.rmempty = true
return m
--- /dev/null
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+m = Map("firewall", translate("fw_fw"), translate("fw_fw1"))
+
+s = m:section(TypedSection, "defaults")
+s.anonymous = true
+
+s:option(Flag, "syn_flood")
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+ v:value("DROP", translate("fw_drop"))
+ v:value("ACCEPT", translate("fw_accept"))
+end
+
+
+s = m:section(TypedSection, "zone", translate("fw_zones"))
+s.template = "cbi/tblsection"
+s.anonymous = true
+s.addremove = true
+
+name = s:option(Value, "name", translate("name"))
+name.size = 8
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+ v:value("DROP", translate("fw_drop"))
+ v:value("ACCEPT", translate("fw_accept"))
+end
+
+s:option(Flag, "masq")
+
+net = s:option(MultiValue, "network")
+net.widget = "select"
+net.rmempty = true
+luci.model.uci.foreach("network", "interface",
+ function (section)
+ if section[".name"] ~= "loopback" then
+ net:value(section[".name"])
+ end
+ end)
+
+function net.cfgvalue(self, section)
+ local value = MultiValue.cfgvalue(self, section)
+ return value or name:cfgvalue(section)
+end
+
+return m
\ No newline at end of file
$Id$
]]--
require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
-s = m:section(TypedSection, "portfw", "")
-s:depends("iface", "wan")
-s.defaults.iface = "wan"
+s = m:section(TypedSection, "redirect", "")
+s:depends("src", "wan")
+s.defaults.src = "wan"
s.template = "cbi/tblsection"
s.addremove = true
s.anonymous = true
-name = s:option(Value, "_name", translate("name") .. translate("cbi_optional"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10
-proto = s:option(ListValue, "proto", translate("protocol"))
+proto = s:option(ListValue, "protocol", translate("protocol"))
proto:value("tcp", "TCP")
proto:value("udp", "UDP")
-proto:value("tcpudp", "TCP + UDP")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5
-to = s:option(Value, "to")
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.size = 5
return m
$Id$
]]--
require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
-s = m:section(TypedSection, "portfw", "")
+
+s = m:section(TypedSection, "redirect", "")
s.template = "cbi/tblsection"
s.addremove = true
s.anonymous = true
-iface = s:option(ListValue, "iface", translate("interface"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))
iface.default = "wan"
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
function (section)
- if section[".name"] ~= "loopback" then
- iface:value(section[".name"])
- end
+ iface:value(section.name)
end)
proto = s:option(ListValue, "proto", translate("protocol"))
proto:value("tcp", "TCP")
proto:value("udp", "UDP")
-proto:value("tcpudp", "TCP + UDP")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5
+
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+ to:value(dataset["IP address"])
+end
-to = s:option(Value, "to")
+toport = s:option(Value, "dest_port")
+toport.size = 5
return m
$Id$
]]--
-m = Map("luci_fw", translate("fw_routing"), translate("fw_routing1"))
+m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))
-s = m:section(TypedSection, "routing", "")
+s = m:section(TypedSection, "forwarding", "")
s.template = "cbi/tblsection"
s.addremove = true
s.anonymous = true
-iface = s:option(ListValue, "iface")
-oface = s:option(ListValue, "oface")
+iface = s:option(ListValue, "src")
+oface = s:option(ListValue, "dest")
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
function (section)
- if section[".name"] ~= "loopback" then
- iface:value(section[".name"])
- oface:value(section[".name"])
- end
+ iface:value(section.name)
+ oface:value(section.name)
end)
-s:option(Flag, "fwd", "FWD").rmempty = true
-s:option(Flag, "nat", "NAT").rmempty = true
-s:option(Flag, "bidi", "<->").rmempty = true
-
return m
+++ /dev/null
-
-
\ No newline at end of file
+++ /dev/null
-#!/bin/sh /etc/rc.common
-START=46
-
-apply_portfw() {
- local cfg="$1"
- config_get proto "$cfg" proto
- config_get dport "$cfg" dport
- config_get iface "$cfg" iface
- config_get to "$cfg" to
-
- config_get ifname "$iface" ifname
-
- [ -n "$proto" ] || return 0
- [ -n "$dport" ] || return 0
- [ -n "$ifname" ] || return 0
- [ -n "$to" ] || return 0
-
- dport=$(echo $dport | sed -e 's/-/:/')
-
- ports=$(echo $to | cut -sd: -f2)
- if [ -n "$ports" ]; then
- ports="--dport $(echo $ports | sed -e 's/-/:/')"
- else
- ports="--dport $dport"
- fi
-
- ip=$(echo $to | cut -d: -f1)
-
- if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
- iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to"
- iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT
- fi
-
- if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
- iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to"
- iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT
- fi
-}
-
-apply_routing() {
- local cfg="$1"
- config_get iface "$cfg" iface
- config_get oface "$cfg" oface
- config_get_bool fwd "$cfg" fwd
- config_get_bool nat "$cfg" nat
- config_get_bool bidi "$cfg" bidi
-
- config_get ifname "$iface" ifname
- config_get ofname "$oface" ifname
-
- [ -n "$ifname" ] || return 0
- [ -n "$ofname" ] || return 0
-
- [ "$fwd" -gt 0 ] && {
- iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
- [ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
- }
-
- [ "$nat" -gt 0 ] && {
- config_get ifip "$iface" ipaddr
- config_get ifmask "$iface" netmask
- eval "$(ipcalc.sh $ifip $ifmask)"
-
- iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ofname" -j MASQUERADE
-
- [ "$bidi" -gt 0 ] && {
- config_get ofip "$oface" ipaddr
- config_get ofmask "$oface" netmask
- eval "$(ipcalc.sh $ofip $ofmask)"
-
- iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ifname" -j MASQUERADE
- }
- }
-}
-
-apply_rule() {
- local cfg="$1"
- local cmd=""
-
- config_get chain "$cfg" chain
- [ -n "$chain" ] || return 0
- [ "$chain" == "forward" ] && cmd="$cmd -A luci_fw_forward"
- [ "$chain" == "input" ] && cmd="$cmd -A luci_fw_input"
- [ "$chain" == "output" ] && cmd="$cmd -A luci_fw_output"
- [ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_fw_prerouting"
- [ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
-
- config_get iface "$cfg" iface
- config_get ifname "$iface" ifname
- [ -n "$ifname" ] && cmd="$cmd -i $ifname"
-
- config_get oface "$cfg" oface
- config_get ofname "$oface" ifname
- [ -n "$ofname" ] && cmd="$cmd -o $ofname"
-
- config_get proto "$cfg" proto
- [ -n "$proto" ] && cmd="$cmd -p $proto"
-
- config_get source "$cfg" source
- [ -n "$source" ] && cmd="$cmd -s $source"
-
- config_get destination "$cfg" destination
- [ -n "$destination" ] && cmd="$cmd -d $destination"
-
- config_get sport "$cfg" sport
- [ -n "$sport" ] && cmd="$cmd --sport $sport"
-
- config_get dport "$cfg" dport
- [ -n "$dport" ] && cmd="$cmd --dport $dport"
-
- config_get todest "$cfg" todest
- [ -n "$todest" ] && cmd="$cmd --to-destination $todest"
-
- config_get tosrc "$cfg" tosrc
- [ -n "$tosrc" ] && cmd="$cmd --to-source $tosrc"
-
- config_get mac "$cfg" mac
- [ -n "$mac" ] && cmd="$cmd -m mac --mac-source $mac"
-
- config_get jump "$cfg" jump
- [ -n "$jump" ] && cmd="$cmd -j $jump"
-
- config_get command "$cfg" command
- [ -n "$command" ] && cmd="$cmd $command"
-
- iptables $cmd
-}
-
-start() {
- ### Create subchains
- iptables -N luci_fw_input
- iptables -N luci_fw_output
- iptables -N luci_fw_forward
- iptables -t nat -N luci_fw_prerouting
- iptables -t nat -N luci_fw_postrouting
-
- ### Hook in the chains
- iptables -A input_rule -j luci_fw_input
- iptables -A output_rule -j luci_fw_output
- iptables -A forwarding_rule -j luci_fw_forward
- iptables -t nat -A prerouting_rule -j luci_fw_prerouting
- iptables -t nat -A postrouting_rule -j luci_fw_postrouting
-
- ### Scan network interfaces
- include /lib/network
- scan_interfaces
-
- ### Read chains from config
- config_load luci_fw
- config_foreach apply_rule rule
- config_foreach apply_portfw portfw
- config_foreach apply_routing routing
-}
-
-stop() {
- ### Hook out the chains
- iptables -D input_rule -j luci_fw_input
- iptables -D output_rule -j luci_fw_output
- iptables -D forwarding_rule -j luci_fw_forward
- iptables -t nat -D prerouting_rule -j luci_fw_prerouting
- iptables -t nat -D postrouting_rule -j luci_fw_postrouting
-
- ### Clear subchains
- iptables -F luci_fw_input
- iptables -F luci_fw_output
- iptables -F luci_fw_forward
- iptables -t nat -F luci_fw_prerouting
- iptables -t nat -F luci_fw_postrouting
-
- ### Delete subchains
- iptables -X luci_fw_input
- iptables -X luci_fw_output
- iptables -X luci_fw_forward
- iptables -t nat -X luci_fw_prerouting
- iptables -t nat -X luci_fw_postrouting
-}
define Package/luci-app-firewall
$(call Package/luci/webtemplate)
- DEPENDS+=+luci-admin-core
+ DEPENDS+=+luci-admin-core +firewall
TITLE:=Firewall and Portforwarding application
endef
option firewall "/etc/firewall.user"
config event uci_oncommit
- option network "/sbin/luci-reload network firewall luci_fw dnsmasq"
- option wireless "/sbin/luci-reload network firewall luci_fw dnsmasq"
+ option network "/sbin/luci-reload network firewall dnsmasq"
+ option wireless "/sbin/luci-reload network firewall dnsmasq"
option olsr "/sbin/luci-reload olsrd"
option dhcp "/sbin/luci-reload dnsmasq"
option dropbear "/sbin/luci-reload dropbear"
option httpd "/sbin/luci-reload httpd"
option fstab "/sbin/luci-reload fstab"
option qos "/sbin/luci-reload qos"
- option luci_fw "/sbin/luci-reload luci_fw"
+ option firewall "/sbin/luci-reload firewall"
option luci_ethers "/sbin/luci-reload luci_ethers dnsmasq"
option luci_splash "/sbin/luci-reload luci_splash"
option upnpd "/etc/init.d/miniupnpd enabled && /sbin/luci-reload miniupnpd || /etc/init.d/miniupnpd stop"
projects / project / luci.git / commitdiff