# Copyright (C) 2009-2010 OpenWrt.org
# Copyright (C) 2009 Malte S. Stretz

# Exit status of the most recent fw() call, one flag per address family
# (4 = iptables, 6 = ip6tables, i = both, e = ebtables, a = arptables).
# fw__exec() overwrites them through fw__rc(); they start out clean.
export FW_4_ERROR=0 FW_6_ERROR=0 FW_i_ERROR=0 FW_e_ERROR=0 FW_a_ERROR=0
#TODO: remove this
# fw() is the public front for fw__exec(). If the shell is tracing (-x) when
# this file is sourced, the wrapper switches tracing off around the call so
# the rule engine does not flood the trace, then restores the option set and
# hands back fw__exec()'s exit status unchanged.
case "$-" in
    *x*)
        fw() {
            local saved_opts=$-
            set +x
            fw__exec "$@"
            local status=$?
            set -$saved_opts
            return $status
        }
    ;;
    *)
        fw() {
            fw__exec "$@"
        }
    ;;
esac
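# Build and run one netfilter command from a compact rule description.
#
#   fw__exec <action> <family> <table> <chain> <target> <position> { <rules> }
#
# The six leading words are positional; each that is absent (the argument
# list ends or a literal '{' is reached) defaults to '-'. The words between
# '{' and '}' are appended to the command line as the rule's match/option
# arguments.
#
#   action    add | del | flush | policy | has | err | list
#   family    4 | 6 | i (both) | I (chosen from the address syntax found in
#             the rule) | e (ebtables) | a (arptables) | - (same as i);
#             G4 / G6 act like 4 / 6 but discard any extra words before '{'
#   table     f | m | n | r | - (filter), or a full table name
#   chain     chain name, or '-' (add/del then create/delete the chain)
#   target    --jump target, or '-'
#   position  ^ (insert at 1) | $ or - (append) | + (insert at a running
#             per-chain offset kept in FW__RULE_OFS_<app>_<table>_<chain>,
#             advanced after every successful insert) | explicit rule number
#
# A 4/6 rule is skipped, with FW_<family>_ERROR cleared, when
# FW_DISABLE_IPV4 / FW_DISABLE_IPV6 is not 0, when the tool is not installed
# (fw__has - family) or when ip6tables is asked for the nat table
# (fw__has <table>). '-p icmp' is rewritten to icmpv6 for ip6tables and
# --icmp-type / --icmpv6-type values are checked with fw_check_icmptype4/6.
#
# Globals: sets FW_<family>_ERROR to the exit status; FW_TRACE (non-empty)
#          echoes the final command line to stderr.
# Returns: the tool's exit status; 254 for an unknown action or family;
#          1 for an ICMP type that is invalid for the address family or for
#          an 'I' rule that mixes IPv4 and IPv6 addresses.
fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
    local cmd fam tab chn tgt pos
    local i
    for i in cmd fam tab chn tgt pos; do
        if [ -n "$1" ] && [ "$1" != '{' ]; then
            # Assign the word verbatim. The former eval "$i='$1'" let a
            # quote inside the value terminate the quoting, so the rest of
            # the value was parsed as shell code.
            eval "$i=\$1"
            shift
        else
            eval "$i=-"
        fi
    done

    # Record $1 as this family's error flag and return it.
    fw__rc() {
        export FW_${fam#G}_ERROR=$1
        return $1
    }

    # Family 'i': run the rule for both IPv4 and IPv6, error is the OR of both.
    fw__dualip() {
        fw $cmd 4 $tab $chn $tgt $pos "$@"
        fw $cmd 6 $tab $chn $tgt $pos "$@"
        fw__rc $((FW_4_ERROR | FW_6_ERROR))
    }

    # Family 'I': scan the rule words for an address and pick 4 or 6 from
    # its syntax; no address at all falls back to 'i'.
    fw__autoip() {
        local ip4 ip6
        shift
        while [ "$1" != '}' ]; do
            case "$1" in
                *:*) ip6=1 ;;
                *.*.*.*) ip4=1 ;;
            esac
            shift
        done
        shift
        if [ "${ip4:-4}" == "${ip6:-6}" ]; then
            echo "fw: can't mix ip4 and ip6" >&2
             return 1
        fi
        local ver=${ip4:+4}${ip6:+6}
        fam=i
        fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
        fw__rc $?
    }

    # With '-' (or no argument): is the tool installed at all?
    # With a table name: ip6tables has no nat table.
    fw__has() {
        local tab=${1:-$tab}
        if [ "$tab" == '-' ]; then
            type $app > /dev/null 2> /dev/null
            fw__rc $(($? & 1))
            return
        fi
        [ "$app" != ip6tables ] || [ "$tab" != nat ]
        fw__rc $?
    }

    # Re-raise the family's stored error flag as the return status.
    fw__err() {
        local err
        eval "err=\$FW_${fam}_ERROR"
        fw__rc $err
    }

    local app=
    local pol=
    case "$fam" in
        *4) [ "$FW_DISABLE_IPV4" == 0 ] && app=iptables || return ;;
        *6) [ "$FW_DISABLE_IPV6" == 0 ] && app=ip6tables || return ;;
        i) fw__dualip "$@"; return ;;
        I) fw__autoip "$@"; return ;;
        e) app=ebtables ;;
        a) app=arptables ;;
        -) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
        *) return 254 ;;
    esac
    case "$tab" in
        f) tab=filter ;;
        m) tab=mangle ;;
        n) tab=nat ;;
        r) tab=raw ;;
        -) tab=filter ;;
    esac
    # Map the short action onto the tool's long option, taking the presence
    # of a chain / target / position into account.
    case "$cmd:$chn:$tgt:$pos" in
        add:*:-:*) cmd=new-chain ;;
        add:*:*:-) cmd=append ;;
        add:*:*:$) cmd=append ;;
        add:*:*:*) cmd=insert ;;
        del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
        del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
        del:*:*:*) cmd=delete ;;
        flush:*) ;;
        policy:*) pol=$tgt; tgt=- ;;
        has:*) fw__has; return ;;
        err:*) fw__err; return ;;
        list:*) cmd="numeric --verbose --$cmd" ;;
        *) return 254 ;;
    esac
    case "$chn" in
        -) chn= ;;
    esac
    case "$tgt" in
        -) tgt= ;;
    esac

    local rule_offset
    case "$pos" in
        ^) pos=1 ;;
        $) pos= ;;
        -) pos= ;;
        +) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;;
    esac

    # Missing tool or unsupported table: silently skip and report success.
    if ! fw__has - family || ! fw__has $tab ; then
        export FW_${fam}_ERROR=0
        return 0
    fi

    # G4 / G6: drop every extra word up to the opening brace.
    case "$fam" in
        G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
    esac

    if [ $# -gt 0 ]; then
        shift
        if [ "$cmd" == delete ]; then
            pos=
        fi
    fi

    # The command line is assembled as one string and executed unquoted
    # below, so every rule word is subject to word splitting.
    local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}"
    while [ $# -gt 1 ]; do
        # special parameter handling
        case "$1:$2" in
            -p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58)
                [ "$app" = ip6tables ] && \
                    cmdline="$cmdline -p icmpv6" || \
                    cmdline="$cmdline -p icmp"
                shift
            ;;
            --icmp-type:*|--icmpv6-type:*)
                local icmp_type
                if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then
                    cmdline="$cmdline $icmp_type"
                elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then
                    cmdline="$cmdline $icmp_type"
                else
                    # 'fam' is reused here only as the family label for the log line.
                    local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6
                    fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule"
                    return 1
                fi
                shift
            ;;
            *) cmdline="$cmdline $1" ;;
        esac
        shift
    done

    [ -n "$FW_TRACE" ] && echo $cmdline >&2

    $cmdline

    local rv=$?
    # A successful '+' insert bumps the per-chain offset for the next rule.
    [ $rv -eq 0 ] && [ -n "$rule_offset" ] && \
        export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))"
    fw__rc $rv
}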
# Normalise a port specification into "<first><delim><last>" and export it.
#
#   $1  name of the variable to export
#   $2  a single port, or a "low-high" range
#   $3  separator placed between the two ends (default ':')
#   $4  optional explicit upper bound, combined with $2 as "$2-$4"
#
# A single port, or a range whose two ends are equal, exports just the first
# port. A leading '!' on the first port is kept; one on the last is dropped.
fw_get_port_range() {
    local _var=$1
    local _ports=$2
    local _delim=${3:-:}

    if [ -n "$4" ]; then
        fw_get_port_range "$_var" "${_ports}-${4}" "$_delim"
        return
    fi

    local _lo=${_ports%-*}
    local _hi=${_ports#*-}
    local _range=$_lo
    [ "${_lo#!}" = "${_hi#!}" ] || _range="$_lo$_delim${_hi#!}"
    export -- "$_var=$_range"
}
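# Decide which address family a zone's rules are generated for.
#
#   $1  name of the variable to set (not exported)
#   $2  hint: a value ending in 4 or 6 selects that family if the zone has it
#   $3  zone name, or '*' for "any zone" (both families)
#   $4  mode written when neither family can be decided
#
# Sets $1 to G4, G6 or $4. Zone membership is taken from the FW_ZONES4 /
# FW_ZONES6 lists when either is set, otherwise from the <zone>_ipv4 /
# <zone>_ipv6 entries of firewall.core state (default 0).
fw_get_family_mode() {
    local _var="$1"
    local _hint="$2"
    local _zone="$3"
    local _mode="$4"

    local _ipv4 _ipv6
    if [ "$_zone" = "*" ]; then
        _ipv4=1
        _ipv6=1
    elif [ -n "$FW_ZONES4$FW_ZONES6" ]; then
        list_contains FW_ZONES4 "$_zone" && _ipv4=1 || _ipv4=0
        list_contains FW_ZONES6 "$_zone" && _ipv6=1 || _ipv6=0
    else
        # Plain if/elif replaces the former `&& { } || { }` chain, whose
        # "any zone" fallback also ran whenever the last uci_get_state here
        # returned non-zero.
        _ipv4=$(uci_get_state firewall core "${_zone}_ipv4" 0)
        _ipv6=$(uci_get_state firewall core "${_zone}_ipv6" 0)
    fi

    case "$_hint:$_ipv4:$_ipv6" in
        *4:1:*|*:1:0) export -n -- "$_var=G4" ;;
        *6:*:1|*:0:1) export -n -- "$_var=G6" ;;
        *) export -n -- "$_var=$_mode" ;;
    esac
}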
# Render a rule option from a value that may carry a leading '!'.
#
#   $1  name of the variable to set (not exported)
#   $2  option flag, e.g. --src
#   $3  value, optionally prefixed with '!'
#
# Sets $1 to "<flag> <value>", to "! <flag> <value>" when the value was
# negated, or to the empty string when the value is empty.
fw_get_negation() {
    local _var="$1"
    local _flag="$2"
    local _value="$3"

    local _plain=${_value#!}
    if [ "$_plain" = "$_value" ]; then
        export -n -- "$_var=${_value:+$_flag $_value}"
    else
        export -n -- "$_var=! $_flag $_plain"
    fi
}
# Build an IPv4 "<flag> <ipaddr>/<netmask>" option for a named network.
#
#   $1  name of the variable to set (not exported)
#   $2  option flag, e.g. --src
#   $3  network name from network state, optionally prefixed with '!'
#
# Reads ipaddr and netmask from the network's state; a missing netmask
# becomes 255.255.255.255. Returns 0 and sets $1 when ipaddr looks like a
# dotted quad, otherwise clears $1 and returns 1.
fw_get_subnet4() {
    local _var="$1"
    local _flag="$2"
    local _name="$3"

    local _net=${_name#!}
    local _neg=
    [ "$_net" = "$_name" ] || _neg="! "

    local _ipaddr _netmask
    _ipaddr=$(uci_get_state network "$_net" ipaddr)
    _netmask=$(uci_get_state network "$_net" netmask)

    case "$_ipaddr" in
        *.*.*.*)
            export -n -- "$_var=$_neg$_flag $_ipaddr/${_netmask:-255.255.255.255}"
            return 0
        ;;
    esac

    export -n -- "$_var="
    return 1
}
# Validate an ICMP type for iptables and render its --icmp-type option.
#
#   $1  name of the variable to set (not exported)
#   $2  type, numeric or symbolic, optionally prefixed with '!'
#
# Numeric types are accepted as they are. Symbolic ones must appear in
# FW_ICMP4_TYPES, which is filled once from the "Valid ICMP Types" section
# of `iptables -p icmp -h`. Returns 0 with $1 set to "[! ]--icmp-type <type>",
# or clears $1 and returns 1 for an unknown type.
fw_check_icmptype4() {
    local _var="$1"
    local _type="$2"

    local _name=${_type#!}
    local _neg=
    [ "$_name" = "$_type" ] || _neg="! "

    # NOTE(review): only the leading digit is checked here; the caller puts
    # the value straight on the iptables command line, so the type is
    # presumably trusted configuration — verify against the callers.
    case "$_name" in
        [0-9]*)
            export -n -- "$_var=$_neg--icmp-type $_name"
            return 0
        ;;
    esac

    if [ -z "$FW_ICMP4_TYPES" ]; then
        export FW_ICMP4_TYPES=$(
            iptables -p icmp -h 2>/dev/null | \
            sed -n -e '/^Valid ICMP Types:/ {
                n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
            }' | sort -u
        )
    fi

    local _known
    for _known in $FW_ICMP4_TYPES; do
        [ "$_known" = "$_name" ] || continue
        export -n -- "$_var=$_neg--icmp-type $_name"
        return 0
    done

    export -n -- "$_var="
    return 1
}
# Validate an ICMPv6 type for ip6tables and render its --icmpv6-type option.
#
#   $1  name of the variable to set (not exported)
#   $2  type, numeric or symbolic, optionally prefixed with '!'
#
# Numeric types are accepted as they are. Symbolic ones must appear in
# FW_ICMP6_TYPES, which is filled once from the "Valid ICMPv6 Types" section
# of `ip6tables -p icmpv6 -h`. Returns 0 with $1 set to
# "[! ]--icmpv6-type <type>", or clears $1 and returns 1 for an unknown type.
fw_check_icmptype6() {
    local _var="$1"
    local _type="$2"

    local _name=${_type#!}
    local _neg=
    [ "$_name" = "$_type" ] || _neg="! "

    # NOTE(review): only the leading digit is checked here; the caller puts
    # the value straight on the ip6tables command line, so the type is
    # presumably trusted configuration — verify against the callers.
    case "$_name" in
        [0-9]*)
            export -n -- "$_var=$_neg--icmpv6-type $_name"
            return 0
        ;;
    esac

    if [ -z "$FW_ICMP6_TYPES" ]; then
         export FW_ICMP6_TYPES=$(
             ip6tables -p icmpv6 -h 2>/dev/null | \
             sed -n -e '/^Valid ICMPv6 Types:/ {
                 n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
             }' | sort -u
         )
    fi

    local _known
    for _known in $FW_ICMP6_TYPES; do
        [ "$_known" = "$_name" ] || continue
        export -n -- "$_var=$_neg--icmpv6-type $_name"
        return 0
    done

    export -n -- "$_var="
    return 1
}