| 1 | # Copyright (C) 2009-2010 OpenWrt.org |
| 2 | |
# fw_config_get_rule SECTION
#
# Load the UCI "rule" section SECTION into the global rule_* variables
# (rule_name, rule_src, rule_src_ip, rule_dest_port, ...) that fw_load_rule
# consumes. Returns early without touching anything when SECTION is the
# section already held in rule_NAME, and propagates the status of
# fw_config_get_section when the section cannot be read.
#
# Defaults: proto falls back to "tcpudp"; everything else is empty. The
# "ipaddr" options appear to also provide a *_prefixlen companion variable
# (fw_load_rule reads rule_src_ip_prefixlen) -- TODO confirm against
# fw_config_get_section.
fw_config_get_rule() {
	# Section already loaded: nothing to do.
	if [ "${rule_NAME}" = "$1" ]; then
		return
	fi

	fw_config_get_section "$1" rule { \
		string _name "$1" \
		string name "" \
		string src "" \
		ipaddr src_ip "" \
		string src_mac "" \
		string src_port "" \
		string dest "" \
		ipaddr dest_ip "" \
		string dest_port "" \
		string icmp_type "" \
		string proto "tcpudp" \
		string target "" \
		string family "" \
	} || return

	# A rule without an explicit "name" option is referred to by its
	# section name in log messages.
	if [ -z "$rule_name" ]; then
		rule_name=$rule__name
	fi

	# icmp_type is only meaningful together with "proto icmp"; discard it
	# for every other protocol so it never reaches the iptables command line.
	if [ "$rule_proto" != "icmp" ]; then
		rule_icmp_type=
	fi
}
| 23 | |
# fw_load_rule SECTION
#
# Translate one UCI "rule" section into firewall rules. Loads the section via
# fw_config_get_rule, derives table/chain/target from the configured zones
# and target, and emits one rule per protocol (two for the default "tcpudp")
# through "fw add". Wrapped by the "pre rule" / "post rule" callbacks.
#
# NOTE(review): none of the option values (zones, ports, MAC, icmp type) are
# validated here; they come straight from UCI config and are assumed to be
# trustworthy. See the comments at the eval and the "fw add" call below.
fw_load_rule() {
	fw_config_get_rule "$1"

	# A NOTRACK rule lands in the zone_<src>_notrack chain (see below), so it
	# cannot be expressed without a source zone: log and skip instead of
	# emitting a rule into a chain named "zone__notrack".
	[ "$rule_target" != "NOTRACK" ] || [ -n "$rule_src" ] || {
		fw_log error "NOTRACK rule ${rule_name}: needs src, skipping"
		return 0
	}

	fw_callback pre rule

	# Normalise the port options in place (variable name first, then the
	# unquoted value). The exact rewrite is done by fw_get_port_range --
	# presumably turning "a-b" into iptables range syntax; confirm there.
	fw_get_port_range rule_src_port $rule_src_port
	fw_get_port_range rule_dest_port $rule_dest_port

	# Table/chain/target selection:
	#   default      -> table "f", chain "input", target REJECT when unset
	#   NOTRACK      -> table "r", chain zone_<src>_notrack
	#   src only     -> chain zone_<src>
	#   src + dest   -> chain zone_<src>_forward
	#   dest set     -> target becomes zone_<dest>_<target>
	# NOTE(review): "dest" without "src" keeps chain "input" but rewrites the
	# target to zone_<dest>_<target>; whether that combination is intended
	# is not visible here -- confirm against the zone chain layout.
	local table=f
	local chain=input
	local target="${rule_target:-REJECT}"
	if [ "$target" == "NOTRACK" ]; then
		table=r
		chain="zone_${rule_src}_notrack"
	else
		[ -n "$rule_src" ] && chain="zone_${rule_src}${rule_dest:+_forward}"
		[ -n "$rule_dest" ] && target="zone_${rule_dest}_${target}"
	fi

	# Address family handling: "x" is the fallback when no "family" option
	# is set (presumably "any"), and the source zone is consulted as a
	# further hint. Semantics of "mode" are defined by fw_get_family_mode;
	# its "G" prefix is stripped again when building the counter name below.
	local mode
	fw_get_family_mode mode ${rule_family:-x} $rule_src I

	# Build "-s"/"-d" match fragments, honouring a leading "!" negation via
	# fw_get_negation. The CIDR is assembled from the ipaddr option and its
	# *_prefixlen companion; an empty IP yields an empty fragment.
	local src_spec dest_spec
	fw_get_negation src_spec '-s' "${rule_src_ip:+$rule_src_ip/$rule_src_ip_prefixlen}"
	fw_get_negation dest_spec '-d' "${rule_dest_ip:+$rule_dest_ip/$rule_dest_ip_prefixlen}"

	# "tcpudp" expands to two separate rules. Note the loop variable is
	# rule_proto itself, so the global is left holding the last protocol.
	[ "$rule_proto" == "tcpudp" ] && rule_proto="tcp udp"
	for rule_proto in $rule_proto; do
		local rule_pos
		# Per-(family, chain) insertion counter kept in a dynamically named
		# global FW__RULE_COUNT_<mode>_<chain>.
		# NOTE(review): $chain is spliced unquoted into an eval'd string and is
		# derived from the configured zone names (rule_src/rule_dest). The
		# zone name is expected to be a plain identifier; a name containing
		# shell metacharacters would be evaluated here rather than rejected.
		# Whether zone names are validated upstream is not visible in this file.
		eval 'rule_pos=$((++FW__RULE_COUNT_'${mode#G}'_'$chain'))'

		# First brace group carries the raw addresses (presumably for family
		# detection inside "fw"), the second the iptables match arguments.
		# All expansions are deliberately unquoted so multi-word fragments
		# ("! -s a.b.c.d/n", "-m mac --mac-source ...") split into arguments;
		# rule_icmp_type is only non-empty for "proto icmp" (cleared by
		# fw_config_get_rule otherwise).
		fw add $mode $table $chain $target $rule_pos { $rule_src_ip $rule_dest_ip } { \
			$src_spec $dest_spec \
			${rule_proto:+-p $rule_proto} \
			${rule_src_port:+--sport $rule_src_port} \
			${rule_src_mac:+-m mac --mac-source $rule_src_mac} \
			${rule_dest_port:+--dport $rule_dest_port} \
			${rule_icmp_type:+--icmp-type $rule_icmp_type} \
		}
	done

	fw_callback post rule
}
| 72 | |