| 1 | # Copyright (C) 2009-2010 OpenWrt.org |
| 2 | |
# Load the options of the UCI "rule" section named $1 into the rule_*
# variables.  Every option is given an explicit default so the variable
# exists afterwards even when the config leaves it unset; "proto"
# defaults to the pseudo-protocol "tcpudp", which fw_load_rule expands.
fw_config_get_rule() {
	if [ "${rule_NAME}" = "$1" ]; then
		# This section is already loaded; the rule_* variables are
		# current.  Status 1 mirrors the failed comparison of the guard.
		return 1
	fi
	fw_config_get_section "$1" rule { \
		string _name "$1" \
		string name "" \
		string src "" \
		ipaddr src_ip "" \
		string src_mac "" \
		string src_port "" \
		string dest "" \
		ipaddr dest_ip "" \
		string dest_port "" \
		string icmp_type "" \
		string proto "tcpudp" \
		string target "" \
		string family "" \
		string limit "" \
		string limit_burst "" \
		string extra "" \
	} || return
	# Without an explicit "name" option the section name is used for
	# log messages.
	: "${rule_name:=$rule__name}"
}
| 25 | |
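# Translate the UCI "rule" section named $1 into one or more "fw add"
# calls (one per protocol / port / MAC / ICMP-type combination).  A
# section with an unusable NOTRACK configuration is logged and skipped
# with status 0; otherwise the status of the last fw_callback is returned.
fw_load_rule() {
	fw_config_get_rule "$1"

	# A NOTRACK rule is placed in the per-zone notrack chain, so it needs
	# a concrete source zone: neither empty nor the "*" wildcard.  Both
	# conditions must hold together, hence the grouped test — written as
	# three chained "||" tests the skip branch could never be reached,
	# because src cannot be empty and equal to "*" at the same time.
	[ "$rule_target" != "NOTRACK" ] || { [ -n "$rule_src" ] && [ "$rule_src" != "*" ]; } || {
		fw_log error "NOTRACK rule ${rule_name}: needs src, skipping"
		return 0
	}

	fw_callback pre rule

	# Defaults: filter table, "input" chain, REJECT target.
	local table=f
	local chain=input
	local target="${rule_target:-REJECT}"
	if [ "$target" = "NOTRACK" ]; then
		# NOTRACK lives in the raw table and the source zone's chain.
		table=r
		chain="zone_${rule_src}_notrack"
	else
		# Pick the chain from src/dest: a named src zone selects that
		# zone's input (or forward, when dest is set) chain; a "*" src
		# selects the global forward chain when dest is set, else input.
		if [ -n "$rule_src" ]; then
			if [ "$rule_src" != "*" ]; then
				chain="zone_${rule_src}${rule_dest:+_forward}"
			else
				chain="${rule_dest:+forward}"
				chain="${chain:-input}"
			fi
		fi

		# A named dest zone redirects to that zone's target chain; with a
		# "*" dest, REJECT maps onto the shared lowercase "reject" chain.
		if [ -n "$rule_dest" ]; then
			if [ "$rule_dest" != "*" ]; then
				target="zone_${rule_dest}_${target}"
			elif [ "$target" = REJECT ]; then
				target=reject
			fi
		fi
	fi

	# NOTE(review): $rule_src is deliberately left unquoted so an empty
	# src drops the argument entirely — confirm fw_get_family_mode
	# expects that positional shift.
	local mode
	fw_get_family_mode mode ${rule_family:-x} $rule_src I

	# Source/destination address specs, with "!" negation handled by
	# fw_get_negation; the prefix length comes from the ipaddr options.
	local src_spec dest_spec
	fw_get_negation src_spec '-s' "${rule_src_ip:+$rule_src_ip/$rule_src_ip_prefixlen}"
	fw_get_negation dest_spec '-d' "${rule_dest_ip:+$rule_dest_ip/$rule_dest_ip_prefixlen}"

	# "tcpudp" is a pseudo-protocol meaning one rule each for tcp and udp.
	# The loop lists are expanded once, so reusing the rule_* names as
	# loop variables and overwriting them inside the body is safe.  The
	# ${var:-""} form yields a single empty word when the option is unset,
	# so every loop runs at least once.
	[ "$rule_proto" = "tcpudp" ] && rule_proto="tcp udp"
	for rule_proto in $rule_proto; do
		fw_get_negation rule_proto '-p' "$rule_proto"
		for rule_src_port in ${rule_src_port:-""}; do
			fw_get_port_range rule_src_port $rule_src_port
			fw_get_negation rule_src_port '--sport' "$rule_src_port"
			for rule_dest_port in ${rule_dest_port:-""}; do
				fw_get_port_range rule_dest_port $rule_dest_port
				fw_get_negation rule_dest_port '--dport' "$rule_dest_port"
				for rule_src_mac in ${rule_src_mac:-""}; do
					fw_get_negation rule_src_mac '--mac-source' "$rule_src_mac"
					for rule_icmp_type in ${rule_icmp_type:-""}; do
						# --icmp-type is only valid together with -p icmp.
						[ "$rule_proto" = "-p icmp" ] || rule_icmp_type=""
						fw add $mode $table $chain $target + \
							{ $rule_src_ip $rule_dest_ip } { \
							$src_spec $dest_spec $rule_proto \
							$rule_src_port $rule_dest_port \
							${rule_src_mac:+-m mac $rule_src_mac} \
							${rule_icmp_type:+--icmp-type $rule_icmp_type} \
							${rule_limit:+-m limit --limit $rule_limit \
							${rule_limit_burst:+--limit-burst $rule_limit_burst}} \
							$rule_extra \
						}
					done
				done
			done
		done
	done

	fw_callback post rule
}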
| 99 | |