# Copyright (C) 2009-2010 OpenWrt.org
fw_config_get_rule() {
	# Load UCI rule section "$1" into the rule_* variables.  A no-op when
	# that section is already the loaded one (rule_NAME is presumably set
	# by fw_config_get_section from the previous load — confirm there).
	# Propagates a non-zero status when the section cannot be read.
	if [ "$rule_NAME" = "$1" ]; then
		return 0
	fi

	# Option list with defaults; "_name" becomes rule__name and always holds
	# the section id, "proto" defaults to the combined tcp+udp pseudo value.
	fw_config_get_section "$1" rule { \
		string _name "$1" \
		string name "" \
		string src "" \
		ipaddr src_ip "" \
		string src_mac "" \
		string src_port "" \
		string dest "" \
		ipaddr dest_ip "" \
		string dest_port "" \
		string icmp_type "" \
		string proto "tcpudp" \
		string target "" \
		string family "" \
		string limit "" \
		string limit_burst "" \
		string extra "" \
	} || return

	# Fall back to the section id when no explicit "name" option is given,
	# so log messages always have something to print.
	rule_name="${rule_name:-$rule__name}"
}
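fw_load_rule() {
	# Emit the iptables rule(s) for UCI rule section "$1": one "fw add" per
	# combination of protocol, source port, dest port, source MAC and ICMP
	# type.  Wraps the work in the pre/post "rule" callbacks.
	fw_config_get_rule "$1"

	# A NOTRACK rule is hooked into the per-zone notrack chain below, so it
	# must name a concrete source zone; "" or "*" would yield a chain that
	# does not exist.  (The original condition was an ||-chain that could
	# never reach the error branch.)
	if [ "$rule_target" = "NOTRACK" ] && { [ -z "$rule_src" ] || [ "$rule_src" = "*" ]; }; then
		fw_log error "NOTRACK rule ${rule_name}: needs src, skipping"
		return 0
	fi

	fw_callback pre rule

	# table: f = filter, r = raw (NOTRACK must live in the raw table).
	local table=f
	local chain=input
	local target="${rule_target:-REJECT}"
	if [ "$target" = "NOTRACK" ]; then
		table=r
		chain="zone_${rule_src}_notrack"
	else
		# Chain from src: a named zone -> zone_<src>[_forward]; "*" -> the
		# generic forward (with dest) or input chain; empty -> input.
		if [ -n "$rule_src" ]; then
			if [ "$rule_src" != "*" ]; then
				chain="zone_${rule_src}${rule_dest:+_forward}"
			else
				chain="${rule_dest:+forward}"
				chain="${chain:-input}"
			fi
		fi

		# A named dest zone routes the target through that zone's chain;
		# dest "*" with REJECT uses the shared lowercase "reject" chain.
		if [ -n "$rule_dest" ]; then
			if [ "$rule_dest" != "*" ]; then
				target="zone_${rule_dest}_${target}"
			elif [ "$target" = REJECT ]; then
				target=reject
			fi
		fi
	fi

	local mode
	# NOTE(review): $rule_src is deliberately left unquoted as in the original;
	# when it is empty the positional arguments shift left.  Confirm that
	# fw_get_family_mode tolerates this before quoting it.
	fw_get_family_mode mode ${rule_family:-x} $rule_src I

	# Address match specs, with the optional "!" negation handled by the
	# helper.  The prefix length vars are presumably set by the ipaddr
	# option parser in fw_config_get_rule — confirm there.
	local src_spec dest_spec
	fw_get_negation src_spec '-s' "${rule_src_ip:+$rule_src_ip/$rule_src_ip_prefixlen}"
	fw_get_negation dest_spec '-d' "${rule_dest_ip:+$rule_dest_ip/$rule_dest_ip_prefixlen}"

	# Expand the "tcpudp" pseudo protocol.  The global rule_proto is updated
	# on purpose so the post callback sees the expanded list.
	[ "$rule_proto" = "tcpudp" ] && rule_proto="tcp udp"
	local pr; for pr in $rule_proto; do
		local sports dports itypes
		case "$pr" in
			# ICMP (v4/v6, by name or number): ports do not apply, only types.
			icmp|icmpv6|1|58)
				sports=""; dports=""
				itypes="$rule_icmp_type"
				;;
			*)
				sports="$rule_src_port"
				dports="$rule_dest_port"
				itypes=""
				;;
		esac

		fw_get_negation pr '-p' "$pr"
		# Each ${x:-""} yields one empty word when the list is empty, so every
		# inner loop runs at least once and the match option is simply omitted.
		local sp; for sp in ${sports:-""}; do
			fw_get_port_range sp $sp
			fw_get_negation sp '--sport' "$sp"
			local dp; for dp in ${dports:-""}; do
				fw_get_port_range dp $dp
				fw_get_negation dp '--dport' "$dp"
				local sm; for sm in ${rule_src_mac:-""}; do
					fw_get_negation sm '--mac-source' "$sm"
					local it; for it in ${itypes:-""}; do
						fw_get_negation it '--icmp-type' "$it"
						# $rule_extra is the admin's raw "extra" option; it is
						# intentionally unquoted so it word-splits into
						# separate iptables arguments.
						fw add $mode $table $chain $target + \
							{ $rule_src_ip $rule_dest_ip } { \
							$src_spec $dest_spec \
							$pr $sp $dp $it \
							${sm:+-m mac $sm} \
							${rule_limit:+-m limit --limit $rule_limit \
							${rule_limit_burst:+--limit-burst $rule_limit_burst}} \
							$rule_extra \
						}
					done
				done
			done
		done
	done

	fw_callback post rule
}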