# Copyright (C) 2009-2010 OpenWrt.org
| 2 | |
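FW_LIBDIR=${FW_LIBDIR:-/lib/firewall}

# Shared firewall helpers; the functions below depend on them. The path is
# quoted so an FW_LIBDIR containing whitespace cannot split into several words.
. "$FW_LIBDIR/fw.sh"
include /lib/network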
| 7 | |
fw_start() {
  # Build the ruleset from the "firewall" UCI config in a fixed order:
  # defaults, zones, forwardings, redirects, rules, includes, conntrack
  # optimisation, then the per-interface hookup. Refuses to run on top of an
  # already loaded firewall. Records the zone list and a "loaded" flag as UCI
  # state so fw_stop can undo the work later.
  fw_init

  # Cleared before the defaults section is processed; presumably consulted by
  # fw_load_defaults (defined elsewhere) — confirm there.
  FW_DEFAULTS_APPLIED=

  # A second start would layer chains on top of the existing ones, so bail out.
  if fw_is_loaded; then
    echo "firewall already loaded" >&2
    exit 1
  fi

  uci_set_state firewall core "" firewall_state

  # Flush with DROP (fw_stop uses ACCEPT) while the new rules are put in place.
  fw_clear DROP

  fw_callback pre core

  echo "Loading defaults"
  fw_config_once fw_load_defaults defaults

  echo "Loading zones"
  config_foreach fw_load_zone zone

  echo "Loading forwardings"
  config_foreach fw_load_forwarding forwarding

  echo "Loading redirects"
  config_foreach fw_load_redirect redirect

  echo "Loading rules"
  config_foreach fw_load_rule rule

  echo "Loading includes"
  config_foreach fw_load_include include

  # NOTRACK optimisation is optional; FW_NOTRACK_DISABLED opts out of it.
  if [ -z "$FW_NOTRACK_DISABLED" ]; then
    echo "Optimizing conntrack"
    config_foreach fw_load_notrack_zone zone
  fi

  echo "Loading interfaces"
  config_foreach fw_configure_interface interface add

  fw_callback post core

  # State consumed by fw_stop (zones) and fw_is_loaded (loaded).
  uci_set_state firewall core zones "$FW_ZONES"
  uci_set_state firewall core loaded 1
}
| 55 | |
fw_stop() {
  # Undo fw_start: tell hotplug consumers that every zone interface is going
  # away, remove the per-zone MSSFIX chains, flush the ruleset with ACCEPT
  # (fw_start uses DROP) and throw away the UCI state and the callback
  # registry built by fw_init, so a subsequent fw_start starts from scratch.
  fw_init

  fw_callback pre stop

  local zones zone nets net dev mss
  config_get zones core zones
  for zone in $zones; do
    config_get nets core "${zone}_networks"
    for net in $nets; do
      config_get dev core "${net}_ifname"
      # env -i gives hotplug-call a scrubbed environment: only the firewall
      # event variables below are passed through.
      if [ -n "$dev" ]; then
        env -i ACTION=remove ZONE="$zone" \
          INTERFACE="$net" DEVICE="$dev" /sbin/hotplug-call firewall
      fi
    done

    config_get mss core "${zone}_tcpmss"
    if [ "$mss" = 1 ]; then
      fw del i m FORWARD "zone_${zone}_MSSFIX"
      fw del i m "zone_${zone}_MSSFIX"
    fi
  done

  fw_clear ACCEPT

  fw_callback post stop

  uci_revert_state firewall
  config_clear

  # Drop every FW_CB_* list that fw_init registered, then the registry itself.
  local hook
  for hook in $FW_HOOKS; do unset "$hook"; done

  unset FW_HOOKS
  unset FW_INITIALIZED
}
| 91 | |
fw_restart() {
  # Tear the current ruleset down, then rebuild it from the UCI config.
  # fw_stop also clears FW_INITIALIZED, so fw_start re-runs fw_init.
  fw_stop
  fw_start
}
| 96 | |
fw_reload() {
  # No incremental reload exists; a reload is a full restart.
  fw_restart
}
| 100 | |
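fw_is_loaded() {
  # Returns 0 when the UCI state says a firewall is loaded (fw_start stores
  # firewall.core.loaded=1), 1 otherwise. An unset/empty value or "0" means
  # not loaded; any other non-empty value counts as loaded. A plain string
  # comparison is used instead of arithmetic so a corrupt or non-numeric
  # state value cannot abort the shell with an expansion error.
  local loaded
  loaded=$(uci_get_state firewall.core.loaded)
  case "$loaded" in
    ''|0) return 1 ;;
    *) return 0 ;;
  esac
}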
| 105 | |
| 106 | |
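fw_die() {
  # Fatal error: log the message, tear the firewall down and exit 1.
  # fw_log already writes "Error: <message>" to stderr for the error level,
  # so it is not echoed here as well (that printed every fatal error twice).
  fw_log error "$@"
  fw_stop
  exit 1
}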
| 113 | |
fw_log() {
  # Usage: fw_log [level] message...
  # With only one argument the level defaults to "notice". Messages at level
  # "error" are additionally echoed to stderr. Everything is sent to syslog
  # through logger, tagged "firewall", at priority user.<level>.
  local level
  if [ -n "$2" ]; then
    level=$1
    shift
  else
    level=notice
  fi
  if [ "$level" = error ]; then
    echo "Error: $@" >&2
  fi
  logger -t firewall -p user.$level "$@"
}
| 120 | |
| 121 | |
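fw_init() {
  # One-time initialisation: source the config helpers, scan interfaces,
  # append the firewall config, then discover the library modules under
  # $FW_LIBDIR and register their pre/post hook callbacks. Idempotent via
  # FW_INITIALIZED (cleared again by fw_stop). Note that every *.sh file in
  # $FW_LIBDIR is sourced into this shell, so that directory is trusted code.
  [ -z "$FW_INITIALIZED" ] || return 0

  . "$FW_LIBDIR/config.sh"

  scan_interfaces
  fw_config_append firewall

  local hooks="core stop defaults zone notrack synflood"
  local file lib hk pp
  # core_<name>.sh modules extend the hook list with <name>.
  for file in "$FW_LIBDIR"/core_*.sh; do
    # Without nullglob an unmatched pattern is returned literally; skip it
    # instead of trying to source a file that does not exist.
    [ -f "$file" ] || continue
    . "$file"
    hk=${file##*/}
    hk=${hk%.sh}
    hk=${hk#core_}
    append hooks "$hk"
  done
  # Every other [NN_]<lib>.sh is a plugin. A function named
  # <lib>_<pre|post>_<hook>_cb registers <lib> for that hook in
  # FW_CB_<pre|post>_<hook>, and the list name is recorded in FW_HOOKS so
  # fw_stop can unset it.
  for file in "$FW_LIBDIR"/*.sh; do
    [ -f "$file" ] || continue
    lib=${file##*/}
    lib=${lib%.sh}
    lib=${lib##[0-9][0-9]_}
    case $lib in
      core*|fw|config|uci_firewall) continue ;;
    esac
    . "$file"
    for hk in $hooks; do
      for pp in pre post; do
        if type "${lib}_${pp}_${hk}_cb" >/dev/null 2>&1; then
          append "FW_CB_${pp}_${hk}" "$lib"
          append FW_HOOKS "FW_CB_${pp}_${hk}"
        fi
      done
    done
  done

  fw_callback post init

  FW_INITIALIZED=1
  return 0
}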
| 160 | |