Diffstat (limited to 'package/network/config/firewall/files/lib/fw.sh')
-rw-r--r--package/network/config/firewall/files/lib/fw.sh324
1 files changed, 0 insertions, 324 deletions
diff --git a/package/network/config/firewall/files/lib/fw.sh b/package/network/config/firewall/files/lib/fw.sh
deleted file mode 100644
index ca851e81c0..0000000000
--- a/package/network/config/firewall/files/lib/fw.sh
+++ /dev/null
@@ -1,324 +0,0 @@
-# Copyright (C) 2009-2010 OpenWrt.org
-# Copyright (C) 2009 Malte S. Stretz
-
-export FW_4_ERROR=0
-export FW_6_ERROR=0
-export FW_i_ERROR=0
-export FW_e_ERROR=0
-export FW_a_ERROR=0
-
-#TODO: remove this
-[ "${-#*x}" == "$-" ] && {
- fw() {
- fw__exec "$@"
- }
-} || {
- fw() {
- local os=$-
- set +x
- fw__exec "$@"
- local rc=$?
- set -$os
- return $rc
- }
-}
-
-fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
- local cmd fam tab chn tgt pos
- local i
- for i in cmd fam tab chn tgt pos; do
- if [ "$1" -a "$1" != '{' ]; then
- eval "$i='$1'"
- shift
- else
- eval "$i=-"
- fi
- done
-
- fw__rc() {
- export FW_${fam#G}_ERROR=$1
- return $1
- }
-
- fw__dualip() {
- fw $cmd 4 $tab $chn $tgt $pos "$@"
- fw $cmd 6 $tab $chn $tgt $pos "$@"
- fw__rc $((FW_4_ERROR | FW_6_ERROR))
- }
-
- fw__autoip() {
- local ip4 ip6
- shift
- while [ "$1" != '}' ]; do
- case "$1" in
- *:*) ip6=1 ;;
- *.*.*.*) ip4=1 ;;
- esac
- shift
- done
- shift
- if [ "${ip4:-4}" == "${ip6:-6}" ]; then
- echo "fw: can't mix ip4 and ip6" >&2
- return 1
- fi
- local ver=${ip4:+4}${ip6:+6}
- fam=i
- fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@"
- fw__rc $?
- }
-
- fw__has() {
- local tab=${1:-$tab}
- if [ $tab == '-' ]; then
- type $app > /dev/null 2> /dev/null
- fw__rc $(($? & 1))
- return
- fi
- [ "$app" != ip6tables ] || [ "$tab" != nat ]
- fw__rc $?
- }
-
- fw__err() {
- local err
- eval "err=\$FW_${fam}_ERROR"
- fw__rc $err
- }
-
- local app=
- local pol=
- case "$fam" in
- *4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables || return ;;
- *6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
- i) fw__dualip "$@"; return ;;
- I) fw__autoip "$@"; return ;;
- e) app=ebtables ;;
- a) app=arptables ;;
- -) fw $cmd i $tab $chn $tgt $pos "$@"; return ;;
- *) return 254 ;;
- esac
- case "$tab" in
- f) tab=filter ;;
- m) tab=mangle ;;
- n) tab=nat ;;
- r) tab=raw ;;
- -) tab=filter ;;
- esac
- case "$cmd:$chn:$tgt:$pos" in
- add:*:-:*) cmd=new-chain ;;
- add:*:*:-) cmd=append ;;
- add:*:*:$) cmd=append ;;
- add:*:*:*) cmd=insert ;;
- del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;;
- del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;;
- del:*:*:*) cmd=delete ;;
- flush:*) ;;
- policy:*) pol=$tgt; tgt=- ;;
- has:*) fw__has; return ;;
- err:*) fw__err; return ;;
- list:*) cmd="numeric --verbose --$cmd" ;;
- *) return 254 ;;
- esac
- case "$chn" in
- -) chn= ;;
- esac
- case "$tgt" in
- -) tgt= ;;
- esac
-
- local rule_offset
- case "$pos" in
- ^) pos=1 ;;
- $) pos= ;;
- -) pos= ;;
- +) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;;
- esac
-
- if ! fw__has - family || ! fw__has $tab ; then
- export FW_${fam}_ERROR=0
- return 0
- fi
-
- case "$fam" in
- G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
- esac
-
- if [ $# -gt 0 ]; then
- shift
- if [ $cmd == delete ]; then
- pos=
- fi
- fi
-
- local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}"
- while [ $# -gt 1 ]; do
- # special parameter handling
- case "$1:$2" in
- -p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58)
- [ "$app" = ip6tables ] && \
- cmdline="$cmdline -p icmpv6" || \
- cmdline="$cmdline -p icmp"
- shift
- ;;
- --icmp-type:*|--icmpv6-type:*)
- local icmp_type
- if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then
- cmdline="$cmdline $icmp_type"
- elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then
- cmdline="$cmdline $icmp_type"
- else
- local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6
- fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule"
- return 1
- fi
- shift
- ;;
- *) cmdline="$cmdline $1" ;;
- esac
- shift
- done
-
- [ -n "$FW_TRACE" ] && echo $cmdline >&2
-
- $cmdline
-
- local rv=$?
- [ $rv -eq 0 ] && [ -n "$rule_offset" ] && \
- export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))"
- fw__rc $rv
-}
-
-fw_get_port_range() {
- local _var=$1
- local _ports=$2
- local _delim=${3:-:}
- if [ "$4" ]; then
- fw_get_port_range $_var "${_ports}-${4}" $_delim
- return
- fi
-
- local _first=${_ports%-*}
- local _last=${_ports#*-}
- if [ "${_first#!}" != "${_last#!}" ]; then
- export -- "$_var=$_first$_delim${_last#!}"
- else
- export -- "$_var=$_first"
- fi
-}
-
-fw_get_family_mode() {
- local _var="$1"
- local _hint="$2"
- local _zone="$3"
- local _mode="$4"
-
- local _ipv4 _ipv6
- [ "$_zone" != "*" ] && {
- [ -n "$FW_ZONES4$FW_ZONES6" ] && {
- list_contains FW_ZONES4 "$_zone" && _ipv4=1 || _ipv4=0
- list_contains FW_ZONES6 "$_zone" && _ipv6=1 || _ipv6=0
- } || {
- _ipv4=$(uci_get_state firewall core "${_zone}_ipv4" 0)
- _ipv6=$(uci_get_state firewall core "${_zone}_ipv6" 0)
- }
- } || {
- _ipv4=1
- _ipv6=1
- }
-
- case "$_hint:$_ipv4:$_ipv6" in
- *4:1:*|*:1:0) export -n -- "$_var=G4" ;;
- *6:*:1|*:0:1) export -n -- "$_var=G6" ;;
- *) export -n -- "$_var=$_mode" ;;
- esac
-}
-
-fw_get_negation() {
- local _var="$1"
- local _flag="$2"
- local _value="$3"
-
- [ "${_value#!}" != "$_value" ] && \
- export -n -- "$_var=! $_flag ${_value#!}" || \
- export -n -- "$_var=${_value:+$_flag $_value}"
-}
-
-fw_get_subnet4() {
- local _var="$1"
- local _flag="$2"
- local _name="$3"
-
- local _ipaddr="$(uci_get_state network "${_name#!}" ipaddr)"
- local _netmask="$(uci_get_state network "${_name#!}" netmask)"
-
- case "$_ipaddr" in
- *.*.*.*)
- [ "${_name#!}" != "$_name" ] && \
- export -n -- "$_var=! $_flag $_ipaddr/${_netmask:-255.255.255.255}" || \
- export -n -- "$_var=$_flag $_ipaddr/${_netmask:-255.255.255.255}"
- return 0
- ;;
- esac
-
- export -n -- "$_var="
- return 1
-}
-
-fw_check_icmptype4() {
- local _var="$1"
- local _type="$2"
- case "$_type" in
- ![0-9]*) export -n -- "$_var=! --icmp-type ${_type#!}"; return 0 ;;
- [0-9]*) export -n -- "$_var=--icmp-type $_type"; return 0 ;;
- esac
-
- [ -z "$FW_ICMP4_TYPES" ] && \
- export FW_ICMP4_TYPES=$(
- iptables -p icmp -h 2>/dev/null | \
- sed -n -e '/^Valid ICMP Types:/ {
- n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
- }' | sort -u
- )
-
- local _check
- for _check in $FW_ICMP4_TYPES; do
- if [ "$_check" = "${_type#!}" ]; then
- [ "${_type#!}" != "$_type" ] && \
- export -n -- "$_var=! --icmp-type ${_type#!}" || \
- export -n -- "$_var=--icmp-type $_type"
- return 0
- fi
- done
-
- export -n -- "$_var="
- return 1
-}
-
-fw_check_icmptype6() {
- local _var="$1"
- local _type="$2"
- case "$_type" in
- ![0-9]*) export -n -- "$_var=! --icmpv6-type ${_type#!}"; return 0 ;;
- [0-9]*) export -n -- "$_var=--icmpv6-type $_type"; return 0 ;;
- esac
-
- [ -z "$FW_ICMP6_TYPES" ] && \
- export FW_ICMP6_TYPES=$(
- ip6tables -p icmpv6 -h 2>/dev/null | \
- sed -n -e '/^Valid ICMPv6 Types:/ {
- n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r
- }' | sort -u
- )
-
- local _check
- for _check in $FW_ICMP6_TYPES; do
- if [ "$_check" = "${_type#!}" ]; then
- [ "${_type#!}" != "$_type" ] && \
- export -n -- "$_var=! --icmpv6-type ${_type#!}" || \
- export -n -- "$_var=--icmpv6-type $_type"
- return 0
- fi
- done
-
- export -n -- "$_var="
- return 1
-}