luci-mod-status: hide iptables firewall status when nft is present

Do not expose the iptables status page as menu item when nftables is present
on the system. Instead add a warning banner to the nftables status page
directing the user to the hidden iptables status page when we encounter
legacy rules on the system.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js
index da247a45b8c1dcb0ee44431b3952c55d1df1bd32..c5677c1ebbb708fb9e641ac4a59a88e731d3985c 100644 (file)
--- a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js
+++ b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/nftables.js
@@ -132,7 +132,11 @@ var action_translations = {
 
 return view.extend({
        load: function() {
-               return L.resolveDefault(fs.exec_direct('/usr/sbin/nft', [ '--json', 'list', 'ruleset' ], 'json'), {});
+               return Promise.all([
+                       L.resolveDefault(fs.exec_direct('/usr/sbin/nft', [ '--json', 'list', 'ruleset' ], 'json'), {}),
+                       L.resolveDefault(fs.exec_direct('/usr/sbin/iptables-save'), ''),
+                       L.resolveDefault(fs.exec_direct('/usr/sbin/ip6tables-save'), '')
+               ]);
        },
 
        isActionExpression: function(expr) {
@@ -662,15 +666,32 @@ return view.extend({
                return node;
        },
 
+       checkLegacyRules: function(ipt4save, ipt6save) {
+               if (ipt4save.match(/\n-A /) || ipt6save.match(/\n-A /)) {
+                       ui.addNotification(_('Legacy rules detected'), [
+                               E('p', _('There are legacy iptables rules present on the system. Mixing iptables and nftables rules is discouraged and may lead to incomplete traffic filtering.')),
+                               E('button', {
+                                       'class': 'btn cbi-button',
+                                       'click': function() { location.href = 'nftables/iptables' }
+                               }, _('Open iptables rules overview…'))
+                       ], 'warning');
+               }
+       },
+
        render: function(data) {
-               var view = E('div');
+               var view = E('div'),
+                   nft = data[0],
+                   ipt = data[1],
+                   ipt6 = data[2];
+
+               this.checkLegacyRules(ipt, ipt6);
 
-               if (!Array.isArray(data.nftables))
-                       return E('em', _('No nftables ruleset load'));
+               if (!Array.isArray(nft.nftables))
+                       return E('em', _('No nftables ruleset loaded.'));
 
-               for (var i = 0; i < data.nftables.length; i++)
-                       if (data.nftables[i].hasOwnProperty('table'))
-                               view.appendChild(this.renderTable(data.nftables, data.nftables[i].table));
+               for (var i = 0; i < nft.nftables.length; i++)
+                       if (nft.nftables[i].hasOwnProperty('table'))
+                               view.appendChild(this.renderTable(nft.nftables, nft.nftables[i].table));
 
                return view;
        },

diff --git a/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json b/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json
index 8aa58e161652fd6524539fd1618f488e1a70ca12..190eef0ad3107a38df8bff2853cbd25057a1b062 100644 (file)
--- a/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json
+++ b/modules/luci-mod-status/root/usr/share/luci/menu.d/luci-mod-status.json
@@ -24,7 +24,7 @@
        },
 
        "admin/status/iptables": {
-               "title": "Firewall (iptables)",
+               "title": "Firewall",
                "order": 3,
                "action": {
                        "type": "view",
@@ -33,14 +33,14 @@
                "depends": {
                        "acl": [ "luci-mod-status-firewall" ],
                        "fs": [
-                               { "/usr/sbin/iptables": "executable" },
-                               { "/usr/sbin/ip6tables": "executable" }
+                               { "/usr/sbin/nft": "absent", "/usr/sbin/iptables": "executable" },
+                               { "/usr/sbin/nft": "absent", "/usr/sbin/ip6tables": "executable" }
                        ]
                }
        },
 
        "admin/status/nftables": {
-               "title": "Firewall (nftables)",
+               "title": "Firewall",
                "order": 3,
                "action": {
                        "type": "view",
@@ -52,6 +52,13 @@
                }
        },
 
+       "admin/status/nftables/iptables": {
+               "action": {
+                       "type": "view",
+                       "path": "status/iptables"
+               }
+       },
+
        "admin/status/logs": {
                "title": "System Log",
                "order": 4,

diff --git a/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json b/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
index 7ad43200a374a8f47a43a4bbf4a0ced00b8a8cab..f0dab25af20d5a21eff8efd3535d660c92c7dc20 100644 (file)
--- a/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
+++ b/modules/luci-mod-status/root/usr/share/rpcd/acl.d/luci-mod-status.json
@@ -74,7 +74,9 @@
                                "/usr/sbin/nft --json list ruleset": [ "exec" ],
                                "/usr/sbin/iptables --line-numbers -w -nvxL -t *": [ "exec" ],
                                "/usr/sbin/ip6tables --line-numbers -w -nvxL -t *": [ "exec" ],
-                               "/usr/sbin/ip6tables": [ "list" ]
+                               "/usr/sbin/ip6tables": [ "list" ],
+                               "/usr/sbin/iptables-save": [ "exec" ],
+                               "/usr/sbin/ip6tables-save": [ "exec" ]
                        },
                        "ubus": {
                                "file": [ "stat" ]