From 332d917e902ce949264b96bf4c0d2012db5db98c Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Tue, 28 Sep 2010 11:50:14 +0000
Subject: [PATCH] [backfire] firewall: backport r23141, r23142 and r23143

SVN-Revision: 23144
---
 package/firewall/Makefile | 2 +-
 package/firewall/files/reflection.hotplug | 5 +-
 package/firewall/files/uci_firewall.sh | 57 ++++++++++++++++-------
 3 files changed, 46 insertions(+), 18 deletions(-)

diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index f0946656d5..0445360a39 100644
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 PKG_VERSION:=1
-PKG_RELEASE:=17
+PKG_RELEASE:=18
 include $(INCLUDE_DIR)/package.mk
diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug
index 76ef6e7a99..e5194af7df 100644
--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -34,7 +34,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
 config_foreach find_networks_cb zone "$1"
 }
-
+
 setup_fwd() {
 local cfg="$1"
@@ -82,6 +82,9 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
 [ "$proto" = tcpudp ] && proto="tcp udp"
+ [ "${inthost#!}" = "$inthost" ] || return 0
+ [ "${exthost#!}" = "$exthost" ] || return 0
+
 local p
 for p in ${proto:-tcp udp}; do
 case "$p" in
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index 55048f2461..e0cb42e6d1 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -64,6 +64,16 @@ get_portrange() {
 export -n -- "$_var=${_min:-$_max}"
 }
+get_negation() {
+ local _var="$1"
+ local _flag="$2"
+ local _ipaddr="$3"
+
+ [ "${_ipaddr#!}" != "$_ipaddr" ] && \
+ export -n -- "$_var=! $_flag ${_ipaddr#!}" || \
+ export -n -- "$_var=${_ipaddr:+$_flag $_ipaddr}"
+}
+
 load_policy() {
 config_get input $1 input
 config_get output $1 output
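Review bot: The two new `|| return 0` guards in setup_fwd drop the whole reflection entry without a word when `inthost` or `exthost` starts with `!`, and nothing in the hunk says why a negated host is unusable here (presumably because the reflection rules use these addresses as NAT targets, where a negation has no meaning). A one-line comment above them, `# a negated host (!addr) cannot be used as a reflection target; skip this redirect`, would save the next reader a trip to uci_firewall.sh. Since the hotplug runs unattended at interface-up, a `logger` line naming the skipped redirect would also let an operator see why a reflection rule is missing. setup_fwd begins and ends outside this hunk.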
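Review bot: `get_negation` is added without a header comment, and its `&& \ … || \ …` chain is the if/else anti-pattern (ShellCheck SC2015): should the first `export -n` ever fail, the second runs as well and overwrites the result. With a valid `_var` that cannot happen, but `if [ "${_ipaddr#!}" != "$_ipaddr" ]; then … else … fi` states the intent at no cost. A header in the style of the surrounding helpers would read `# get_negation VAR FLAG ADDR: sets VAR to "FLAG ADDR", to "! FLAG ADDR" when ADDR starts with "!", or to "" when ADDR is empty`. Note also that an ADDR of just `!` yields `! FLAG ` with no address, which iptables will reject at the call sites; a guard is worth considering if that value can come from config.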
@@ -108,9 +118,9 @@ create_zone() {
 if [ "$masq" == "1" ]; then
 local msrc mdst
 for msrc in ${masq_src:-0.0.0.0/0}; do
- [ "${msrc#!}" != "$msrc" ] && msrc="! -s ${msrc#!}" || msrc="-s $msrc"
+ get_negation msrc '-s' "$msrc"
 for mdst in ${masq_dest:-0.0.0.0/0}; do
- [ "${mdst#!}" != "$mdst" ] && mdst="! -d ${mdst#!}" || mdst="-d $mdst"
+ get_negation mdst '-d' "$mdst"
 $IPTABLES -A zone_${name}_nat -t nat $msrc $mdst -j MASQUERADE
 done
 done
@@ -353,27 +363,40 @@ fw_rule() {
 config_get target $1 target
 config_get ruleset $1 ruleset
+ [ "$target" != "NOTRACK" ] || [ -n "$src" ] || {
+ echo "NOTRACK rule needs src"
+ return
+ }
+
+ local srcaddr destaddr
+ get_negation srcaddr '-s' "$src_ip"
+ get_negation destaddr '-d' "$dest_ip"
+
 local srcports destports
 get_portrange srcports "$src_port" ":"
 get_portrange destports "$dest_port" ":"
 ZONE=input
- TARGET=$target
- [ -z "$target" ] && target=DROP
- [ -n "$src" -a -z "$dest" ] && ZONE=zone_$src
- [ -n "$src" -a -n "$dest" ] && ZONE=zone_${src}_forward
- [ -n "$dest" ] && TARGET=zone_${dest}_$target
+ TABLE=filter
+ TARGET="${target:-DROP}"
+
+ if [ "$TARGET" = "NOTRACK" ]; then
+ TABLE=raw
+ ZONE="zone_${src}_notrack"
+ else
+ [ -n "$src" ] && ZONE="zone_${src}${dest:+_forward}"
+ [ -n "$dest" ] && TARGET="zone_${dest}_${TARGET}"
+ fi
 eval 'RULE_COUNT=$((++RULE_COUNT_'$ZONE'))'
 add_rule() {
- $IPTABLES -I $ZONE $RULE_COUNT \
+ $IPTABLES -t $TABLE -I $ZONE $RULE_COUNT \
+ $srcaddr $destaddr \
 ${proto:+-p $proto} \
 ${icmp_type:+--icmp-type $icmp_type} \
- ${src_ip:+-s $src_ip} \
 ${srcports:+--sport $srcports} \
 ${src_mac:+-m mac --mac-source $src_mac} \
- ${dest_ip:+-d $dest_ip} \
 ${destports:+--dport $destports} \
 -j $TARGET
 }
@@ -439,7 +462,7 @@ fw_redirect() {
 nataddr="$dest_ip"
 get_portrange natports "$dest_port" "-"
- srcdaddr="$src_dip"
+ get_negation srcdaddr '-d' "$src_dip"
 get_portrange srcdports "$src_dport" ":"
 find_item "$src" $CONNTRACK_ZONES || \
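Review bot: In the new NOTRACK branch of fw_rule, `dest` is never read, so a rule with `target=NOTRACK` and a `dest` option is placed in `zone_${src}_notrack` with its destination zone silently ignored; the new `NOTRACK rule needs src` check should be paired with at least a warning, e.g. `[ -z "$dest" ] || echo "NOTRACK rule ignores dest" >&2`. The diagnostic itself goes to stdout; `echo "NOTRACK rule needs src" >&2` keeps it out of any captured output, matching how an error should be reported. The `zone_${src}_notrack` chain in the raw table is not created anywhere in this diff — presumably by the zone setup backported from r23141 — so a comment above `TABLE=raw` naming where it comes from would help. fw_rule begins before this hunk.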
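Review bot: `nataddr="$dest_ip"` at the top of this hunk still takes the raw option value, while the same `dest_ip` is now run through `get_negation` for the forward rule in the @@ -469 hunk; a `dest_ip` written as `!addr` therefore lands verbatim after `-j DNAT $natopt`, where a negation has no meaning and iptables rejects the rule. The SNAT branch in the @@ -458 hunk has the same gap with `nataddr="$src_dip"`. A guard before the assignment, `[ "${dest_ip#!}" = "$dest_ip" ] || { echo "redirect: negated dest_ip is not a valid NAT target" >&2; return; }`, mirrors what reflection.hotplug now does for `inthost`/`exthost`. fw_redirect starts and ends outside this hunk.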
@@ -458,7 +481,7 @@ fw_redirect() {
 nataddr="$src_dip"
 get_portrange natports "$src_dport" "-"
- srcdaddr="$dest_ip"
+ get_negation srcdaddr '-d' "$dest_ip"
 get_portrange srcdports "$dest_port" ":"
 find_item "$dest" $CONNTRACK_ZONES || \
@@ -469,26 +492,28 @@ fw_redirect() {
 return
 fi
+ local srcaddr destaddr
+ get_negation srcaddr '-s' "$src_ip"
+ get_negation destaddr '-d' "$dest_ip"
+
 local srcports destports
 get_portrange srcports "$src_port" ":"
 get_portrange destports "${dest_port-$src_dport}" ":"
 add_rule() {
 $IPTABLES -I $natchain 1 -t nat \
+ $srcaddr $srcdaddr \
 ${proto:+-p $proto} \
- ${src_ip:+-s $src_ip} \
 ${srcports:+--sport $srcports} \
- ${srcdaddr:+-d $srcdaddr} \
 ${srcdports:+--dport $srcdports} \
 ${src_mac:+-m mac --mac-source $src_mac} \
 -j ${target:-DNAT} $natopt $nataddr${natports:+:$natports}
 [ -n "$dest_ip" ] && \
 $IPTABLES -I ${fwdchain:-forward} 1 \
+ $srcaddr $destaddr \
 ${proto:+-p $proto} \
- ${src_ip:+-s $src_ip} \
 ${srcports:+--sport $srcports} \
- ${dest_ip:+-d $dest_ip} \
 ${destports:+--dport $destports} \
 ${src_mac:+-m mac --mac-source $src_mac} \
 -j ACCEPT
--
2.30.2
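Review bot: `$srcaddr $srcdaddr` and `$srcaddr $destaddr` in add_rule are deliberately left unquoted so that the `! -d addr` string produced by `get_negation` splits into separate iptables words, but nothing says so, and the previous `${src_ip:+-s $src_ip}` forms at least made the shape of the expansion visible. A one-line comment above the first use, `# srcaddr/srcdaddr/destaddr expand to "[!] -s|-d addr"; keep them unquoted so the words split`, protects the negation from a later quoting clean-up. The same comment belongs on `$srcaddr $destaddr` in the fw_rule hunk (@@ -353). fw_redirect ends outside this hunk.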