mirror of https://git.openwrt.org/project/luci.git
* applications/luci-fw: Added support for customizing inter-device routing
* applications/luci-fw: Adapted Firewallscripts to better integrate into OpenWRT networking concept
This commit is contained in:
Steven Barth
parent
3f4f75b107
commit
ba971df2af
|
|
@ -7,6 +7,13 @@ apply_portfw() {
|
|||
config_get dport "$cfg" dport
|
||||
config_get iface "$cfg" iface
|
||||
config_get to "$cfg" to
|
||||
|
||||
config_get ifname "$iface" ifname
|
||||
|
||||
[ -n "$proto" ] || return 0
|
||||
[ -n "$dport" ] || return 0
|
||||
[ -n "$ifname" ] || return 0
|
||||
[ -n "$to" ] || return 0
|
||||
|
||||
ports=$(echo $to | cut -sd: -f2)
|
||||
if [ -n "$ports" ]; then
|
||||
|
|
@ -18,16 +25,52 @@ apply_portfw() {
|
|||
ip=$(echo $to | cut -d: -f1)
|
||||
|
||||
if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
|
||||
iptables -t nat -A luci_fw_prerouting -i "$iface" -p tcp --dport "$dport" -j DNAT --to "$to"
|
||||
iptables -A luci_fw_forward -i "$iface" -p tcp -d "$ip" $ports -j ACCEPT
|
||||
iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to"
|
||||
iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT
|
||||
fi
|
||||
|
||||
if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
|
||||
iptables -t nat -A luci_fw_prerouting -i "$iface" -p udp --dport "$dport" -j DNAT --to "$to"
|
||||
iptables -A luci_fw_forward -i "$iface" -p udp -d "$ip" $ports -j ACCEPT
|
||||
iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to"
|
||||
iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT
|
||||
fi
|
||||
}
|
||||
|
||||
apply_routing() {
|
||||
local cfg="$1"
|
||||
config_get iface "$cfg" iface
|
||||
config_get oface "$cfg" oface
|
||||
config_get_bool fwd "$cfg" fwd
|
||||
config_get_bool nat "$cfg" nat
|
||||
config_get_bool bidi "$cfg" bidi
|
||||
|
||||
config_get ifname "$iface" ifname
|
||||
config_get ofname "$oface" ifname
|
||||
|
||||
[ -n "$ifname" ] || return 0
|
||||
[ -n "$ofname" ] || return 0
|
||||
|
||||
[ "$fwd" -gt 0 ] && {
|
||||
iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
|
||||
[ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
|
||||
}
|
||||
|
||||
[ "$nat" -gt 0 ] && {
|
||||
config_get ifip "$iface" ipaddr
|
||||
config_get ifmask "$iface" netmask
|
||||
eval "$(ipcalc.sh $ifip $ifmask)"
|
||||
|
||||
iptables -t nat -A luci_freifunk_postrouting -s "$NETWORK/$PREFIX" -o "$oface" -j MASQUERADE
|
||||
|
||||
[ "$bidi" -gt 0 ] && {
|
||||
config_get ofip "$oface" ipaddr
|
||||
config_get ofmask "$oface" netmask
|
||||
eval "$(ipcalc.sh $ofip $ofmask)"
|
||||
|
||||
iptables -t nat -A luci_freifunk_postrouting -s "$NETWORK/$PREFIX" -o "$iface" -j MASQUERADE
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
apply_rule() {
|
||||
local cfg="$1"
|
||||
local cmd=""
|
||||
|
|
@ -41,10 +84,12 @@ apply_rule() {
|
|||
[ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
|
||||
|
||||
config_get iface "$cfg" iface
|
||||
[ -n "$iface" ] && cmd="$cmd -i $iface"
|
||||
config_get ifname "$iface" ifname
|
||||
[ -n "$ifname" ] && cmd="$cmd -i $ifname"
|
||||
|
||||
config_get oface "$cfg" oface
|
||||
[ -n "$oface" ] && cmd="$cmd -o $oface"
|
||||
config_get ofname "$oface" ifname
|
||||
[ -n "$ofname" ] && cmd="$cmd -o $ofname"
|
||||
|
||||
config_get proto "$cfg" proto
|
||||
[ -n "$proto" ] && cmd="$cmd -p $proto"
|
||||
|
|
@ -94,10 +139,15 @@ start() {
|
|||
iptables -t nat -A prerouting_rule -j luci_fw_prerouting
|
||||
iptables -t nat -A postrouting_rule -j luci_fw_postrouting
|
||||
|
||||
### Scan network interfaces
|
||||
include /lib/network
|
||||
scan_interfaces
|
||||
|
||||
### Read chains from config
|
||||
config_load luci_fw
|
||||
config_foreach apply_portfw portfw
|
||||
config_foreach apply_rule rule
|
||||
config_foreach apply_portfw portfw
|
||||
config_foreach apply_routing routing
|
||||
}
|
||||
|
||||
stop() {
|
||||
|
|
|
|||
|
|
@ -13,8 +13,18 @@ chain:value("output", "Output")
|
|||
chain:value("prerouting", "Prerouting")
|
||||
chain:value("postrouting", "Postrouting")
|
||||
|
||||
s:option(Value, "iface", "Eingangsschnittstelle").optional = true
|
||||
s:option(Value, "oface", "Ausgangsschnittstelle").optional = true
|
||||
iface = s:option(ListValue, "iface", "Eingangsschnittstelle")
|
||||
iface.optional = true
|
||||
|
||||
oface = s:option(ListValue, "oface", "Ausgangsschnittstelle")
|
||||
oface.optional = true
|
||||
|
||||
for k, v in pairs(ffluci.model.uci.sections("network")) do
|
||||
if v[".type"] == "interface" and k ~= "loopback" then
|
||||
iface:value(k)
|
||||
oface:value(k)
|
||||
end
|
||||
end
|
||||
|
||||
proto = s:option(ListValue, "proto", "Protokoll")
|
||||
proto.optional = true
|
||||
|
|
|
|||
|
|
@ -9,9 +9,11 @@ s.addremove = true
|
|||
s.anonymous = true
|
||||
|
||||
iface = s:option(ListValue, "iface", "Schnittstelle", "Externe Schnittstelle")
|
||||
iface:value("")
|
||||
for k,v in pairs(ffluci.sys.net.devices()) do
|
||||
iface:value(v)
|
||||
iface.default = "wan"
|
||||
for k, v in pairs(ffluci.model.uci.sections("network")) do
|
||||
if v[".type"] == "interface" and k ~= "loopback" then
|
||||
iface:value(k)
|
||||
end
|
||||
end
|
||||
|
||||
proto = s:option(ListValue, "proto", "Protokoll")
|
||||
|
|
|
|||
|
|
@ -0,0 +1,28 @@
|
|||
-- ToDo: Translate, Add descriptions and help texts
|
||||
require("ffluci.sys")
|
||||
m = Map("luci_fw", "Routing", [[An dieser Stelle wird festlegt, welcher Netzverkehr zwischen einzelnen
|
||||
Schnittstellen erlaubt werden soll. Es werden jeweils nur neue Verbindungen
|
||||
betrachtet, d.h. Pakete von aufgebauten oder zugehörigen Verbindungen werden automatisch in beide Richtungen
|
||||
akzeptiert, auch wenn das Feld "beide Richtungen" nicht explizit gesetzt ist.
|
||||
NAT ermöglicht Adressübersetzung.]])
|
||||
|
||||
s = m:section(TypedSection, "routing")
|
||||
s.template = "cbi/tblsection"
|
||||
s.addremove = true
|
||||
s.anonymous = true
|
||||
|
||||
iface = s:option(ListValue, "iface", "Eingang", "Eingangsschnittstelle")
|
||||
oface = s:option(ListValue, "oface", "Ausgang", "Ausgangsschnittstelle")
|
||||
|
||||
for k, v in pairs(ffluci.model.uci.sections("network")) do
|
||||
if v[".type"] == "interface" and k ~= "loopback" then
|
||||
iface:value(k)
|
||||
oface:value(k)
|
||||
end
|
||||
end
|
||||
|
||||
s:option(Flag, "fwd", "FWD", "weiterleiten")
|
||||
s:option(Flag, "nat", "NAT", "übersetzen")
|
||||
s:option(Flag, "bidi", "<->", "beide Richtungen")
|
||||
|
||||
return m
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
sel("admin", "network")
|
||||
act("portfw", "Portweiterleitung")
|
||||
act("routing", "Routing")
|
||||
act("firewall", "Firewall")
|
||||
|
|
@ -68,7 +68,7 @@ define Package/ffluci-ff-halle
|
|||
DEPENDS:=ffluci \
|
||||
+ffluci-sgi-haserl +ffluci-mod-freifunk +ffluci-app-firewall +ffluci-app-splash \
|
||||
+olsrd +olsrd-mod-dyn-gw +olsrd-mod-txtinfo +olsrd-mod-nameservice \
|
||||
+kmod-tun
|
||||
+kmod-tun +ip
|
||||
TITLE:=Freifunk Halle Community Meta-Package
|
||||
endef
|
||||
|
||||
|
|
@ -81,7 +81,7 @@ define Package/ffluci-ff-leipzig
|
|||
DEPENDS:=ffluci \
|
||||
+ffluci-sgi-haserl +ffluci-mod-freifunk +ffluci-app-firewall +ffluci-app-splash \
|
||||
+olsrd +olsrd-mod-dyn-gw +olsrd-mod-txtinfo +olsrd-mod-nameservice \
|
||||
+kmod-tun
|
||||
+kmod-tun +ip
|
||||
TITLE:=Freifunk Leipzig Community Meta-Package
|
||||
endef
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue