* applications/luci-fw: Added support for customizing inter-device routing

* applications/luci-fw: Adapted Firewallscripts to better integrate into OpenWRT networking concept
Steven Barth 2008-05-14 18:16:51 +00:00
parent 3f4f75b107
commit ba971df2af
6 changed files with 105 additions and 14 deletions


@ -7,6 +7,13 @@ apply_portfw() {
config_get dport "$cfg" dport config_get dport "$cfg" dport
config_get iface "$cfg" iface config_get iface "$cfg" iface
config_get to "$cfg" to config_get to "$cfg" to
config_get ifname "$iface" ifname
[ -n "$proto" ] || return 0
[ -n "$dport" ] || return 0
[ -n "$ifname" ] || return 0
[ -n "$to" ] || return 0
ports=$(echo $to | cut -sd: -f2) ports=$(echo $to | cut -sd: -f2)
if [ -n "$ports" ]; then if [ -n "$ports" ]; then
@ -18,16 +25,52 @@ apply_portfw() {
ip=$(echo $to | cut -d: -f1) ip=$(echo $to | cut -d: -f1)
if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
iptables -t nat -A luci_fw_prerouting -i "$iface" -p tcp --dport "$dport" -j DNAT --to "$to" iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to"
iptables -A luci_fw_forward -i "$iface" -p tcp -d "$ip" $ports -j ACCEPT iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT
fi fi
if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
iptables -t nat -A luci_fw_prerouting -i "$iface" -p udp --dport "$dport" -j DNAT --to "$to" iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to"
iptables -A luci_fw_forward -i "$iface" -p udp -d "$ip" $ports -j ACCEPT iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT
fi fi
} }
apply_routing() {
local cfg="$1"
config_get iface "$cfg" iface
config_get oface "$cfg" oface
config_get_bool fwd "$cfg" fwd
config_get_bool nat "$cfg" nat
config_get_bool bidi "$cfg" bidi
config_get ifname "$iface" ifname
config_get ofname "$oface" ifname
[ -n "$ifname" ] || return 0
[ -n "$ofname" ] || return 0
[ "$fwd" -gt 0 ] && {
iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
[ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
}
[ "$nat" -gt 0 ] && {
config_get ifip "$iface" ipaddr
config_get ifmask "$iface" netmask
eval "$(ipcalc.sh $ifip $ifmask)"
iptables -t nat -A luci_freifunk_postrouting -s "$NETWORK/$PREFIX" -o "$oface" -j MASQUERADE
[ "$bidi" -gt 0 ] && {
config_get ofip "$oface" ipaddr
config_get ofmask "$oface" netmask
eval "$(ipcalc.sh $ofip $ofmask)"
iptables -t nat -A luci_freifunk_postrouting -s "$NETWORK/$PREFIX" -o "$iface" -j MASQUERADE
}
}
}
apply_rule() { apply_rule() {
local cfg="$1" local cfg="$1"
local cmd="" local cmd=""
@ -41,10 +84,12 @@ apply_rule() {
[ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting" [ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
config_get iface "$cfg" iface config_get iface "$cfg" iface
[ -n "$iface" ] && cmd="$cmd -i $iface" config_get ifname "$iface" ifname
[ -n "$ifname" ] && cmd="$cmd -i $ifname"
config_get oface "$cfg" oface config_get oface "$cfg" oface
[ -n "$oface" ] && cmd="$cmd -o $oface" config_get ofname "$oface" ifname
[ -n "$ofname" ] && cmd="$cmd -o $ofname"
config_get proto "$cfg" proto config_get proto "$cfg" proto
[ -n "$proto" ] && cmd="$cmd -p $proto" [ -n "$proto" ] && cmd="$cmd -p $proto"
@ -94,10 +139,15 @@ start() {
iptables -t nat -A prerouting_rule -j luci_fw_prerouting iptables -t nat -A prerouting_rule -j luci_fw_prerouting
iptables -t nat -A postrouting_rule -j luci_fw_postrouting iptables -t nat -A postrouting_rule -j luci_fw_postrouting
### Scan network interfaces
include /lib/network
scan_interfaces
### Read chains from config ### Read chains from config
config_load luci_fw config_load luci_fw
config_foreach apply_portfw portfw
config_foreach apply_rule rule config_foreach apply_rule rule
config_foreach apply_portfw portfw
config_foreach apply_routing routing
} }
stop() { stop() {
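Review bot: In apply_routing (second hunk) the MASQUERADE rules match on the logical names (`-o "$oface"`, `-o "$iface"`) while the forward rules a few lines earlier match on the resolved devices (`$ofname`/`$ifname`); after `config_get ifname "$iface" ifname` those logical values are UCI section names, so the nat rules would not match traffic and should read `-o "$ofname"` and `-o "$ifname"`. The nat rules are also appended to `luci_freifunk_postrouting`, whereas start() only hooks `luci_fw_postrouting` into postrouting_rule, so unless that chain is created outside the hunk the append fails. `config_get_bool fwd "$cfg" fwd` leaves fwd empty when the option is unset, and `[ "" -gt 0 ]` is a test error rather than false; pass a default, `config_get_bool fwd "$cfg" fwd 0` (likewise for nat and bidi). The `eval "$(ipcalc.sh $ifip $ifmask)"` lines evaluate whatever ipcalc.sh prints; if ipaddr or netmask is missing for the section, guarding with `[ -n "$ifip" ] || return 0` before the eval avoids evaluating an error message.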


@ -13,8 +13,18 @@ chain:value("output", "Output")
chain:value("prerouting", "Prerouting") chain:value("prerouting", "Prerouting")
chain:value("postrouting", "Postrouting") chain:value("postrouting", "Postrouting")
s:option(Value, "iface", "Eingangsschnittstelle").optional = true iface = s:option(ListValue, "iface", "Eingangsschnittstelle")
s:option(Value, "oface", "Ausgangsschnittstelle").optional = true iface.optional = true
oface = s:option(ListValue, "oface", "Ausgangsschnittstelle")
oface.optional = true
for k, v in pairs(ffluci.model.uci.sections("network")) do
if v[".type"] == "interface" and k ~= "loopback" then
iface:value(k)
oface:value(k)
end
end
proto = s:option(ListValue, "proto", "Protokoll") proto = s:option(ListValue, "proto", "Protokoll")
proto.optional = true proto.optional = true
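Review bot: The new loop fills both ListValues by iterating `ffluci.model.uci.sections("network")` with `pairs`, whose order is unspecified, so the interface dropdown order can differ between page loads; collecting the qualifying section names first and sorting them gives a stable list. The same pattern appears in the portfw model and in the new routing model in this commit. `ffluci.model.uci` is used here but no require is visible in the hunk; if the file does not already load it, add `require("ffluci.model.uci")` near the top.
```lua
local names = {}
for k, v in pairs(ffluci.model.uci.sections("network")) do
	if v[".type"] == "interface" and k ~= "loopback" then
		names[#names + 1] = k
	end
end
table.sort(names)
for _, k in ipairs(names) do
	iface:value(k)
	oface:value(k)
end
-- … unchanged: proto option …
```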


@ -9,9 +9,11 @@ s.addremove = true
s.anonymous = true s.anonymous = true
iface = s:option(ListValue, "iface", "Schnittstelle", "Externe Schnittstelle") iface = s:option(ListValue, "iface", "Schnittstelle", "Externe Schnittstelle")
iface:value("") iface.default = "wan"
for k,v in pairs(ffluci.sys.net.devices()) do for k, v in pairs(ffluci.model.uci.sections("network")) do
iface:value(v) if v[".type"] == "interface" and k ~= "loopback" then
iface:value(k)
end
end end
proto = s:option(ListValue, "proto", "Protokoll") proto = s:option(ListValue, "proto", "Protokoll")
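Review bot: Existing portfw entries were saved against the old list from `ffluci.sys.net.devices()`, i.e. device names; with this change the init script does `config_get ifname "$iface" ifname` and returns early when that yields nothing, so a stored device name is no longer a valid `iface` and its forwarding rule is dropped silently. A comment in the model would make the new contract explicit, e.g. `-- iface holds a UCI network section name (resolved to a device by the init script), not a device name`. `iface.default = "wan"` also assumes a network section named wan exists, since only existing interface sections are offered in the list; the default cannot be selected otherwise.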


@ -0,0 +1,28 @@
-- ToDo: Translate, Add descriptions and help texts
require("ffluci.sys")
m = Map("luci_fw", "Routing", [[An dieser Stelle wird festlegt, welcher Netzverkehr zwischen einzelnen
Schnittstellen erlaubt werden soll. Es werden jeweils nur neue Verbindungen
betrachtet, d.h. Pakete von aufgebauten oder zugehörigen Verbindungen werden automatisch in beide Richtungen
akzeptiert, auch wenn das Feld "beide Richtungen" nicht explizit gesetzt ist.
NAT ermöglicht Adressübersetzung.]])
s = m:section(TypedSection, "routing")
s.template = "cbi/tblsection"
s.addremove = true
s.anonymous = true
iface = s:option(ListValue, "iface", "Eingang", "Eingangsschnittstelle")
oface = s:option(ListValue, "oface", "Ausgang", "Ausgangsschnittstelle")
for k, v in pairs(ffluci.model.uci.sections("network")) do
if v[".type"] == "interface" and k ~= "loopback" then
iface:value(k)
oface:value(k)
end
end
s:option(Flag, "fwd", "FWD", "weiterleiten")
s:option(Flag, "nat", "NAT", "übersetzen")
s:option(Flag, "bidi", "<->", "beide Richtungen")
return m
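Review bot: `require("ffluci.sys")` does not match what the file uses: the only library call is `ffluci.model.uci.sections("network")`, so the require should be `require("ffluci.model.uci")` unless ffluci.sys loads it transitively. The three Flag options have no default, so an entry whose flags were never toggled stores nothing for fwd/nat/bidi, which the init script then tests with `[ "$fwd" -gt 0 ]`; giving each flag `.default = "0"` (or defaulting in the script) keeps both sides consistent. The section list is built with `pairs` over uci sections, so its order is unspecified, as already noted for the firewall model.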


@ -1,3 +1,4 @@
sel("admin", "network") sel("admin", "network")
act("portfw", "Portweiterleitung") act("portfw", "Portweiterleitung")
act("routing", "Routing")
act("firewall", "Firewall") act("firewall", "Firewall")


@ -68,7 +68,7 @@ define Package/ffluci-ff-halle
DEPENDS:=ffluci \ DEPENDS:=ffluci \
+ffluci-sgi-haserl +ffluci-mod-freifunk +ffluci-app-firewall +ffluci-app-splash \ +ffluci-sgi-haserl +ffluci-mod-freifunk +ffluci-app-firewall +ffluci-app-splash \
+olsrd +olsrd-mod-dyn-gw +olsrd-mod-txtinfo +olsrd-mod-nameservice \ +olsrd +olsrd-mod-dyn-gw +olsrd-mod-txtinfo +olsrd-mod-nameservice \
+kmod-tun +kmod-tun +ip
TITLE:=Freifunk Halle Community Meta-Package TITLE:=Freifunk Halle Community Meta-Package
endef endef
@ -81,7 +81,7 @@ define Package/ffluci-ff-leipzig
DEPENDS:=ffluci \ DEPENDS:=ffluci \
+ffluci-sgi-haserl +ffluci-mod-freifunk +ffluci-app-firewall +ffluci-app-splash \ +ffluci-sgi-haserl +ffluci-mod-freifunk +ffluci-app-firewall +ffluci-app-splash \
+olsrd +olsrd-mod-dyn-gw +olsrd-mod-txtinfo +olsrd-mod-nameservice \ +olsrd +olsrd-mod-dyn-gw +olsrd-mod-txtinfo +olsrd-mod-nameservice \
+kmod-tun +kmod-tun +ip
TITLE:=Freifunk Leipzig Community Meta-Package TITLE:=Freifunk Leipzig Community Meta-Package
endef endef