diff options
| author | Roman Yeryomin <roman@advem.lv> | 2013-05-26 01:02:55 +0300 |
|---|---|---|
| committer | Roman Yeryomin <roman@advem.lv> | 2013-05-26 01:02:55 +0300 |
| commit | 342045a35b1981a89e4bc80842b10c065e1050da (patch) | |
| tree | 4140720b20e8d641c11da882010d6130a75fef21 /package/network/config | |
| parent | 7338133dde8238afce34676214b494c8db96689b (diff) | |
| parent | 1a116ce7818ecee5d167a9c0ebb1a0feca9120e6 (diff) | |
Merge trunk into realtek-unstable
Conflicts:
Config.in
feeds.conf.default
package/base-files/files/etc/hotplug2-common.rules
package/network/config/netifd/files/etc/init.d/network
Diffstat (limited to 'package/network/config')
30 files changed, 738 insertions, 670 deletions
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile index 05f42a62e..b7e7bba4a 100644 --- a/package/network/config/firewall/Makefile +++ b/package/network/config/firewall/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2008-2012 OpenWrt.org +# Copyright (C) 2008-2013 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=firewall PKG_VERSION:=2 -PKG_RELEASE:=53 +PKG_RELEASE:=60 include $(INCLUDE_DIR)/package.mk diff --git a/package/network/config/firewall/files/lib/core_forwarding.sh b/package/network/config/firewall/files/lib/core_forwarding.sh index c4a968143..2ea03f0eb 100644 --- a/package/network/config/firewall/files/lib/core_forwarding.sh +++ b/package/network/config/firewall/files/lib/core_forwarding.sh @@ -17,14 +17,14 @@ fw_load_forwarding() { fw_callback pre forwarding - local chain=forward + local chain=delegate_forward [ -n "$forwarding_src" ] && { chain=zone_${forwarding_src}_forward } local target=ACCEPT [ -n "$forwarding_dest" ] && { - target=zone_${forwarding_dest}_ACCEPT + target=zone_${forwarding_dest}_dest_ACCEPT } local mode diff --git a/package/network/config/firewall/files/lib/core_init.sh b/package/network/config/firewall/files/lib/core_init.sh index 035647998..404a83690 100644 --- a/package/network/config/firewall/files/lib/core_init.sh +++ b/package/network/config/firewall/files/lib/core_init.sh @@ -115,13 +115,13 @@ fw_load_defaults() { fw add i n POSTROUTING postrouting_rule } - fw add i f input - fw add i f output - fw add i f forward + fw add i f delegate_input + fw add i f delegate_output + fw add i f delegate_forward - fw add i f INPUT input - fw add i f OUTPUT output - fw add i f FORWARD forward + fw add i f INPUT delegate_input + fw add i f OUTPUT delegate_output + fw add i f FORWARD delegate_forward fw add i f reject fw add i f reject REJECT { --reject-with tcp-reset -p tcp } @@ -138,21 +138,28 @@ fw_config_get_zone() { fw_config_get_section "$1" zone { \ string name "$1" \ string network "" \ + string device "" \ + string subnet "" \ string input "$FW_DEFAULT_INPUT_POLICY" \ string output "$FW_DEFAULT_OUTPUT_POLICY" \ string forward "$FW_DEFAULT_FORWARD_POLICY" \ boolean masq 0 \ string masq_src "" \ string masq_dest "" \ + string extra "" \ + string extra_src "" \ + string extra_dest "" \ boolean conntrack 0 \ boolean mtu_fix 0 \ - boolean custom_chains "$FW_ADD_CUSTOM_CHAINS" \ + boolean custom_chains 0 \ boolean log 0 \ string log_limit 10 \ string family "" \ } || return [ -n "$zone_name" ] || zone_name=$zone_NAME - [ -n "$zone_network" ] || zone_network=$zone_name + [ -n "$zone_extra_src" ] || zone_extra_src="$zone_extra" + [ -n "$zone_extra_dest" ] || zone_extra_dest="$zone_extra" + [ -n "$zone_network$zone_subnet$zone_device$zone_extra_src$zone_extra_dest" ] || zone_network=$zone_name } fw_load_zone() { @@ -192,19 +199,22 @@ fw_load_zone() { local chain=zone_${zone_name} - fw add $mode f ${chain}_ACCEPT - fw add $mode f ${chain}_DROP - fw add $mode f ${chain}_REJECT + fw add $mode f ${chain}_src_ACCEPT + fw add $mode f ${chain}_src_DROP + fw add $mode f ${chain}_src_REJECT - # TODO: Rename to ${chain}_input - fw add $mode f ${chain} - fw add $mode f ${chain} ${chain}_${zone_input} $ + fw add $mode f ${chain}_dest_ACCEPT + fw add $mode f ${chain}_dest_DROP + fw add $mode f ${chain}_dest_REJECT + + fw add $mode f ${chain}_input + fw add $mode f ${chain}_input ${chain}_src_${zone_input} $ fw add $mode f ${chain}_forward - fw add $mode f ${chain}_forward ${chain}_${zone_forward} $ + fw add $mode f ${chain}_forward ${chain}_dest_${zone_forward} $ - # TODO: add ${chain}_output - fw add $mode f output ${chain}_${zone_output} $ + fw add $mode f ${chain}_output + fw add $mode f ${chain}_output ${chain}_dest_${zone_output} $ # TODO: Rename to ${chain}_MASQUERADE fw add $mode n ${chain}_nat @@ -223,7 +233,7 @@ fw_load_zone() { fw_die "zone ${zone_name}: custom_chains globally disabled" fw add $mode f input_${zone_name} - fw add $mode f ${chain} input_${zone_name} ^ + fw add $mode f ${chain}_input input_${zone_name} ^ fw add $mode f forwarding_${zone_name} fw add $mode f ${chain}_forward forwarding_${zone_name} ^ @@ -238,13 +248,16 @@ fw_load_zone() { local t for t in REJECT DROP; do - fw add $mode f ${chain}_${t} LOG ^ \ - { -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " } + local d + for d in src dest; do + fw add $mode f ${chain}_${d}_${t} LOG ^ \ + { -m limit --limit $zone_log_limit --log-prefix "$t($d:$zone_name): " } + done done [ $zone_mtu_fix == 1 ] && \ fw add $mode m ${chain}_MSSFIX LOG ^ \ - { -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " } + { -p tcp --tcp-flags SYN,RST SYN -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " } } # NB: if MASQUERADING for IPv6 becomes available we'll need a family check here @@ -267,6 +280,16 @@ fw_load_zone() { done fi + local dev + for dev in ${zone_device:-""}; do + local net + for net in ${zone_subnet:-""}; do + [ -n "$dev" ] || [ -n "$net" ] || continue + fw_do_interface_rules add "${zone_name}" "$dev" "$net" \ + "${zone_extra_src}" "${zone_extra_dest}" + done + done + fw_callback post zone } @@ -293,7 +316,7 @@ fw_load_include() { fw_log error "You cannot use UCI in firewall includes!" >&2 exit 1 } - . $path + . $path ) } diff --git a/package/network/config/firewall/files/lib/core_interface.sh b/package/network/config/firewall/files/lib/core_interface.sh index 3d6718431..9138cbf0c 100644 --- a/package/network/config/firewall/files/lib/core_interface.sh +++ b/package/network/config/firewall/files/lib/core_interface.sh @@ -1,4 +1,4 @@ -# Copyright (C) 2009-2012 OpenWrt.org +# Copyright (C) 2009-2013 OpenWrt.org fw__uci_state_add() { local var="$1" @@ -31,6 +31,73 @@ fw__uci_state_del() { uci_toggle_state firewall core $var "$rest" } +fw_do_interface_rules() { + local action=$1 + local zone=$2 + local chain=zone_${zone} + local ifname=$3 + local subnet=$4 + local extra_src="$5" + local extra_dest="$6" + + local idev odev inet onet mode + fw_get_family_mode mode x $zone i + + fw_get_negation idev '-i' "$ifname" + fw_get_negation odev '-o' "$ifname" + + case "$mode/$subnet" in + # Zone supports v6 only or dual, need v6 + G6/*:*|i/*:*) + fw_get_negation inet '-s' "$subnet" + fw_get_negation onet '-d' "$subnet" + mode=6 + ;; + + # Zone supports v4 only or dual, need v4 + G4/*.*.*.*|i/*.*.*.*) + fw_get_negation inet '-s' "$subnet" + fw_get_negation onet '-d' "$subnet" + mode=4 + ;; + + # Need v6 while zone is v4 + */*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;; + + # Need v4 while zone is v6 + */*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;; + + # Strip prefix + *) mode="${mode#G}" ;; + esac + + lock /var/run/firewall-interface.lock + + fw $action $mode f ${chain}_dest_ACCEPT ACCEPT $ { $odev $onet $extra_dest } + fw $action $mode f ${chain}_src_ACCEPT ACCEPT $ { $idev $inet $extra_src } + fw $action $mode f ${chain}_dest_DROP DROP $ { $odev $onet $extra_dest } + fw $action $mode f ${chain}_src_DROP DROP $ { $idev $inet $extra_src } + fw $action $mode f ${chain}_dest_REJECT reject $ { $odev $onet $extra_dest } + fw $action $mode f ${chain}_src_REJECT reject $ { $idev $inet $extra_src } + + [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \ + fw $action $mode m ${chain}_MSSFIX TCPMSS $ \ + { $odev -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet $extra_dest } + + fw $action $mode f delegate_input ${chain}_input $ { $idev $inet $extra_src } + fw $action $mode f delegate_forward ${chain}_forward $ { $idev $inet $extra_src } + fw $action $mode f delegate_output ${chain}_output $ { $odev $onet $extra_dest } + + fw $action $mode n PREROUTING ${chain}_prerouting $ { $idev $inet $extra_src } + fw $action $mode r PREROUTING ${chain}_notrack $ { $idev $inet $extra_src } + fw $action $mode n POSTROUTING ${chain}_nat $ { $odev $onet $extra_dest } + + # Flush conntrack table + echo f >/proc/net/nf_conntrack 2>/dev/null + + lock -u /var/run/firewall-interface.lock +} + fw_configure_interface() { local iface=$1 local action=$2 @@ -52,63 +119,6 @@ fw_configure_interface() { fw_callback pre interface - fw__do_rules() { - local action=$1 - local zone=$2 - local chain=zone_${zone} - local ifname=$3 - local subnet=$4 - - local inet onet mode - fw_get_family_mode mode x $zone i - - case "$mode/$subnet" in - # Zone supports v6 only or dual, need v6 - G6/*:*|i/*:*) - inet="-s $subnet -d ::/0" - onet="-s ::/0 -d $subnet" - mode=6 - ;; - - # Zone supports v4 only or dual, need v4 - G4/*.*.*.*|i/*.*.*.*) - inet="-s $subnet -d 0.0.0.0/0" - onet="-s 0.0.0.0/0 -d $subnet" - mode=4 - ;; - - # Need v6 while zone is v4 - */*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;; - - # Need v4 while zone is v6 - */*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;; - - # Strip prefix - *) mode="${mode#G}" ;; - esac - - lock /var/run/firewall-interface.lock - - fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -o "$ifname" $onet } - fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -i "$ifname" $inet } - fw $action $mode f ${chain}_DROP DROP $ { -o "$ifname" $onet } - fw $action $mode f ${chain}_DROP DROP $ { -i "$ifname" $inet } - fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet } - fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet } - - [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \ - fw $action $mode m ${chain}_MSSFIX TCPMSS $ \ - { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet } - - fw $action $mode f input ${chain} $ { -i "$ifname" $inet } - fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet } - fw $action $mode n PREROUTING ${chain}_prerouting $ { -i "$ifname" $inet } - fw $action $mode r PREROUTING ${chain}_notrack $ { -i "$ifname" $inet } - fw $action $mode n POSTROUTING ${chain}_nat $ { -o "$ifname" $onet } - - lock -u /var/run/firewall-interface.lock - } - local old_zones old_ifname old_subnets config_get old_zones core "${iface}_zone" [ -n "$old_zones" ] && { @@ -120,7 +130,7 @@ fw_configure_interface() { local n for n in ${old_subnets:-""}; do fw_log info "removing $iface ($old_ifname${n:+ alias $n}) from zone $z" - fw__do_rules del $z $old_ifname $n + fw_do_interface_rules del $z $old_ifname $n done [ -n "$old_subnets" ] || { @@ -179,7 +189,7 @@ fw_configure_interface() { list_contains zone_network "$iface" || return fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name" - fw__do_rules add ${zone_name} "$ifname" "$aliasnet" + fw_do_interface_rules add ${zone_name} "$ifname" "$aliasnet" append new_zones $zone_name [ -n "$aliasnet" ] || { @@ -202,4 +212,3 @@ fw_sysctl_interface() { sysctl -w net.ipv6.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE } >/dev/null 2>/dev/null } - diff --git a/package/network/config/firewall/files/lib/core_redirect.sh b/package/network/config/firewall/files/lib/core_redirect.sh index fe396c1c1..9493bc6ae 100644 --- a/package/network/config/firewall/files/lib/core_redirect.sh +++ b/package/network/config/firewall/files/lib/core_redirect.sh @@ -41,7 +41,7 @@ fw_load_redirect() { # in this case match only DNATed traffic and allow it on input, not forward if [ -z "$redirect_dest_ip" ] || /sbin/ifconfig | grep -qE "addr:${redirect_dest_ip//./\\.}\b"; then fwdopt="-m conntrack --ctstate DNAT" - fwdchain="zone_${redirect_src}" + fwdchain="zone_${redirect_src}_input" else fwdchain="zone_${redirect_src}_forward" fi @@ -114,7 +114,7 @@ fw_load_redirect() { $redirect_options \ } - fw add $mode f ${fwdchain:-forward} ACCEPT + \ + fw add $mode f ${fwdchain:-delegate_forward} ACCEPT + \ { $redirect_src_ip $redirect_dest_ip } { \ $srcaddr $destaddr \ $pr \ diff --git a/package/network/config/firewall/files/lib/core_rule.sh b/package/network/config/firewall/files/lib/core_rule.sh index f49c42af5..0ce2122be 100644 --- a/package/network/config/firewall/files/lib/core_rule.sh +++ b/package/network/config/firewall/files/lib/core_rule.sh @@ -34,7 +34,7 @@ fw_load_rule() { fw_callback pre rule local table=f - local chain=input + local chain=delegate_output local target="${rule_target:-REJECT}" if [ "$target" == "NOTRACK" ]; then table=r @@ -42,16 +42,23 @@ fw_load_rule() { else if [ -n "$rule_src" ]; then if [ "$rule_src" != "*" ]; then - chain="zone_${rule_src}${rule_dest:+_forward}" + if [ -n "$rule_dest" ]; then + chain="zone_${rule_src}_forward" + else + chain="zone_${rule_src}_input" + fi else - chain="${rule_dest:+forward}" - chain="${chain:-input}" + chain="${rule_dest:+delegate_forward}" + chain="${chain:-delegate_input}" fi fi if [ -n "$rule_dest" ]; then if [ "$rule_dest" != "*" ]; then - target="zone_${rule_dest}_${target}" + target="zone_${rule_dest}_dest_${target}" + if [ -z "$rule_src" ]; then + chain="zone_${rule_dest}_output" + fi elif [ "$target" = REJECT ]; then target=reject fi diff --git a/package/network/config/firewall/files/lib/fw.sh b/package/network/config/firewall/files/lib/fw.sh index 76e294f56..ca851e81c 100644 --- a/package/network/config/firewall/files/lib/fw.sh +++ b/package/network/config/firewall/files/lib/fw.sh @@ -170,7 +170,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> } fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule" return 1 fi - shift + shift ;; *) cmdline="$cmdline $1" ;; esac diff --git a/package/network/config/firewall/files/reflection.hotplug b/package/network/config/firewall/files/reflection.hotplug index 843c615bc..129a922e4 100644 --- a/package/network/config/firewall/files/reflection.hotplug +++ b/package/network/config/firewall/files/reflection.hotplug @@ -3,34 +3,59 @@ . /lib/functions.sh . /lib/functions/network.sh -if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then - local wanip - network_get_ipaddr wanip wan || return - - iptables -t nat -F nat_reflection_in 2>/dev/null || { - iptables -t nat -N nat_reflection_in - iptables -t nat -A prerouting_rule -j nat_reflection_in +if [ "$ACTION" = "remove" ]; then + + delete_rules_by_comment() { + local table="$1" + local chain="$2" + local comment="$3" + + iptables -t "$table" --line-numbers -nL "$chain" 2>/dev/null | \ + sed -e ' + 1d; + 1! { + \#^[0-9]\+ .* /\* '"$comment"' \*/.*$# { + s/ .*$//; + G; h; + } + }; + $!d; + ' | xargs -n1 iptables -t "$table" -D "$chain" 2>/dev/null } - iptables -t nat -F nat_reflection_out 2>/dev/null || { - iptables -t nat -N nat_reflection_out - iptables -t nat -A postrouting_rule -j nat_reflection_out - } + delete_rules_by_comment nat nat_reflection_in "$INTERFACE" + delete_rules_by_comment nat nat_reflection_out "$INTERFACE" + delete_rules_by_comment filter nat_reflection_fwd "$INTERFACE" + +elif [ "$ACTION" = "add" ]; then + + prepare_chains() { + iptables -t nat -N nat_reflection_in 2>/dev/null && { + iptables -t nat -A prerouting_rule -j nat_reflection_in + } + + iptables -t nat -N nat_reflection_out 2>/dev/null && { + iptables -t nat -A postrouting_rule -j nat_reflection_out + } - iptables -t filter -F nat_reflection_fwd 2>/dev/null || { - iptables -t filter -N nat_reflection_fwd - iptables -t filter -A forwarding_rule -j nat_reflection_fwd + iptables -t filter -N nat_reflection_fwd 2>/dev/null && { + iptables -t filter -A forwarding_rule -j nat_reflection_fwd + } } find_networks() { find_networks_cb() { local cfg="$1" local zone="$2" + local need_masq="${3:-0}" local name config_get name "$cfg" name - [ "$name" = "$zone" ] && { + local masq + config_get_bool masq "$cfg" masq 0 + + [ "$name" = "$zone" ] && [ "$masq" -ge "$need_masq" ] && { local network config_get network "$cfg" network @@ -39,7 +64,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then } } - config_foreach find_networks_cb zone "$1" + config_foreach find_networks_cb zone "$@" } setup_fwd() { @@ -51,82 +76,94 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then local src config_get src "$cfg" src + [ "$src" == "$ZONE" ] || return + + local dest + config_get dest "$cfg" dest + [ "$dest" != "*" ] || return local target config_get target "$cfg" target DNAT - - [ "$src" = wan ] && [ "$target" = DNAT ] && { - local dest - config_get dest "$cfg" dest "lan" - [ "$dest" != "*" ] || return - - local net - for net in $(find_networks "$dest"); do - local lannet - network_get_subnet lannet "$net" || return - - local proto - config_get proto "$cfg" proto - - local epmin epmax extport - config_get extport "$cfg" src_dport "1-65535" - [ -n "$extport" ] || return - - epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" - [ "${epmin#!}" != "$epmax" ] || epmax="" - - local ipmin ipmax intport - config_get intport "$cfg" dest_port "$extport" - - ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" - [ "${ipmin#!}" != "$ipmax" ] || ipmax="" - - local exthost - config_get exthost "$cfg" src_dip "$wanip" - - local inthost - config_get inthost "$cfg" dest_ip - [ -n "$inthost" ] || return - - [ "$proto" = all ] && proto="tcp udp" - [ "$proto" = tcpudp ] && proto="tcp udp" - - [ "${inthost#!}" = "$inthost" ] || return 0 - [ "${exthost#!}" = "$exthost" ] || return 0 - - [ "${epmin#!}" != "$epmin" ] && \ - extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \ - extport="--dport $epmin${epmax:+:$epmax}" - - [ "${ipmin#!}" != "$ipmin" ] && \ - intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \ - intport="--dport $ipmin${ipmax:+:$ipmax}" - - local p - for p in ${proto:-tcp udp}; do - case "$p" in - tcp|udp|6|17) - iptables -t nat -A nat_reflection_in \ - -s $lannet -d $exthost \ - -p $p $extport \ - -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} - - iptables -t nat -A nat_reflection_out \ - -s $lannet -d $inthost \ - -p $p $intport \ - -j SNAT --to-source ${lannet%%/*} - - iptables -t filter -A nat_reflection_fwd \ - -s $lannet -d $inthost \ - -p $p $intport \ - -j ACCEPT - ;; - esac - done + [ "$target" = DNAT ] || return + + prepare_chains + + local net + for net in $(find_networks "$dest" 0); do + local intnet + network_get_subnet intnet "$net" || continue + + local proto + config_get proto "$cfg" proto + + local epmin epmax extport + config_get extport "$cfg" src_dport "1-65535" + [ -n "$extport" ] || return + + epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" + [ "${epmin#!}" != "$epmax" ] || epmax="" + + local ipmin ipmax intport + config_get intport "$cfg" dest_port "$extport" + + ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" + [ "${ipmin#!}" != "$ipmax" ] || ipmax="" + + local exthost + config_get exthost "$cfg" src_dip "$extip" + + local inthost + config_get inthost "$cfg" dest_ip + [ -n "$inthost" ] || return + + [ "$proto" = all ] && proto="tcp udp" + [ "$proto" = tcpudp ] && proto="tcp udp" + + [ "${inthost#!}" = "$inthost" ] || return 0 + [ "${exthost#!}" = "$exthost" ] || return 0 + + [ "${epmin#!}" != "$epmin" ] && \ + extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \ + extport="--dport $epmin${epmax:+:$epmax}" + + [ "${ipmin#!}" != "$ipmin" ] && \ + intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \ + intport="--dport $ipmin${ipmax:+:$ipmax}" + + local p + for p in ${proto:-tcp udp}; do + case "$p" in + tcp|udp|6|17) + iptables -t nat -A nat_reflection_in \ + -s $intnet -d $exthost \ + -p $p $extport \ + -m comment --comment "$INTERFACE" \ + -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} + + iptables -t nat -A nat_reflection_out \ + -s $intnet -d $inthost \ + -p $p $intport \ + -m comment --comment "$INTERFACE" \ + -j SNAT --to-source ${intnet%%/*} + + iptables -t filter -A nat_reflection_fwd \ + -s $intnet -d $inthost \ + -p $p $intport \ + -m comment --comment "$INTERFACE" \ + -j ACCEPT + ;; + esac done - } + done } config_load firewall + + local is_masq_zone="$(find_networks "$ZONE" 1)" + [ -n "$is_masq_zone" ] || exit 0 + + local extip + network_get_ipaddr extip "$INTERFACE" || exit 0 + config_foreach setup_fwd redirect fi diff --git a/package/network/config/firewall3/Makefile b/package/network/config/firewall3/Makefile new file mode 100644 index 000000000..b54c98acb --- /dev/null +++ b/package/network/config/firewall3/Makefile @@ -0,0 +1,65 @@ +# +# Copyright (C) 2013 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=firewall3 +PKG_VERSION:=2013-05-24 +PKG_RELEASE:=$(PKG_SOURCE_VERSION) + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=git://nbd.name/firewall3.git +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE_VERSION:=4ecfb8f6fe4920fd1c6904b1ca8730e746111b00 +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz +PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org> + + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/firewall3 + SECTION:=net + CATEGORY:=Network + TITLE:=UCI C Firewall + DEPENDS:=+libubox +libubus +libuci +libip4tc +libip6tc +libxtables +endef + +define Package/firewall3/description + This package provides a config-compatible C implementation of the UCI firewall. +endef + +define Package/firewall3/conffiles +/etc/config/firewall +/etc/firewall.user +endef + +define Build/Compile + $(CP) $(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)) $(PKG_BUILD_DIR)/libext.a + $(CP) $(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)) $(PKG_BUILD_DIR)/libext4.a + $(CP) $(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)) $(PKG_BUILD_DIR)/libext6.a + $(call Build/Compile/Default) +endef + +TARGET_CFLAGS += -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections + +define Package/firewall3/install + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3 + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall + $(INSTALL_DIR) $(1)/etc/config/ + $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall + $(INSTALL_DIR) $(1)/etc/ + $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user +endef + +$(eval $(call BuildPackage,firewall3)) diff --git a/package/network/config/firewall3/files/firewall.config b/package/network/config/firewall3/files/firewall.config new file mode 100644 index 000000000..59a45b208 --- /dev/null +++ b/package/network/config/firewall3/files/firewall.config @@ -0,0 +1,176 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + option network 'lan' + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name wan + option network 'wan wan6' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fe80::/10 + option src_port 547 + option dest_ip fe80::/10 + option dest_port 546 + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# include a file with users custom iptables rules +config include + option path /etc/firewall.user + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +# allow IPsec/ESP and ISAKMP passthrough +#config rule +# option src wan +# option dest lan +# option protocol esp +# option target ACCEPT + +#config rule +# option src wan +# option dest lan +# option src_port 500 +# option dest_port 500 +# option proto udp +# option target ACCEPT + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/network/config/firewall3/files/firewall.hotplug b/package/network/config/firewall3/files/firewall.hotplug new file mode 100644 index 000000000..34f3afec9 --- /dev/null +++ b/package/network/config/firewall3/files/firewall.hotplug @@ -0,0 +1,10 @@ +#!/bin/sh + +[ "$ACTION" = ifup ] || exit 0 + +/etc/init.d/firewall enabled || exit 0 + +fw3 -q network "$INTERFACE" >/dev/null || exit 0 + +logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)" +fw3 -q reload diff --git a/package/network/config/firewall3/files/firewall.init b/package/network/config/firewall3/files/firewall.init new file mode 100755 index 000000000..64e3a8c12 --- /dev/null +++ b/package/network/config/firewall3/files/firewall.init @@ -0,0 +1,25 @@ +#!/bin/sh /etc/rc.common + +START=19 + +boot() { + # Be silent on boot, firewall might be started by hotplug already, + # so don't complain in syslog. + fw3 -q start +} + +start() { + fw3 start +} + +stop() { + fw3 flush +} + +restart() { + fw3 restart +} + +reload() { + fw3 reload +} diff --git a/package/network/config/firewall3/files/firewall.user b/package/network/config/firewall3/files/firewall.user new file mode 100644 index 000000000..6f799063f --- /dev/null +++ b/package/network/config/firewall3/files/firewall.user @@ -0,0 +1,7 @@ +# This file is interpreted as shell script. +# Put your custom iptables rules here, they will +# be executed with each firewall (re-)start. + +# Internal uci firewall chains are flushed and recreated on reload, so +# put custom rules into the root chains e.g. INPUT or FORWARD or into the +# special user chains, e.g. input_wan_rule or postrouting_lan_rule. diff --git a/package/network/config/ltq-dsl-app/Config.in b/package/network/config/ltq-dsl-app/Config.in deleted file mode 100644 index 728fe65b3..000000000 --- a/package/network/config/ltq-dsl-app/Config.in +++ /dev/null @@ -1,9 +0,0 @@ -config LTQ_DSL_ENABLE_SOAP - bool "Enable SOAP support" - depends on PACKAGE_ltq-dsl-app - default n - -config LTQ_DSL_ENABLE_DSL_EVENT_POLLING - bool "Include Event Polling support" - depends on PACKAGE_ltq-dsl-app - default n diff --git a/package/network/config/ltq-dsl-app/Makefile b/package/network/config/ltq-dsl-app/Makefile deleted file mode 100644 index 664bc5d8e..000000000 --- a/package/network/config/ltq-dsl-app/Makefile +++ /dev/null @@ -1,97 +0,0 @@ -# -# Copyright (C) 2011-2012 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk -include $(INCLUDE_DIR)/kernel.mk - -PKG_NAME:=dsl_cpe_control_danube -PKG_VERSION:=3.24.4.4 -PKG_RELEASE:=2 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_BUILD_DIR:=$(BUILD_DIR)/dsl_cpe_control-$(PKG_VERSION) -PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources/ -PKG_MD5SUM:=ee315306626b68794d3d3636dabfe161 -PKG_MAINTAINER:=John Crispin <blogic@openwrt.org> - -PKG_CONFIG_DEPENDS:=\ - CONFIG_LTQ_DSL_ENABLE_SOAP \ - CONFIG_LTQ_DSL_ENABLE_DSL_EVENT_POLLING - -include $(INCLUDE_DIR)/package.mk - -PKG_BUILD_DEPENDS:=TARGET_lantiq_danube:kmod-ltq-dsl-danube TARGET_lantiq_ar9:kmod-ltq-dsl-ar9 \ - TARGET_lantiq_vr9:kmod-ltq-dsl-vr9 TARGET_lantiq_ase:kmod-ltq-dsl-ase - -define Package/ltq-dsl-app - SECTION:=net - CATEGORY:=Network - TITLE:=Lantiq DSL userland tool - URL:=http://www.lantiq.com/ - DEPENDS:=@TARGET_lantiq&&!(TARGET_lantiq_falcon||TARGET_lantiq_falcon_stable) +libpthread - MENU:=1 -endef - -define Package/ltq-dsl-app/description - Infineon DSL CPE API for Amazon SE, Danube and Vinax. -endef - -define Package/ltq-dsl-app/config - source "$(SOURCE)/Config.in" -endef - -LTQ_DSL_MAX_DEVICE=1 -LTQ_DSL_LINES_PER_DEVICE=1 -LTQ_DSL_CHANNELS_PER_LINE=1 - -CONFIGURE_ARGS += \ - --with-max-device="$(LTQ_DSL_MAX_DEVICE)" \ - --with-lines-per-device="$(LTQ_DSL_LINES_PER_DEVICE)" \ - --with-channels-per-line="$(LTQ_DSL_CHANNELS_PER_LINE)" \ - --enable-danube \ - --enable-driver-include="-I$(STAGING_DIR)/usr/include" \ - --enable-debug-prints \ - --enable-add-appl-cflags="-DMAX_CLI_PIPES=2" \ - --enable-cli-support \ - --enable-cmv-scripts \ - --enable-debug-tool-interface \ - --enable-adsl-led \ - --enable-dsl-ceoc \ - --enable-script-notification \ - --enable-dsl-pm \ - --enable-dsl-pm-total \ - --enable-dsl-pm-history \ - --enable-dsl-pm-showtime \ - --enable-dsl-pm-channel-counters \ - --enable-dsl-pm-datapath-counters \ - --enable-dsl-pm-line-counters \ - --enable-dsl-pm-channel-thresholds \ - --enable-dsl-pm-datapath-thresholds \ - --enable-dsl-pm-line-thresholds \ - --enable-dsl-pm-optional-parameters - -ifeq ($(CONFIG_LTQ_DSL_ENABLE_SOAP),y) -CONFIGURE_ARGS += \ - --enable-soap-support -endif - -ifeq ($(CONFIG_LTQ_DSL_ENABLE_DSL_EVENT_POLLING),y) -CONFIGURE_ARGS += \ - --enable-dsl-event-polling -endif - -TARGET_CFLAGS += -I$(LINUX_DIR)/include - -define Package/ltq-dsl-app/install - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/dsl_control $(1)/etc/init.d/ - - $(INSTALL_DIR) $(1)/sbin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/dsl_cpe_control $(1)/sbin - $(INSTALL_BIN) ./files/dsl_notify.sh $(1)/sbin -endef - -$(eval $(call BuildPackage,ltq-dsl-app)) diff --git a/package/network/config/ltq-dsl-app/files/dsl_control b/package/network/config/ltq-dsl-app/files/dsl_control deleted file mode 100644 index 79961aaed..000000000 --- a/package/network/config/ltq-dsl-app/files/dsl_control +++ /dev/null @@ -1,315 +0,0 @@ -#!/bin/sh /etc/rc.common -# Copyright (C) 2012 OpenWrt.org - -START=99 - -EXTRA_COMMANDS="status lucistat" -EXTRA_HELP=" status Get DSL status information - lucistat Get status information if lua friendly format" - -SERVICE_DAEMONIZE=1 -SERVICE_WRITE_PID=1 - -# -# Basic functions to send CLI commands to the dsl_cpe_control daemon -# -dsl_cmd() { - killall -0 dsl_cpe_control && ( - echo "$@" > /tmp/pipe/dsl_cpe0_cmd - cat /tmp/pipe/dsl_cpe0_ack - ) -} -dsl_val() { - echo $(expr "$1" : '.*'$2'=\([-\.[:alnum:]]*\).*') -} - -# -# Simple divide by 10 routine to cope with one decimal place -# -dbt() { - local a=$(expr $1 / 10) - local b=$(expr $1 % 10) - echo "${a}.${b}" -} -# -# Take a number and convert to k or meg -# -scale() { - local val=$1 - local a - local b - - if [ "$val" -gt 1000000 ]; then - a=$(expr $val / 1000) - b=$(expr $a % 1000) - a=$(expr $a / 1000) - printf "%d.%03d Mb" ${a} ${b} - elif [ "$val" -gt 1000 ]; then - a=$(expr $val / 1000) - printf "%d Kb" ${a} - else - echo "${val} b" - fi -} - -# -# Read the data rates for both directions -# -data_rates() { - local csg - local dru - local drd - local sdru - local sdrd - - csg=$(dsl_cmd g997csg 0 1) - drd=$(dsl_val "$csg" ActualDataRate) - - csg=$(dsl_cmd g997csg 0 0) - dru=$(dsl_val "$csg" ActualDataRate) - - [ -z "$drd" ] && drd=0 - [ -z "$dru" ] && dru=0 - - sdrd=$(scale $drd) - sdru=$(scale $dru) - - if [ "$action" = "lucistat" ]; then - echo "dsl.data_rate_down=$drd" - echo "dsl.data_rate_up=$dru" - echo "dsl.data_rate_down_s=\"$sdrd\"" - echo "dsl.data_rate_up_s=\"$sdru\"" - else - echo "Data Rate: ${sdrd}/s / ${sdru}/s" - fi -} - -# -# Chipset -# -chipset() { - local vig - local cs - local csv - - vig=$(dsl_cmd vig) - cs=$(dsl_val "$vig" DSL_ChipSetType) - csv=$(dsl_val "$vig" DSL_ChipSetHWVersion) - - if [ "$action" = "lucistat" ]; then - echo "dsl.chipset=\"${cs} ${csv}\"" - else - echo "Chipset: ${cs} ${csv}" - fi -} - -# -# Work out how long the line has been up -# -line_uptime() { - local ccsg - local et - local etr - local d - local h - local m - local s - local rc="" - - ccsg=$(dsl_cmd pmccsg 0 0 0) - et=$(dsl_val "$ccsg" nElapsedTime) - - [ -z "$et" ] && et=0 - - if [ "$action" = "lucistat" ]; then - echo "dsl.line_uptime=${et}" - return - fi - - d=$(expr $et / 86400) - etr=$(expr $et % 86400) - h=$(expr $etr / 3600) - etr=$(expr $etr % 3600) - m=$(expr $etr / 60) - s=$(expr $etr % 60) - - - [ "${d}${h}${m}${s}" -ne 0 ] && rc="${s}s" - [ "${d}${h}${m}" -ne 0 ] && rc="${m}m ${rc}" - [ "${d}${h}" -ne 0 ] && rc="${h}h ${rc}" - [ "${d}" -ne 0 ] && rc="${d}d ${rc}" - - [ -z "$rc" ] && rc="down" - echo "Line Uptime: ${rc}" -} - -# -# Get noise and attenuation figures -# -line_data() { - local lsg - local latnu - local latnd - local snru - local snrd - - lsg=$(dsl_cmd g997lsg 1 1) - latnd=$(dsl_val "$lsg" LATN) - snrd=$(dsl_val "$lsg" SNR) - - lsg=$(dsl_cmd g997lsg 0 1) - latnu=$(dsl_val "$lsg" LATN) - snru=$(dsl_val "$lsg" SNR) - - [ -z "$latnd" ] && latnd=0 - [ -z "$latnu" ] && latnu=0 - [ -z "$snrd" ] && snrd=0 - [ -z "$snru" ] && snru=0 - - latnd=$(dbt $latnd) - latnu=$(dbt $latnu) - snrd=$(dbt $snrd) - snru=$(dbt $snru) - - if [ "$action" = "lucistat" ]; then - echo "dsl.line_attenuation_down=$latnd" - echo "dsl.line_attenuation_up=$latnu" - echo "dsl.noise_margin_down=$snrd" - echo "dsl.noise_margin_up=$snru" - else - echo "Line Attenuation: ${latnd}dB / ${latnu}dB" - echo "Noise Margin: ${snrd}dB / ${snru}dB" - fi -} - -# -# Is the line up? Or what state is it in? -# -line_state() { - local lsg=$(dsl_cmd lsg) - local ls=$(dsl_val "$lsg" nLineState); - local s; - - case "$ls" in - "0x0") s="not initialized" ;; - "0x1") s="exception" ;; - "0x10") s="not updated" ;; - "0xff") s="idle request" ;; - "0x100") s="idle" ;; - "0x1ff") s="silent request" ;; - "0x200") s="silent" ;; - "0x300") s="handshake" ;; - "0x380") s="full_init" ;; - "0x400") s="discovery" ;; - "0x500") s="training" ;; - "0x600") s="analysis" ;; - "0x700") s="exchange" ;; - "0x800") s="showtime_no_sync" ;; - "0x801") s="showtime_tc_sync" ;; - "0x900") s="fastretrain" ;; - "0xa00") s="lowpower_l2" ;; - "0xb00") s="loopdiagnostic active" ;; - "0xb10") s="loopdiagnostic data exchange" ;; - "0xb20") s="loopdiagnostic data request" ;; - "0xc00") s="loopdiagnostic complete" ;; - "0x1000000") s="test" ;; - "0xd00") s="resync" ;; - "0x3c0") s="short init entry" ;; - "") s="not running daemon"; ls="0xfff" ;; - *) s="unknown" ;; - esac - - if [ $action = "lucistat" ]; then - echo "dsl.line_state_num=$ls" - echo "dsl.line_state_detail=\"$s\"" - if [ "$ls" = "0x801" ]; then - echo "dsl.line_state=\"UP\"" - else - echo "dsl.line_state=\"DOWN\"" - fi - else - if [ "$ls" = "0x801" ]; then - echo "Line State: UP [$ls: $s]" - else - echo "Line State: DOWN [$ls: $s]" - fi - fi -} - -# -# Main status routine -# -status() { - chipset - line_state - data_rates - line_data - line_uptime -} - -# -# Luci (lua) compatible version that's easy to parse -# -lucistat() { - echo "local dsl={}" - status - echo "return dsl" -} - - -annex_b=10_00_10_00_00_04_00_00 -annex_bdmt=10_00_00_00_00_00_00_00 -annex_b2=00_00_10_00_00_00_00_00 -annex_b2p=00_00_00_00_00_04_00_00 -annex_a=04_01_04_00_00_01_00_00 -annex_at1=01_00_00_00_00_00_00_00 -annex_alite=00_01_00_00_00_00_00_00 -annex_admt=04_00_00_00_00_00_00_00 -annex_a2=00_00_04_00_00_00_00_00 -annex_a2p=00_00_00_00_00_01_00_00 -annex_l=00_00_00_00_04_00_00_00 -annex_m=00_00_00_00_40_00_04_00 -annex_m2=00_00_00_00_40_00_00_00 -annex_m2p=00_00_00_00_00_00_04_00 - -# -# Simple start routine -# -start() { - local annex - local fwannex - local xtu - config_load network - config_get annex adsl annex - config_get fwannex adsl fwannex - - # get xtu - eval "xtu=\"\${annex_$annex}\"" - - # check for invalid annex mode - [ -n "${annex}" -a -z "${xtu}" ] && - echo "unknown annex mode $annex" - - # check for invalid fw annex mode - [[ "$fwannex" != "a" && "$fwannex" != "b" ]] && - echo "invalid fwannex: $fwannex" - - # start CPE dsl daemon in the background - service_start /sbin/dsl_cpe_control -i${xtu} \ - -n /sbin/dsl_notify.sh \ - -f /lib/firmware/dsl-fw-${fwannex}.bin -} - -# -# For stop we want to simulate the notification call for when -# the line goes down, so that we can stop the ppp link before -# we die. -# -stop() { - DSL_NOTIFICATION_TYPE="DSL_INTERFACE_STATUS" \ - DSL_INTERFACE_STATUS="DOWN" \ - /sbin/dsl_notify.sh - - service_stop /sbin/dsl_cpe_control -} - diff --git a/package/network/config/ltq-dsl-app/files/dsl_notify.sh b/package/network/config/ltq-dsl-app/files/dsl_notify.sh deleted file mode 100644 index 5e9f3964e..000000000 --- a/package/network/config/ltq-dsl-app/files/dsl_notify.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/sh -# -# This script is called by dsl_cpe_control whenever there is a DSL event, -# we only actually care about the DSL_INTERFACE_STATUS events as these -# tell us the line has either come up or gone down. -# -# The rest of the code is basically the same at the atm hotplug code -# - -[ "$DSL_NOTIFICATION_TYPE" = "DSL_INTERFACE_STATUS" ] || exit 0 - -. /lib/functions.sh - -include /lib/network -scan_interfaces - -local found=0 -local ifc -for ifc in $interfaces; do - local up - config_get_bool up "$ifc" up 0 - - local auto - config_get_bool auto "$ifc" auto 1 - - local proto - config_get proto "$ifc" proto - - if [ "$DSL_INTERFACE_STATUS" = "UP" ]; then - if [ "$proto" = "pppoa" ] && [ "$up" != 1 ] && [ "$auto" = 1 ]; then - found=1 - ( sleep 1; ifup "$ifc" ) & - fi - else - if [ "$proto" = "pppoa" ] && [ "$up" = 1 ] && [ "$auto" = 1 ]; then - found=1 - ( sleep 1; ifdown "$ifc" ) & - fi - fi -done - -if [ "$found" != 1 ]; then - logger "Found no matching interface for DSL notification ($DSL_INTERFACE_STATUS)" -fi diff --git a/package/network/config/ltq-dsl-app/patches/010-eglibc_compile_fix.patch b/package/network/config/ltq-dsl-app/patches/010-eglibc_compile_fix.patch new file mode 100644 index 000000000..268f868e0 --- /dev/null +++ b/package/network/config/ltq-dsl-app/patches/010-eglibc_compile_fix.patch @@ -0,0 +1,23 @@ +--- a/configure.in ++++ b/configure.in +@@ -29,6 +29,8 @@ AC_C_VOLATILE + #AC_FUNC_STRTOD + #AC_CHECK_FUNCS([ftime gethostbyname gettimeofday localtime_r memset select socket strchr strerror strstr strtoull]) + ++AC_SEARCH_LIBS([clock_gettime],[rt]) ++ + # + # save the configure arguments + # +--- a/src/dsl_cpe_linux.h ++++ b/src/dsl_cpe_linux.h +@@ -45,7 +45,8 @@ + #include <arpa/inet.h> + #include <sys/socket.h> /* socket */ + #include <sys/sem.h> /* semget */ +-#include <semaphore.h> /* sem_t */ ++#include <semaphore.h> /* sem_t */ ++#include <limits.h> + + #ifdef DSL_DEBUG_TOOL_INTERFACE + #include <sys/socket.h> diff --git a/package/network/config/netifd/Makefile b/package/network/config/netifd/Makefile index 242e190bd..e074ab5de 100644 --- a/package/network/config/netifd/Makefile +++ b/package/network/config/netifd/Makefile @@ -1,13 +1,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=netifd -PKG_VERSION:=2012-10-29 +PKG_VERSION:=2013-05-17 PKG_RELEASE=$(PKG_SOURCE_VERSION) PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=git://nbd.name/luci2/netifd.git PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) -PKG_SOURCE_VERSION:=c9242aed7daac67b338f6792b06afe78ffc57011 +PKG_SOURCE_VERSION:=2f31bff38d4dc2f36006ded6b8a7d039cb569eaa PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz PKG_MAINTAINER:=Felix Fietkau <nbd@openwrt.org> # PKG_MIRROR_MD5SUM:= diff --git a/package/network/config/netifd/files/etc/hotplug.d/iface/10-sysctl b/package/network/config/netifd/files/etc/hotplug.d/iface/10-sysctl deleted file mode 100644 index ff2ab49c4..000000000 --- a/package/network/config/netifd/files/etc/hotplug.d/iface/10-sysctl +++ /dev/null @@ -1,10 +0,0 @@ -# Skip fake devices (e.g. relayd) -grep -qs "^ *$DEVICE:" /proc/net/dev || exit 0 - -case "$ACTION" in - ifup) - include /lib/network - scan_interfaces - ;; -esac - diff --git a/package/network/config/netifd/files/etc/init.d/network b/package/network/config/netifd/files/etc/init.d/network index 2a4d5539e..429f33dd9 100755 --- a/package/network/config/netifd/files/etc/init.d/network +++ b/package/network/config/netifd/files/etc/init.d/network @@ -19,7 +19,7 @@ start() { include /lib/network setup_switch - sleep 2 + sleep 5 /sbin/wifi down /sbin/wifi up diff --git a/package/network/config/netifd/files/lib/netifd/dhcp.script b/package/network/config/netifd/files/lib/netifd/dhcp.script index 0097a96f8..b365a5352 100755 --- a/package/network/config/netifd/files/lib/netifd/dhcp.script +++ b/package/network/config/netifd/files/lib/netifd/dhcp.script @@ -35,6 +35,30 @@ setup_interface () { done proto_send_update "$INTERFACE" + if [ -n "$IFACE6RD" -a -n "$ip6rd" ]; then + local v4mask="${ip6rd%% *}" + ip6rd="${ip6rd#* }" + local ip6rdprefixlen="${ip6rd%% *}" + ip6rd="${ip6rd#* }" + local ip6rdprefix="${ip6rd%% *}" + ip6rd="${ip6rd#* }" + local ip6rdbr="${ip6rd%% *}" + +uci -q batch <<-EOF >/dev/null +set network.$IFACE6RD.proto=6rd +set network.$IFACE6RD.auto=0 +set network.$IFACE6RD.peeraddr=$ip6rdbr +set network.$IFACE6RD.ip4prefixlen=$v4mask +set network.$IFACE6RD.ip6prefix=$ip6rdprefix +set network.$IFCAE6RD.ip6prefixlen=$ip6rdprefixlen +commit network +EOF + + ifdown "$IFACE6RD" + /etc/init.d/network reload + ifup "$IFACE6RD" + fi + # TODO # [ -n "$ntpsrv" ] && change_state network "$ifc" lease_ntpsrv "$ntpsrv" # [ -n "$timesvr" ] && change_state network "$ifc" lease_timesrv "$timesvr" @@ -56,4 +80,7 @@ case "$1" in ;; esac +# user rules +[ -f /etc/udhcpc.user ] && . /etc/udhcpc.user + exit 0 diff --git a/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh b/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh index 38308785d..a270c681d 100755 --- a/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh +++ b/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh @@ -12,14 +12,15 @@ proto_dhcp_init_config() { proto_config_add_string "vendorid" proto_config_add_boolean "broadcast" proto_config_add_string "reqopts" + proto_config_add_string "iface6rd" } proto_dhcp_setup() { local config="$1" local iface="$2" - local ipaddr hostname clientid vendorid broadcast reqopts - json_get_vars ipaddr hostname clientid vendorid broadcast reqopts + local ipaddr hostname clientid vendorid broadcast reqopts iface6rd + json_get_vars ipaddr hostname clientid vendorid broadcast reqopts iface6rd local opt dhcpopts for opt in $reqopts; do @@ -28,6 +29,7 @@ proto_dhcp_setup() { [ "$broadcast" = 1 ] && broadcast="-B" || broadcast= [ -n "$clientid" ] && clientid="-x 0x3d:${clientid//:/}" || clientid="-C" + [ -n "$iface6rd" ] && proto_export "IFACE6RD=$iface6rd" proto_export "INTERFACE=$config" proto_run_command "$config" udhcpc \ diff --git a/package/network/config/netifd/files/sbin/ifstatus b/package/network/config/netifd/files/sbin/ifstatus index 511cc1d8d..8a951e6e1 100755 --- a/package/network/config/netifd/files/sbin/ifstatus +++ b/package/network/config/netifd/files/sbin/ifstatus @@ -10,4 +10,4 @@ ubus -S list "network.interface.$INTERFACE" >/dev/null || { echo "Interface $INTERFACE not found" exit 1 } -ubus call network.interface."$INTERFACE" status +ubus call network.interface status "{ \"interface\" : \"$INTERFACE\" }" diff --git a/package/network/config/netifd/files/sbin/ifup b/package/network/config/netifd/files/sbin/ifup index e6dbb3541..af3aaa845 100755 --- a/package/network/config/netifd/files/sbin/ifup +++ b/package/network/config/netifd/files/sbin/ifup @@ -6,7 +6,7 @@ setup_wifi= if_call() { local interface="$1" for mode in $modes; do - ubus call $interface $mode + ubus call network.interface $mode "{ \"interface\" : \"$interface\" }" done } @@ -38,7 +38,7 @@ done [ "$modes" = "down up" ] && ubus call network reload if [ -n "$ifup_all" ]; then for interface in `ubus -S list 'network.interface.*'`; do - if_call "$interface" + if_call "${interface##network.interface.}" done [ -n "$setup_wifi" ] && /sbin/wifi up exit @@ -47,7 +47,7 @@ else echo "Interface $1 not found" exit } - if_call "network.interface.$1" + if_call "$1" fi if [ -n "$setup_wifi" ] && grep -sq config /etc/config/wireless; then diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/tcrules.awk b/package/network/config/qos-scripts/files/usr/lib/qos/tcrules.awk index a19b65192..2a8871495 100644 --- a/package/network/config/qos-scripts/files/usr/lib/qos/tcrules.awk +++ b/package/network/config/qos-scripts/files/usr/lib/qos/tcrules.awk @@ -79,7 +79,7 @@ END { # leaf qdisc avpkt = 1200 for (i = 1; i <= n; i++) { - print "tc qdisc add dev "device" parent 1:"class[i]"0 handle "class[i]"00: fq_codel" + print "tc qdisc add dev "device" parent 1:"class[i]"0 handle "class[i]"00: fq_codel limit 800 quantum 300" } # filter rule diff --git a/package/network/config/swconfig/Makefile b/package/network/config/swconfig/Makefile index adc214745..6d1c9db78 100644 --- a/package/network/config/swconfig/Makefile +++ b/package/network/config/swconfig/Makefile @@ -25,10 +25,9 @@ endef TARGET_CPPFLAGS := \ -D_GNU_SOURCE \ -I$(STAGING_DIR)/usr/include/libnl-tiny \ - -I$(LINUX_DIR)/include \ - -I$(LINUX_DIR)/arch/$(LINUX_KARCH)/include \ -I$(PKG_BUILD_DIR) \ - $(TARGET_CPPFLAGS) + $(TARGET_CPPFLAGS) \ + -I$(LINUX_DIR)/user_headers/include define Build/Prepare mkdir -p $(PKG_BUILD_DIR) diff --git a/package/network/config/swconfig/src/cli.c b/package/network/config/swconfig/src/cli.c index 9cd16abb5..2eb73bea3 100644 --- a/package/network/config/swconfig/src/cli.c +++ b/package/network/config/swconfig/src/cli.c @@ -41,6 +41,7 @@ enum { CMD_LOAD, CMD_HELP, CMD_SHOW, + CMD_PORTMAP, }; static void @@ -167,6 +168,7 @@ show_vlan(struct switch_dev *dev, int vlan, bool all) static void print_usage(void) { + printf("swconfig list\n"); printf("swconfig dev <dev> [port <port>|vlan <vlan>] (help|set <key> <value>|get <key>|load <config>|show)\n"); exit(1); } @@ -213,6 +215,12 @@ int main(int argc, char **argv) int cvlan = -1; char *ckey = NULL; char *cvalue = NULL; + char *csegment = NULL; + + if((argc == 2) && !strcmp(argv[1], "list")) { + swlib_list(); + return 0; + } if(argc < 4) print_usage(); @@ -246,6 +254,10 @@ int main(int argc, char **argv) print_usage(); cmd = CMD_LOAD; ckey = argv[++i]; + } else if (!strcmp(arg, "portmap")) { + if (i + 1 < argc) + csegment = argv[++i]; + cmd = CMD_PORTMAP; } else if (!strcmp(arg, "show")) { cmd = CMD_SHOW; } else { @@ -318,6 +330,9 @@ int main(int argc, char **argv) case CMD_HELP: list_attributes(dev); break; + case CMD_PORTMAP: + swlib_print_portmap(dev, csegment); + break; case CMD_SHOW: if (cport >= 0 || cvlan >= 0) { if (cport >= 0) diff --git a/package/network/config/swconfig/src/swlib.c b/package/network/config/swconfig/src/swlib.c index de08717e3..7de3a604e 100644 --- a/package/network/config/swconfig/src/swlib.c +++ b/package/network/config/swconfig/src/swlib.c @@ -41,11 +41,16 @@ static struct genl_family *family; static struct nlattr *tb[SWITCH_ATTR_MAX + 1]; static int refcount = 0; -static struct nla_policy port_policy[] = { +static struct nla_policy port_policy[SWITCH_ATTR_MAX] = { [SWITCH_PORT_ID] = { .type = NLA_U32 }, [SWITCH_PORT_FLAG_TAGGED] = { .type = NLA_FLAG }, }; +static struct nla_policy portmap_policy[SWITCH_PORTMAP_MAX] = { + [SWITCH_PORTMAP_SEGMENT] = { .type = NLA_STRING }, + [SWITCH_PORTMAP_VIRT] = { .type = NLA_U32 }, +}; + static inline void * swlib_alloc(size_t size) { @@ -574,6 +579,41 @@ struct swlib_scan_arg { }; static int +add_port_map(struct switch_dev *dev, struct nlattr *nla) +{ + struct nlattr *p; + int err = 0, idx = 0; + int remaining; + + dev->maps = malloc(sizeof(struct switch_portmap) * dev->ports); + if (!dev->maps) + return -1; + memset(dev->maps, 0, sizeof(struct switch_portmap) * dev->ports); + + nla_for_each_nested(p, nla, remaining) { + struct nlattr *tb[SWITCH_PORTMAP_MAX+1]; + + if (idx >= dev->ports) + continue; + + err = nla_parse_nested(tb, SWITCH_PORTMAP_MAX, p, portmap_policy); + if (err < 0) + continue; + + + if (tb[SWITCH_PORTMAP_SEGMENT] && tb[SWITCH_PORTMAP_VIRT]) { + dev->maps[idx].segment = strdup(nla_get_string(tb[SWITCH_PORTMAP_SEGMENT])); + dev->maps[idx].virt = nla_get_u32(tb[SWITCH_PORTMAP_VIRT]); + } + idx++; + } + +out: + return err; +} + + +static int add_switch(struct nl_msg *msg, void *arg) { struct swlib_scan_arg *sa = arg; @@ -610,6 +650,8 @@ add_switch(struct nl_msg *msg, void *arg) dev->vlans = nla_get_u32(tb[SWITCH_ATTR_VLANS]); if (tb[SWITCH_ATTR_CPU_PORT]) dev->cpu_port = nla_get_u32(tb[SWITCH_ATTR_CPU_PORT]); + if (tb[SWITCH_ATTR_PORTMAP]) + add_port_map(dev, tb[SWITCH_ATTR_PORTMAP]); if (!sa->head) { sa->head = dev; @@ -624,6 +666,64 @@ done: return NL_SKIP; } +static int +list_switch(struct nl_msg *msg, void *arg) +{ + struct swlib_scan_arg *sa = arg; + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); + struct switch_dev *dev; + const char *name; + const char *alias; + + if (nla_parse(tb, SWITCH_ATTR_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL) < 0) + goto done; + + if (!tb[SWITCH_ATTR_DEV_NAME] || !tb[SWITCH_ATTR_NAME]) + goto done; + + printf("Found: %s - %s\n", nla_get_string(tb[SWITCH_ATTR_DEV_NAME]), + nla_get_string(tb[SWITCH_ATTR_ALIAS])); + +done: + return NL_SKIP; +} + +void +swlib_list(void) +{ + if (swlib_priv_init() < 0) + return; + swlib_call(SWITCH_CMD_GET_SWITCH, list_switch, NULL, NULL); + swlib_priv_free(); +} + +void +swlib_print_portmap(struct switch_dev *dev, char *segment) +{ + int i; + + if (segment) { + if (!strcmp(segment, "cpu")) { + printf("%d ", dev->cpu_port); + } else if (!strcmp(segment, "disabled")) { + for (i = 0; i < dev->ports; i++) + if (!dev->maps[i].segment) + printf("%d ", i); + } else for (i = 0; i < dev->ports; i++) { + if (dev->maps[i].segment && !strcmp(dev->maps[i].segment, segment)) + printf("%d ", i); + } + } else { + printf("%s - %s\n", dev->dev_name, dev->name); + for (i = 0; i < dev->ports; i++) + if (i == dev->cpu_port) + printf("port%d:\tcpu\n", i); + else if (dev->maps[i].segment) + printf("port%d:\t%s.%d\n", i, dev->maps[i].segment, dev->maps[i].virt); + else + printf("port%d:\tdisabled\n", i); + } +} struct switch_dev * swlib_connect(const char *name) diff --git a/package/network/config/swconfig/src/swlib.h b/package/network/config/swconfig/src/swlib.h index ff73969c8..016f74b4f 100644 --- a/package/network/config/swconfig/src/swlib.h +++ b/package/network/config/swconfig/src/swlib.h @@ -109,6 +109,7 @@ enum swlib_port_flags { struct switch_dev; struct switch_attr; struct switch_port; +struct switch_port_map; struct switch_val; struct uci_package; @@ -123,6 +124,7 @@ struct switch_dev { struct switch_attr *ops; struct switch_attr *port_ops; struct switch_attr *vlan_ops; + struct switch_portmap *maps; struct switch_dev *next; void *priv; }; @@ -154,6 +156,22 @@ struct switch_port { unsigned int flags; }; +struct switch_portmap { + unsigned int virt; + const char *segment; +}; + +/** + * swlib_list: list all switches + */ +void swlib_list(void); + +/** + * swlib_print_portmap: get portmap + * @dev: switch device struct + */ +void swlib_print_portmap(struct switch_dev *dev, char *segment); + /** * swlib_connect: connect to the switch through netlink * @name: name of the ethernet interface, |