diff options
Diffstat (limited to 'package/network/config')
57 files changed, 5433 insertions, 0 deletions
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile new file mode 100644 index 000000000..b7e7bba4a --- /dev/null +++ b/package/network/config/firewall/Makefile @@ -0,0 +1,58 @@ +# +# Copyright (C) 2008-2013 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. + +include $(TOPDIR)/rules.mk + +PKG_NAME:=firewall + +PKG_VERSION:=2 +PKG_RELEASE:=60 + +include $(INCLUDE_DIR)/package.mk + +define Package/firewall + SECTION:=net + CATEGORY:=Base system + URL:=http://openwrt.org/ + TITLE:=OpenWrt firewall + MAINTAINER:=Jo-Philipp Wich <xm@subsignal.org> + DEPENDS:=+iptables +kmod-ipt-conntrack +kmod-ipt-nat + PKGARCH:=all +endef + +define Package/firewall/description + UCI based firewall for OpenWrt +endef + +define Build/Compile + true +endef + +define Package/firewall/conffiles +/etc/config/firewall +/etc/firewall.user +endef + +define Package/firewall/install + $(INSTALL_DIR) $(1)/lib/firewall + $(INSTALL_DATA) ./files/lib/*.sh $(1)/lib/firewall + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) ./files/bin/fw $(1)/sbin + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall + $(INSTALL_DIR) $(1)/etc/init.d/ + $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall + $(INSTALL_DATA) ./files/reflection.hotplug $(1)/etc/hotplug.d/firewall/10-nat-reflection + $(INSTALL_DIR) $(1)/etc + $(INSTALL_DATA) ./files/firewall.user $(1)/etc + $(INSTALL_DIR) $(1)/lib/upgrade/keep.d + $(INSTALL_DATA) ./files/firewall.upgrade $(1)/lib/upgrade/keep.d/firewall +endef + +$(eval $(call BuildPackage,firewall)) diff --git a/package/network/config/firewall/files/bin/fw b/package/network/config/firewall/files/bin/fw new file mode 100644 index 000000000..5d20cc83e --- /dev/null +++ b/package/network/config/firewall/files/bin/fw @@ -0,0 +1,49 @@ +#!/bin/sh +FW_LIBDIR=/lib/firewall + +. /lib/functions.sh +. ${FW_LIBDIR}/fw.sh + +case "$(type fw)" in + *function) ;; + *) exit 255;; +esac + +usage() { + echo $0 "<command>" "<family>" "<table>" "<chain>" "<target>" "{" "<rules>" "}" + exit 0 +} + +cmd=$1 +shift +case "$cmd" in + --help|help) usage ;; + start|stop|reload|restart) + . ${FW_LIBDIR}/core.sh + fw_$cmd + exit $? + ;; +esac + +fam=$1 +shift +case "$fam" in + ip) + fam=i + if [ $# -gt 2 ]; then + for p in $(seq 2 $(($# - 1))); do + if eval "[ \$$p == '}' ]"; then + fam=I + break + fi + done + fi ;; + ip4) fam=4 ;; + ip6) fam=6 ;; + arp) fam=a ;; + eth) fam=e ;; + -*) exec $0 $cmd ${fam##*-} "$@" ;; +esac + +fw "$cmd" "$fam" "$@" +exit $? diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config new file mode 100644 index 000000000..a87413904 --- /dev/null +++ b/package/network/config/firewall/files/firewall.config @@ -0,0 +1,176 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + option network 'lan' + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name wan + option network 'wan' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fe80::/10 + option src_port 547 + option dest_ip fe80::/10 + option dest_port 546 + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# include a file with users custom iptables rules +config include + option path /etc/firewall.user + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +# allow IPsec/ESP and ISAKMP passthrough +#config rule +# option src wan +# option dest lan +# option protocol esp +# option target ACCEPT + +#config rule +# option src wan +# option dest lan +# option src_port 500 +# option dest_port 500 +# option proto udp +# option target ACCEPT + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/network/config/firewall/files/firewall.hotplug b/package/network/config/firewall/files/firewall.hotplug new file mode 100644 index 000000000..52e779848 --- /dev/null +++ b/package/network/config/firewall/files/firewall.hotplug @@ -0,0 +1,22 @@ +#!/bin/sh +# This script is executed as part of the hotplug event with +# HOTPLUG_TYPE=iface, triggered by various scripts when an interface +# is configured (ACTION=ifup) or deconfigured (ACTION=ifdown). The +# interface is available as INTERFACE, the real device as DEVICE. + +[ "$DEVICE" == "lo" ] && exit 0 + +. /lib/functions.sh +. /lib/firewall/core.sh + +fw_init +fw_is_loaded || exit 0 + +case "$ACTION" in + ifup) + fw_configure_interface "$INTERFACE" add "$DEVICE" & + ;; + ifdown) + fw_configure_interface "$INTERFACE" del "$DEVICE" + ;; +esac diff --git a/package/network/config/firewall/files/firewall.init b/package/network/config/firewall/files/firewall.init new file mode 100755 index 000000000..a2fd0a0e9 --- /dev/null +++ b/package/network/config/firewall/files/firewall.init @@ -0,0 +1,27 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2008-2010 OpenWrt.org + +START=45 + +FW_LIBDIR=/lib/firewall + +fw() { + . $FW_LIBDIR/core.sh + fw_$1 +} + +start() { + fw start +} + +stop() { + fw stop +} + +restart() { + fw restart +} + +reload() { + fw reload +} diff --git a/package/network/config/firewall/files/firewall.upgrade b/package/network/config/firewall/files/firewall.upgrade new file mode 100644 index 000000000..64f63eb39 --- /dev/null +++ b/package/network/config/firewall/files/firewall.upgrade @@ -0,0 +1 @@ +/etc/firewall.user diff --git a/package/network/config/firewall/files/firewall.user b/package/network/config/firewall/files/firewall.user new file mode 100644 index 000000000..1ccbd0165 --- /dev/null +++ b/package/network/config/firewall/files/firewall.user @@ -0,0 +1,4 @@ +# This file is interpreted as shell script. +# Put your custom iptables rules here, they will +# be executed with each firewall (re-)start. + diff --git a/package/network/config/firewall/files/lib/config.sh b/package/network/config/firewall/files/lib/config.sh new file mode 100644 index 000000000..8b2399fc8 --- /dev/null +++ b/package/network/config/firewall/files/lib/config.sh @@ -0,0 +1,101 @@ +# Copyright (C) 2009-2010 OpenWrt.org +# Copyright (C) 2009 Malte S. Stretz <http://msquadrat.de> +# +# This is a temporary file, I hope to have some of this stuff merged into +# /lib/functions.sh (without the fw_ prefix of course) one day. + +fw_config_append() { # <package> + CONFIG_APPEND=1 config_load "$@" + unset CONFIG_APPEND +} + +fw_config_once() { # <function> <type> + local func=$1 + local type=$2 + shift 2 + + local config=cfg00nil + fw_config__once() { + config=$1 + } + config_foreach fw_config__once "$type" + + $func $config "$@" +} + +fw_config_get_section() { # <config> <prefix> <type> <name> <default> ... + local config=$1 + local prefix=$2 + shift 2 + + [ -n "$config" ] || return 1 + [ -n "$prefix" ] && { + prefix="${prefix}_" + export ${NO_EXPORT:+-n} -- "${prefix}NAME"="${config}" + config_get "${prefix}TYPE" "$config" TYPE + } + + local enabled + config_get_bool enabled "$config" enabled 1 + [ $enabled -eq 1 ] || return 1 + + [ "$1" == '{' ] && shift + while [ $# -ge 3 ]; do + local type=$1 + local name=$2 + local dflt=$3 + shift 3 + # TODO: Move handling of defaults to /lib/functions.sh + # and get replace the case block with the following + # two lines: + # type=${type#string} + # config_get${type:+_${type}} "${prefix}${name}" "$config" "$name" "$dflt" || return + case "$type" in + string) + local tmp + config_get tmp "$config" "$name" || return + [ -z "$tmp" ] && tmp=$dflt + export ${NO_EXPORT:+-n} -- "${prefix}${name}=${tmp}" + continue + ;; + boolean) + type=bool + ;; + esac; + + local cmd=${prefix}config_get_${type} + type $cmd > /dev/null || { + cmd=config_get_${type} + } + type $cmd > /dev/null || { + echo "config type $type (for $name) not supported" >&2 + return 1 + } + $cmd "${prefix}${name}" "$config" "$name" "$dflt" || return + done +} + +config_get_ipaddr() { + local varn=$1 + local conf=$2 + local name=$3 + local dflt=$4 + + local addr + config_get addr "$conf" "$name" || return + [ -n "$addr" ] || addr=$dflt + + local mask=${addr#*/} + [ "$mask" != "$addr" ] || mask= + addr=${addr%/*} + + local vers= + case "$addr" in + *:*) vers=6; mask="${mask:-128}" ;; + *.*) vers=4; mask="${mask:-32}" ;; + esac + + export ${NO_EXPORT:+-n} -- "${varn}=${addr}" + export ${NO_EXPORT:+-n} -- "${varn}_prefixlen=${mask}" + export ${NO_EXPORT:+-n} -- "${varn}_version=${vers}" +} diff --git a/package/network/config/firewall/files/lib/core.sh b/package/network/config/firewall/files/lib/core.sh new file mode 100644 index 000000000..93d4d2e29 --- /dev/null +++ b/package/network/config/firewall/files/lib/core.sh @@ -0,0 +1,159 @@ +# Copyright (C) 2009-2010 OpenWrt.org + +FW_LIBDIR=${FW_LIBDIR:-/lib/firewall} + +. $FW_LIBDIR/fw.sh +include /lib/network + +fw_start() { + fw_init + + FW_DEFAULTS_APPLIED= + + fw_is_loaded && { + echo "firewall already loaded" >&2 + exit 1 + } + + uci_set_state firewall core "" firewall_state + + fw_clear DROP + + fw_callback pre core + + echo "Loading defaults" + fw_config_once fw_load_defaults defaults + + echo "Loading zones" + config_foreach fw_load_zone zone + + echo "Loading forwardings" + config_foreach fw_load_forwarding forwarding + + echo "Loading rules" + config_foreach fw_load_rule rule + + echo "Loading redirects" + config_foreach fw_load_redirect redirect + + echo "Loading includes" + config_foreach fw_load_include include + + [ -z "$FW_NOTRACK_DISABLED" ] && { + echo "Optimizing conntrack" + config_foreach fw_load_notrack_zone zone + } + + echo "Loading interfaces" + config_foreach fw_configure_interface interface add + + fw_callback post core + + uci_set_state firewall core zones "$FW_ZONES" + uci_set_state firewall core loaded 1 +} + +fw_stop() { + fw_init + + fw_callback pre stop + + local z n i + config_get z core zones + for z in $z; do + config_get n core "${z}_networks" + for n in $n; do + config_get i core "${n}_ifname" + [ -n "$i" ] && env -i ACTION=remove ZONE="$z" \ + INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall + done + + config_get i core "${z}_tcpmss" + [ "$i" == 1 ] && { + fw del i m FORWARD zone_${z}_MSSFIX + fw del i m zone_${z}_MSSFIX + } + done + + fw_clear ACCEPT + + fw_callback post stop + + uci_revert_state firewall + config_clear + + local h + for h in $FW_HOOKS; do unset $h; done + + unset FW_HOOKS + unset FW_INITIALIZED +} + +fw_restart() { + fw_stop + fw_start +} + +fw_reload() { + fw_restart +} + +fw_is_loaded() { + local bool=$(uci_get_state firewall.core.loaded) + return $((! ${bool:-0})) +} + + +fw_die() { + echo "Error:" "$@" >&2 + fw_log error "$@" + fw_stop + exit 1 +} + +fw_log() { + local level="$1" + [ -n "$2" ] && shift || level=notice + [ "$level" != error ] || echo "Error: $@" >&2 + logger -t firewall -p user.$level "$@" +} + + +fw_init() { + [ -z "$FW_INITIALIZED" ] || return 0 + + . $FW_LIBDIR/config.sh + + scan_interfaces + fw_config_append firewall + + local hooks="core stop defaults zone notrack synflood" + local file lib hk pp + for file in $FW_LIBDIR/core_*.sh; do + . $file + hk=$(basename $file .sh) + hk=${hk#core_} + append hooks $hk + done + for file in $FW_LIBDIR/*.sh; do + lib=$(basename $file .sh) + lib=${lib##[0-9][0-9]_} + case $lib in + core*|fw|config|uci_firewall) continue ;; + esac + . $file + for hk in $hooks; do + for pp in pre post; do + type ${lib}_${pp}_${hk}_cb >/dev/null && { + append FW_CB_${pp}_${hk} ${lib} + append FW_HOOKS FW_CB_${pp}_${hk} + } + done + done + done + + fw_callback post init + + FW_INITIALIZED=1 + return 0 +} diff --git a/package/network/config/firewall/files/lib/core_forwarding.sh b/package/network/config/firewall/files/lib/core_forwarding.sh new file mode 100644 index 000000000..2ea03f0eb --- /dev/null +++ b/package/network/config/firewall/files/lib/core_forwarding.sh @@ -0,0 +1,44 @@ +# Copyright (C) 2009-2010 OpenWrt.org + +fw_config_get_forwarding() { + [ "${forwarding_NAME}" != "$1" ] || return + fw_config_get_section "$1" forwarding { \ + string _name "$1" \ + string name "" \ + string src "" \ + string dest "" \ + string family "" \ + } || return + [ -n "$forwarding_name" ] || forwarding_name=$forwarding__name +} + +fw_load_forwarding() { + fw_config_get_forwarding "$1" + + fw_callback pre forwarding + + local chain=delegate_forward + [ -n "$forwarding_src" ] && { + chain=zone_${forwarding_src}_forward + } + + local target=ACCEPT + [ -n "$forwarding_dest" ] && { + target=zone_${forwarding_dest}_dest_ACCEPT + } + + local mode + fw_get_family_mode mode ${forwarding_family:-x} ${forwarding_dest:-${forwarding_src:--}} i + + fw add $mode f $chain $target ^ + + # propagate masq zone flag + [ -n "$forwarding_src" ] && list_contains FW_CONNTRACK_ZONES $forwarding_src && { + append FW_CONNTRACK_ZONES $forwarding_dest + } + [ -n "$forwarding_dest" ] && list_contains FW_CONNTRACK_ZONES $forwarding_dest && { + append FW_CONNTRACK_ZONES $forwarding_src + } + + fw_callback post forwarding +} diff --git a/package/network/config/firewall/files/lib/core_init.sh b/package/network/config/firewall/files/lib/core_init.sh new file mode 100644 index 000000000..404a83690 --- /dev/null +++ b/package/network/config/firewall/files/lib/core_init.sh @@ -0,0 +1,361 @@ +# Copyright (C) 2009-2011 OpenWrt.org +# Copyright (C) 2008 John Crispin <blogic@openwrt.org> + +FW_INITIALIZED= + +FW_ZONES= +FW_ZONES4= +FW_ZONES6= +FW_CONNTRACK_ZONES= +FW_NOTRACK_DISABLED= + +FW_DEFAULTS_APPLIED= +FW_ADD_CUSTOM_CHAINS= +FW_ACCEPT_REDIRECTS= +FW_ACCEPT_SRC_ROUTE= + +FW_DEFAULT_INPUT_POLICY=REJECT +FW_DEFAULT_OUTPUT_POLICY=REJECT +FW_DEFAULT_FORWARD_POLICY=REJECT + +FW_DISABLE_IPV4=0 +FW_DISABLE_IPV6=0 + + +fw_load_defaults() { + fw_config_get_section "$1" defaults { \ + string input $FW_DEFAULT_INPUT_POLICY \ + string output $FW_DEFAULT_OUTPUT_POLICY \ + string forward $FW_DEFAULT_FORWARD_POLICY \ + boolean drop_invalid 0 \ + boolean syn_flood 0 \ + boolean synflood_protect 0 \ + string synflood_rate 25 \ + string synflood_burst 50 \ + boolean tcp_syncookies 1 \ + boolean tcp_ecn 0 \ + boolean tcp_westwood 0 \ + boolean tcp_window_scaling 1 \ + boolean accept_redirects 0 \ + boolean accept_source_route 0 \ + boolean custom_chains 1 \ + boolean disable_ipv6 0 \ + } || return + [ -n "$FW_DEFAULTS_APPLIED" ] && { + fw_log error "duplicate defaults section detected, skipping" + return 1 + } + FW_DEFAULTS_APPLIED=1 + + FW_DEFAULT_INPUT_POLICY=$defaults_input + FW_DEFAULT_OUTPUT_POLICY=$defaults_output + FW_DEFAULT_FORWARD_POLICY=$defaults_forward + + FW_ADD_CUSTOM_CHAINS=$defaults_custom_chains + + FW_ACCEPT_REDIRECTS=$defaults_accept_redirects + FW_ACCEPT_SRC_ROUTE=$defaults_accept_source_route + + FW_DISABLE_IPV6=$defaults_disable_ipv6 + + fw_callback pre defaults + + # Seems like there are only one sysctl for both IP versions. + for s in syncookies ecn westwood window_scaling; do + eval "sysctl -e -w net.ipv4.tcp_${s}=\$defaults_tcp_${s}" >/dev/null + done + fw_sysctl_interface all + + fw add i f INPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED } + fw add i f OUTPUT ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED } + fw add i f FORWARD ACCEPT { -m conntrack --ctstate RELATED,ESTABLISHED } + + [ $defaults_drop_invalid == 1 ] && { + fw add i f INPUT DROP { -m conntrack --ctstate INVALID } + fw add i f OUTPUT DROP { -m conntrack --ctstate INVALID } + fw add i f FORWARD DROP { -m conntrack --ctstate INVALID } + FW_NOTRACK_DISABLED=1 + } + + fw add i f INPUT ACCEPT { -i lo } + fw add i f OUTPUT ACCEPT { -o lo } + + # Compatibility to old 'syn_flood' parameter + [ $defaults_syn_flood == 1 ] && \ + defaults_synflood_protect=1 + + [ "${defaults_synflood_rate%/*}" == "$defaults_synflood_rate" ] && \ + defaults_synflood_rate="$defaults_synflood_rate/second" + + [ $defaults_synflood_protect == 1 ] && { + echo "Loading synflood protection" + fw_callback pre synflood + fw add i f syn_flood + fw add i f syn_flood RETURN { \ + -p tcp --syn \ + -m limit --limit "${defaults_synflood_rate}" --limit-burst "${defaults_synflood_burst}" \ + } + fw add i f syn_flood DROP + fw add i f INPUT syn_flood { -p tcp --syn } + fw_callback post synflood + } + + [ $defaults_custom_chains == 1 ] && { + echo "Adding custom chains" + fw add i f input_rule + fw add i f output_rule + fw add i f forwarding_rule + fw add i n prerouting_rule + fw add i n postrouting_rule + + fw add i f INPUT input_rule + fw add i f OUTPUT output_rule + fw add i f FORWARD forwarding_rule + fw add i n PREROUTING prerouting_rule + fw add i n POSTROUTING postrouting_rule + } + + fw add i f delegate_input + fw add i f delegate_output + fw add i f delegate_forward + + fw add i f INPUT delegate_input + fw add i f OUTPUT delegate_output + fw add i f FORWARD delegate_forward + + fw add i f reject + fw add i f reject REJECT { --reject-with tcp-reset -p tcp } + fw add i f reject REJECT { --reject-with port-unreach } + + fw_set_filter_policy + + fw_callback post defaults +} + + +fw_config_get_zone() { + [ "${zone_NAME}" != "$1" ] || return + fw_config_get_section "$1" zone { \ + string name "$1" \ + string network "" \ + string device "" \ + string subnet "" \ + string input "$FW_DEFAULT_INPUT_POLICY" \ + string output "$FW_DEFAULT_OUTPUT_POLICY" \ + string forward "$FW_DEFAULT_FORWARD_POLICY" \ + boolean masq 0 \ + string masq_src "" \ + string masq_dest "" \ + string extra "" \ + string extra_src "" \ + string extra_dest "" \ + boolean conntrack 0 \ + boolean mtu_fix 0 \ + boolean custom_chains 0 \ + boolean log 0 \ + string log_limit 10 \ + string family "" \ + } || return + [ -n "$zone_name" ] || zone_name=$zone_NAME + [ -n "$zone_extra_src" ] || zone_extra_src="$zone_extra" + [ -n "$zone_extra_dest" ] || zone_extra_dest="$zone_extra" + [ -n "$zone_network$zone_subnet$zone_device$zone_extra_src$zone_extra_dest" ] || zone_network=$zone_name +} + +fw_load_zone() { + fw_config_get_zone "$1" + + list_contains FW_ZONES $zone_name && { + fw_log error "zone ${zone_name}: duplicated zone, skipping" + return 0 + } + append FW_ZONES $zone_name + + fw_callback pre zone + + [ $zone_conntrack = 1 -o $zone_masq = 1 ] && \ + append FW_CONNTRACK_ZONES "$zone_name" + + local mode + case "$zone_family" in + *4) + mode=4 + append FW_ZONES4 $zone_name + uci_set_state firewall core ${zone_name}_ipv4 1 + ;; + *6) + mode=6 + append FW_ZONES6 $zone_name + uci_set_state firewall core ${zone_name}_ipv6 1 + ;; + *) + mode=i + append FW_ZONES4 $zone_name + append FW_ZONES6 $zone_name + uci_set_state firewall core ${zone_name}_ipv4 1 + uci_set_state firewall core ${zone_name}_ipv6 1 + ;; + esac + + local chain=zone_${zone_name} + + fw add $mode f ${chain}_src_ACCEPT + fw add $mode f ${chain}_src_DROP + fw add $mode f ${chain}_src_REJECT + + fw add $mode f ${chain}_dest_ACCEPT + fw add $mode f ${chain}_dest_DROP + fw add $mode f ${chain}_dest_REJECT + + fw add $mode f ${chain}_input + fw add $mode f ${chain}_input ${chain}_src_${zone_input} $ + + fw add $mode f ${chain}_forward + fw add $mode f ${chain}_forward ${chain}_dest_${zone_forward} $ + + fw add $mode f ${chain}_output + fw add $mode f ${chain}_output ${chain}_dest_${zone_output} $ + + # TODO: Rename to ${chain}_MASQUERADE + fw add $mode n ${chain}_nat + fw add $mode n ${chain}_prerouting + + fw add $mode r ${chain}_notrack + + [ $zone_mtu_fix == 1 ] && { + fw add $mode m ${chain}_MSSFIX + fw add $mode m FORWARD ${chain}_MSSFIX ^ + uci_set_state firewall core ${zone_name}_tcpmss 1 + } + + [ $zone_custom_chains == 1 ] && { + [ $FW_ADD_CUSTOM_CHAINS == 1 ] || \ + fw_die "zone ${zone_name}: custom_chains globally disabled" + + fw add $mode f input_${zone_name} + fw add $mode f ${chain}_input input_${zone_name} ^ + + fw add $mode f forwarding_${zone_name} + fw add $mode f ${chain}_forward forwarding_${zone_name} ^ + + fw add $mode n prerouting_${zone_name} + fw add $mode n ${chain}_prerouting prerouting_${zone_name} ^ + } + + [ "$zone_log" == 1 ] && { + [ "${zone_log_limit%/*}" == "$zone_log_limit" ] && \ + zone_log_limit="$zone_log_limit/minute" + + local t + for t in REJECT DROP; do + local d + for d in src dest; do + fw add $mode f ${chain}_${d}_${t} LOG ^ \ + { -m limit --limit $zone_log_limit --log-prefix "$t($d:$zone_name): " } + done + done + + [ $zone_mtu_fix == 1 ] && \ + fw add $mode m ${chain}_MSSFIX LOG ^ \ + { -p tcp --tcp-flags SYN,RST SYN -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " } + } + + # NB: if MASQUERADING for IPv6 becomes available we'll need a family check here + if [ "$zone_masq" == 1 ]; then + local msrc mdst + for msrc in ${zone_masq_src:-0.0.0.0/0}; do + case "$msrc" in + *.*) fw_get_negation msrc '-s' "$msrc" ;; + *) fw_get_subnet4 msrc '-s' "$msrc" || break ;; + esac + + for mdst in ${zone_masq_dest:-0.0.0.0/0}; do + case "$mdst" in + *.*) fw_get_negation mdst '-d' "$mdst" ;; + *) fw_get_subnet4 mdst '-d' "$mdst" || break ;; + esac + + fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst } + done + done + fi + + local dev + for dev in ${zone_device:-""}; do + local net + for net in ${zone_subnet:-""}; do + [ -n "$dev" ] || [ -n "$net" ] || continue + fw_do_interface_rules add "${zone_name}" "$dev" "$net" \ + "${zone_extra_src}" "${zone_extra_dest}" + done + done + + fw_callback post zone +} + +fw_load_notrack_zone() { + fw_config_get_zone "$1" + list_contains FW_CONNTRACK_ZONES "${zone_name}" && return + + fw_callback pre notrack + + fw add i r zone_${zone_name}_notrack NOTRACK $ + + fw_callback post notrack +} + + +fw_load_include() { + local name="$1" + + local path + config_get path ${name} path + + [ -e $path ] && ( + config() { + fw_log error "You cannot use UCI in firewall includes!" >&2 + exit 1 + } + . $path + ) +} + + +fw_clear() { + local policy=$1 + + fw_set_filter_policy $policy + + local tab + for tab in f n r; do + fw del i $tab + done +} + +fw_set_filter_policy() { + local policy=$1 + + local chn tgt + for chn in INPUT OUTPUT FORWARD; do + eval "tgt=\${policy:-\${FW_DEFAULT_${chn}_POLICY}}" + [ $tgt == "REJECT" ] && tgt=reject + [ $tgt == "ACCEPT" -o $tgt == "DROP" ] || { + fw add i f $chn $tgt $ + tgt=DROP + } + fw policy i f $chn $tgt + done +} + + +fw_callback() { + local pp=$1 + local hk=$2 + + local libs lib + eval "libs=\$FW_CB_${pp}_${hk}" + [ -n "$libs" ] || return + for lib in $libs; do + ${lib}_${pp}_${hk}_cb + done +} diff --git a/package/network/config/firewall/files/lib/core_interface.sh b/package/network/config/firewall/files/lib/core_interface.sh new file mode 100644 index 000000000..9138cbf0c --- /dev/null +++ b/package/network/config/firewall/files/lib/core_interface.sh @@ -0,0 +1,214 @@ +# Copyright (C) 2009-2013 OpenWrt.org + +fw__uci_state_add() { + local var="$1" + local item="$2" + + local val="$(uci_get_state firewall core $var)" + local e1; for e1 in $item; do + local e2; for e2 in $val; do + [ "$e1" = "$e2" ] && e1="" + done + val="${val:+$val${e1:+ }}$e1" + done + + uci_toggle_state firewall core $var "$val" +} + +fw__uci_state_del() { + local var="$1" + local item="$2" + + local rest="" + local val="$(uci_get_state firewall core $var)" + local e1; for e1 in $val; do + local e2; for e2 in $item; do + [ "$e1" = "$e2" ] && e1="" + done + rest="${rest:+$rest${e1:+ }}$e1" + done + + uci_toggle_state firewall core $var "$rest" +} + +fw_do_interface_rules() { + local action=$1 + local zone=$2 + local chain=zone_${zone} + local ifname=$3 + local subnet=$4 + local extra_src="$5" + local extra_dest="$6" + + local idev odev inet onet mode + fw_get_family_mode mode x $zone i + + fw_get_negation idev '-i' "$ifname" + fw_get_negation odev '-o' "$ifname" + + case "$mode/$subnet" in + # Zone supports v6 only or dual, need v6 + G6/*:*|i/*:*) + fw_get_negation inet '-s' "$subnet" + fw_get_negation onet '-d' "$subnet" + mode=6 + ;; + + # Zone supports v4 only or dual, need v4 + G4/*.*.*.*|i/*.*.*.*) + fw_get_negation inet '-s' "$subnet" + fw_get_negation onet '-d' "$subnet" + mode=4 + ;; + + # Need v6 while zone is v4 + */*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;; + + # Need v4 while zone is v6 + */*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;; + + # Strip prefix + *) mode="${mode#G}" ;; + esac + + lock /var/run/firewall-interface.lock + + fw $action $mode f ${chain}_dest_ACCEPT ACCEPT $ { $odev $onet $extra_dest } + fw $action $mode f ${chain}_src_ACCEPT ACCEPT $ { $idev $inet $extra_src } + fw $action $mode f ${chain}_dest_DROP DROP $ { $odev $onet $extra_dest } + fw $action $mode f ${chain}_src_DROP DROP $ { $idev $inet $extra_src } + fw $action $mode f ${chain}_dest_REJECT reject $ { $odev $onet $extra_dest } + fw $action $mode f ${chain}_src_REJECT reject $ { $idev $inet $extra_src } + + [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \ + fw $action $mode m ${chain}_MSSFIX TCPMSS $ \ + { $odev -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet $extra_dest } + + fw $action $mode f delegate_input ${chain}_input $ { $idev $inet $extra_src } + fw $action $mode f delegate_forward ${chain}_forward $ { $idev $inet $extra_src } + fw $action $mode f delegate_output ${chain}_output $ { $odev $onet $extra_dest } + + fw $action $mode n PREROUTING ${chain}_prerouting $ { $idev $inet $extra_src } + fw $action $mode r PREROUTING ${chain}_notrack $ { $idev $inet $extra_src } + fw $action $mode n POSTROUTING ${chain}_nat $ { $odev $onet $extra_dest } + + # Flush conntrack table + echo f >/proc/net/nf_conntrack 2>/dev/null + + lock -u /var/run/firewall-interface.lock +} + +fw_configure_interface() { + local iface=$1 + local action=$2 + local ifname=$3 + local aliasnet=$4 + + [ "$action" == "add" ] && { + local status=$(uci_get_state network "$iface" up 0) + [ "$status" == 1 ] || [ -n "$aliasnet" ] || return 0 + } + + [ -n "$ifname" ] || { + ifname=$(uci_get_state network "$iface" ifname) + ifname="${ifname%%:*}" + [ -z "$ifname" ] && return 0 + } + + [ "$ifname" == "lo" ] && return 0 + + fw_callback pre interface + + local old_zones old_ifname old_subnets + config_get old_zones core "${iface}_zone" + [ -n "$old_zones" ] && { + config_get old_ifname core "${iface}_ifname" + config_get old_subnets core "${iface}_subnets" + + local z + for z in $old_zones; do + local n + for n in ${old_subnets:-""}; do + fw_log info "removing $iface ($old_ifname${n:+ alias $n}) from zone $z" + fw_do_interface_rules del $z $old_ifname $n + done + + [ -n "$old_subnets" ] || { + fw__uci_state_del "${z}_networks" "$iface" + env -i ACTION=remove ZONE="$z" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall + } + done + + local old_aliases + config_get old_aliases core "${iface}_aliases" + + local a + for a in $old_aliases; do + fw_configure_interface "$a" del "$old_ifname" + done + + uci_revert_state firewall core "${iface}_zone" + uci_revert_state firewall core "${iface}_ifname" + uci_revert_state firewall core "${iface}_subnets" + uci_revert_state firewall core "${iface}_aliases" + } + + [ "$action" == del ] && return + + [ -z "$aliasnet" ] && { + local aliases + config_get aliases "$iface" aliases + + local a + for a in $aliases; do + local ipaddr netmask ip6addr + config_get ipaddr "$a" ipaddr + config_get netmask "$a" netmask + config_get ip6addr "$a" ip6addr + + [ -n "$ipaddr" ] && fw_configure_interface "$a" add "" "$ipaddr${netmask:+/$netmask}" + [ -n "$ip6addr" ] && fw_configure_interface "$a" add "" "$ip6addr" + done + + fw_sysctl_interface $ifname + fw_callback post interface + + uci_toggle_state firewall core "${iface}_aliases" "$aliases" + } || { + local subnets= + config_get subnets core "${iface}_subnets" + append subnets "$aliasnet" + + config_set core "${iface}_subnets" "$subnets" + uci_toggle_state firewall core "${iface}_subnets" "$subnets" + } + + local new_zones= + load_zone() { + fw_config_get_zone "$1" + list_contains zone_network "$iface" || return + + fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name" + fw_do_interface_rules add ${zone_name} "$ifname" "$aliasnet" + append new_zones $zone_name + + [ -n "$aliasnet" ] || { + fw__uci_state_add "${zone_name}_networks" "${zone_network}" + env -i ACTION=add ZONE="$zone_name" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall + } + } + config_foreach load_zone zone + + uci_toggle_state firewall core "${iface}_zone" "$new_zones" + uci_toggle_state firewall core "${iface}_ifname" "$ifname" +} + +fw_sysctl_interface() { + local ifname=$1 + { + sysctl -w net.ipv4.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS + sysctl -w net.ipv6.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS + sysctl -w net.ipv4.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE + sysctl -w net.ipv6.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE + } >/dev/null 2>/dev/null +} diff --git a/package/network/config/firewall/files/lib/core_redirect.sh b/package/network/config/firewall/files/lib/core_redirect.sh new file mode 100644 index 000000000..9493bc6ae --- /dev/null +++ b/package/network/config/firewall/files/lib/core_redirect.sh @@ -0,0 +1,130 @@ +# Copyright (C) 2009-2010 OpenWrt.org + +fw_config_get_redirect() { + [ "${redirect_NAME}" != "$1" ] || return + fw_config_get_section "$1" redirect { \ + string _name "$1" \ + string name "" \ + string src "" \ + ipaddr src_ip "" \ + ipaddr src_dip "" \ + string src_mac "" \ + string src_port "" \ + string src_dport "" \ + string dest "" \ + ipaddr dest_ip "" \ + string dest_port "" \ + string proto "tcpudp" \ + string family "" \ + string target "DNAT" \ + string extra "" \ + } || return + [ -n "$redirect_name" ] || redirect_name=$redirect__name +} + +fw_load_redirect() { + fw_config_get_redirect "$1" + + fw_callback pre redirect + + local fwdchain natchain natopt nataddr natports srcdaddr srcdports + if [ "$redirect_target" == "DNAT" ]; then + [ -n "${redirect_src#*}" -a -n "$redirect_dest_ip$redirect_dest_port" ] || { + fw_log error "DNAT redirect ${redirect_name}: needs src and dest_ip or dest_port, skipping" + return 0 + } + + fwdopt="" + fwdchain="" + + # Check whether only ports are given or whether the given dest ip is local, + # in this case match only DNATed traffic and allow it on input, not forward + if [ -z "$redirect_dest_ip" ] || /sbin/ifconfig | grep -qE "addr:${redirect_dest_ip//./\\.}\b"; then + fwdopt="-m conntrack --ctstate DNAT" + fwdchain="zone_${redirect_src}_input" + else + fwdchain="zone_${redirect_src}_forward" + fi + + natopt="--to-destination" + natchain="zone_${redirect_src}_prerouting" + nataddr="$redirect_dest_ip" + fw_get_port_range natports "${redirect_dest_port#!}" "-" + + fw_get_negation srcdaddr '-d' "${redirect_src_dip:+$redirect_src_dip/$redirect_src_dip_prefixlen}" + fw_get_port_range srcdports "$redirect_src_dport" ":" + fw_get_negation srcdports '--dport' "$srcdports" + + list_contains FW_CONNTRACK_ZONES $redirect_src || \ + append FW_CONNTRACK_ZONES $redirect_src + + elif [ "$redirect_target" == "SNAT" ]; then + [ -n "${redirect_dest#*}" -a -n "$redirect_src_dip" ] || { + fw_log error "SNAT redirect ${redirect_name}: needs dest and src_dip, skipping" + return 0 + } + + fwdchain="${redirect_src:+zone_${redirect_src}_forward}" + + natopt="--to-source" + natchain="zone_${redirect_dest}_nat" + nataddr="$redirect_src_dip" + fw_get_port_range natports "${redirect_src_dport#!}" "-" + + fw_get_negation srcdaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}" + fw_get_port_range srcdports "$redirect_dest_port" ":" + fw_get_negation srcdports '--dport' "$srcdports" + + list_contains FW_CONNTRACK_ZONES $redirect_dest || \ + append FW_CONNTRACK_ZONES $redirect_dest + + else + fw_log error "redirect ${redirect_name}: target must be either DNAT or SNAT, skipping" + return 0 + fi + + local mode + fw_get_family_mode mode ${redirect_family:-x} ${redirect_src:-$redirect_dest} I + + local srcaddr + fw_get_negation srcaddr '-s' "${redirect_src_ip:+$redirect_src_ip/$redirect_src_ip_prefixlen}" + + local srcports + fw_get_port_range srcports "$redirect_src_port" ":" + fw_get_negation srcports '--sport' "$srcports" + + local destaddr + fw_get_negation destaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}" + + local destports + fw_get_port_range destports "${redirect_dest_port:-$redirect_src_dport}" ":" + fw_get_negation destports '--dport' "$destports" + + [ "$redirect_proto" == "tcpudp" ] && redirect_proto="tcp udp" + local pr; for pr in $redirect_proto; do + fw_get_negation pr '-p' "$pr" + local sm; for sm in ${redirect_src_mac:-""}; do + fw_get_negation sm '--mac-source' "$sm" + fw add $mode n $natchain $redirect_target + \ + { $redirect_src_ip $redirect_dest_ip } { \ + $srcaddr $srcdaddr $pr \ + $srcports $srcdports \ + ${sm:+-m mac $sm} \ + $natopt $nataddr${natports:+:$natports} \ + $redirect_options \ + } + + fw add $mode f ${fwdchain:-delegate_forward} ACCEPT + \ + { $redirect_src_ip $redirect_dest_ip } { \ + $srcaddr $destaddr \ + $pr \ + $srcports $destports \ + ${sm:+-m mac $sm} \ + $fwdopt \ + $redirect_extra \ + } + done + done + + fw_callback post redirect +} diff --git a/package/network/config/firewall/files/lib/core_rule.sh b/package/network/config/firewall/files/lib/core_rule.sh new file mode 100644 index 000000000..0ce2122be --- /dev/null +++ b/package/network/config/firewall/files/lib/core_rule.sh @@ -0,0 +1,117 @@ +# Copyright (C) 2009-2010 OpenWrt.org + +fw_config_get_rule() { + [ "${rule_NAME}" != "$1" ] || return + fw_config_get_section "$1" rule { \ + string _name "$1" \ + string name "" \ + string src "" \ + ipaddr src_ip "" \ + string src_mac "" \ + string src_port "" \ + string dest "" \ + ipaddr dest_ip "" \ + string dest_port "" \ + string icmp_type "" \ + string proto "tcpudp" \ + string target "" \ + string family "" \ + string limit "" \ + string limit_burst "" \ + string extra "" \ + } || return + [ -n "$rule_name" ] || rule_name=$rule__name +} + +fw_load_rule() { + fw_config_get_rule "$1" + + [ "$rule_target" != "NOTRACK" ] || [ -n "$rule_src" ] || [ "$rule_src" != "*" ] || { + fw_log error "NOTRACK rule ${rule_name}: needs src, skipping" + return 0 + } + + fw_callback pre rule + + local table=f + local chain=delegate_output + local target="${rule_target:-REJECT}" + if [ "$target" == "NOTRACK" ]; then + table=r + chain="zone_${rule_src}_notrack" + else + if [ -n "$rule_src" ]; then + if [ "$rule_src" != "*" ]; then + if [ -n "$rule_dest" ]; then + chain="zone_${rule_src}_forward" + else + chain="zone_${rule_src}_input" + fi + else + chain="${rule_dest:+delegate_forward}" + chain="${chain:-delegate_input}" + fi + fi + + if [ -n "$rule_dest" ]; then + if [ "$rule_dest" != "*" ]; then + target="zone_${rule_dest}_dest_${target}" + if [ -z "$rule_src" ]; then + chain="zone_${rule_dest}_output" + fi + elif [ "$target" = REJECT ]; then + target=reject + fi + fi + fi + + local mode + fw_get_family_mode mode ${rule_family:-x} "$rule_src" I + + local src_spec dest_spec + fw_get_negation src_spec '-s' "${rule_src_ip:+$rule_src_ip/$rule_src_ip_prefixlen}" + fw_get_negation dest_spec '-d' "${rule_dest_ip:+$rule_dest_ip/$rule_dest_ip_prefixlen}" + + [ "$rule_proto" == "tcpudp" ] && rule_proto="tcp udp" + local pr; for pr in $rule_proto; do + local sports dports itypes + case "$pr" in + icmp|icmpv6|1|58) + sports=""; dports="" + itypes="$rule_icmp_type" + ;; + *) + sports="$rule_src_port" + dports="$rule_dest_port" + itypes="" + ;; + esac + + fw_get_negation pr '-p' "$pr" + local sp; for sp in ${sports:-""}; do + fw_get_port_range sp $sp + fw_get_negation sp '--sport' "$sp" + local dp; for dp in ${dports:-""}; do + fw_get_port_range dp $dp + fw_get_negation dp '--dport' "$dp" + local sm; for sm in ${rule_src_mac:-""}; do + fw_get_negation sm '--mac-source' "$sm" + local it; for it in ${itypes:-""}; do + fw_get_negation it '--icmp-type' "$it" + fw add $mode $table $chain $target + \ + { $rule_src_ip $rule_dest_ip } { \ + $src_spec $dest_spec \ + $pr $sp $dp $it \ + ${sm:+-m mac $sm} \ + ${rule_limit:+-m limit --limit $rule_limit \ + ${rule_limit_burst:+--limit-burst $rule_limit_burst}} \ + $rule_extra \ + } + done + done + done + done + done + + fw_callback post rule +} diff --git a/package/network/config/firewall/files/lib/fw.sh b/package/network/config/firewall/files/lib/fw.sh new file mode 100644 index 000000000..ca851e81c --- /dev/null +++ b/package/network/config/firewall/files/lib/fw.sh @@ -0,0 +1,324 @@ +# Copyright (C) 2009-2010 OpenWrt.org +# Copyright (C) 2009 Malte S. Stretz + +export FW_4_ERROR=0 +export FW_6_ERROR=0 +export FW_i_ERROR=0 +export FW_e_ERROR=0 +export FW_a_ERROR=0 + +#TODO: remove this +[ "${-#*x}" == "$-" ] && { + fw() { + fw__exec "$@" + } +} || { + fw() { + local os=$- + set +x + fw__exec "$@" + local rc=$? + set -$os + return $rc + } +} + +fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> } + local cmd fam tab chn tgt pos + local i + for i in cmd fam tab chn tgt pos; do + if [ "$1" -a "$1" != '{' ]; then + eval "$i='$1'" + shift + else + eval "$i=-" + fi + done + + fw__rc() { + export FW_${fam#G}_ERROR=$1 + return $1 + } + + fw__dualip() { + fw $cmd 4 $tab $chn $tgt $pos "$@" + fw $cmd 6 $tab $chn $tgt $pos "$@" + fw__rc $((FW_4_ERROR | FW_6_ERROR)) + } + + fw__autoip() { + local ip4 ip6 + shift + while [ "$1" != '}' ]; do + case "$1" in + *:*) ip6=1 ;; + *.*.*.*) ip4=1 ;; + esac + shift + done + shift + if [ "${ip4:-4}" == "${ip6:-6}" ]; then + echo "fw: can't mix ip4 and ip6" >&2 + return 1 + fi + local ver=${ip4:+4}${ip6:+6} + fam=i + fw $cmd ${ver:-i} $tab $chn $tgt $pos "$@" + fw__rc $? + } + + fw__has() { + local tab=${1:-$tab} + if [ $tab == '-' ]; then + type $app > /dev/null 2> /dev/null + fw__rc $(($? & 1)) + return + fi + [ "$app" != ip6tables ] || [ "$tab" != nat ] + fw__rc $? + } + + fw__err() { + local err + eval "err=\$FW_${fam}_ERROR" + fw__rc $err + } + + local app= + local pol= + case "$fam" in + *4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables || return ;; + *6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;; + i) fw__dualip "$@"; return ;; + I) fw__autoip "$@"; return ;; + e) app=ebtables ;; + a) app=arptables ;; + -) fw $cmd i $tab $chn $tgt $pos "$@"; return ;; + *) return 254 ;; + esac + case "$tab" in + f) tab=filter ;; + m) tab=mangle ;; + n) tab=nat ;; + r) tab=raw ;; + -) tab=filter ;; + esac + case "$cmd:$chn:$tgt:$pos" in + add:*:-:*) cmd=new-chain ;; + add:*:*:-) cmd=append ;; + add:*:*:$) cmd=append ;; + add:*:*:*) cmd=insert ;; + del:-:*:*) cmd=delete-chain; fw flush $fam $tab ;; + del:*:-:*) cmd=delete-chain; fw flush $fam $tab $chn ;; + del:*:*:*) cmd=delete ;; + flush:*) ;; + policy:*) pol=$tgt; tgt=- ;; + has:*) fw__has; return ;; + err:*) fw__err; return ;; + list:*) cmd="numeric --verbose --$cmd" ;; + *) return 254 ;; + esac + case "$chn" in + -) chn= ;; + esac + case "$tgt" in + -) tgt= ;; + esac + + local rule_offset + case "$pos" in + ^) pos=1 ;; + $) pos= ;; + -) pos= ;; + +) eval "rule_offset=\${FW__RULE_OFS_${app}_${tab}_${chn}:-1}" ;; + esac + + if ! fw__has - family || ! fw__has $tab ; then + export FW_${fam}_ERROR=0 + return 0 + fi + + case "$fam" in + G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;; + esac + + if [ $# -gt 0 ]; then + shift + if [ $cmd == delete ]; then + pos= + fi + fi + + local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${rule_offset:-${pos}} ${tgt:+--jump "$tgt"}" + while [ $# -gt 1 ]; do + # special parameter handling + case "$1:$2" in + -p:icmp*|-p:1|-p:58|--protocol:icmp*|--protocol:1|--protocol:58) + [ "$app" = ip6tables ] && \ + cmdline="$cmdline -p icmpv6" || \ + cmdline="$cmdline -p icmp" + shift + ;; + --icmp-type:*|--icmpv6-type:*) + local icmp_type + if [ "$app" = ip6tables ] && fw_check_icmptype6 icmp_type "$2"; then + cmdline="$cmdline $icmp_type" + elif [ "$app" = iptables ] && fw_check_icmptype4 icmp_type "$2"; then + cmdline="$cmdline $icmp_type" + else + local fam=IPv4; [ "$app" = ip6tables ] && fam=IPv6 + fw_log info "ICMP type '$2' is not valid for $fam address family, skipping rule" + return 1 + fi + shift + ;; + *) cmdline="$cmdline $1" ;; + esac + shift + done + + [ -n "$FW_TRACE" ] && echo $cmdline >&2 + + $cmdline + + local rv=$? + [ $rv -eq 0 ] && [ -n "$rule_offset" ] && \ + export -- "FW__RULE_OFS_${app}_${tab}_${chn}=$(($rule_offset + 1))" + fw__rc $rv +} + +fw_get_port_range() { + local _var=$1 + local _ports=$2 + local _delim=${3:-:} + if [ "$4" ]; then + fw_get_port_range $_var "${_ports}-${4}" $_delim + return + fi + + local _first=${_ports%-*} + local _last=${_ports#*-} + if [ "${_first#!}" != "${_last#!}" ]; then + export -- "$_var=$_first$_delim${_last#!}" + else + export -- "$_var=$_first" + fi +} + +fw_get_family_mode() { + local _var="$1" + local _hint="$2" + local _zone="$3" + local _mode="$4" + + local _ipv4 _ipv6 + [ "$_zone" != "*" ] && { + [ -n "$FW_ZONES4$FW_ZONES6" ] && { + list_contains FW_ZONES4 "$_zone" && _ipv4=1 || _ipv4=0 + list_contains FW_ZONES6 "$_zone" && _ipv6=1 || _ipv6=0 + } || { + _ipv4=$(uci_get_state firewall core "${_zone}_ipv4" 0) + _ipv6=$(uci_get_state firewall core "${_zone}_ipv6" 0) + } + } || { + _ipv4=1 + _ipv6=1 + } + + case "$_hint:$_ipv4:$_ipv6" in + *4:1:*|*:1:0) export -n -- "$_var=G4" ;; + *6:*:1|*:0:1) export -n -- "$_var=G6" ;; + *) export -n -- "$_var=$_mode" ;; + esac +} + +fw_get_negation() { + local _var="$1" + local _flag="$2" + local _value="$3" + + [ "${_value#!}" != "$_value" ] && \ + export -n -- "$_var=! $_flag ${_value#!}" || \ + export -n -- "$_var=${_value:+$_flag $_value}" +} + +fw_get_subnet4() { + local _var="$1" + local _flag="$2" + local _name="$3" + + local _ipaddr="$(uci_get_state network "${_name#!}" ipaddr)" + local _netmask="$(uci_get_state network "${_name#!}" netmask)" + + case "$_ipaddr" in + *.*.*.*) + [ "${_name#!}" != "$_name" ] && \ + export -n -- "$_var=! $_flag $_ipaddr/${_netmask:-255.255.255.255}" || \ + export -n -- "$_var=$_flag $_ipaddr/${_netmask:-255.255.255.255}" + return 0 + ;; + esac + + export -n -- "$_var=" + return 1 +} + +fw_check_icmptype4() { + local _var="$1" + local _type="$2" + case "$_type" in + ![0-9]*) export -n -- "$_var=! --icmp-type ${_type#!}"; return 0 ;; + [0-9]*) export -n -- "$_var=--icmp-type $_type"; return 0 ;; + esac + + [ -z "$FW_ICMP4_TYPES" ] && \ + export FW_ICMP4_TYPES=$( + iptables -p icmp -h 2>/dev/null | \ + sed -n -e '/^Valid ICMP Types:/ { + n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r + }' | sort -u + ) + + local _check + for _check in $FW_ICMP4_TYPES; do + if [ "$_check" = "${_type#!}" ]; then + [ "${_type#!}" != "$_type" ] && \ + export -n -- "$_var=! --icmp-type ${_type#!}" || \ + export -n -- "$_var=--icmp-type $_type" + return 0 + fi + done + + export -n -- "$_var=" + return 1 +} + +fw_check_icmptype6() { + local _var="$1" + local _type="$2" + case "$_type" in + ![0-9]*) export -n -- "$_var=! --icmpv6-type ${_type#!}"; return 0 ;; + [0-9]*) export -n -- "$_var=--icmpv6-type $_type"; return 0 ;; + esac + + [ -z "$FW_ICMP6_TYPES" ] && \ + export FW_ICMP6_TYPES=$( + ip6tables -p icmpv6 -h 2>/dev/null | \ + sed -n -e '/^Valid ICMPv6 Types:/ { + n; :r; s/[()]/ /g; s/[[:space:]]\+/\n/g; p; n; b r + }' | sort -u + ) + + local _check + for _check in $FW_ICMP6_TYPES; do + if [ "$_check" = "${_type#!}" ]; then + [ "${_type#!}" != "$_type" ] && \ + export -n -- "$_var=! --icmpv6-type ${_type#!}" || \ + export -n -- "$_var=--icmpv6-type $_type" + return 0 + fi + done + + export -n -- "$_var=" + return 1 +} diff --git a/package/network/config/firewall/files/lib/uci_firewall.sh b/package/network/config/firewall/files/lib/uci_firewall.sh new file mode 100644 index 000000000..7c95a7a93 --- /dev/null +++ b/package/network/config/firewall/files/lib/uci_firewall.sh @@ -0,0 +1,5 @@ +# This file is here for backwards compatibility and to override the +# uci_firewall.sh from an earlier version. +type fw_is_loaded >/dev/null || { + . /lib/firewall/core.sh +} diff --git a/package/network/config/firewall/files/reflection.hotplug b/package/network/config/firewall/files/reflection.hotplug new file mode 100644 index 000000000..129a922e4 --- /dev/null +++ b/package/network/config/firewall/files/reflection.hotplug @@ -0,0 +1,169 @@ +#!/bin/sh + +. /lib/functions.sh +. /lib/functions/network.sh + +if [ "$ACTION" = "remove" ]; then + + delete_rules_by_comment() { + local table="$1" + local chain="$2" + local comment="$3" + + iptables -t "$table" --line-numbers -nL "$chain" 2>/dev/null | \ + sed -e ' + 1d; + 1! { + \#^[0-9]\+ .* /\* '"$comment"' \*/.*$# { + s/ .*$//; + G; h; + } + }; + $!d; + ' | xargs -n1 iptables -t "$table" -D "$chain" 2>/dev/null + } + + delete_rules_by_comment nat nat_reflection_in "$INTERFACE" + delete_rules_by_comment nat nat_reflection_out "$INTERFACE" + delete_rules_by_comment filter nat_reflection_fwd "$INTERFACE" + +elif [ "$ACTION" = "add" ]; then + + prepare_chains() { + iptables -t nat -N nat_reflection_in 2>/dev/null && { + iptables -t nat -A prerouting_rule -j nat_reflection_in + } + + iptables -t nat -N nat_reflection_out 2>/dev/null && { + iptables -t nat -A postrouting_rule -j nat_reflection_out + } + + iptables -t filter -N nat_reflection_fwd 2>/dev/null && { + iptables -t filter -A forwarding_rule -j nat_reflection_fwd + } + } + + find_networks() { + find_networks_cb() { + local cfg="$1" + local zone="$2" + local need_masq="${3:-0}" + + local name + config_get name "$cfg" name + + local masq + config_get_bool masq "$cfg" masq 0 + + [ "$name" = "$zone" ] && [ "$masq" -ge "$need_masq" ] && { + local network + config_get network "$cfg" network + + echo ${network:-$zone} + return 1 + } + } + + config_foreach find_networks_cb zone "$@" + } + + setup_fwd() { + local cfg="$1" + + local reflection + config_get_bool reflection "$cfg" reflection 1 + [ "$reflection" == 1 ] || return + + local src + config_get src "$cfg" src + [ "$src" == "$ZONE" ] || return + + local dest + config_get dest "$cfg" dest + [ "$dest" != "*" ] || return + + local target + config_get target "$cfg" target DNAT + [ "$target" = DNAT ] || return + + prepare_chains + + local net + for net in $(find_networks "$dest" 0); do + local intnet + network_get_subnet intnet "$net" || continue + + local proto + config_get proto "$cfg" proto + + local epmin epmax extport + config_get extport "$cfg" src_dport "1-65535" + [ -n "$extport" ] || return + + epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" + [ "${epmin#!}" != "$epmax" ] || epmax="" + + local ipmin ipmax intport + config_get intport "$cfg" dest_port "$extport" + + ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" + [ "${ipmin#!}" != "$ipmax" ] || ipmax="" + + local exthost + config_get exthost "$cfg" src_dip "$extip" + + local inthost + config_get inthost "$cfg" dest_ip + [ -n "$inthost" ] || return + + [ "$proto" = all ] && proto="tcp udp" + [ "$proto" = tcpudp ] && proto="tcp udp" + + [ "${inthost#!}" = "$inthost" ] || return 0 + [ "${exthost#!}" = "$exthost" ] || return 0 + + [ "${epmin#!}" != "$epmin" ] && \ + extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \ + extport="--dport $epmin${epmax:+:$epmax}" + + [ "${ipmin#!}" != "$ipmin" ] && \ + intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \ + intport="--dport $ipmin${ipmax:+:$ipmax}" + + local p + for p in ${proto:-tcp udp}; do + case "$p" in + tcp|udp|6|17) + iptables -t nat -A nat_reflection_in \ + -s $intnet -d $exthost \ + -p $p $extport \ + -m comment --comment "$INTERFACE" \ + -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} + + iptables -t nat -A nat_reflection_out \ + -s $intnet -d $inthost \ + -p $p $intport \ + -m comment --comment "$INTERFACE" \ + -j SNAT --to-source ${intnet%%/*} + + iptables -t filter -A nat_reflection_fwd \ + -s $intnet -d $inthost \ + -p $p $intport \ + -m comment --comment "$INTERFACE" \ + -j ACCEPT + ;; + esac + done + done + } + + config_load firewall + + local is_masq_zone="$(find_networks "$ZONE" 1)" + [ -n "$is_masq_zone" ] || exit 0 + + local extip + network_get_ipaddr extip "$INTERFACE" || exit 0 + + config_foreach setup_fwd redirect +fi diff --git a/package/network/config/firewall3/Makefile b/package/network/config/firewall3/Makefile new file mode 100644 index 000000000..b54c98acb --- /dev/null +++ b/package/network/config/firewall3/Makefile @@ -0,0 +1,65 @@ +# +# Copyright (C) 2013 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=firewall3 +PKG_VERSION:=2013-05-24 +PKG_RELEASE:=$(PKG_SOURCE_VERSION) + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=git://nbd.name/firewall3.git +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE_VERSION:=4ecfb8f6fe4920fd1c6904b1ca8730e746111b00 +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz +PKG_MAINTAINER:=Jo-Philipp Wich <jow@openwrt.org> + + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/firewall3 + SECTION:=net + CATEGORY:=Network + TITLE:=UCI C Firewall + DEPENDS:=+libubox +libubus +libuci +libip4tc +libip6tc +libxtables +endef + +define Package/firewall3/description + This package provides a config-compatible C implementation of the UCI firewall. +endef + +define Package/firewall3/conffiles +/etc/config/firewall +/etc/firewall.user +endef + +define Build/Compile + $(CP) $(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)) $(PKG_BUILD_DIR)/libext.a + $(CP) $(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)) $(PKG_BUILD_DIR)/libext4.a + $(CP) $(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)) $(PKG_BUILD_DIR)/libext6.a + $(call Build/Compile/Default) +endef + +TARGET_CFLAGS += -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections + +define Package/firewall3/install + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3 + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall + $(INSTALL_DIR) $(1)/etc/config/ + $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall + $(INSTALL_DIR) $(1)/etc/ + $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user +endef + +$(eval $(call BuildPackage,firewall3)) diff --git a/package/network/config/firewall3/files/firewall.config b/package/network/config/firewall3/files/firewall.config new file mode 100644 index 000000000..59a45b208 --- /dev/null +++ b/package/network/config/firewall3/files/firewall.config @@ -0,0 +1,176 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + option network 'lan' + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name wan + option network 'wan wan6' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fe80::/10 + option src_port 547 + option dest_ip fe80::/10 + option dest_port 546 + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# include a file with users custom iptables rules +config include + option path /etc/firewall.user + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +# allow IPsec/ESP and ISAKMP passthrough +#config rule +# option src wan +# option dest lan +# option protocol esp +# option target ACCEPT + +#config rule +# option src wan +# option dest lan +# option src_port 500 +# option dest_port 500 +# option proto udp +# option target ACCEPT + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/network/config/firewall3/files/firewall.hotplug b/package/network/config/firewall3/files/firewall.hotplug new file mode 100644 index 000000000..34f3afec9 --- /dev/null +++ b/package/network/config/firewall3/files/firewall.hotplug @@ -0,0 +1,10 @@ +#!/bin/sh + +[ "$ACTION" = ifup ] || exit 0 + +/etc/init.d/firewall enabled || exit 0 + +fw3 -q network "$INTERFACE" >/dev/null || exit 0 + +logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)" +fw3 -q reload diff --git a/package/network/config/firewall3/files/firewall.init b/package/network/config/firewall3/files/firewall.init new file mode 100755 index 000000000..64e3a8c12 --- /dev/null +++ b/package/network/config/firewall3/files/firewall.init @@ -0,0 +1,25 @@ +#!/bin/sh /etc/rc.common + +START=19 + +boot() { + # Be silent on boot, firewall might be started by hotplug already, + # so don't complain in syslog. + fw3 -q start +} + +start() { + fw3 start +} + +stop() { + fw3 flush +} + +restart() { + fw3 restart +} + +reload() { + fw3 reload +} diff --git a/package/network/config/firewall3/files/firewall.user b/package/network/config/firewall3/files/firewall.user new file mode 100644 index 000000000..6f799063f --- /dev/null +++ b/package/network/config/firewall3/files/firewall.user @@ -0,0 +1,7 @@ +# This file is interpreted as shell script. +# Put your custom iptables rules here, they will +# be executed with each firewall (re-)start. + +# Internal uci firewall chains are flushed and recreated on reload, so +# put custom rules into the root chains e.g. INPUT or FORWARD or into the +# special user chains, e.g. input_wan_rule or postrouting_lan_rule. diff --git a/package/network/config/ltq-dsl-app/patches/010-eglibc_compile_fix.patch b/package/network/config/ltq-dsl-app/patches/010-eglibc_compile_fix.patch new file mode 100644 index 000000000..268f868e0 --- /dev/null +++ b/package/network/config/ltq-dsl-app/patches/010-eglibc_compile_fix.patch @@ -0,0 +1,23 @@ +--- a/configure.in ++++ b/configure.in +@@ -29,6 +29,8 @@ AC_C_VOLATILE + #AC_FUNC_STRTOD + #AC_CHECK_FUNCS([ftime gethostbyname gettimeofday localtime_r memset select socket strchr strerror strstr strtoull]) + ++AC_SEARCH_LIBS([clock_gettime],[rt]) ++ + # + # save the configure arguments + # +--- a/src/dsl_cpe_linux.h ++++ b/src/dsl_cpe_linux.h +@@ -45,7 +45,8 @@ + #include <arpa/inet.h> + #include <sys/socket.h> /* socket */ + #include <sys/sem.h> /* semget */ +-#include <semaphore.h> /* sem_t */ ++#include <semaphore.h> /* sem_t */ ++#include <limits.h> + + #ifdef DSL_DEBUG_TOOL_INTERFACE + #include <sys/socket.h> diff --git a/package/network/config/netifd/Makefile b/package/network/config/netifd/Makefile new file mode 100644 index 000000000..e074ab5de --- /dev/null +++ b/package/network/config/netifd/Makefile @@ -0,0 +1,46 @@ +include $(TOPDIR)/rules.mk + +PKG_NAME:=netifd +PKG_VERSION:=2013-05-17 +PKG_RELEASE=$(PKG_SOURCE_VERSION) + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=git://nbd.name/luci2/netifd.git +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE_VERSION:=2f31bff38d4dc2f36006ded6b8a7d039cb569eaa +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz +PKG_MAINTAINER:=Felix Fietkau <nbd@openwrt.org> +# PKG_MIRROR_MD5SUM:= +# CMAKE_INSTALL:=1 + +PKG_LICENSE:=GPLv2 +PKG_LICENSE_FILES:= + +PKG_BUILD_PARALLEL:=1 + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/netifd + SECTION:=base + CATEGORY:=Base system + DEPENDS:=+libuci +libnl-tiny +libubus +ubus +ubusd +jshn + TITLE:=OpenWrt Network Interface Configuration Daemon +endef + +TARGET_CFLAGS += \ + -I$(STAGING_DIR)/usr/include/libnl-tiny \ + -I$(STAGING_DIR)/usr/include + +CMAKE_OPTIONS += \ + -DLIBNL_LIBS=-lnl-tiny \ + -DDEBUG=1 + +define Package/netifd/install + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/netifd $(1)/sbin/ + $(CP) ./files/* $(1)/ + $(CP) $(PKG_BUILD_DIR)/dummy/netifd-proto.sh $(1)/lib/netifd/ +endef + +$(eval $(call BuildPackage,netifd)) diff --git a/package/network/config/netifd/files/etc/hotplug.d/iface/00-netstate b/package/network/config/netifd/files/etc/hotplug.d/iface/00-netstate new file mode 100644 index 000000000..c50cda6ea --- /dev/null +++ b/package/network/config/netifd/files/etc/hotplug.d/iface/00-netstate @@ -0,0 +1,8 @@ +[ ifup = "$ACTION" ] && { + uci_toggle_state network "$INTERFACE" up 1 + uci_toggle_state network "$INTERFACE" connect_time $(sed -ne 's![^0-9].*$!!p' /proc/uptime) + [ -n "$DEVICE" ] && { + uci_toggle_state network "$INTERFACE" device "$(uci -q get network.$INTERFACE.ifname)" + uci_toggle_state network "$INTERFACE" ifname "$DEVICE" + } +} diff --git a/package/network/config/netifd/files/etc/init.d/network b/package/network/config/netifd/files/etc/init.d/network new file mode 100755 index 000000000..429f33dd9 --- /dev/null +++ b/package/network/config/netifd/files/etc/init.d/network @@ -0,0 +1,47 @@ +#!/bin/sh /etc/rc.common + +START=20 +STOP=90 + +SERVICE_DAEMONIZE=1 +SERVICE_WRITE_PID=1 + +start() { + stop + [ -e /proc/sys/kernel/core_pattern ] && { + ulimit -c unlimited + echo '/tmp/%e.%p.%s.%t.core' > /proc/sys/kernel/core_pattern + } + service_start /sbin/netifd + + setup_switch() { return 0; } + + include /lib/network + setup_switch + + sleep 5 + + /sbin/wifi down + /sbin/wifi up +} + +restart() { + ifdown -a + sleep 1 + start +} + +shutdown() { + ifdown -a + stop +} + +stop() { + service_stop /sbin/netifd +} + +reload() { + ubus call network reload + /sbin/wifi down + /sbin/wifi up +} diff --git a/package/network/config/netifd/files/lib/netifd/dhcp.script b/package/network/config/netifd/files/lib/netifd/dhcp.script new file mode 100755 index 000000000..b365a5352 --- /dev/null +++ b/package/network/config/netifd/files/lib/netifd/dhcp.script @@ -0,0 +1,86 @@ +#!/bin/sh +[ -z "$1" ] && echo "Error: should be run by udhcpc" && exit 1 + +. /lib/functions.sh +. /lib/netifd/netifd-proto.sh + +set_classless_routes() { + local max=128 + local type + while [ -n "$1" -a -n "$2" -a $max -gt 0 ]; do + proto_add_ipv4_route "${1%%/*}" "${1##*/}" "$2" + max=$(($max-1)) + shift 2 + done +} + +setup_interface () { + proto_init_update "*" 1 + proto_add_ipv4_address "$ip" "${subnet:-255.255.255.0}" + # TODO: apply $broadcast + + for i in $router; do + proto_add_ipv4_route 0.0.0.0 0 "$i" + done + + # CIDR STATIC ROUTES (rfc3442) + [ -n "$staticroutes" ] && set_classless_routes $staticroutes + [ -n "$msstaticroutes" ] && set_classless_routes $msstaticroutes + + for dns in $dns; do + proto_add_dns_server "$dns" + done + for domain in $domain; do + proto_add_dns_search "$domain" + done + proto_send_update "$INTERFACE" + + if [ -n "$IFACE6RD" -a -n "$ip6rd" ]; then + local v4mask="${ip6rd%% *}" + ip6rd="${ip6rd#* }" + local ip6rdprefixlen="${ip6rd%% *}" + ip6rd="${ip6rd#* }" + local ip6rdprefix="${ip6rd%% *}" + ip6rd="${ip6rd#* }" + local ip6rdbr="${ip6rd%% *}" + +uci -q batch <<-EOF >/dev/null +set network.$IFACE6RD.proto=6rd +set network.$IFACE6RD.auto=0 +set network.$IFACE6RD.peeraddr=$ip6rdbr +set network.$IFACE6RD.ip4prefixlen=$v4mask +set network.$IFACE6RD.ip6prefix=$ip6rdprefix +set network.$IFCAE6RD.ip6prefixlen=$ip6rdprefixlen +commit network +EOF + + ifdown "$IFACE6RD" + /etc/init.d/network reload + ifup "$IFACE6RD" + fi + + # TODO + # [ -n "$ntpsrv" ] && change_state network "$ifc" lease_ntpsrv "$ntpsrv" + # [ -n "$timesvr" ] && change_state network "$ifc" lease_timesrv "$timesvr" + # [ -n "$hostname" ] && change_state network "$ifc" lease_hostname "$hostname" + # [ -n "$timezone" ] && change_state network "$ifc" lease_timezone "$timezone" +} + +deconfig_interface() { + proto_init_update "*" 0 + proto_send_update "$INTERFACE" +} + +case "$1" in + deconfig) + deconfig_interface + ;; + renew|bound) + setup_interface + ;; +esac + +# user rules +[ -f /etc/udhcpc.user ] && . /etc/udhcpc.user + +exit 0 diff --git a/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh b/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh new file mode 100755 index 000000000..a270c681d --- /dev/null +++ b/package/network/config/netifd/files/lib/netifd/proto/dhcp.sh @@ -0,0 +1,51 @@ +#!/bin/sh + +. /lib/functions.sh +. ../netifd-proto.sh +init_proto "$@" + +proto_dhcp_init_config() { + proto_config_add_string "ipaddr" + proto_config_add_string "netmask" + proto_config_add_string "hostname" + proto_config_add_string "clientid" + proto_config_add_string "vendorid" + proto_config_add_boolean "broadcast" + proto_config_add_string "reqopts" + proto_config_add_string "iface6rd" +} + +proto_dhcp_setup() { + local config="$1" + local iface="$2" + + local ipaddr hostname clientid vendorid broadcast reqopts iface6rd + json_get_vars ipaddr hostname clientid vendorid broadcast reqopts iface6rd + + local opt dhcpopts + for opt in $reqopts; do + append dhcpopts "-O $opt" + done + + [ "$broadcast" = 1 ] && broadcast="-B" || broadcast= + [ -n "$clientid" ] && clientid="-x 0x3d:${clientid//:/}" || clientid="-C" + [ -n "$iface6rd" ] && proto_export "IFACE6RD=$iface6rd" + + proto_export "INTERFACE=$config" + proto_run_command "$config" udhcpc \ + -p /var/run/udhcpc-$iface.pid \ + -s /lib/netifd/dhcp.script \ + -f -t 0 -i "$iface" \ + ${ipaddr:+-r $ipaddr} \ + ${hostname:+-H $hostname} \ + ${vendorid:+-V $vendorid} \ + $clientid $broadcast $dhcpopts +} + +proto_dhcp_teardown() { + local interface="$1" + proto_kill_command "$interface" +} + +add_protocol dhcp + diff --git a/package/network/config/netifd/files/lib/network/config.sh b/package/network/config/netifd/files/lib/network/config.sh new file mode 100755 index 000000000..9128971da --- /dev/null +++ b/package/network/config/netifd/files/lib/network/config.sh @@ -0,0 +1,79 @@ +#!/bin/sh +# Copyright (C) 2011 OpenWrt.org + +. /usr/share/libubox/jshn.sh + +find_config() { + local device="$1" + local ifdev ifl3dev ifobj + for ifobj in `ubus list network.interface.\*`; do + interface="${ifobj##network.interface.}" + ( + json_load "$(ifstatus $interface)" + json_get_var ifdev device + json_get_var ifl3dev l3_device + if [[ "$device" = "$ifdev" ]] || [[ "$device" = "$ifl3dev" ]]; then + echo "$interface" + exit 0 + else + exit 1 + fi + ) && return + done +} + +unbridge() { + return +} + +ubus_call() { + json_init + local _data="$(ubus -S call "$1" "$2")" + [ -z "$_data" ] && return 1 + json_load "$_data" + return 0 +} + + +fixup_interface() { + local config="$1" + local ifname type device l3dev + + config_get type "$config" type + config_get ifname "$config" ifname + config_get device "$config" device "$ifname" + [ "bridge" = "$type" ] && ifname="br-$config" + config_set "$config" device "$ifname" + ubus_call "network.interface.$config" status || return 0 + json_get_var l3dev l3_device + [ -n "$l3dev" ] && ifname="$l3dev" + json_init + config_set "$config" ifname "$ifname" + config_set "$config" device "$device" +} + +scan_interfaces() { + config_load network + config_foreach fixup_interface interface +} + +prepare_interface_bridge() { + local config="$1" + + [ -n "$config" ] || return 0 + ubus call network.interface."$config" prepare +} + +setup_interface() { + local iface="$1" + local config="$2" + + [ -n "$config" ] || return 0 + ubus call network.interface."$config" add_device "{ \"name\": \"$iface\" }" +} + +do_sysctl() { + [ -n "$2" ] && \ + sysctl -n -e -w "$1=$2" >/dev/null || \ + sysctl -n -e "$1" +} diff --git a/package/network/config/netifd/files/sbin/devstatus b/package/network/config/netifd/files/sbin/devstatus new file mode 100755 index 000000000..3c35b26a4 --- /dev/null +++ b/package/network/config/netifd/files/sbin/devstatus @@ -0,0 +1,12 @@ +#!/bin/sh +. /usr/share/libubox/jshn.sh +DEVICE="$1" + +[ -n "$DEVICE" ] || { + echo "Usage: $0 <device>" + exit 1 +} + +json_init +json_add_string name "$DEVICE" +ubus call network.device status "$(json_dump)" diff --git a/package/network/config/netifd/files/sbin/ifdown b/package/network/config/netifd/files/sbin/ifdown new file mode 120000 index 000000000..a0e5c176a --- /dev/null +++ b/package/network/config/netifd/files/sbin/ifdown @@ -0,0 +1 @@ +ifup
\ No newline at end of file diff --git a/package/network/config/netifd/files/sbin/ifstatus b/package/network/config/netifd/files/sbin/ifstatus new file mode 100755 index 000000000..8a951e6e1 --- /dev/null +++ b/package/network/config/netifd/files/sbin/ifstatus @@ -0,0 +1,13 @@ +#!/bin/sh +INTERFACE="$1" + +[ -n "$INTERFACE" ] || { + echo "Usage: $0 <interface>" + exit 1 +} + +ubus -S list "network.interface.$INTERFACE" >/dev/null || { + echo "Interface $INTERFACE not found" + exit 1 +} +ubus call network.interface status "{ \"interface\" : \"$INTERFACE\" }" diff --git a/package/network/config/netifd/files/sbin/ifup b/package/network/config/netifd/files/sbin/ifup new file mode 100755 index 000000000..af3aaa845 --- /dev/null +++ b/package/network/config/netifd/files/sbin/ifup @@ -0,0 +1,79 @@ +#!/bin/sh + +ifup_all= +setup_wifi= + +if_call() { + local interface="$1" + for mode in $modes; do + ubus call network.interface $mode "{ \"interface\" : \"$interface\" }" + done +} + +case "$0" in + *ifdown) modes=down;; + *ifup) + modes="down up" + setup_wifi=1 + ;; + *) echo "Invalid command: $0";; +esac + +while :; do + case "$1" in + -a) + ifup_all=1 + shift + ;; + -w) + setup_wifi= + shift + ;; + *) + break + ;; + esac +done + +[ "$modes" = "down up" ] && ubus call network reload +if [ -n "$ifup_all" ]; then + for interface in `ubus -S list 'network.interface.*'`; do + if_call "${interface##network.interface.}" + done + [ -n "$setup_wifi" ] && /sbin/wifi up + exit +else + ubus -S list "network.interface.$1" > /dev/null || { + echo "Interface $1 not found" + exit + } + if_call "$1" +fi + +if [ -n "$setup_wifi" ] && grep -sq config /etc/config/wireless; then + . /lib/functions.sh + + find_related_radios() { + local wdev wnet + config_get wdev "$1" device + config_get wnet "$1" network + + if [ -n "$wdev" ]; then + for wnet in $wnet; do + if [ "$wnet" = "$network" ]; then + append radio_devs "$wdev" "$N" + fi + done + fi + } + + local radio_devs + local network="$1" + config_load wireless + config_foreach find_related_radios wifi-iface + + local dev + for dev in $(echo "$radio_devs" | sort -u); do + /sbin/wifi up "$dev" + done +fi diff --git a/package/network/config/netifd/files/usr/share/udhcpc/default.script b/package/network/config/netifd/files/usr/share/udhcpc/default.script new file mode 100755 index 000000000..ac765a636 --- /dev/null +++ b/package/network/config/netifd/files/usr/share/udhcpc/default.script @@ -0,0 +1,57 @@ +#!/bin/sh +[ -z "$1" ] && echo "Error: should be run by udhcpc" && exit 1 + +set_classless_routes() { + local max=128 + local type + while [ -n "$1" -a -n "$2" -a $max -gt 0 ]; do + [ ${1##*/} -eq 32 ] && type=host || type=net + echo "udhcpc: adding route for $type $1 via $2" + route add -$type "$1" gw "$2" dev "$interface" + max=$(($max-1)) + shift 2 + done +} + +setup_interface() { + echo "udhcpc: ifconfig $interface $ip netmask ${subnet:-255.255.255.0} broadcast ${broadcast:-+}" + ifconfig $interface $ip netmask ${subnet:-255.255.255.0} broadcast ${broadcast:-+} + + [ -n "$router" ] && [ "$router" != "0.0.0.0" ] && [ "$router" != "255.255.255.255" ] && { + echo "udhcpc: setting default routers: $router" + + local valid_gw="" + for i in $router ; do + route add default gw $i dev $interface + valid_gw="${valid_gw:+$valid_gw|}$i" + done + + eval $(route -n | awk ' + /^0.0.0.0\W{9}('$valid_gw')\W/ {next} + /^0.0.0.0/ {print "route del -net "$1" gw "$2";"} + ') + } + + # CIDR STATIC ROUTES (rfc3442) + [ -n "$staticroutes" ] && set_classless_routes $staticroutes + [ -n "$msstaticroutes" ] && set_classless_routes $msstaticroutes +} + + +applied= +case "$1" in + deconfig) + ifconfig "$interface" 0.0.0.0 + ;; + renew) + setup_interface update + ;; + bound) + setup_interface ifup + ;; +esac + +# user rules +[ -f /etc/udhcpc.user ] && . /etc/udhcpc.user + +exit 0 diff --git a/package/network/config/netifd/patches/001-musl_af_inet_include.patch b/package/network/config/netifd/patches/001-musl_af_inet_include.patch new file mode 100644 index 000000000..510ee0564 --- /dev/null +++ b/package/network/config/netifd/patches/001-musl_af_inet_include.patch @@ -0,0 +1,11 @@ +diff -urN netifd-2012-10-29/utils.c netifd-2012-10-29.new/utils.c +--- netifd-2012-10-29/utils.c 2012-11-23 17:15:39.000000000 +0100 ++++ netifd-2012-10-29.new/utils.c 2012-11-23 17:16:53.409244361 +0100 +@@ -17,6 +17,7 @@ + + #include <arpa/inet.h> + #include <netinet/in.h> ++#include <sys/socket.h> + + void + __vlist_simple_init(struct vlist_simple_tree *tree, int offset) diff --git a/package/network/config/qos-scripts/Makefile b/package/network/config/qos-scripts/Makefile new file mode 100644 index 000000000..a6690a161 --- /dev/null +++ b/package/network/config/qos-scripts/Makefile @@ -0,0 +1,52 @@ +# +# Copyright (C) 2006-2011 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=qos-scripts +PKG_VERSION:=1.2.1 +PKG_RELEASE:=6 + +PKG_MAINTAINER:=Felix Fietkau <nbd@openwrt.org> + +PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME) + +include $(INCLUDE_DIR)/package.mk + +define Package/qos-scripts + SECTION:=utils + CATEGORY:=Base system + DEPENDS:=+tc +kmod-sched-core +kmod-sched-connmark +kmod-ifb +iptables +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-conntrack-extra + TITLE:=QoS scripts + PKGARCH:=all +endef + +define Package/qos-scripts/description + A set of scripts that abstract QoS configuration into a simple + configuration file supporting stanzas that specify any number of QoS + entries. +endef + +define Package/qos-scripts/conffiles +/etc/config/qos +endef + +define Build/Prepare +endef + +define Build/Configure +endef + +define Build/Compile +endef + +define Package/qos-scripts/install + $(INSTALL_DIR) $(1) + $(CP) ./files/* $(1)/ +endef + +$(eval $(call BuildPackage,qos-scripts)) diff --git a/package/network/config/qos-scripts/files/etc/config/qos b/package/network/config/qos-scripts/files/etc/config/qos new file mode 100644 index 000000000..8faff1834 --- /dev/null +++ b/package/network/config/qos-scripts/files/etc/config/qos @@ -0,0 +1,79 @@ +# QoS configuration for OpenWrt + +# INTERFACES: +config interface wan + option classgroup "Default" + option enabled 0 + option upload 128 + option download 1024 + +# RULES: +config classify + option target "Priority" + option ports "22,53" +config classify + option target "Normal" + option proto "tcp" + option ports "20,21,25,80,110,443,993,995" +config classify + option target "Express" + option ports "5190" +config default + option target "Express" + option proto "udp" + option pktsize "-500" +config reclassify + option target "Priority" + option proto "icmp" +config default + option target "Bulk" + option portrange "1024-65535" +config reclassify + option target "Priority" + option proto "tcp" + option pktsize "-128" + option mark "!Bulk" + option tcpflags "SYN" +config reclassify + option target "Priority" + option proto "tcp" + option pktsize "-128" + option mark "!Bulk" + option tcpflags "ACK" + + +# Don't change the stuff below unless you +# really know what it means :) + +config classgroup "Default" + option classes "Priority Express Normal Bulk" + option default "Normal" + + +config class "Priority" + option packetsize 400 + option maxsize 400 + option avgrate 10 + option priority 20 +config class "Priority_down" + option packetsize 1000 + option avgrate 10 + + +config class "Express" + option packetsize 1000 + option maxsize 800 + option avgrate 50 + option priority 10 + +config class "Normal" + option packetsize 1500 + option packetdelay 100 + option avgrate 10 + option priority 5 +config class "Normal_down" + option avgrate 20 + +config class "Bulk" + option avgrate 1 + option packetdelay 200 diff --git a/package/network/config/qos-scripts/files/etc/hotplug.d/iface/10-qos b/package/network/config/qos-scripts/files/etc/hotplug.d/iface/10-qos new file mode 100755 index 000000000..0ced29ac7 --- /dev/null +++ b/package/network/config/qos-scripts/files/etc/hotplug.d/iface/10-qos @@ -0,0 +1,2 @@ +#!/bin/sh +[ "$ACTION" = ifup ] && /etc/init.d/qos enabled && /usr/lib/qos/generate.sh interface "$INTERFACE" | sh diff --git a/package/network/config/qos-scripts/files/etc/init.d/qos b/package/network/config/qos-scripts/files/etc/init.d/qos new file mode 100755 index 000000000..3f711155e --- /dev/null +++ b/package/network/config/qos-scripts/files/etc/init.d/qos @@ -0,0 +1,16 @@ +#!/bin/sh /etc/rc.common +# Copyright (C) 2006 OpenWrt.org + +START=50 + +boot() { + /usr/lib/qos/generate.sh firewall | sh +} + +start() { + qos-start +} + +stop() { + qos-stop +} diff --git a/package/network/config/qos-scripts/files/usr/bin/qos-start b/package/network/config/qos-scripts/files/usr/bin/qos-start new file mode 100755 index 000000000..261ffb42b --- /dev/null +++ b/package/network/config/qos-scripts/files/usr/bin/qos-start @@ -0,0 +1,4 @@ +#!/bin/sh +qos-stop +/usr/lib/qos/generate.sh all | sh + diff --git a/package/network/config/qos-scripts/files/usr/bin/qos-stat b/package/network/config/qos-scripts/files/usr/bin/qos-stat new file mode 100755 index 000000000..78d163888 --- /dev/null +++ b/package/network/config/qos-scripts/files/usr/bin/qos-stat @@ -0,0 +1,67 @@ +#!/bin/sh +# Copyright (C) 2011 OpenWrt.org + +. /lib/functions.sh + +include /lib/network + +get_ifname() { + local interface="$1" + local cfgt + + scan_interfaces + config_get cfgt "$interface" TYPE + [ "$cfgt" == "interface" ] && config_get "$interface" ifname +} + +config_cb() { + config_get TYPE "$CONFIG_SECTION" TYPE + [ "interface" == "$TYPE" ] && { + config_get device "$CONFIG_SECTION" ifname + [ -z "$device" ] && device="$(get_ifname ${CONFIG_SECTION})" + config_set "$CONFIG_SECTION" device "$device" + } +} + +config_load qos + +print_comments() { + echo '' + echo '# Interface: '"$1" + echo '# Direction: '"$2" + echo '# Stats: '"$3" + echo '' +} + +get_device() { + ( config_load network; scan_interfaces; config_get "$1" ifname ) +} + +interface_stats() { + local interface="$1" + local device + + device="$(get_device "$interface")" + [ -z "$device" ] && config_get device "$interface" device + config_get_bool enabled "$interface" enabled 1 + [ -z "$device" -o 1 -ne "$enabled" ] && { + return 1 + } + config_get_bool halfduplex "$interface" halfduplex 0 + + if [ 1 -ne "$halfduplex" ]; then + unset halfduplex + print_comments "$interface" "Egress" "Start" + tc -s class show dev "$device" + print_comments "$interface" "Egress" "End" + id="root" + else + id="" + fi + + print_comments "$interface" "Ingress${halfduplex:+/Egress}" "Start" + tc -s class show dev "$(tc filter show dev $device $id | grep mirred | sed -e 's,.*\(ifb.*\)).*,\1,')" + print_comments "$interface" "Ingress${halfduplex:+/Egress}" "End" +} + +[ -z "$1" ] && config_foreach interface_stats interface || interface_stats "$1" diff --git a/package/network/config/qos-scripts/files/usr/bin/qos-stop b/package/network/config/qos-scripts/files/usr/bin/qos-stop new file mode 100755 index 000000000..7f654d858 --- /dev/null +++ b/package/network/config/qos-scripts/files/usr/bin/qos-stop @@ -0,0 +1,6 @@ +#!/bin/sh +for iface in $(tc qdisc show | grep -E '(hfsc|ingress)' | awk '{print $5}'); do + tc qdisc del dev "$iface" ingress 2>&- >&- + tc qdisc del dev "$iface" root 2>&- >&- +done +/usr/lib/qos/generate.sh firewall stop | sh diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh new file mode 100755 index 000000000..440b43f5d --- /dev/null +++ b/package/network/config/qos-scripts/files/usr/lib/qos/generate.sh @@ -0,0 +1,497 @@ +#!/bin/sh +[ -e /lib/functions.sh ] && . /lib/functions.sh || . ./functions.sh +[ -x /sbin/modprobe ] && { + insmod="modprobe" + rmmod="$insmod -r" +} || { + insmod="insmod" + rmmod="rmmod" +} + +add_insmod() { + eval "export isset=\${insmod_$1}" + case "$isset" in + 1) ;; + *) { + [ "$2" ] && append INSMOD "$rmmod $1 >&- 2>&-" "$N" + append INSMOD "$insmod $* >&- 2>&-" "$N"; export insmod_$1=1 + };; + esac +} + +[ -e /etc/config/network ] && { + # only try to parse network config on openwrt + + find_ifname() {( + reset_cb + include /lib/network + scan_interfaces + config_get "$1" ifname + )} +} || { + find_ifname() { + echo "Interface not found." + exit 1 + } +} + +parse_matching_rule() { + local var="$1" + local section="$2" + local options="$3" + local prefix="$4" + local suffix="$5" + local proto="$6" + local mport="" + local ports="" + + append "$var" "$prefix" "$N" + for option in $options; do + case "$option" in + proto) config_get value "$section" proto; proto="${proto:-$value}";; + esac + done + config_get type "$section" TYPE + case "$type" in + classify) unset pkt; append "$var" "-m mark --mark 0/0xff";; + default) pkt=1; append "$var" "-m mark --mark 0/0xff";; + reclassify) pkt=1;; + esac + append "$var" "${proto:+-p $proto}" + for option in $options; do + config_get value "$section" "$option" + + case "$pkt:$option" in + *:srchost) + append "$var" "-s $value" + ;; + *:dsthost) + append "$var" "-d $value" + ;; + *:layer7) + add_insmod ipt_layer7 + add_insmod xt_layer7 + append "$var" "-m layer7 --l7proto $value${pkt:+ --l7pkt}" + ;; + *:ports|*:srcports|*:dstports) + value="$(echo "$value" | sed -e 's,-,:,g')" + lproto=${lproto:-tcp} + case "$proto" in + ""|tcp|udp) append "$var" "-m ${proto:-tcp -p tcp} -m multiport";; + *) unset "$var"; return 0;; + esac + case "$option" in + ports) + config_set "$section" srcports "" + config_set "$section" dstports "" + config_set "$section" portrange "" + append "$var" "--ports $value" + ;; + srcports) + config_set "$section" ports "" + config_set "$section" dstports "" + config_set "$section" portrange "" + append "$var" "--sports $value" + ;; + dstports) + config_set "$section" ports "" + config_set "$section" srcports "" + config_set "$section" portrange "" + append "$var" "--dports $value" + ;; + esac + ports=1 + ;; + *:portrange) + config_set "$section" ports "" + config_set "$section" srcports "" + config_set "$section" dstports "" + value="$(echo "$value" | sed -e 's,-,:,g')" + case "$proto" in + ""|tcp|udp) append "$var" "-m ${proto:-tcp -p tcp} --sport $value --dport $value";; + *) unset "$var"; return 0;; + esac + ports=1 + ;; + *:connbytes) + value="$(echo "$value" | sed -e 's,-,:,g')" + add_insmod ipt_connbytes + append "$var" "-m connbytes --connbytes $value --connbytes-dir both --connbytes-mode bytes" + ;; + *:tos) + add_insmod ipt_tos + case "$value" in + !*) append "$var" "-m tos ! --tos $value";; + *) append "$var" "-m tos --tos $value" + esac + ;; + *:dscp) + add_insmod ipt_dscp + dscp_option="--dscp" + [ -z "${value%%[EBCA]*}" ] && dscp_option="--dscp-class" + case "$value" in + !*) append "$var" "-m dscp ! $dscp_option $value";; + *) append "$var" "-m dscp $dscp_option $value" + esac + ;; + *:direction) + value="$(echo "$value" | sed -e 's,-,:,g')" + if [ "$value" = "out" ]; then + append "$var" "-o $device" + elif [ "$value" = "in" ]; then + append "$var" "-i $device" + fi + ;; + 1:pktsize) + value="$(echo "$value" | sed -e 's,-,:,g')" + add_insmod ipt_length + append "$var" "-m length --length $value" + ;; + 1:limit) + add_insmod ipt_limit + append "$var" "-m limit --limit $value" + ;; + 1:tcpflags) + case "$proto" in + tcp) append "$var" "-m tcp --tcp-flags ALL $value";; + *) unset $var; return 0;; + esac + ;; + 1:mark) + config_get class "${value##!}" classnr + [ -z "$class" ] && continue; + case "$value" in + !*) append "$var" "-m mark ! --mark $class/0xff";; + *) append "$var" "-m mark --mark $class/0xff";; + esac + ;; + 1:TOS) + add_insmod ipt_TOS + config_get TOS "$rule" 'TOS' + suffix="-j TOS --set-tos "${TOS:-"Normal-Service"} + ;; + 1:DSCP) + add_insmod ipt_DSCP + config_get DSCP "$rule" 'DSCP' + [ -z "${DSCP%%[EBCA]*}" ] && set_value="--set-dscp-class $DSCP" \ + || set_value="--set-dscp $DSCP" + suffix="-j DSCP $set_value" + ;; + esac + done + append "$var" "$suffix" + case "$ports:$proto" in + 1:) parse_matching_rule "$var" "$section" "$options" "$prefix" "$suffix" "udp";; + esac +} + +config_cb() { + option_cb() { + return 0 + } + + # Section start + case "$1" in + interface) + config_set "$2" "classgroup" "Default" + config_set "$2" "upload" "128" + ;; + classify|default|reclassify) + option_cb() { + append options "$1" + } + ;; + esac + + # Section end + config_get TYPE "$CONFIG_SECTION" TYPE + case "$TYPE" in + interface) + config_get_bool enabled "$CONFIG_SECTION" enabled 1 + [ 1 -eq "$enabled" ] || return 0 + config_get classgroup "$CONFIG_SECTION" classgroup + config_set "$CONFIG_SECTION" ifbdev "$C" + C=$(($C+1)) + append INTERFACES "$CONFIG_SECTION" + config_set "$classgroup" enabled 1 + config_get device "$CONFIG_SECTION" device + [ -z "$device" ] && { + device="$(find_ifname ${CONFIG_SECTION})" + config_set "$CONFIG_SECTION" device "${device:-eth0}" + } + ;; + classgroup) append CG "$CONFIG_SECTION";; + classify|default|reclassify) + case "$TYPE" in + classify) var="ctrules";; + *) var="rules";; + esac + config_get target "$CONFIG_SECTION" target + config_set "$CONFIG_SECTION" options "$options" + append "$var" "$CONFIG_SECTION" + unset options + ;; + esac +} + + +enum_classes() { + local c="0" + config_get classes "$1" classes + config_get default "$1" default + for class in $classes; do + c="$(($c + 1))" + config_set "${class}" classnr $c + case "$class" in + $default) class_default=$c;; + esac + done + class_default="${class_default:-$c}" +} + +cls_var() { + local varname="$1" + local class="$2" + local name="$3" + local type="$4" + local default="$5" + local tmp tmp1 tmp2 + config_get tmp1 "$class" "$name" + config_get tmp2 "${class}_${type}" "$name" + tmp="${tmp2:-$tmp1}" + tmp="${tmp:-$tmp2}" + export ${varname}="${tmp:-$default}" +} + +tcrules() { + dir=/usr/lib/qos + [ -e $dir/tcrules.awk ] || dir=. + echo "$cstr" | awk \ + -v device="$dev" \ + -v linespeed="$rate" \ + -f $dir/tcrules.awk +} + +start_interface() { + local iface="$1" + local num_ifb="$2" + config_get device "$iface" device + config_get_bool enabled "$iface" enabled 1 + [ -z "$device" -o 1 -ne "$enabled" ] && { + return 1 + } + config_get upload "$iface" upload + config_get_bool halfduplex "$iface" halfduplex + config_get download "$iface" download + config_get classgroup "$iface" classgroup + config_get_bool overhead "$iface" overhead 0 + + download="${download:-${halfduplex:+$upload}}" + enum_classes "$classgroup" + for dir in ${halfduplex:-up} ${download:+down}; do + case "$dir" in + up) + [ "$overhead" = 1 ] && upload=$(($upload * 98 / 100 - (15 * 128 / $upload))) + dev="$device" + rate="$upload" + dl_mode="" + prefix="cls" + ;; + down) + [ "$(ls -d /proc/sys/net/ipv4/conf/ifb* 2>&- | wc -l)" -ne "$num_ifb" ] && add_insmod ifb numifbs="$num_ifb" + config_get ifbdev "$iface" ifbdev + [ "$overhead" = 1 ] && download=$(($download * 98 / 100 - (80 * 1024 / $download))) + dev="ifb$ifbdev" + rate="$download" + dl_mode=1 + prefix="d_cls" + ;; + *) continue;; + esac + cstr= + for class in $classes; do + cls_var pktsize "$class" packetsize $dir 1500 + cls_var pktdelay "$class" packetdelay $dir 0 + cls_var maxrate "$class" limitrate $dir 100 + cls_var prio "$class" priority $dir 1 + cls_var avgrate "$class" avgrate $dir 0 + cls_var qdisc "$class" qdisc $dir "" + cls_var filter "$class" filter $dir "" + config_get classnr "$class" classnr + append cstr "$classnr:$prio:$avgrate:$pktsize:$pktdelay:$maxrate:$qdisc:$filter" "$N" + done + append ${prefix}q "$(tcrules)" "$N" + export dev_${dir}="ifconfig $dev up txqueuelen 5 >&- 2>&- +tc qdisc del dev $dev root >&- 2>&- +tc qdisc add dev $dev root handle 1: hfsc default ${class_default}0 +tc class add dev $dev parent 1: classid 1:1 hfsc sc rate ${rate}kbit ul rate ${rate}kbit" + done + [ -n "$download" ] && { + add_insmod cls_u32 + add_insmod em_u32 + add_insmod act_connmark + add_insmod act_mirred + add_insmod sch_ingress + } + if [ -n "$halfduplex" ]; then + export dev_up="tc qdisc del dev $device root >&- 2>&- +tc qdisc add dev $device root handle 1: hfsc +tc filter add dev $device parent 1: protocol ip prio 10 u32 match u32 0 0 flowid 1:1 action mirred egress redirect dev ifb$ifbdev" + elif [ -n "$download" ]; then + append dev_${dir} "tc qdisc del dev $device ingress >&- 2>&- +tc qdisc add dev $device ingress +tc filter add dev $device parent ffff: protocol ip prio 1 u32 match u32 0 0 flowid 1:1 action connmark action mirred egress redirect dev ifb$ifbdev" "$N" + fi + add_insmod cls_fw + add_insmod sch_hfsc + add_insmod sch_fq_codel + + cat <<EOF +${INSMOD:+$INSMOD$N}${dev_up:+$dev_up +$clsq +}${ifbdev:+$dev_down +$d_clsq +$d_clsl +$d_clsf +} +EOF + unset INSMOD clsq clsf clsl d_clsq d_clsl d_clsf dev_up dev_down +} + +start_interfaces() { + local C="$1" + for iface in $INTERFACES; do + start_interface "$iface" "$C" + done +} + +add_rules() { + local var="$1" + local rules="$2" + local prefix="$3" + + for rule in $rules; do + unset iptrule + config_get target "$rule" target + config_get target "$target" classnr + config_get options "$rule" options + + ## If we want to override the TOS field, let's clear the DSCP field first. + [ ! -z "$(echo $options | grep 'TOS')" ] && { + s_options=${options%%TOS} + add_insmod ipt_DSCP + parse_matching_rule iptrule "$rule" "$s_options" "$prefix" "-j DSCP --set-dscp 0" + append "$var" "$iptrule" "$N" + unset iptrule + } + + parse_matching_rule iptrule "$rule" "$options" "$prefix" "-j MARK --set-mark $target/0xff" + append "$var" "$iptrule" "$N" + done +} + +start_cg() { + local cg="$1" + local iptrules + local pktrules + local sizerules + enum_classes "$cg" + add_rules iptrules "$ctrules" "iptables -t mangle -A qos_${cg}_ct" + config_get classes "$cg" classes + for class in $classes; do + config_get mark "$class" classnr + config_get maxsize "$class" maxsize + [ -z "$maxsize" -o -z "$mark" ] || { + add_insmod ipt_length + append pktrules "iptables -t mangle -A qos_${cg} -m mark --mark $mark/0xff -m length --length $maxsize: -j MARK --set-mark 0/0xff" "$N" + } + done + add_rules pktrules "$rules" "iptables -t mangle -A qos_${cg}" + for iface in $INTERFACES; do + config_get classgroup "$iface" classgroup + config_get device "$iface" device + config_get ifbdev "$iface" ifbdev + config_get upload "$iface" upload + config_get download "$iface" download + config_get halfduplex "$iface" halfduplex + download="${download:-${halfduplex:+$upload}}" + append up "iptables -t mangle -A OUTPUT -o $device -j qos_${cg}" "$N" + append up "iptables -t mangle -A FORWARD -o $device -j qos_${cg}" "$N" + done + cat <<EOF +$INSMOD +iptables -t mangle -N qos_${cg} >&- 2>&- +iptables -t mangle -N qos_${cg}_ct >&- 2>&- +${iptrules:+${iptrules}${N}iptables -t mangle -A qos_${cg}_ct -j CONNMARK --save-mark --mask 0xff} +iptables -t mangle -A qos_${cg} -j CONNMARK --restore-mark --mask 0xff +iptables -t mangle -A qos_${cg} -m mark --mark 0/0xff -j qos_${cg}_ct +$pktrules +$up$N${down:+${down}$N} +EOF + unset INSMOD +} + +start_firewall() { + add_insmod ipt_multiport + add_insmod ipt_CONNMARK + stop_firewall + for group in $CG; do + start_cg $group + done +} + +stop_firewall() { + # Builds up a list of iptables commands to flush the qos_* chains, + # remove rules referring to them, then delete them + + # Print rules in the mangle table, like iptables-save + iptables -t mangle -S | + # Find rules for the qos_* chains + grep '^-N qos_\|-j qos_' | + # Exclude rules in qos_* chains (inter-qos_* refs) + grep -v '^-A qos_' | + # Replace -N with -X and hold, with -F and print + # Replace -A with -D + # Print held lines at the end (note leading newline) + sed -e '/^-N/{s/^-N/-X/;H;s/^-X/-F/}' \ + -e 's/^-A/-D/' \ + -e '${p;g}' | + # Make into proper iptables calls + # Note: awkward in previous call due to hold space usage + sed -n -e 's/^./iptables -t mangle &/p' +} + +C="0" +INTERFACES="" +[ -e ./qos.conf ] && { + . ./qos.conf + config_cb +} || config_load qos + +C="0" +for iface in $INTERFACES; do + export C="$(($C + 1))" +done + +case "$1" in + all) + start_interfaces "$C" + start_firewall + ;; + interface) + start_interface "$2" "$C" + ;; + interfaces) + start_interfaces + ;; + firewall) + case "$2" in + stop) + stop_firewall + ;; + start|"") + start_firewall + ;; + esac + ;; +esac diff --git a/package/network/config/qos-scripts/files/usr/lib/qos/tcrules.awk b/package/network/config/qos-scripts/files/usr/lib/qos/tcrules.awk new file mode 100644 index 000000000..2a8871495 --- /dev/null +++ b/package/network/config/qos-scripts/files/usr/lib/qos/tcrules.awk @@ -0,0 +1,95 @@ +BEGIN { + dmax=100 + if (!(linespeed > 0)) linespeed = 128 + FS=":" + n = 0 +} + +($1 != "") { + n++ + class[n] = $1 + prio[n] = $2 + avgrate[n] = ($3 * linespeed / 100) + pktsize[n] = $4 + delay[n] = $5 + maxrate[n] = ($6 * linespeed / 100) + qdisc[n] = $7 + filter[n] = $8 +} + +END { + allocated = 0 + maxdelay = 0 + + for (i = 1; i <= n; i++) { + # set defaults + if (!(pktsize[i] > 0)) pktsize[i] = 1500 + if (!(prio[i] > 0)) prio[i] = 1 + + allocated += avgrate[i] + sum_prio += prio[i] + if ((avgrate[i] > 0) && !(delay[i] > 0)) { + sum_rtprio += prio[i] + } + } + + # allocation of m1 in rt classes: + # sum(d * m1) must not exceed dmax * (linespeed - allocated) + dmax = 0 + for (i = 1; i <= n; i++) { + if (avgrate[i] > 0) { + rtm2[i] = avgrate[i] + if (delay[i] > 0) { + d[i] = delay[i] + } else { + d[i] = 2 * pktsize[i] * 1000 / (linespeed * 1024) + if (d[i] > dmax) dmax = d[i] + } + } + } + + ds_avail = dmax * (linespeed - allocated) + for (i = 1; i <= n; i++) { + lsm1[i] = 0 + rtm1[i] = 0 + lsm2[i] = linespeed * prio[i] / sum_prio + if ((avgrate[i] > 0) && (d[i] > 0)) { + if (!(delay[i] > 0)) { + ds = ds_avail * prio[i] / sum_rtprio + ds_avail -= ds + rtm1[i] = rtm2[i] + ds/d[i] + } + lsm1[i] = rtm1[i] + } + else { + d[i] = 0 + } + } + + # main qdisc + for (i = 1; i <= n; i++) { + printf "tc class add dev "device" parent 1:1 classid 1:"class[i]"0 hfsc" + if (rtm1[i] > 0) { + printf " rt m1 " int(rtm1[i]) "kbit d " int(d[i] * 1000) "us m2 " int(rtm2[i])"kbit" + } + printf " ls m1 " int(lsm1[i]) "kbit d " int(d[i] * 1000) "us m2 " int(lsm2[i]) "kbit" + print " ul rate " int(maxrate[i]) "kbit" + } + + # leaf qdisc + avpkt = 1200 + for (i = 1; i <= n; i++) { + print "tc qdisc add dev "device" parent 1:"class[i]"0 handle "class[i]"00: fq_codel limit 800 quantum 300" + } + + # filter rule + for (i = 1; i <= n; i++) { + print "tc filter add dev "device" parent 1: prio "class[i]" protocol ip handle "class[i]"/0xff fw flowid 1:"class[i] "0" + filterc=1 + if (filter[i] != "") { + print " tc filter add dev "device" parent "class[i]"00: handle "filterc"0 "filter[i] + filterc=filterc+1 + } + } +} + diff --git a/package/network/config/soloscli/Makefile b/package/network/config/soloscli/Makefile new file mode 100644 index 000000000..9a7cd894f --- /dev/null +++ b/package/network/config/soloscli/Makefile @@ -0,0 +1,45 @@ +# +# Copyright (C) 2006-2011 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=soloscli +PKG_VERSION:=0.11 +PKG_RELEASE:=3 + +PKG_SOURCE:=solos-pci-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=@SF/openadsl +PKG_MD5SUM:=ab3f3fa654ef7c3a402980eca094e690 + +PKG_INSTALL:=1 + +PKG_BUILD_DIR:=$(BUILD_DIR)/solos-pci-$(PKG_VERSION) + +include $(INCLUDE_DIR)/package.mk + +define Package/soloscli + SECTION:=net + CATEGORY:=Network + TITLE:=Configuration utility for Solos ADSL2+ modems + DEPENDS:=+kmod-solos-pci + URL:=http://sourceforge.net/projects/openadsl +endef + +define Package/soloscli/description + This package contains the soloscli utility + for interrogating Traverse Technologies' Solos ADSL2+ modems. +endef + +define Package/soloscli/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/soloscli/soloscli $(1)/usr/bin/ + $(INSTALL_BIN) ./files/solos-log-stats $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/etc/hotplug.d/atm + $(INSTALL_DATA) ./files/etc/hotplug.d/atm/15-solos-init $(1)/etc/hotplug.d/atm/ +endef + +$(eval $(call BuildPackage,soloscli)) diff --git a/package/network/config/soloscli/files/etc/hotplug.d/atm/15-solos-init b/package/network/config/soloscli/files/etc/hotplug.d/atm/15-solos-init new file mode 100644 index 000000000..36d13ea5a --- /dev/null +++ b/package/network/config/soloscli/files/etc/hotplug.d/atm/15-solos-init @@ -0,0 +1,26 @@ +#!/bin/sh + +dialog() { + local tag="$(echo "$1" | cut -d= -f1)" + local value="$(echo "$1" | cut -d= -f2-)" + local response + + response="$(soloscli -s "$port" "$tag" "$value")" + [ $? -ne 0 ] && { + logger "soloscli($port): $tag '$value' returns $response" + } +} + +if [ "$ACTION" = "add" ]; then + include /lib/network + scan_interfaces + + case $DEVICENAME in + solos-pci[0-3]) + port="${DEVICENAME#solos-pci}" + device="solos${port}" + + config_list_foreach wan "$device" dialog + ;; + esac +fi diff --git a/package/network/config/soloscli/files/etc/uci-default/solos b/package/network/config/soloscli/files/etc/uci-default/solos new file mode 100644 index 000000000..7f69da62c --- /dev/null +++ b/package/network/config/soloscli/files/etc/uci-default/solos @@ -0,0 +1,15 @@ +#!/bin/sh + +uci batch <<__EOF__ + +delete network.wan.solos0 + +add_list network.wan.solos0="ActivateLine=Abort" +add_list network.wan.solos0="Retrain=EnableAll" +add_list network.wan.solos0="DetectNoise=Enable" +add_list network.wan.solos0="BisMCapability=Disable" +add_list network.wan.solos0="BisACapability=Disable" +add_list network.wan.solos0="ActivateLine=Start" + +commit network +__EOF__ diff --git a/package/network/config/soloscli/files/solos-log-stats b/package/network/config/soloscli/files/solos-log-stats new file mode 100644 index 000000000..2b75ee30c --- /dev/null +++ b/package/network/config/soloscli/files/solos-log-stats @@ -0,0 +1,19 @@ +#!/bin/sh + +cd /sys/class/atm/ || exit 1 + +for PORT in solos-pci* ; do + + RXRATE=`cat $PORT/parameters/RxBitRate` + TXRATE=`cat $PORT/parameters/TxBitRate` + RXSNR=`cat $PORT/parameters/LocalSNRMargin | sed "s/ dB//"` + TXSNR=`cat $PORT/parameters/RemoteSNRMargin | sed "s/ dB//"` + RXERR=`cat $PORT/parameters/RSUnCorrectedErrorsDn` + TXERR=`cat $PORT/parameters/RSUnCorrectedErrorsUp` + RXFEC=`cat $PORT/parameters/RSCorrectedErrorsDn` + TXFEC=`cat $PORT/parameters/RSCorrectedErrorsUp` + + echo "$RXRATE $RXSNR $RXERR $RXFEC / $TXRATE $TXSNR $TXERR $TXFEC" | + logger -t $PORT +done + diff --git a/package/network/config/soloscli/patches/000-Makefile.patch b/package/network/config/soloscli/patches/000-Makefile.patch new file mode 100644 index 000000000..914d6d886 --- /dev/null +++ b/package/network/config/soloscli/patches/000-Makefile.patch @@ -0,0 +1,21 @@ +--- a/Makefile 2010-06-14 14:17:11.000000000 +1000 ++++ b/Makefile 2010-06-14 14:17:54.000000000 +1000 +@@ -13,6 +13,11 @@ + KDIR ?= /lib/modules/$(shell uname -r)/build + PWD := $(shell pwd) + ++soloscli/soloscli: ++ $(MAKE) -C soloscli ++ ++install: ++ + default: + $(MAKE) -C $(KDIR) M=$(PWD) modules + +@@ -20,5 +25,6 @@ + rm -f *.o *.ko *.mod.c .*.cmd + rm -rf .tmp_versions + rm -f Module.symvers ++ $(MAKE) -C soloscli clean + + endif diff --git a/package/network/config/soloscli/patches/001-newline.patch b/package/network/config/soloscli/patches/001-newline.patch new file mode 100644 index 000000000..4b663e889 --- /dev/null +++ b/package/network/config/soloscli/patches/001-newline.patch @@ -0,0 +1,15 @@ +--- a/soloscli/soloscli.c ++++ b/soloscli/soloscli.c +@@ -238,7 +238,11 @@ + } + if (strcmp(buf,pid) == 0) { + /* printf("Sequence matches.\n"); */ +- printf("%s",bufp); ++ if(buf[(len-1)] == '\n'){ ++ printf("%s",bufp); ++ } else { ++ printf("%s\n",bufp); ++ } + } else { + printf("Sequence incorrect.\n"); + buf[i] = '\n'; diff --git a/package/network/config/swconfig/Makefile b/package/network/config/swconfig/Makefile new file mode 100644 index 000000000..6d1c9db78 --- /dev/null +++ b/package/network/config/swconfig/Makefile @@ -0,0 +1,50 @@ +# +# Copyright (C) 2008-2010 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=swconfig +PKG_RELEASE:=10 + +PKG_MAINTAINER:=Felix Fietkau <nbd@openwrt.org> + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk + +define Package/swconfig + SECTION:=base + CATEGORY:=Base system + DEPENDS:=@!TARGET_brcm47xx +libuci +libnl-tiny + TITLE:=Switch configuration utility +endef + +TARGET_CPPFLAGS := \ + -D_GNU_SOURCE \ + -I$(STAGING_DIR)/usr/include/libnl-tiny \ + -I$(PKG_BUILD_DIR) \ + $(TARGET_CPPFLAGS) \ + -I$(LINUX_DIR)/user_headers/include + +define Build/Prepare + mkdir -p $(PKG_BUILD_DIR) + $(CP) ./src/* $(PKG_BUILD_DIR)/ +endef + +define Build/Compile + CFLAGS="$(TARGET_CPPFLAGS) $(TARGET_CFLAGS)" \ + $(MAKE) -C $(PKG_BUILD_DIR) \ + $(TARGET_CONFIGURE_OPTS) \ + LIBS="$(TARGET_LDFLAGS) -lnl-tiny -lm -luci" +endef + +define Package/swconfig/install + $(INSTALL_DIR) $(1)/sbin $(1)/lib/network + $(INSTALL_BIN) $(PKG_BUILD_DIR)/swconfig $(1)/sbin/swconfig + $(INSTALL_DATA) ./files/switch.sh $(1)/lib/network/ +endef + +$(eval $(call BuildPackage,swconfig)) diff --git a/package/network/config/swconfig/files/switch.sh b/package/network/config/swconfig/files/switch.sh new file mode 100644 index 000000000..18d5fbd2c --- /dev/null +++ b/package/network/config/swconfig/files/switch.sh @@ -0,0 +1,14 @@ +#!/bin/sh +# Copyright (C) 2009 OpenWrt.org + +setup_switch_dev() { + config_get name "$1" name + name="${name:-$1}" + [ -d "/sys/class/net/$name" ] && ifconfig "$name" up + swconfig dev "$name" load network +} + +setup_switch() { + config_load network + config_foreach setup_switch_dev switch +} diff --git a/package/network/config/swconfig/src/Makefile b/package/network/config/swconfig/src/Makefile new file mode 100644 index 000000000..0d56f4315 --- /dev/null +++ b/package/network/config/swconfig/src/Makefile @@ -0,0 +1,12 @@ +ifndef CFLAGS +CFLAGS = -O2 -g -I ../src +endif +LIBS=-lnl -lnl-genl + +all: swconfig + +%.o: %.c + $(CC) $(CFLAGS) -c -o $@ $^ + +swconfig: cli.o swlib.o uci.o + $(CC) $(LDFLAGS) -o $@ $^ $(LIBS) diff --git a/package/network/config/swconfig/src/cli.c b/package/network/config/swconfig/src/cli.c new file mode 100644 index 000000000..2eb73bea3 --- /dev/null +++ b/package/network/config/swconfig/src/cli.c @@ -0,0 +1,355 @@ +/* + * swconfig.c: Switch configuration utility + * + * Copyright (C) 2008 Felix Fietkau <nbd@openwrt.org> + * Copyright (C) 2010 Martin Mares <mj@ucw.cz> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundatio. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <inttypes.h> +#include <errno.h> +#include <stdint.h> +#include <getopt.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <uci.h> + +#include <linux/types.h> +#include <linux/netlink.h> +#include <linux/genetlink.h> +#include <netlink/netlink.h> +#include <netlink/genl/genl.h> +#include <netlink/genl/ctrl.h> +#include <linux/switch.h> +#include "swlib.h" + +enum { + CMD_NONE, + CMD_GET, + CMD_SET, + CMD_LOAD, + CMD_HELP, + CMD_SHOW, + CMD_PORTMAP, +}; + +static void +print_attrs(const struct switch_attr *attr) +{ + int i = 0; + while (attr) { + const char *type; + switch(attr->type) { + case SWITCH_TYPE_INT: + type = "int"; + break; + case SWITCH_TYPE_STRING: + type = "string"; + break; + case SWITCH_TYPE_PORTS: + type = "ports"; + break; + case SWITCH_TYPE_NOVAL: + type = "none"; + break; + default: + type = "unknown"; + break; + } + printf("\tAttribute %d (%s): %s (%s)\n", ++i, type, attr->name, attr->description); + attr = attr->next; + } +} + +static void +list_attributes(struct switch_dev *dev) +{ + printf("%s: %s(%s), ports: %d (cpu @ %d), vlans: %d\n", dev->dev_name, dev->alias, dev->name, dev->ports, dev->cpu_port, dev->vlans); + printf(" --switch\n"); + print_attrs(dev->ops); + printf(" --vlan\n"); + print_attrs(dev->vlan_ops); + printf(" --port\n"); + print_attrs(dev->port_ops); +} + +static void +print_attr_val(const struct switch_attr *attr, const struct switch_val *val) +{ + int i; + + switch (attr->type) { + case SWITCH_TYPE_INT: + printf("%d", val->value.i); + break; + case SWITCH_TYPE_STRING: + printf("%s", val->value.s); + break; + case SWITCH_TYPE_PORTS: + for(i = 0; i < val->len; i++) { + printf("%d%s ", + val->value.ports[i].id, + (val->value.ports[i].flags & + SWLIB_PORT_FLAG_TAGGED) ? "t" : ""); + } + break; + default: + printf("?unknown-type?"); + } +} + +static void +show_attrs(struct switch_dev *dev, struct switch_attr *attr, struct switch_val *val) +{ + while (attr) { + if (attr->type != SWITCH_TYPE_NOVAL) { + printf("\t%s: ", attr->name); + if (swlib_get_attr(dev, attr, val) < 0) + printf("???"); + else + print_attr_val(attr, val); + putchar('\n'); + } + attr = attr->next; + } +} + +static void +show_global(struct switch_dev *dev) +{ + struct switch_val val; + + printf("Global attributes:\n"); + show_attrs(dev, dev->ops, &val); +} + +static void +show_port(struct switch_dev *dev, int port) +{ + struct switch_val val; + + printf("Port %d:\n", port); + val.port_vlan = port; + show_attrs(dev, dev->port_ops, &val); +} + +static void +show_vlan(struct switch_dev *dev, int vlan, bool all) +{ + struct switch_val val; + struct switch_attr *attr; + + val.port_vlan = vlan; + + if (all) { + attr = swlib_lookup_attr(dev, SWLIB_ATTR_GROUP_VLAN, "ports"); + if (swlib_get_attr(dev, attr, &val) < 0) + return; + + if (!val.len) + return; + } + + printf("VLAN %d:\n", vlan); + show_attrs(dev, dev->vlan_ops, &val); +} + +static void +print_usage(void) +{ + printf("swconfig list\n"); + printf("swconfig dev <dev> [port <port>|vlan <vlan>] (help|set <key> <value>|get <key>|load <config>|show)\n"); + exit(1); +} + +static void +swconfig_load_uci(struct switch_dev *dev, const char *name) +{ + struct uci_context *ctx; + struct uci_package *p = NULL; + struct uci_element *e; + int ret = -1; + + ctx = uci_alloc_context(); + if (!ctx) + return; + + uci_load(ctx, name, &p); + if (!p) { + uci_perror(ctx, "Failed to load config file: "); + goto out; + } + + ret = swlib_apply_from_uci(dev, p); + if (ret < 0) + fprintf(stderr, "Failed to apply configuration for switch '%s'\n", dev->dev_name); + +out: + uci_free_context(ctx); + exit(ret); +} + +int main(int argc, char **argv) +{ + int retval = 0; + struct switch_dev *dev; + struct switch_attr *a; + struct switch_val val; + int err; + int i; + + int cmd = CMD_NONE; + char *cdev = NULL; + int cport = -1; + int cvlan = -1; + char *ckey = NULL; + char *cvalue = NULL; + char *csegment = NULL; + + if((argc == 2) && !strcmp(argv[1], "list")) { + swlib_list(); + return 0; + } + + if(argc < 4) + print_usage(); + + if(strcmp(argv[1], "dev")) + print_usage(); + + cdev = argv[2]; + + for(i = 3; i < argc; i++) + { + char *arg = argv[i]; + if (cmd != CMD_NONE) { + print_usage(); + } else if (!strcmp(arg, "port") && i+1 < argc) { + cport = atoi(argv[++i]); + } else if (!strcmp(arg, "vlan") && i+1 < argc) { + cvlan = atoi(argv[++i]); + } else if (!strcmp(arg, "help")) { + cmd = CMD_HELP; + } else if (!strcmp(arg, "set") && i+1 < argc) { + cmd = CMD_SET; + ckey = argv[++i]; + if (i+1 < argc) + cvalue = argv[++i]; + } else if (!strcmp(arg, "get") && i+1 < argc) { + cmd = CMD_GET; + ckey = argv[++i]; + } else if (!strcmp(arg, "load") && i+1 < argc) { + if ((cport >= 0) || (cvlan >= 0)) + print_usage(); + cmd = CMD_LOAD; + ckey = argv[++i]; + } else if (!strcmp(arg, "portmap")) { + if (i + 1 < argc) + csegment = argv[++i]; + cmd = CMD_PORTMAP; + } else if (!strcmp(arg, "show")) { + cmd = CMD_SHOW; + } else { + print_usage(); + } + } + + if (cmd == CMD_NONE) + print_usage(); + if (cport > -1 && cvlan > -1) + print_usage(); + + dev = swlib_connect(cdev); + if (!dev) { + fprintf(stderr, "Failed to connect to the switch\n"); + return 1; + } + + swlib_scan(dev); + + if (cmd == CMD_GET || cmd == CMD_SET) { + if(cport > -1) + a = swlib_lookup_attr(dev, SWLIB_ATTR_GROUP_PORT, ckey); + else if(cvlan > -1) + a = swlib_lookup_attr(dev, SWLIB_ATTR_GROUP_VLAN, ckey); + else + a = swlib_lookup_attr(dev, SWLIB_ATTR_GROUP_GLOBAL, ckey); + + if(!a) + { + fprintf(stderr, "Unknown attribute \"%s\"\n", ckey); + goto out; + } + } + + switch(cmd) + { + case CMD_SET: + if ((a->type != SWITCH_TYPE_NOVAL) && + (cvalue == NULL)) + print_usage(); + + if(cvlan > -1) + cport = cvlan; + + if(swlib_set_attr_string(dev, a, cport, cvalue) < 0) + { + fprintf(stderr, "failed\n"); + retval = -1; + goto out; + } + break; + case CMD_GET: + if(cvlan > -1) + val.port_vlan = cvlan; + if(cport > -1) + val.port_vlan = cport; + if(swlib_get_attr(dev, a, &val) < 0) + { + fprintf(stderr, "failed\n"); + retval = -1; + goto out; + } + print_attr_val(a, &val); + putchar('\n'); + break; + case CMD_LOAD: + swconfig_load_uci(dev, ckey); + break; + case CMD_HELP: + list_attributes(dev); + break; + case CMD_PORTMAP: + swlib_print_portmap(dev, csegment); + break; + case CMD_SHOW: + if (cport >= 0 || cvlan >= 0) { + if (cport >= 0) + show_port(dev, cport); + else + show_vlan(dev, cvlan, false); + } else { + show_global(dev); + for (i=0; i < dev->ports; i++) + show_port(dev, i); + for (i=0; i < dev->vlans; i++) + show_vlan(dev, i, true); + } + break; + } + +out: + swlib_free_all(dev); + return 0; +} diff --git a/package/network/config/swconfig/src/swlib.c b/package/network/config/swconfig/src/swlib.c new file mode 100644 index 000000000..7de3a604e --- /dev/null +++ b/package/network/config/swconfig/src/swlib.c @@ -0,0 +1,786 @@ +/* + * swlib.c: Switch configuration API (user space part) + * + * Copyright (C) 2008 Felix Fietkau <nbd@openwrt.org> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * version 2.1 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <inttypes.h> +#include <errno.h> +#include <stdint.h> +#include <getopt.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <linux/switch.h> +#include "swlib.h" +#include <netlink/netlink.h> +#include <netlink/genl/genl.h> +#include <netlink/genl/family.h> + +//#define DEBUG 1 +#ifdef DEBUG +#define DPRINTF(fmt, ...) fprintf(stderr, "%s(%d): " fmt, __func__, __LINE__, ##__VA_ARGS__) +#else +#define DPRINTF(fmt, ...) do {} while (0) +#endif + +static struct nl_sock *handle; +static struct nl_cache *cache; +static struct genl_family *family; +static struct nlattr *tb[SWITCH_ATTR_MAX + 1]; +static int refcount = 0; + +static struct nla_policy port_policy[SWITCH_ATTR_MAX] = { + [SWITCH_PORT_ID] = { .type = NLA_U32 }, + [SWITCH_PORT_FLAG_TAGGED] = { .type = NLA_FLAG }, +}; + +static struct nla_policy portmap_policy[SWITCH_PORTMAP_MAX] = { + [SWITCH_PORTMAP_SEGMENT] = { .type = NLA_STRING }, + [SWITCH_PORTMAP_VIRT] = { .type = NLA_U32 }, +}; + +static inline void * +swlib_alloc(size_t size) +{ + void *ptr; + + ptr = malloc(size); + if (!ptr) + goto done; + memset(ptr, 0, size); + +done: + return ptr; +} + +static int +wait_handler(struct nl_msg *msg, void *arg) +{ + int *finished = arg; + + *finished = 1; + return NL_STOP; +} + +/* helper function for performing netlink requests */ +static int +swlib_call(int cmd, int (*call)(struct nl_msg *, void *), + int (*data)(struct nl_msg *, void *), void *arg) +{ + struct nl_msg *msg; + struct nl_cb *cb = NULL; + int finished; + int flags = 0; + int err; + + msg = nlmsg_alloc(); + if (!msg) { + fprintf(stderr, "Out of memory!\n"); + exit(1); + } + + if (!data) + flags |= NLM_F_DUMP; + + genlmsg_put(msg, NL_AUTO_PID, NL_AUTO_SEQ, genl_family_get_id(family), 0, flags, cmd, 0); + if (data) { + if (data(msg, arg) < 0) + goto nla_put_failure; + } + + cb = nl_cb_alloc(NL_CB_CUSTOM); + if (!cb) { + fprintf(stderr, "nl_cb_alloc failed.\n"); + exit(1); + } + + err = nl_send_auto_complete(handle, msg); + if (err < 0) { + fprintf(stderr, "nl_send_auto_complete failed: %d\n", err); + goto out; + } + + finished = 0; + + if (call) + nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, call, arg); + + if (data) + nl_cb_set(cb, NL_CB_ACK, NL_CB_CUSTOM, wait_handler, &finished); + else + nl_cb_set(cb, NL_CB_FINISH, NL_CB_CUSTOM, wait_handler, &finished); + + err = nl_recvmsgs(handle, cb); + if (err < 0) { + goto out; + } + + if (!finished) + err = nl_wait_for_ack(handle); + +out: + if (cb) + nl_cb_put(cb); +nla_put_failure: + nlmsg_free(msg); + return err; +} + +static int +send_attr(struct nl_msg *msg, void *arg) +{ + struct switch_val *val = arg; + struct switch_attr *attr = val->attr; + + NLA_PUT_U32(msg, SWITCH_ATTR_ID, attr->dev->id); + NLA_PUT_U32(msg, SWITCH_ATTR_OP_ID, attr->id); + switch(attr->atype) { + case SWLIB_ATTR_GROUP_PORT: + NLA_PUT_U32(msg, SWITCH_ATTR_OP_PORT, val->port_vlan); + break; + case SWLIB_ATTR_GROUP_VLAN: + NLA_PUT_U32(msg, SWITCH_ATTR_OP_VLAN, val->port_vlan); + break; + default: + break; + } + + return 0; + +nla_put_failure: + return -1; +} + +static int +store_port_val(struct nl_msg *msg, struct nlattr *nla, struct switch_val *val) +{ + struct nlattr *p; + int ports = val->attr->dev->ports; + int err = 0; + int remaining; + + if (!val->value.ports) + val->value.ports = malloc(sizeof(struct switch_port) * ports); + + nla_for_each_nested(p, nla, remaining) { + struct nlattr *tb[SWITCH_PORT_ATTR_MAX+1]; + struct switch_port *port; + + if (val->len >= ports) + break; + + err = nla_parse_nested(tb, SWITCH_PORT_ATTR_MAX, p, port_policy); + if (err < 0) + goto out; + + if (!tb[SWITCH_PORT_ID]) + continue; + + port = &val->value.ports[val->len]; + port->id = nla_get_u32(tb[SWITCH_PORT_ID]); + port->flags = 0; + if (tb[SWITCH_PORT_FLAG_TAGGED]) + port->flags |= SWLIB_PORT_FLAG_TAGGED; + + val->len++; + } + +out: + return err; +} + +static int +store_val(struct nl_msg *msg, void *arg) +{ + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); + struct switch_val *val = arg; + struct switch_attr *attr = val->attr; + + if (!val) + goto error; + + if (nla_parse(tb, SWITCH_ATTR_MAX - 1, genlmsg_attrdata(gnlh, 0), + genlmsg_attrlen(gnlh, 0), NULL) < 0) { + goto error; + } + + if (tb[SWITCH_ATTR_OP_VALUE_INT]) + val->value.i = nla_get_u32(tb[SWITCH_ATTR_OP_VALUE_INT]); + else if (tb[SWITCH_ATTR_OP_VALUE_STR]) + val->value.s = strdup(nla_get_string(tb[SWITCH_ATTR_OP_VALUE_STR])); + else if (tb[SWITCH_ATTR_OP_VALUE_PORTS]) + val->err = store_port_val(msg, tb[SWITCH_ATTR_OP_VALUE_PORTS], val); + + val->err = 0; + return 0; + +error: + return NL_SKIP; +} + +int +swlib_get_attr(struct switch_dev *dev, struct switch_attr *attr, struct switch_val *val) +{ + int cmd; + int err; + + switch(attr->atype) { + case SWLIB_ATTR_GROUP_GLOBAL: + cmd = SWITCH_CMD_GET_GLOBAL; + break; + case SWLIB_ATTR_GROUP_PORT: + cmd = SWITCH_CMD_GET_PORT; + break; + case SWLIB_ATTR_GROUP_VLAN: + cmd = SWITCH_CMD_GET_VLAN; + break; + default: + return -EINVAL; + } + + memset(&val->value, 0, sizeof(val->value)); + val->len = 0; + val->attr = attr; + val->err = -EINVAL; + err = swlib_call(cmd, store_val, send_attr, val); + if (!err) + err = val->err; + + return err; +} + +static int +send_attr_ports(struct nl_msg *msg, struct switch_val *val) +{ + struct nlattr *n; + int i; + + /* TODO implement multipart? */ + if (val->len == 0) + goto done; + n = nla_nest_start(msg, SWITCH_ATTR_OP_VALUE_PORTS); + if (!n) + goto nla_put_failure; + for (i = 0; i < val->len; i++) { + struct switch_port *port = &val->value.ports[i]; + struct nlattr *np; + + np = nla_nest_start(msg, SWITCH_ATTR_PORT); + if (!np) + goto nla_put_failure; + + NLA_PUT_U32(msg, SWITCH_PORT_ID, port->id); + if (port->flags & SWLIB_PORT_FLAG_TAGGED) + NLA_PUT_FLAG(msg, SWITCH_PORT_FLAG_TAGGED); + + nla_nest_end(msg, np); + } + nla_nest_end(msg, n); +done: + return 0; + +nla_put_failure: + return -1; +} + +static int +send_attr_val(struct nl_msg *msg, void *arg) +{ + struct switch_val *val = arg; + struct switch_attr *attr = val->attr; + + if (send_attr(msg, arg)) + goto nla_put_failure; + + switch(attr->type) { + case SWITCH_TYPE_NOVAL: + break; + case SWITCH_TYPE_INT: + NLA_PUT_U32(msg, SWITCH_ATTR_OP_VALUE_INT, val->value.i); + break; + case SWITCH_TYPE_STRING: + if (!val->value.s) + goto nla_put_failure; + NLA_PUT_STRING(msg, SWITCH_ATTR_OP_VALUE_STR, val->value.s); + break; + case SWITCH_TYPE_PORTS: + if (send_attr_ports(msg, val) < 0) + goto nla_put_failure; + break; + default: + goto nla_put_failure; + } + return 0; + +nla_put_failure: + return -1; +} + +int +swlib_set_attr(struct switch_dev *dev, struct switch_attr *attr, struct switch_val *val) +{ + int cmd; + + switch(attr->atype) { + case SWLIB_ATTR_GROUP_GLOBAL: + cmd = SWITCH_CMD_SET_GLOBAL; + break; + case SWLIB_ATTR_GROUP_PORT: + cmd = SWITCH_CMD_SET_PORT; + break; + case SWLIB_ATTR_GROUP_VLAN: + cmd = SWITCH_CMD_SET_VLAN; + break; + default: + return -EINVAL; + } + + val->attr = attr; + return swlib_call(cmd, NULL, send_attr_val, val); +} + +int swlib_set_attr_string(struct switch_dev *dev, struct switch_attr *a, int port_vlan, const char *str) +{ + struct switch_port *ports; + struct switch_val val; + char *ptr; + + memset(&val, 0, sizeof(val)); + val.port_vlan = port_vlan; + switch(a->type) { + case SWITCH_TYPE_INT: + val.value.i = atoi(str); + break; + case SWITCH_TYPE_STRING: + val.value.s = str; + break; + case SWITCH_TYPE_PORTS: + ports = alloca(sizeof(struct switch_port) * dev->ports); + memset(ports, 0, sizeof(struct switch_port) * dev->ports); + val.len = 0; + ptr = (char *)str; + while(ptr && *ptr) + { + while(*ptr && isspace(*ptr)) + ptr++; + + if (!*ptr) + break; + + if (!isdigit(*ptr)) + return -1; + + if (val.len >= dev->ports) + return -1; + + ports[val.len].flags = 0; + ports[val.len].id = strtoul(ptr, &ptr, 10); + while(*ptr && !isspace(*ptr)) { + if (*ptr == 't') + ports[val.len].flags |= SWLIB_PORT_FLAG_TAGGED; + else + return -1; + + ptr++; + } + if (*ptr) + ptr++; + val.len++; + } + val.value.ports = ports; + break; + case SWITCH_TYPE_NOVAL: + if (str && !strcmp(str, "0")) + return 0; + + break; + default: + return -1; + } + return swlib_set_attr(dev, a, &val); +} + + +struct attrlist_arg { + int id; + int atype; + struct switch_dev *dev; + struct switch_attr *prev; + struct switch_attr **head; +}; + +static int +add_id(struct nl_msg *msg, void *arg) +{ + struct attrlist_arg *l = arg; + + NLA_PUT_U32(msg, SWITCH_ATTR_ID, l->id); + + return 0; +nla_put_failure: + return -1; +} + +static int +add_attr(struct nl_msg *msg, void *ptr) +{ + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); + struct attrlist_arg *arg = ptr; + struct switch_attr *new; + + if (nla_parse(tb, SWITCH_ATTR_MAX - 1, genlmsg_attrdata(gnlh, 0), + genlmsg_attrlen(gnlh, 0), NULL) < 0) + goto done; + + new = swlib_alloc(sizeof(struct switch_attr)); + if (!new) + goto done; + + new->dev = arg->dev; + new->atype = arg->atype; + if (arg->prev) { + arg->prev->next = new; + } else { + arg->prev = *arg->head; + } + *arg->head = new; + arg->head = &new->next; + + if (tb[SWITCH_ATTR_OP_ID]) + new->id = nla_get_u32(tb[SWITCH_ATTR_OP_ID]); + if (tb[SWITCH_ATTR_OP_TYPE]) + new->type = nla_get_u32(tb[SWITCH_ATTR_OP_TYPE]); + if (tb[SWITCH_ATTR_OP_NAME]) + new->name = strdup(nla_get_string(tb[SWITCH_ATTR_OP_NAME])); + if (tb[SWITCH_ATTR_OP_DESCRIPTION]) + new->description = strdup(nla_get_string(tb[SWITCH_ATTR_OP_DESCRIPTION])); + +done: + return NL_SKIP; +} + +int +swlib_scan(struct switch_dev *dev) +{ + struct attrlist_arg arg; + + if (dev->ops || dev->port_ops || dev->vlan_ops) + return 0; + + arg.atype = SWLIB_ATTR_GROUP_GLOBAL; + arg.dev = dev; + arg.id = dev->id; + arg.prev = NULL; + arg.head = &dev->ops; + swlib_call(SWITCH_CMD_LIST_GLOBAL, add_attr, add_id, &arg); + + arg.atype = SWLIB_ATTR_GROUP_PORT; + arg.prev = NULL; + arg.head = &dev->port_ops; + swlib_call(SWITCH_CMD_LIST_PORT, add_attr, add_id, &arg); + + arg.atype = SWLIB_ATTR_GROUP_VLAN; + arg.prev = NULL; + arg.head = &dev->vlan_ops; + swlib_call(SWITCH_CMD_LIST_VLAN, add_attr, add_id, &arg); + + return 0; +} + +struct switch_attr *swlib_lookup_attr(struct switch_dev *dev, + enum swlib_attr_group atype, const char *name) +{ + struct switch_attr *head; + + if (!name || !dev) + return NULL; + + switch(atype) { + case SWLIB_ATTR_GROUP_GLOBAL: + head = dev->ops; + break; + case SWLIB_ATTR_GROUP_PORT: + head = dev->port_ops; + break; + case SWLIB_ATTR_GROUP_VLAN: + head = dev->vlan_ops; + break; + } + while(head) { + if (!strcmp(name, head->name)) + return head; + head = head->next; + } + + return NULL; +} + +static void +swlib_priv_free(void) +{ + if (cache) + nl_cache_free(cache); + if (handle) + nl_socket_free(handle); + handle = NULL; + cache = NULL; +} + +static int +swlib_priv_init(void) +{ + int ret; + + handle = nl_socket_alloc(); + if (!handle) { + DPRINTF("Failed to create handle\n"); + goto err; + } + + if (genl_connect(handle)) { + DPRINTF("Failed to connect to generic netlink\n"); + goto err; + } + + ret = genl_ctrl_alloc_cache(handle, &cache); + if (ret < 0) { + DPRINTF("Failed to allocate netlink cache\n"); + goto err; + } + + family = genl_ctrl_search_by_name(cache, "switch"); + if (!family) { + DPRINTF("Switch API not present\n"); + goto err; + } + return 0; + +err: + swlib_priv_free(); + return -EINVAL; +} + +struct swlib_scan_arg { + const char *name; + struct switch_dev *head; + struct switch_dev *ptr; +}; + +static int +add_port_map(struct switch_dev *dev, struct nlattr *nla) +{ + struct nlattr *p; + int err = 0, idx = 0; + int remaining; + + dev->maps = malloc(sizeof(struct switch_portmap) * dev->ports); + if (!dev->maps) + return -1; + memset(dev->maps, 0, sizeof(struct switch_portmap) * dev->ports); + + nla_for_each_nested(p, nla, remaining) { + struct nlattr *tb[SWITCH_PORTMAP_MAX+1]; + + if (idx >= dev->ports) + continue; + + err = nla_parse_nested(tb, SWITCH_PORTMAP_MAX, p, portmap_policy); + if (err < 0) + continue; + + + if (tb[SWITCH_PORTMAP_SEGMENT] && tb[SWITCH_PORTMAP_VIRT]) { + dev->maps[idx].segment = strdup(nla_get_string(tb[SWITCH_PORTMAP_SEGMENT])); + dev->maps[idx].virt = nla_get_u32(tb[SWITCH_PORTMAP_VIRT]); + } + idx++; + } + +out: + return err; +} + + +static int +add_switch(struct nl_msg *msg, void *arg) +{ + struct swlib_scan_arg *sa = arg; + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); + struct switch_dev *dev; + const char *name; + const char *alias; + + if (nla_parse(tb, SWITCH_ATTR_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL) < 0) + goto done; + + if (!tb[SWITCH_ATTR_DEV_NAME]) + goto done; + + name = nla_get_string(tb[SWITCH_ATTR_DEV_NAME]); + alias = nla_get_string(tb[SWITCH_ATTR_ALIAS]); + + if (sa->name && (strcmp(name, sa->name) != 0) && (strcmp(alias, sa->name) != 0)) + goto done; + + dev = swlib_alloc(sizeof(struct switch_dev)); + if (!dev) + goto done; + + strncpy(dev->dev_name, name, IFNAMSIZ - 1); + dev->alias = strdup(alias); + if (tb[SWITCH_ATTR_ID]) + dev->id = nla_get_u32(tb[SWITCH_ATTR_ID]); + if (tb[SWITCH_ATTR_NAME]) + dev->name = strdup(nla_get_string(tb[SWITCH_ATTR_NAME])); + if (tb[SWITCH_ATTR_PORTS]) + dev->ports = nla_get_u32(tb[SWITCH_ATTR_PORTS]); + if (tb[SWITCH_ATTR_VLANS]) + dev->vlans = nla_get_u32(tb[SWITCH_ATTR_VLANS]); + if (tb[SWITCH_ATTR_CPU_PORT]) + dev->cpu_port = nla_get_u32(tb[SWITCH_ATTR_CPU_PORT]); + if (tb[SWITCH_ATTR_PORTMAP]) + add_port_map(dev, tb[SWITCH_ATTR_PORTMAP]); + + if (!sa->head) { + sa->head = dev; + sa->ptr = dev; + } else { + sa->ptr->next = dev; + sa->ptr = dev; + } + + refcount++; +done: + return NL_SKIP; +} + +static int +list_switch(struct nl_msg *msg, void *arg) +{ + struct swlib_scan_arg *sa = arg; + struct genlmsghdr *gnlh = nlmsg_data(nlmsg_hdr(msg)); + struct switch_dev *dev; + const char *name; + const char *alias; + + if (nla_parse(tb, SWITCH_ATTR_MAX, genlmsg_attrdata(gnlh, 0), genlmsg_attrlen(gnlh, 0), NULL) < 0) + goto done; + + if (!tb[SWITCH_ATTR_DEV_NAME] || !tb[SWITCH_ATTR_NAME]) + goto done; + + printf("Found: %s - %s\n", nla_get_string(tb[SWITCH_ATTR_DEV_NAME]), + nla_get_string(tb[SWITCH_ATTR_ALIAS])); + +done: + return NL_SKIP; +} + +void +swlib_list(void) +{ + if (swlib_priv_init() < 0) + return; + swlib_call(SWITCH_CMD_GET_SWITCH, list_switch, NULL, NULL); + swlib_priv_free(); +} + +void +swlib_print_portmap(struct switch_dev *dev, char *segment) +{ + int i; + + if (segment) { + if (!strcmp(segment, "cpu")) { + printf("%d ", dev->cpu_port); + } else if (!strcmp(segment, "disabled")) { + for (i = 0; i < dev->ports; i++) + if (!dev->maps[i].segment) + printf("%d ", i); + } else for (i = 0; i < dev->ports; i++) { + if (dev->maps[i].segment && !strcmp(dev->maps[i].segment, segment)) + printf("%d ", i); + } + } else { + printf("%s - %s\n", dev->dev_name, dev->name); + for (i = 0; i < dev->ports; i++) + if (i == dev->cpu_port) + printf("port%d:\tcpu\n", i); + else if (dev->maps[i].segment) + printf("port%d:\t%s.%d\n", i, dev->maps[i].segment, dev->maps[i].virt); + else + printf("port%d:\tdisabled\n", i); + } +} + +struct switch_dev * +swlib_connect(const char *name) +{ + struct swlib_scan_arg arg; + int err; + + if (!refcount) { + if (swlib_priv_init() < 0) + return NULL; + }; + + arg.head = NULL; + arg.ptr = NULL; + arg.name = name; + swlib_call(SWITCH_CMD_GET_SWITCH, add_switch, NULL, &arg); + + if (!refcount) + swlib_priv_free(); + + return arg.head; +} + +static void +swlib_free_attributes(struct switch_attr **head) +{ + struct switch_attr *a = *head; + struct switch_attr *next; + + while (a) { + next = a->next; + free(a); + a = next; + } + *head = NULL; +} + +void +swlib_free(struct switch_dev *dev) +{ + swlib_free_attributes(&dev->ops); + swlib_free_attributes(&dev->port_ops); + swlib_free_attributes(&dev->vlan_ops); + free(dev); + + if (--refcount == 0) + swlib_priv_free(); +} + +void +swlib_free_all(struct switch_dev *dev) +{ + struct switch_dev *p; + + while (dev) { + p = dev->next; + swlib_free(dev); + dev = p; + } +} diff --git a/package/network/config/swconfig/src/swlib.h b/package/network/config/swconfig/src/swlib.h new file mode 100644 index 000000000..016f74b4f --- /dev/null +++ b/package/network/config/swconfig/src/swlib.h @@ -0,0 +1,252 @@ +/* + * swlib.h: Switch configuration API (user space part) + * + * Copyright (C) 2008-2009 Felix Fietkau <nbd@openwrt.org> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * version 2.1 as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + +Usage of the library functions: + + The main datastructure for a switch is the struct switch_device + To get started, you first need to use switch_connect() to probe + for switches and allocate an instance of this struct. + + There are two possible usage modes: + dev = switch_connect("eth0"); + - this call will look for a switch registered for the linux device + "eth0" and only allocate a switch_device for this particular switch. + + dev = switch_connect(NULL) + - this will return one switch_device struct for each available + switch. The switch_device structs are chained with by ->next pointer + + Then to query a switch for all available attributes, use: + swlib_scan(dev); + + All allocated datastructures for the switch_device struct can be freed with + swlib_free(dev); + or + swlib_free_all(dev); + + The latter traverses a whole chain of switch_device structs and frees them all + + Switch attributes (struct switch_attr) are divided into three groups: + dev->ops: + - global settings + dev->port_ops: + - per-port settings + dev->vlan_ops: + - per-vlan settings + + switch_lookup_attr() is a small helper function to locate attributes + by name. + + switch_set_attr() and switch_get_attr() can alter or request the values + of attributes. + +Usage of the switch_attr struct: + + ->atype: attribute group, one of: + - SWLIB_ATTR_GROUP_GLOBAL + - SWLIB_ATTR_GROUP_VLAN + - SWLIB_ATTR_GROUP_PORT + + ->id: identifier for the attribute + + ->type: data type, one of: + - SWITCH_TYPE_INT + - SWITCH_TYPE_STRING + - SWITCH_TYPE_PORT + + ->name: short name of the attribute + ->description: longer description + ->next: pointer to the next attribute of the current group + + +Usage of the switch_val struct: + + When setting attributes, following members of the struct switch_val need + to be set up: + + ->len (for attr->type == SWITCH_TYPE_PORT) + ->port_vlan: + - port number (for attr->atype == SWLIB_ATTR_GROUP_PORT), or: + - vlan number (for attr->atype == SWLIB_ATTR_GROUP_VLAN) + ->value.i (for attr->type == SWITCH_TYPE_INT) + ->value.s (for attr->type == SWITCH_TYPE_STRING) + - owned by the caller, not stored in the library internally + ->value.ports (for attr->type == SWITCH_TYPE_PORT) + - must point to an array of at lest val->len * sizeof(struct switch_port) + + When getting string attributes, val->value.s must be freed by the caller + When getting port list attributes, an internal static buffer is used, + which changes from call to call. + + */ + +#ifndef __SWLIB_H +#define __SWLIB_H + +enum swlib_attr_group { + SWLIB_ATTR_GROUP_GLOBAL, + SWLIB_ATTR_GROUP_VLAN, + SWLIB_ATTR_GROUP_PORT, +}; + +enum swlib_port_flags { + SWLIB_PORT_FLAG_TAGGED = (1 << 0), +}; + + +struct switch_dev; +struct switch_attr; +struct switch_port; +struct switch_port_map; +struct switch_val; +struct uci_package; + +struct switch_dev { + int id; + char dev_name[IFNAMSIZ]; + const char *name; + const char *alias; + int ports; + int vlans; + int cpu_port; + struct switch_attr *ops; + struct switch_attr *port_ops; + struct switch_attr *vlan_ops; + struct switch_portmap *maps; + struct switch_dev *next; + void *priv; +}; + +struct switch_val { + struct switch_attr *attr; + int len; + int err; + int port_vlan; + union { + const char *s; + int i; + struct switch_port *ports; + } value; +}; + +struct switch_attr { + struct switch_dev *dev; + int atype; + int id; + int type; + const char *name; + const char *description; + struct switch_attr *next; +}; + +struct switch_port { + unsigned int id; + unsigned int flags; +}; + +struct switch_portmap { + unsigned int virt; + const char *segment; +}; + +/** + * swlib_list: list all switches + */ +void swlib_list(void); + +/** + * swlib_print_portmap: get portmap + * @dev: switch device struct + */ +void swlib_print_portmap(struct switch_dev *dev, char *segment); + +/** + * swlib_connect: connect to the switch through netlink + * @name: name of the ethernet interface, + * + * if name is NULL, it connect and builds a chain of all switches + */ +struct switch_dev *swlib_connect(const char *name); + +/** + * swlib_free: free all dynamically allocated data for the switch connection + * @dev: switch device struct + * + * all members of a switch device chain (generated by swlib_connect(NULL)) + * must be freed individually + */ +void swlib_free(struct switch_dev *dev); + +/** + * swlib_free_all: run swlib_free on all devices in the chain + * @dev: switch device struct + */ +void swlib_free_all(struct switch_dev *dev); + +/** + * swlib_scan: probe the switch driver for available commands/attributes + * @dev: switch device struct + */ +int swlib_scan(struct switch_dev *dev); + +/** + * swlib_lookup_attr: look up a switch attribute + * @dev: switch device struct + * @type: global, port or vlan + * @name: name of the attribute + */ +struct switch_attr *swlib_lookup_attr(struct switch_dev *dev, + enum swlib_attr_group atype, const char *name); + +/** + * swlib_set_attr: set the value for an attribute + * @dev: switch device struct + * @attr: switch attribute struct + * @val: attribute value pointer + * returns 0 on success + */ +int swlib_set_attr(struct switch_dev *dev, struct switch_attr *attr, + struct switch_val *val); + +/** + * swlib_set_attr_string: set the value for an attribute with type conversion + * @dev: switch device struct + * @attr: switch attribute struct + * @port_vlan: port or vlan (if applicable) + * @str: string value + * returns 0 on success + */ +int swlib_set_attr_string(struct switch_dev *dev, struct switch_attr *attr, + int port_vlan, const char *str); + +/** + * swlib_get_attr: get the value for an attribute + * @dev: switch device struct + * @attr: switch attribute struct + * @val: attribute value pointer + * returns 0 on success + * for string attributes, the result string must be freed by the caller + */ +int swlib_get_attr(struct switch_dev *dev, struct switch_attr *attr, + struct switch_val *val); + +/** + * swlib_apply_from_uci: set up the switch from a uci configuration + * @dev: switch device struct + * @p: uci package which contains the desired global config + */ +int swlib_apply_from_uci(struct switch_dev *dev, struct uci_package *p); + +#endif diff --git a/package/network/config/swconfig/src/uci.c b/package/network/config/swconfig/src/uci.c new file mode 100644 index 000000000..893e3d1dd --- /dev/null +++ b/package/network/config/swconfig/src/uci.c @@ -0,0 +1,248 @@ +/* + * uci.c: UCI binding for the switch configuration utility + * + * Copyright (C) 2009 Felix Fietkau <nbd@openwrt.org> + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * version 2 as published by the Free Software Foundatio. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <stdio.h> +#include <string.h> +#include <stdlib.h> +#include <inttypes.h> +#include <errno.h> +#include <stdint.h> +#include <getopt.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <uci.h> + +#include <linux/types.h> +#include <linux/netlink.h> +#include <linux/genetlink.h> +#include <netlink/netlink.h> +#include <netlink/genl/genl.h> +#include <netlink/genl/ctrl.h> +#include <linux/switch.h> +#include "swlib.h" + +#ifndef ARRAY_SIZE +#define ARRAY_SIZE(x) (sizeof(x) / sizeof(x[0])) +#endif + +struct swlib_setting { + struct switch_attr *attr; + const char *name; + int port_vlan; + const char *val; + struct swlib_setting *next; +}; + +struct swlib_setting early_settings[] = { + { .name = "reset", .val = "1" }, + { .name = "enable_vlan", .val = "1" }, +}; + +static struct swlib_setting *settings; +static struct swlib_setting **head; + +static bool swlib_match_name(struct switch_dev *dev, const char *name) +{ + return (strcmp(name, dev->dev_name) == 0 || + strcmp(name, dev->alias) == 0); +} + +static int +swlib_map_settings(struct switch_dev *dev, int type, int port_vlan, struct uci_section *s) +{ + struct swlib_setting *setting; + struct switch_attr *attr; + struct uci_element *e; + struct uci_option *o; + int i; + + uci_foreach_element(&s->options, e) { + o = uci_to_option(e); + + if (o->type != UCI_TYPE_STRING) + continue; + + if (!strcmp(e->name, "device")) + continue; + + /* map early settings */ + if (type == SWLIB_ATTR_GROUP_GLOBAL) { + int i; + + for (i = 0; i < ARRAY_SIZE(early_settings); i++) { + if (strcmp(e->name, early_settings[i].name) != 0) + continue; + + early_settings[i].val = o->v.string; + goto skip; + } + } + + attr = swlib_lookup_attr(dev, type, e->name); + if (!attr) + continue; + + setting = malloc(sizeof(struct swlib_setting)); + memset(setting, 0, sizeof(struct swlib_setting)); + setting->attr = attr; + setting->port_vlan = port_vlan; + setting->val = o->v.string; + *head = setting; + head = &setting->next; +skip: + continue; + } +} + +int swlib_apply_from_uci(struct switch_dev *dev, struct uci_package *p) +{ + struct switch_attr *attr; + struct uci_context *ctx = p->ctx; + struct uci_element *e; + struct uci_section *s; + struct uci_option *o; + struct uci_ptr ptr; + struct switch_val val; + int i; + + settings = NULL; + head = &settings; + + uci_foreach_element(&p->sections, e) { + struct uci_element *n; + + s = uci_to_section(e); + + if (strcmp(s->type, "switch") != 0) + continue; + + uci_foreach_element(&s->options, n) { + struct uci_option *o = uci_to_option(n); + + if (strcmp(n->name, "name") != 0) + continue; + + if (o->type != UCI_TYPE_STRING) + continue; + + if (swlib_match_name(dev, o->v.string)) + goto found; + + break; + } + + if (!swlib_match_name(dev, e->name)) + continue; + + goto found; + } + + /* not found */ + return -1; + +found: + /* look up available early options, which need to be taken care + * of in the correct order */ + for (i = 0; i < ARRAY_SIZE(early_settings); i++) { + early_settings[i].attr = swlib_lookup_attr(dev, + SWLIB_ATTR_GROUP_GLOBAL, early_settings[i].name); + } + swlib_map_settings(dev, SWLIB_ATTR_GROUP_GLOBAL, 0, s); + + /* look for port or vlan sections */ + uci_foreach_element(&p->sections, e) { + struct uci_element *os; + s = uci_to_section(e); + + if (!strcmp(s->type, "switch_port")) { + char *devn, *port, *port_err = NULL; + int port_n; + + uci_foreach_element(&s->options, os) { + o = uci_to_option(os); + if (o->type != UCI_TYPE_STRING) + continue; + + if (!strcmp(os->name, "device")) { + devn = o->v.string; + if (!swlib_match_name(dev, devn)) + devn = NULL; + } else if (!strcmp(os->name, "port")) { + port = o->v.string; + } + } + if (!devn || !port || !port[0]) + continue; + + port_n = strtoul(port, &port_err, 0); + if (port_err && port_err[0]) + continue; + + swlib_map_settings(dev, SWLIB_ATTR_GROUP_PORT, port_n, s); + } else if (!strcmp(s->type, "switch_vlan")) { + char *devn, *vlan, *vlan_err = NULL; + int vlan_n; + + uci_foreach_element(&s->options, os) { + o = uci_to_option(os); + if (o->type != UCI_TYPE_STRING) + continue; + + if (!strcmp(os->name, "device")) { + devn = o->v.string; + if (!swlib_match_name(dev, devn)) + devn = NULL; + } else if (!strcmp(os->name, "vlan")) { + vlan = o->v.string; + } + } + if (!devn || !vlan || !vlan[0]) + continue; + + vlan_n = strtoul(vlan, &vlan_err, 0); + if (vlan_err && vlan_err[0]) + continue; + + swlib_map_settings(dev, SWLIB_ATTR_GROUP_VLAN, vlan_n, s); + } + } + + for (i = 0; i < ARRAY_SIZE(early_settings); i++) { + struct swlib_setting *st = &early_settings[i]; + if (!st->attr || !st->val) + continue; + swlib_set_attr_string(dev, st->attr, st->port_vlan, st->val); + + } + + while (settings) { + struct swlib_setting *st = settings; + + swlib_set_attr_string(dev, st->attr, st->port_vlan, st->val); + st = st->next; + free(settings); + settings = st; + } + + /* Apply the config */ + attr = swlib_lookup_attr(dev, SWLIB_ATTR_GROUP_GLOBAL, "apply"); + if (!attr) + return 0; + + memset(&val, 0, sizeof(val)); + swlib_set_attr(dev, attr, &val); + + return 0; +} |