blob: 0297518a5d620d07782786f59c22c84c03271b8f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
|
# Copyright (C) 2009-2010 OpenWrt.org
FW_LIBDIR=${FW_LIBDIR:-/lib/firewall}
. $FW_LIBDIR/fw.sh
include /lib/network
fw_start() {
fw_init
FW_DEFAULTS_APPLIED=
fw_is_loaded && {
echo "firewall already loaded" >&2
exit 1
}
uci_set_state firewall core "" firewall_state
fw_clear DROP
fw_callback pre core
echo "Loading defaults"
fw_config_once fw_load_defaults defaults
echo "Loading zones"
config_foreach fw_load_zone zone
echo "Loading forwardings"
config_foreach fw_load_forwarding forwarding
echo "Loading redirects"
config_foreach fw_load_redirect redirect
echo "Loading rules"
config_foreach fw_load_rule rule
echo "Loading includes"
config_foreach fw_load_include include
[ -z "$FW_NOTRACK_DISABLED" ] && {
echo "Optimizing conntrack"
config_foreach fw_load_notrack_zone zone
}
echo "Loading interfaces"
config_foreach fw_configure_interface interface add
fw_callback post core
uci_set_state firewall core zones "$FW_ZONES"
uci_set_state firewall core loaded 1
}
fw_stop() {
fw_init
fw_callback pre stop
local z n i
config_get z core zones
for z in $z; do
config_get n core "${z}_networks"
for n in $n; do
config_get i core "${n}_ifname"
[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
done
config_get i core "${z}_tcpmss"
[ "$i" == 1 ] && {
fw del i m FORWARD zone_${z}_MSSFIX
fw del i m zone_${z}_MSSFIX
}
done
fw_clear ACCEPT
fw_callback post stop
uci_revert_state firewall
config_clear
local h
for h in $FW_HOOKS; do unset $h; done
unset FW_HOOKS
unset FW_INITIALIZED
}
fw_restart() {
fw_stop
fw_start
}
fw_reload() {
fw_restart
}
fw_is_loaded() {
local bool=$(uci_get_state firewall.core.loaded)
return $((! ${bool:-0}))
}
fw_die() {
echo "Error:" "$@" >&2
fw_log error "$@"
fw_stop
exit 1
}
fw_log() {
local level="$1"
[ -n "$2" ] && shift || level=notice
[ "$level" != error ] || echo "Error: $@" >&2
logger -t firewall -p user.$level "$@"
}
fw_init() {
[ -z "$FW_INITIALIZED" ] || return 0
. $FW_LIBDIR/config.sh
scan_interfaces
fw_config_append firewall
local hooks="core stop defaults zone notrack synflood"
local file lib hk pp
for file in $FW_LIBDIR/core_*.sh; do
. $file
hk=$(basename $file .sh)
hk=${hk#core_}
append hooks $hk
done
for file in $FW_LIBDIR/*.sh; do
lib=$(basename $file .sh)
lib=${lib##[0-9][0-9]_}
case $lib in
core*|fw|config|uci_firewall) continue ;;
esac
. $file
for hk in $hooks; do
for pp in pre post; do
type ${lib}_${pp}_${hk}_cb >/dev/null && {
append FW_CB_${pp}_${hk} ${lib}
append FW_HOOKS FW_CB_${pp}_${hk}
}
done
done
done
fw_callback post init
FW_INITIALIZED=1
return 0
}
|