From 27b76ab0671089c47506615a796a261e993896a7 Mon Sep 17 00:00:00 2001
From: James <>
Date: Sun, 17 Mar 2013 12:16:37 +0000
Subject: fish

---
 .../lib/.svn/text-base/core_interface.sh.svn-base  | 214 +++++++++++++++++++++
 1 file changed, 214 insertions(+)
 create mode 100644 package/network/config/firewall/files/lib/.svn/text-base/core_interface.sh.svn-base

(limited to 'package/network/config/firewall/files/lib/.svn/text-base/core_interface.sh.svn-base')

diff --git a/package/network/config/firewall/files/lib/.svn/text-base/core_interface.sh.svn-base b/package/network/config/firewall/files/lib/.svn/text-base/core_interface.sh.svn-base
new file mode 100644
index 0000000..9138cbf
--- /dev/null
+++ b/package/network/config/firewall/files/lib/.svn/text-base/core_interface.sh.svn-base
@@ -0,0 +1,214 @@
+# Copyright (C) 2009-2013 OpenWrt.org
+
+fw__uci_state_add() {
+	local var="$1"
+	local item="$2"
+
+	local val="$(uci_get_state firewall core $var)"
+	local e1; for e1 in $item; do
+		local e2; for e2 in $val; do
+			[ "$e1" = "$e2" ] && e1=""
+		done
+		val="${val:+$val${e1:+ }}$e1"
+	done
+
+	uci_toggle_state firewall core $var "$val"
+}
+
+fw__uci_state_del() {
+	local var="$1"
+	local item="$2"
+
+	local rest=""
+	local val="$(uci_get_state firewall core $var)"
+	local e1; for e1 in $val; do
+		local e2; for e2 in $item; do
+			[ "$e1" = "$e2" ] && e1=""
+		done
+		rest="${rest:+$rest${e1:+ }}$e1"
+	done
+
+	uci_toggle_state firewall core $var "$rest"
+}
+
+fw_do_interface_rules() {
+    local action=$1
+    local zone=$2
+    local chain=zone_${zone}
+    local ifname=$3
+    local subnet=$4
+    local extra_src="$5"
+    local extra_dest="$6"
+
+    local idev odev inet onet mode
+    fw_get_family_mode mode x $zone i
+
+    fw_get_negation idev '-i' "$ifname"
+    fw_get_negation odev '-o' "$ifname"
+
+    case "$mode/$subnet" in
+        # Zone supports v6 only or dual, need v6
+        G6/*:*|i/*:*)
+            fw_get_negation inet '-s' "$subnet"
+            fw_get_negation onet '-d' "$subnet"
+            mode=6
+        ;;
+
+        # Zone supports v4 only or dual, need v4
+        G4/*.*.*.*|i/*.*.*.*)
+            fw_get_negation inet '-s' "$subnet"
+            fw_get_negation onet '-d' "$subnet"
+            mode=4
+        ;;
+
+        # Need v6 while zone is v4
+        */*:*) fw_log info "zone $zone does not support IPv6 address family, skipping"; return ;;
+
+        # Need v4 while zone is v6
+        */*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
+
+        # Strip prefix
+        *) mode="${mode#G}" ;;
+    esac
+
+    lock /var/run/firewall-interface.lock
+
+    fw $action $mode f ${chain}_dest_ACCEPT ACCEPT $ { $odev $onet $extra_dest }
+    fw $action $mode f ${chain}_src_ACCEPT  ACCEPT $ { $idev $inet $extra_src  }
+    fw $action $mode f ${chain}_dest_DROP   DROP   $ { $odev $onet $extra_dest }
+    fw $action $mode f ${chain}_src_DROP    DROP   $ { $idev $inet $extra_src  }
+    fw $action $mode f ${chain}_dest_REJECT reject $ { $odev $onet $extra_dest }
+    fw $action $mode f ${chain}_src_REJECT  reject $ { $idev $inet $extra_src  }
+
+    [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
+        fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
+            { $odev -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet $extra_dest }
+
+    fw $action $mode f delegate_input   ${chain}_input   $ { $idev $inet $extra_src  }
+    fw $action $mode f delegate_forward ${chain}_forward $ { $idev $inet $extra_src  }
+    fw $action $mode f delegate_output  ${chain}_output  $ { $odev $onet $extra_dest }
+
+    fw $action $mode n PREROUTING ${chain}_prerouting $ { $idev $inet $extra_src  }
+    fw $action $mode r PREROUTING ${chain}_notrack    $ { $idev $inet $extra_src  }
+    fw $action $mode n POSTROUTING ${chain}_nat       $ { $odev $onet $extra_dest }
+
+    # Flush conntrack table
+    echo f >/proc/net/nf_conntrack 2>/dev/null
+
+    lock -u /var/run/firewall-interface.lock
+}
+
+fw_configure_interface() {
+	local iface=$1
+	local action=$2
+	local ifname=$3
+	local aliasnet=$4
+
+	[ "$action" == "add" ] && {
+		local status=$(uci_get_state network "$iface" up 0)
+		[ "$status" == 1 ] || [ -n "$aliasnet" ] || return 0
+	}
+
+	[ -n "$ifname" ] || {
+		ifname=$(uci_get_state network "$iface" ifname)
+		ifname="${ifname%%:*}"
+		[ -z "$ifname" ] && return 0
+	}
+
+	[ "$ifname" == "lo" ] && return 0
+
+	fw_callback pre interface
+
+	local old_zones old_ifname old_subnets
+	config_get old_zones core "${iface}_zone"
+	[ -n "$old_zones" ] && {
+		config_get old_ifname core "${iface}_ifname"
+		config_get old_subnets core "${iface}_subnets"
+
+		local z
+		for z in $old_zones; do
+			local n
+			for n in ${old_subnets:-""}; do
+				fw_log info "removing $iface ($old_ifname${n:+ alias $n}) from zone $z"
+				fw_do_interface_rules del $z $old_ifname $n
+			done
+
+			[ -n "$old_subnets" ] || {
+				fw__uci_state_del "${z}_networks" "$iface"
+				env -i ACTION=remove ZONE="$z" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
+			}
+		done
+
+		local old_aliases
+		config_get old_aliases core "${iface}_aliases"
+
+		local a
+		for a in $old_aliases; do
+			fw_configure_interface "$a" del "$old_ifname"
+		done
+
+		uci_revert_state firewall core "${iface}_zone"
+		uci_revert_state firewall core "${iface}_ifname"
+		uci_revert_state firewall core "${iface}_subnets"
+		uci_revert_state firewall core "${iface}_aliases"
+	}
+
+	[ "$action" == del ] && return
+
+	[ -z "$aliasnet" ] && {
+		local aliases
+		config_get aliases "$iface" aliases
+
+		local a
+		for a in $aliases; do
+			local ipaddr netmask ip6addr
+			config_get ipaddr "$a" ipaddr
+			config_get netmask "$a" netmask
+			config_get ip6addr "$a" ip6addr
+
+			[ -n "$ipaddr" ] && fw_configure_interface "$a" add "" "$ipaddr${netmask:+/$netmask}"
+			[ -n "$ip6addr" ] && fw_configure_interface "$a" add "" "$ip6addr"
+		done
+
+		fw_sysctl_interface $ifname
+		fw_callback post interface
+
+		uci_toggle_state firewall core "${iface}_aliases" "$aliases"
+	} || {
+		local subnets=
+		config_get subnets core "${iface}_subnets"
+		append subnets "$aliasnet"
+
+		config_set core "${iface}_subnets" "$subnets"
+		uci_toggle_state firewall core "${iface}_subnets" "$subnets"
+	}
+
+	local new_zones=
+	load_zone() {
+		fw_config_get_zone "$1"
+		list_contains zone_network "$iface" || return
+
+		fw_log info "adding $iface ($ifname${aliasnet:+ alias $aliasnet}) to zone $zone_name"
+		fw_do_interface_rules add ${zone_name} "$ifname" "$aliasnet"
+		append new_zones $zone_name
+
+		[ -n "$aliasnet" ] || {
+			fw__uci_state_add "${zone_name}_networks" "${zone_network}"
+			env -i ACTION=add ZONE="$zone_name" INTERFACE="$iface" DEVICE="$ifname" /sbin/hotplug-call firewall
+		}
+	}
+	config_foreach load_zone zone
+
+	uci_toggle_state firewall core "${iface}_zone" "$new_zones"
+	uci_toggle_state firewall core "${iface}_ifname" "$ifname"
+}
+
+fw_sysctl_interface() {
+	local ifname=$1
+	{
+		sysctl -w net.ipv4.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS
+		sysctl -w net.ipv6.conf.${ifname}.accept_redirects=$FW_ACCEPT_REDIRECTS
+		sysctl -w net.ipv4.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE
+		sysctl -w net.ipv6.conf.${ifname}.accept_source_route=$FW_ACCEPT_SRC_ROUTE
+	} >/dev/null 2>/dev/null
+}
-- 
cgit v1.2.3