authorJo-Philipp Wich <jow@openwrt.org>2010-09-11 20:04:34 +0000
committerJo-Philipp Wich <jow@openwrt.org>2010-09-11 20:04:34 +0000
commitf3dd8278bbc3cc62c35239a2721144e220b24004 (patch)
tree275acc3ef643b0347281335c06d6df52970f33cc /package/firewall/files/lib/fw.sh
parent9499018b9ac80ef74aeac3bffea006855dc11bfe (diff)
firewall: - simplify masquerade rule setup - remove various subshell invocations - speedup fw() by not relying on xargs and pipes - rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source
SVN-Revision: 23024
Diffstat (limited to 'package/firewall/files/lib/fw.sh')
-rw-r--r--package/firewall/files/lib/fw.sh64
1 files changed, 35 insertions, 29 deletions
diff --git a/package/firewall/files/lib/fw.sh b/package/firewall/files/lib/fw.sh
index aaf3d14ef0..3549f8aa4c 100644
--- a/package/firewall/files/lib/fw.sh
+++ b/package/firewall/files/lib/fw.sh
@@ -159,56 +159,62 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
fi
fi
+ local cmdline="$app --table ${tab} --${cmd} ${chn} ${pol} ${pos} ${tgt:+--jump "$tgt"}"
while [ $# -gt 1 ]; do
case "$app:$1" in
- ip6tables:--icmp-type) echo -n "--icmpv6-type" ;;
- ip6tables:icmp|ip6tables:ICMP) echo -n "icmpv6" ;;
- iptables:--icmpv6-type) echo -n "--icmp-type" ;;
- iptables:icmpv6) echo -n "icmp" ;;
- *) echo -n "$1" ;;
+ ip6tables:--icmp-type) cmdline="$cmdline --icmpv6-type" ;;
+ ip6tables:icmp|ip6tables:ICMP) cmdline="$cmdline icmpv6" ;;
+ iptables:--icmpv6-type) cmdline="$cmdline --icmp-type" ;;
+ iptables:icmpv6) cmdline="$cmdline icmp" ;;
+ *) cmdline="$cmdline $1" ;;
esac
- echo -ne "\0"
shift
- done | xargs -0 ${FW_TRACE:+-t} \
- $app --table ${tab} --${cmd} ${chn} ${pol} ${pos} ${tgt:+--jump "$tgt"}
+ done
+
+ [ -n "$FW_TRACE" ] && echo $cmdline >&2
+
+ $cmdline
+
fw__rc $?
}
fw_get_port_range() {
- local ports=$1
- local delim=${2:-:}
- if [ "$3" ]; then
- fw_get_port_range "${ports}-${3}" $delim
+ local _var=$1
+ local _ports=$2
+ local _delim=${3:-:}
+ if [ "$4" ]; then
+ fw_get_port_range $_var "${_ports}-${4}" $_delim
return
fi
- local first=${ports%-*}
- local last=${ports#*-}
- if [ "$first" != "$last" ]; then
- echo "$first$delim$last"
+ local _first=${_ports%-*}
+ local _last=${_ports#*-}
+ if [ "$_first" != "$_last" ]; then
+ export -- "$_var=$_first$_delim$_last"
else
- echo "$first"
+ export -- "$_var=$_first"
fi
}
fw_get_family_mode() {
- local hint="$1"
- local zone="$2"
- local mode="$3"
+ local _var="$1"
+ local _hint="$2"
+ local _zone="$3"
+ local _mode="$4"
- local ipv4 ipv6
+ local _ipv4 _ipv6
[ -n "$FW_ZONES4$FW_ZONES6" ] && {
- list_contains FW_ZONES4 $zone && ipv4=1 || ipv4=0
- list_contains FW_ZONES6 $zone && ipv6=1 || ipv6=0
+ list_contains FW_ZONES4 $_zone && _ipv4=1 || _ipv4=0
+ list_contains FW_ZONES6 $_zone && _ipv6=1 || _ipv6=0
} || {
- ipv4=$(uci_get_state firewall core ${zone}_ipv4 0)
- ipv6=$(uci_get_state firewall core ${zone}_ipv6 0)
+ _ipv4=$(uci_get_state firewall core ${_zone}_ipv4 0)
+ _ipv6=$(uci_get_state firewall core ${_zone}_ipv6 0)
}
- case "$hint:$ipv4:$ipv6" in
- *4:1:*|*:1:0) echo G4 ;;
- *6:*:1|*:0:1) echo G6 ;;
- *) echo $mode ;;
+ case "$_hint:$_ipv4:$_ipv6" in
+ *4:1:*|*:1:0) export -n -- "$_var=G4" ;;
+ *6:*:1|*:0:1) export -n -- "$_var=G6" ;;
+ *) export -n -- "$_var=$_mode" ;;
esac
}
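Review bot: Building `cmdline` as one string and running it as unquoted `$cmdline` discards the argument boundaries that the removed `xargs -0` pipeline preserved, so a rule argument containing whitespace is split into several iptables arguments and a glob character in it is expanded against the current directory. For a firewall helper this means a value taken from configuration can silently change the rule that actually gets installed; the `echo $cmdline` trace line is affected in the same way. The subshell-free goal can be kept by rebuilding the positional parameters with `set --` and running `"$@"`, as sketched below; the sketch assumes the one argument left after the loop is the closing `}` named in the signature comment. fw__exec starts before this hunk. Separately, fw_get_port_range assigns with `export --` while fw_get_family_mode uses `export -n --`, so only the former leaves its result variable marked for export; using `export -n --` in both would be consistent.

```shell
	# … unchanged: option setup above the loop …
	local n=$#
	while [ $n -gt 1 ]; do
		case "$app:$1" in
			ip6tables:--icmp-type) set -- "$@" --icmpv6-type ;;
			ip6tables:icmp|ip6tables:ICMP) set -- "$@" icmpv6 ;;
			iptables:--icmpv6-type) set -- "$@" --icmp-type ;;
			iptables:icmpv6) set -- "$@" icmp ;;
			*) set -- "$@" "$1" ;;
		esac
		shift
		n=$((n - 1))
	done
	# What is left is the one untranslated argument followed by the
	# translated rule arguments; drop the former.
	[ $# -gt 0 ] && shift

	[ -n "$FW_TRACE" ] && \
		echo $app --table ${tab} --${cmd} ${chn} ${pol} ${pos} ${tgt:+--jump "$tgt"} "$@" >&2

	$app --table ${tab} --${cmd} ${chn} ${pol} ${pos} ${tgt:+--jump "$tgt"} "$@"
	# … unchanged: fw__rc $? …
```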