author | John Crispin <john@openwrt.org> | 2008-08-11 22:27:36 +0000 |
committer | John Crispin <john@openwrt.org> | 2008-08-11 22:27:36 +0000 |
commit | 5627667654db791fc105117c8d5717caacbaa1b9 (patch) | |
tree | 45d8346e7513ce5adcc570f6fc31e09586ffb9c9 /package/firewall/files/new | |
parent | 4b5488ebfa23f854fc087a6ae64962905683be7f (diff) | |
uci firewall - make uci firewall default and remove old code - fix up dependencies
SVN-Revision: 12284
Diffstat (limited to 'package/firewall/files/new')
-rw-r--r-- | package/firewall/files/new/20-firewall | 39 | ||||
-rwxr-xr-x | package/firewall/files/new/firewall.config | 80 | ||||
-rwxr-xr-x | package/firewall/files/new/firewall.init | 14 | ||||
-rwxr-xr-x | package/firewall/files/new/uci_firewall.sh | 285 |
4 files changed, 0 insertions, 418 deletions
diff --git a/package/firewall/files/new/20-firewall b/package/firewall/files/new/20-firewall
deleted file mode 100644
index 126fb9bad0..0000000000
--- a/package/firewall/files/new/20-firewall
+++ /dev/null
@@ -1,39 +0,0 @@
-. /lib/firewall/uci_firewall.sh
-unset ZONE
-config_get ifname $INTERFACE ifname
-INTERFACE=$ifname
-[ "$INTERFACE" == "lo" ] && exit 0
-load_zones() {
- local name
- local network
- config_get name $1 name
- config_get network $1 network
- [ -z "$network" ] && network=$name
- for n in $network; do
- local ifname
- config_get ifname $n ifname
- list_contains ifname $INTERFACE && {
- list_contains ZONE $name || ZONE="$ZONE $name"
- }
- done
-}
-
-config_foreach load_zones zone
-
-[ -z "$ZONE" ] && exit 0
-
-[ ifup = "$ACTION" ] && {
- for z in $ZONE; do
- local loaded
- config_get loaded core loaded
- [ -n "$loaded" ] && addif $INTERFACE $z
- done
-}
-
-[ ifdown = "$ACTION" ] && {
- for z in $ZONE; do
- local up
- config_get up $z up
- [ "$up" == "1" ] && delif $INTERFACE $z
- done
-}
diff --git a/package/firewall/files/new/firewall.config b/package/firewall/files/new/firewall.config
deleted file mode 100755
index 073169013d..0000000000
--- a/package/firewall/files/new/firewall.config
+++ /dev/null
@@ -1,80 +0,0 @@
-config defaults
- option syn_flood 1
- option input DROP
- option output ACCEPT
- option forward DROP
-
-config zone
- option name lan
- option input ACCEPT
- option output ACCEPT
- option forward DROP
-
-config zone
- option name wan
- option input DROP
- option output ACCEPT
- option forward DROP
- option masq 1
-
-config forwarding
- option src lan
- option dest wan
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option dest wan
-# option proto tcp
-# option target REJECT
-
-# block a specific mac on wan
-#config rule
-# option dest wan
-# option src_mac 00:11:22:33:44:66
-# option target REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-# option src lan
-# option proto ICMP
-# option target DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-# option src wan
-# option src_dport 80
-# option dest lan
-# option dest_ip 192.168.16.235
-# option dest_port 80
-# option protocol tcp
-
-# include a file with users custom iptables rules
-#config include
-# option path /etc/firewall.user
-
-
-### FULL CONFIG SECTIONS
-#config rule
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 80
-# option dest wan
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
-# option target REJECT
-
-#config redirect
-# option src lan
-# option src_ip 192.168.45.2
-# option src_mac 00:11:22:33:44:55
-# option src_port 1024
-# option src_dport 80
-# option dest_ip 194.25.2.129
-# option dest_port 120
-# option proto tcp
diff --git a/package/firewall/files/new/firewall.init b/package/firewall/files/new/firewall.init
deleted file mode 100755
index 26855f39ad..0000000000
--- a/package/firewall/files/new/firewall.init
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2008 OpenWrt.org
-
-START=45
-
-start() {
- . /lib/firewall/uci_firewall.sh
- fw_init
-}
-
-stop() {
- . /lib/firewall/uci_firewall.sh
- fw_stop
-}
diff --git a/package/firewall/files/new/uci_firewall.sh b/package/firewall/files/new/uci_firewall.sh
deleted file mode 100755
index e1683e9cf0..0000000000
--- a/package/firewall/files/new/uci_firewall.sh
+++ /dev/null
@@ -1,285 +0,0 @@
-#!/bin/sh
-# Copyright (C) 2008 John Crispin <blogic@openwrt.org>
-
-. /etc/functions.sh
-
-IPTABLES="echo iptables"
-IPTABLES=iptables
-
-config_clear
-include /lib/network
-scan_interfaces
-
-CONFIG_APPEND=1
-config_load firewall
-
-config fw_zones
-ZONE_LIST=$CONFIG_SECTION
-
-DEF_INPUT=DROP
-DEF_OUTPUT=DROP
-DEF_FORWARD=DROP
-
-load_policy() {
- config_get input $1 input
- config_get output $1 output
- config_get forward $1 forward
-
- [ -z "$input" ] && input=$DEF_INPUT
- [ -z "$output" ] && output=$DEF_OUTPUT
- [ -z "$forward" ] && forward=$DEF_FORWARD
-}
-
-create_zone() {
- local exists
-
- [ "$1" == "loopback" ] && return
-
- config_get exists $ZONE_LIST $1
- [ -n "$exists" ] && return
- config_set $ZONE_LIST $1 1
-
- $IPTABLES -N zone_$1
- $IPTABLES -N zone_$1_ACCEPT
- $IPTABLES -N zone_$1_DROP
- $IPTABLES -N zone_$1_REJECT
- $IPTABLES -N zone_$1_forward
- $IPTABLES -A zone_$1_forward -j zone_$1_$5
- $IPTABLES -A zone_$1 -j zone_$1_$3
- $IPTABLES -A OUTPUT -j zone_$1_$4
- $IPTABLES -N zone_$1_nat -t nat
- $IPTABLES -N zone_$1_prerouting -t nat
- [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$2_nat
-}
-
-addif() {
- logger "adding $1 to firewall zone $2"
- $IPTABLES -A INPUT -i $1 -j zone_$2
- $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT
- $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP
- $IPTABLES -I zone_$2_REJECT 1 -o $1 -j REJECT
- $IPTABLES -I zone_$2_ACCEPT 1 -i $1 -j ACCEPT
- $IPTABLES -I zone_$2_DROP 1 -i $1 -j DROP
- $IPTABLES -I zone_$2_REJECT 1 -i $1 -j REJECT
- $IPTABLES -I zone_$2_nat 1 -t nat -o $1 -j MASQUERADE
- $IPTABLES -I PREROUTING 1 -t nat -i $1 -j zone_$2_prerouting
- $IPTABLES -A FORWARD -i $1 -j zone_$2_forward
-}
-
-delif() {
- logger "removing $1 from firewall zone $2"
- $IPTABLES -D INPUT -i $1 -j zone_$2
- $IPTABLES -D zone_$2_ACCEPT -o $1 -j ACCEPT
- $IPTABLES -D zone_$2_DROP -o $1 -j DROP
- $IPTABLES -D zone_$2_REJECT -o $1 -j REJECT
- $IPTABLES -D zone_$2_ACCEPT -i $1 -j ACCEPT
- $IPTABLES -D zone_$2_DROP -i $1 -j DROP
- $IPTABLES -D zone_$2_REJECT -i $1 -j REJECT
- $IPTABLES -D zone_$2_nat -t nat -o $1 -j MASQUERADE
- $IPTABLES -D PREROUTING -t nat -i $1 -j zone_$2_prerouting
- $IPTABLES -D FORWARD -i $1 -j zone_$2_forward
-}
-
-load_synflood() {
- echo "Loading synflood protection"
- $IPTABLES -N SYN_FLOOD
- $IPTABLES -A SYN_FLOOD -p tcp --syn -m limit --limit ${1}/second --limit-burst $2 -j RETURN
- $IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN
- $IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN
- $IPTABLES -A SYN_FLOOD -j LOG --log-prefix "syn_flood: "
- $IPTABLES -A SYN_FLOOD -j DROP
- $IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
-}
-
-fw_defaults() {
- load_policy $1
- DEF_INPUT=$input
- DEF_OUTPUT=$output
- DEF_FORWARD=$forward
-
- echo 1 > /proc/sys/net/ipv4/tcp_syncookies
- for f in /proc/sys/net/ipv4/conf/*/accept_redirects
- do
- echo 0 > $f
- done
- for f in /proc/sys/net/ipv4/conf/*/accept_source_route
- do
- echo 0 > $f
- done
-
- $IPTABLES -F
- $IPTABLES -t nat -F
- $IPTABLES -t mangle -F
- $IPTABLES -X -t nat
- $IPTABLES -X
-
- $IPTABLES -P INPUT $input
- $IPTABLES -A INPUT -m state --state INVALID -j DROP
- $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -P OUTPUT $output
- $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
- $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -P FORWARD $forward
- $IPTABLES -A FORWARD -m state --state INVALID -j DROP
- $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
- $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
- $IPTABLES -A INPUT -i lo -j ACCEPT
- $IPTABLES -A OUTPUT -o lo -j ACCEPT
-
- config_get syn_flood $1 syn_flood
- config_get syn_rate $1 syn_rate
- config_get syn_burst $1 syn_burst
-
- [ -z "$syn_rate" ] && syn_rate=25
- [ -z "$syn_burst" ] && syn_burst=50
- [ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst
-}
-
-fw_zone() {
- local name
- local network
- local masq
-
- config_get name $1 name
- config_get network $1 network
- config_get masq $1 masq
- load_policy $1
-
- [ -z "$network" ] && network=$name
- create_zone "$name" "$network" "$input" "$output" "$forward" "$masq"
-}
-
-fw_rule() {
- local src
- local src_ip
- local src_mac
- local src_port
- local src_mac
- local dest
- local dest_ip
- local dest_port
- local proto
- local target
-
- config_get src $1 src
- config_get src_ip $1 src_ip
- config_get src_mac $1 src_mac
- config_get src_port $1 src_port
- config_get dest $1 dest
- config_get dest_ip $1 dest_ip
- config_get dest_port $1 dest_port
- config_get proto $1 proto
- config_get target $1 target
- config_get ruleset $1 ruleset
-
- [ -z "$target" ] && target=DROP
- [ -n "$src" ] && ZONE=zone_$src || ZONE=INPUT
- [ -n "$dest" ] && TARGET=zone_${dest}_$target || TARGET=$target
- $IPTABLES -I $ZONE 1 \
- ${proto:+-p $proto} \
- ${src_ip:+-s $src_ip} \
- ${src_port:+--sport $src_port} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- ${dest_ip:+-d $dest_ip} \
- ${dest_port:+--dport $dest_port} \
- -j $TARGET
-}
-
-fw_forwarding() {
- local src
- local dest
- local masq
-
- config_get src $1 src
- config_get dest $1 dest
- [ -n "$src" ] && z_src=zone_${src}_forward || z_src=FORWARD
- [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT
- $IPTABLES -I $z_src 1 -j $z_dest
-}
-
-fw_redirect() {
- local src
- local src_ip
- local src_port
- local src_dport
- local src_mac
- local dest_ip
- local dest_port
- local protocol
-
- config_get src $1 src
- config_get src_ip $1 src_ip
- config_get src_port $1 src_port
- config_get src_dport $1 src_dport
- config_get src_mac $1 src_mac
- config_get dest_ip $1 dest_ip
- config_get dest_port $1 dest_port
- config_get protocol $1 protocol
- [ -z "$src" -o -z "$dest_ip" ] && { \
- echo "redirect needs src and dest_ip"; return ; }
- $IPTABLES -A zone_${src}_prerouting -t nat \
- ${protocol:+-p $protocol} \
- ${src_ip:+-s $srcdip} \
- ${src_port:+--sport $src_port} \
- ${src_dport:+--dport $src_dport} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
- $IPTABLES -I zone_${src}_forward 1 \
- ${protocol:+-p $protocol} \
- -d $dest_ip \
- ${src_ip:+-s $srcdip} \
- ${src_port:+--sport $src_port} \
- ${dest_port:+--dport $dest_port} \
- ${src_mac:+-m mac --mac-source $src_mac} \
- -j ACCEPT
-}
-
-fw_include() {
- local path
- config_get path $1 path
- [ -e $path ] && . $path
-}
-
-fw_addif() {
- local up
- local ifname
- config_get up $1 up
- config_get ifname $1 ifname
- [ -n "$up" ] || return 0
- (ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall)
-}
-
-fw_init() {
- echo "Loading defaults"
- config_foreach fw_defaults defaults
- echo "Loading zones"
- config_foreach fw_zone zone
- echo "Loading rules"
- config_foreach fw_rule rule
- echo "Loading forwarding"
- config_foreach fw_forwarding forwarding
- echo "Loading redirects"
- config_foreach fw_redirect redirect
- echo "Loading includes"
- config_foreach fw_include include
-
- uci_set_state firewall core "" firewall_state
- uci_set_state firewall core loaded 1
- unset CONFIG_APPEND
- config_load network
- config_foreach fw_addif interface
-}
-
-fw_stop() {
- $IPTABLES -F
- $IPTABLES -t nat -F
- $IPTABLES -t mangle -F
- $IPTABLES -X -t nat
- $IPTABLES -X
- $IPTABLES -P INPUT ACCEPT
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD ACCEPT
-}
|