Changeset 23141


Timestamp:
2010-09-28T12:42:56+02:00 (6 years ago)
Author:
jow
Message:

[package] firewall:

  • support negations for src_ip, dest_ip, src_dip options in rules and redirects
  • add NOTRACK target to rule sections, allows to define fine grained notrack rules
Location:
trunk/package/firewall
Files:
5 edited

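--- a/trunk/package/firewall/Makefile
+++ b/trunk/package/firewall/Makefile
@@ -10,5 +10,5 @@
 
 PKG_VERSION:=2
-PKG_RELEASE:=17
+PKG_RELEASE:=18
 
 include $(INCLUDE_DIR)/package.mk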
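--- a/trunk/package/firewall/files/lib/core_init.sh
+++ b/trunk/package/firewall/files/lib/core_init.sh
@@ -246,7 +246,7 @@
                 local msrc mdst
                 for msrc in ${zone_masq_src:-0.0.0.0/0}; do
-                        [ "${msrc#!}" != "$msrc" ] && msrc="! -s ${msrc#!}" || msrc="-s $msrc"
+                        fw_get_negation msrc '-s' "$msrc"
                         for mdst in ${zone_masq_dest:-0.0.0.0/0}; do
-                                [ "${mdst#!}" != "$mdst" ] && mdst="! -d ${mdst#!}" || mdst="-d $mdst"
+                                fw_get_negation mdst '-d' "$mdst"
                                 fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst }
                         done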
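--- a/trunk/package/firewall/files/lib/core_redirect.sh
+++ b/trunk/package/firewall/files/lib/core_redirect.sh
@@ -42,5 +42,5 @@
                 fw_get_port_range natports "$redirect_dest_port" "-"
 
-                srcdaddr="${redirect_src_dip:+$redirect_src_dip/$redirect_src_dip_prefixlen}"
+                fw_get_negation srcdaddr '-d' "${redirect_src_dip:+$redirect_src_dip/$redirect_src_dip_prefixlen}"
                 fw_get_port_range srcdports "$redirect_src_dport" ":"
 
@@ -61,5 +61,5 @@
                 fw_get_port_range natports "$redirect_src_dport" "-"
 
-                srcdaddr="${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
+                fw_get_negation srcdaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
                 fw_get_port_range srcdports "$redirect_dest_port" ":"
 
@@ -75,9 +75,13 @@
         fw_get_family_mode mode ${redirect_family:-x} ${redirect_src:-$redirect_dest} I
 
-        local srcaddr="${redirect_src_ip:+$redirect_src_ip/$redirect_src_ip_prefixlen}"
+        local srcaddr
+        fw_get_negation srcaddr '-s' "${redirect_src_ip:+$redirect_src_ip/$redirect_src_ip_prefixlen}"
+
         local srcports
         fw_get_port_range srcports "$redirect_src_port" ":"
 
-        local destaddr="${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
+        local destaddr
+        fw_get_negation destaddr '-d' "${redirect_dest_ip:+$redirect_dest_ip/$redirect_dest_ip_prefixlen}"
+
         local destports
         fw_get_port_range destports "${redirect_dest_port:-$redirect_src_dport}" ":"
@@ -86,8 +90,7 @@
         for redirect_proto in $redirect_proto; do
                 fw add $mode n $natchain $redirect_target ^ { $redirect_src_ip $redirect_dest_ip } { \
+                        $srcaddr $srcdaddr \
                         ${redirect_proto:+-p $redirect_proto} \
-                        ${srcaddr:+-s $srcaddr} \
                         ${srcports:+--sport $srcports} \
-                        ${srcdaddr:+-d $srcdaddr} \
                         ${srcdports:+--dport $srcdports} \
                         ${redirect_src_mac:+-m mac --mac-source $redirect_src_mac} \
@@ -97,8 +100,7 @@
                 [ -n "$destaddr" ] && \
                 fw add $mode f ${fwdchain:-forward} ACCEPT ^ { $redirect_src_ip $redirect_dest_ip } { \
+                        $srcaddr $destaddr \
                         ${redirect_proto:+-p $redirect_proto} \
-                        ${srcaddr:+-s $srcaddr} \
                         ${srcports:+--sport $srcports} \
-                        ${destaddr:+-d $destaddr} \
                         ${destports:+--dport $destports} \
                         ${redirect_src_mac:+-m mac --mac-source $redirect_src_mac} \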
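Review bot: The first brace group on the two `fw add` calls, `{ $redirect_src_ip $redirect_dest_ip }`, still receives the option values with any leading `!` attached, while only the `-s`/`-d` specs built by fw_get_negation strip it. If fw add uses that group for address-family detection (not visible here), a negated address may fail to classify as IPv4 or IPv6 or be rejected as unparseable, so it would be safer to pass `{ ${redirect_src_ip#!} ${redirect_dest_ip#!} }` and keep family detection independent of negation. The same unchanged group appears in core_rule.sh on the `fw add $mode $table $chain $target $rule_pos { $rule_src_ip $rule_dest_ip } { \` line. The enclosing function starts before and ends after these hunks.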
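--- a/trunk/package/firewall/files/lib/core_rule.sh
+++ b/trunk/package/firewall/files/lib/core_rule.sh
@@ -25,4 +25,9 @@
         fw_config_get_rule "$1"
 
+        [ "$rule_target" != "NOTRACK" ] || [ -n "$rule_src" ] || {
+                fw_log error "NOTRACK rule ${rule_name}: needs src, skipping"
+                return 0
+        }
+
         fw_callback pre rule
 
@@ -30,23 +35,22 @@
         fw_get_port_range rule_dest_port $rule_dest_port
 
+        local table=f
         local chain=input
-        [ -n "$rule_src" ] && {
-                [ -z "$rule_dest" ] && {
-                        chain=zone_${rule_src}
-                } || {
-                        chain=zone_${rule_src}_forward
-                }
-        }
+        if [ "$rule_target" == "NOTRACK" ]; then
+                table=r
+                chain="zone_${rule_src}_notrack"
+        elif [ -n "$rule_src" ]; then
+                chain="zone_${rule_src}${rule_dest:+_forward}"
+        fi
 
-        local target=$rule_target
-        [ -z "$target" ] && {
-                target=REJECT
-        }
-        [ -n "$dest" ] && {
-                target=zone_${rule_dest}_${target}
-        }
+        local target="${rule_target:-REJECT}"
+        [ -n "$dest" ] && target="zone_${rule_dest}_${target}"
 
         local mode
         fw_get_family_mode mode ${rule_family:-x} $rule_src I
+
+        local src_spec dest_spec
+        fw_get_negation src_spec '-s' "${rule_src_ip:+$rule_src_ip/$rule_src_ip_prefixlen}"
+        fw_get_negation dest_spec '-d' "${rule_dest_ip:+$rule_dest_ip/$rule_dest_ip_prefixlen}"
 
         local rule_pos
@@ -55,10 +59,9 @@
         [ "$rule_proto" == "tcpudp" ] && rule_proto="tcp udp"
         for rule_proto in $rule_proto; do
-                fw add $mode f $chain $target $rule_pos { $rule_src_ip $rule_dest_ip } { \
+                fw add $mode $table $chain $target $rule_pos { $rule_src_ip $rule_dest_ip } { \
+                        $src_spec $dest_spec \
                         ${rule_proto:+-p $rule_proto} \
-                        ${rule_src_ip:+-s $rule_src_ip/$rule_src_ip_prefixlen} \
                         ${rule_src_port:+--sport $rule_src_port} \
                         ${rule_src_mac:+-m mac --mac-source $rule_src_mac} \
-                        ${rule_dest_ip:+-d $rule_dest_ip/$rule_dest_ip_prefixlen} \
                         ${rule_dest_port:+--dport $rule_dest_port} \
                         ${rule_icmp_type:+--icmp-type $rule_icmp_type} \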
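Review bot: The zone-target line in the second hunk, `[ -n "$dest" ] && target="zone_${rule_dest}_${target}"`, tests `dest`, which nothing in the hunk assigns, while the chain selection a few lines earlier keys on `rule_dest`; unless fw_config_get_rule also sets a bare `dest`, the target is never prefixed with the destination zone, and a rule with dest set lands in `zone_<src>_forward` with a plain ACCEPT/REJECT that is not narrowed to the destination zone. Because the NOTRACK branch now writes into the raw table, the prefix should also be skipped there, since a `zone_<dest>_NOTRACK` chain is unlikely to exist: `[ -n "$rule_dest" ] && [ "$rule_target" != "NOTRACK" ] && target="zone_${rule_dest}_${target}"`. The `table=r` branch also relies on `zone_${rule_src}_notrack` having been created elsewhere; a one-line comment naming where would help the next reader. The enclosing function starts before and ends after these hunks.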
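--- a/trunk/package/firewall/files/lib/fw.sh
+++ b/trunk/package/firewall/files/lib/fw.sh
@@ -219,2 +219,11 @@
 }
 
+fw_get_negation() {
+        local _var="$1"
+        local _flag="$2"
+        local _ipaddr="$3"
+
+        [ "${_ipaddr#!}" != "$_ipaddr" ] && \
+                export -n -- "$_var=! $_flag ${_ipaddr#!}" || \
+                export -n -- "$_var=${_ipaddr:+$_flag $_ipaddr}"
+}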
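Review bot: `fw_get_negation` builds its result with an `A && B || C` chain, which also runs the third command whenever the second one fails, and it carries no header comment although three callers now depend on its output format; an explicit `if`/`else` reads as the intended two-way choice and is shown below. The header comment should state that `$1` is the variable name to set, `$2` the iptables flag (`-s` or `-d`), `$3` an address optionally prefixed with `!`, and that the result is `! <flag> <addr>`, `<flag> <addr>`, or empty when `$3` is empty. It is also worth noting in that comment that a value of just `!` yields `! -s ` with no address, which iptables rejects rather than silently widening the match, so callers should not "fix" it by stripping the spec to empty.
```shell
fw_get_negation() {
        # … unchanged: local _var/_flag/_ipaddr assignments …
        if [ "${_ipaddr#!}" != "$_ipaddr" ]; then
                export -n -- "$_var=! $_flag ${_ipaddr#!}"
        else
                export -n -- "$_var=${_ipaddr:+$_flag $_ipaddr}"
        fi
}
```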