applications/luci-fw: Reworked to use the new native UCI-based firewall configuration

applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua

@@ -6,9 +6,12 @@ function index()
 	
 	local nodes = {}
 
-	table.insert(nodes, entry({"admin", "network", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw", "Portweiterleitung"), 70))	
-	table.insert(nodes, entry({"admin", "network", "routing"}, cbi("luci_fw/routing"), i18n("fw_routing", "Routing"), 73))
-	table.insert(nodes, entry({"admin", "network", "firewall"}, cbi("luci_fw/firewall"), i18n("fw_fw", "Firewall"), 76))
+	table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
+	table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
+	table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))	
+	table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
+	table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))	
+	table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))	
 	
 	table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
 	

applications/luci-fw/luasrc/i18n/luci-fw.de.lua

@@ -1,45 +1,60 @@
-fw_fw = [[Firewall]]
-fw_portfw = [[Portweiterleitung]]
-fw_routing = [[Routing]]
-fw_fw1 = [[Mit Hilfe der Firewall können Zugriffe auf das Netzwerk
-erlaubt, verboten oder umgeleitet werden.]]
-lucifw_rule_chain = "Kette"
-lucifw_rule_iface = "Eingangsschnittstelle"
-lucifw_rule_oface = "Ausgangsschnittstelle"
-lucifw_rule_source = "Quelladresse"
-lucifw_rule_destination = "Zieladresse"
-lucifw_rule_mac = "MAC-Adresse"
-lucifw_rule_sport = "Quellport"
-lucifw_rule_dport = "Zielport"
-lucifw_rule_tosrc = "Neue Quelladresse [SNAT]"
-lucifw_rule_todest = "Neue Zieladresse [DNAT]" 
-lucifw_rule_jump = "Aktion"
-lucifw_rule_command = "Eigener Befehl"
-fw_accept = "annehmen (ACCEPT)"
-fw_reject = "zurückweisen (REJECT)"
-fw_drop = "verwerfen (DROP)"
-fw_log = "protokollieren (LOG)"
-fw_dnat = "Ziel umschreiben (DNAT) [nur Prerouting]"
-fw_masq = "maskieren (MASQUERADE) [nur Postrouting]"
-fw_snat = "Quelle umschreiben (SNAT) [nur Postrouting]"
+fw_portfw = "Portweiterleitung"
+fw_forwarding = "Weiterleitung"
+fw_fw = "Firewall"
+fw_zone = "Zone"
+fw_zones = "Zonen"
+fw_custfwd = "Eigene Weiterleitungen"
+fw_rules = "Eigene Regeln"
+fw_rules1 = "An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren."
+fw_fw1 = "Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen."
+firewall_rule_src = "Eingangszone"
+firewall_rule_dest = "Ausgangszone"
+firewall_rule_srcip = "Quelladresse"
+firewall_rule_destip = "Zieladresse"
+firewall_rule_srcmac = "Quell-MAC-Adresse"
+firewall_rule_srcport = "Quellport"
+firewall_rule_destport = "Zielport"
+firewall_rule_target = "Aktion"
+fw_accept = "annehmen"
+fw_reject = "zurückweisen"
+fw_drop = "verwerfen"
 
-fw_portfw1 = [[Portweiterleitungen ermöglichen es interne
-Netzwerkdienste von einem anderen externen Netzwerk aus erreichbar zu machen.]]
-lucifw_portfw_iface_desc = "Externe Schnittstelle"
-lucifw_portfw_dport = "Externer Port"
-lucifw_portfw_dport_desc = "Einzelner Port oder Erster Port-Letzter Port"
-lucifw_portfw_to = "Interne Adresse"
-lucifw_portfw_to_desc = "IP, IP:Port oder IP:Erster Port-Letzter Port"
+fw_portfw1 = [[Portweiterleitungen ermöglichen es interne Netzwerkdienste aus einem externen Netzwerk heraus erreichbar zu machen.]]
+firewall_redirect_src_desc = "Externe Zone"
+firewall_redirect_srcdport = "Externer Port"
+firewall_redirect_srcdport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_destip = "Interne Adresse"
+firewall_redirect_destip_desc = "IP-Adresse"
+firewall_redirect_destport = "Interner Port (optional)"
+firewall_redirect_destport_desc = "Port od. Erster:Letzter Port"
+firewall_redirect_srcip = firewall_rule_srcip
+firewall_redirect_srcmac = firewall_rule_srcmac
+firewall_redirect_srcport = firewall_rule_srcport
 
-fw_routing1 = [[An dieser Stelle wird festlegt, welcher Netzverkehr zwischen einzelnen
-Schnittstellen erlaubt werden soll. Es werden jeweils nur neue Verbindungen
-betrachtet, d.h. Pakete von aufgebauten oder zugehörigen Verbindungen werden automatisch in beide Richtungen
-akzeptiert, auch wenn das Feld "beide Richtungen" nicht explizit gesetzt ist.
-NAT ermöglicht Adressübersetzung.]]
-lucifw_routing_iface = "Eingang"
-lucifw_routing_iface_desc = lucifw_rule_iface
-lucifw_routing_oface = "Ausgang" 
-lucifw_routing_oface_desc = lucifw_rule_oface
-lucifw_routing_fwd_desc = "weiterleiten"
-lucifw_routing_nat_desc = "übersetzen"
-lucifw_routing_bidi_desc = "beide Richtungen"
+fw_forwarding1 = [[An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann.
+Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch
+akzeptiert.]]
+firewall_forwarding_src = "Eingang"
+firewall_forwarding_src_desc = firewall_rule_src
+firewall_forwarding_dest = "Ausgang" 
+firewall_forwarding_dest_desc = firewall_rule_dest
+
+firewall_defaults = "Grundeinstellungen"
+firewall_defaults_desc = "Grundeinstellungen die verwendet werden, wenn keine andere Regel angewandt werden kann."
+firewall_defaults_synflood = "Schutz vor SYN-flood-Attacken"
+firewall_defaults_input = "Eingehender Verkehr"
+firewall_defaults_output = "Ausgehender Verkehr"
+firewall_defaults_forward = "Weitergeleiteter Verkehr"
+
+firewall_zone_desc = [[Zonen teilen das Netzwerk in mehrere Bereiche ein um Netzverkehr sicher zu trennen.
+Ein oder mehrere Netzwerke gehören zu einer Zone.
+Das MASQ-Flag legt fest, dass aller ausgehende Netzverkehr einer Zone NAT-maskiert wird.]]
+firewall_zone_input = "Eingehender Verkehr"
+firewall_zone_input_desc = "Standardaktion"
+firewall_zone_output = "Ausgehender Verkehr"
+firewall_zone_output_desc = "Standardaktion"
+firewall_zone_forward = "Weitergeleiteter Verkehr"
+firewall_zone_forward_desc = "Standardaktion"
+firewall_zone_masq = "MASQ"
+firewall_zone_network = "Netzwerke"
+firewall_zone_network_desc = "verbundene Netzwerke"

applications/luci-fw/luasrc/i18n/luci-fw.en.lua

@@ -1,43 +1,60 @@
 fw_portfw = "Port forwarding"
-fw_routing = "Routing"
+fw_forwarding = "Forwarding"
 fw_fw = "Firewall"
-fw_fw1 = "Here you can grant, access or redirect network traffic."
-lucifw_rule_chain = "Chain"
-lucifw_rule_iface = "Input interface"
-lucifw_rule_oface = "Output interface"
-lucifw_rule_source = "Source address"
-lucifw_rule_destination = "Destination address"
-lucifw_rule_mac = "MAC-Address"
-lucifw_rule_sport = "Source port"
-lucifw_rule_dport = "Destination port"
-lucifw_rule_tosrc = "New source address [SNAT]"
-lucifw_rule_todest = "New target address [DNAT]" 
-lucifw_rule_jump = "Action"
-lucifw_rule_command = "Custom Command"
+fw_zone = "Zone"
+fw_zones = "Zones"
+fw_custfwd = "Custom redirect"
+fw_rules = "Custom Rules"
+fw_rules1 = "Here you can create custom firewall rules to control your network traffic."
+fw_fw1 = "The firewall creates zones over your network interfaces to control network traffic flow."
+firewall_rule_src = "Input Zone"
+firewall_rule_dest = "Output Zone"
+firewall_rule_srcip = "Source address"
+firewall_rule_destip = "Destination address"
+firewall_rule_srcmac = "Source MAC-Address"
+firewall_rule_srcport = "Source port"
+firewall_rule_destport = "Destination port"
+firewall_rule_target = "Action"
 fw_accept = "accept"
 fw_reject = "reject"
 fw_drop = "drop"
-fw_log = "log"
-fw_dnat = "change destination (DNAT) [prerouting only]"
-fw_masq = "masquerade [postrouting only]"
-fw_snat = "change source (SNAT) [postrouting only]"
 
 fw_portfw1 = [[Port forwarding allows to provide network services 
 in the internal network to an external network.]]
-lucifw_portfw_iface_desc = "External interface"
-lucifw_portfw_dport = "External port"
-lucifw_portfw_dport_desc = "single port or first port-last port"
-lucifw_portfw_to = "Internal address"
-lucifw_portfw_to_desc = "IP, IP:port or IP:first port-last port"
+firewall_redirect_src_desc = "External Zone"
+firewall_redirect_srcdport = "External port"
+firewall_redirect_srcdport_desc = "port or range as first:last"
+firewall_redirect_destip = "Internal address"
+firewall_redirect_destip_desc = "IP-Address"
+firewall_redirect_destport = "Internal port (optional)"
+firewall_redirect_destport_desc = "port or range as first:last"
+firewall_redirect_srcip = firewall_rule_srcip
+firewall_redirect_srcmac = firewall_rule_srcmac
+firewall_redirect_srcport = firewall_rule_srcport
 
-fw_routing1 = [[Here you can specify which network traffic is allowed to flow between network interfaces.
+fw_forwarding1 = [[Here you can specify which network traffic is allowed to flow between network zones.
 Only new connections will be matched. Packets belonging to already open connections are automatically allowed
-to pass the firewall in this case you do not need to set the "bidirectional" flag. NAT provides
-address translation.]]
-lucifw_routing_iface = "Input"
-lucifw_routing_iface_desc = lucifw_rule_iface
-lucifw_routing_oface = "Output" 
-lucifw_routing_oface_desc = lucifw_rule_oface
-lucifw_routing_fwd_desc = "forward"
-lucifw_routing_nat_desc = "translate"
-lucifw_routing_bidi_desc = "bidirectional"
+to pass the firewall.]]
+firewall_forwarding_src = "Input"
+firewall_forwarding_src_desc = firewall_rule_src
+firewall_forwarding_dest = "Output" 
+firewall_forwarding_dest_desc = firewall_rule_dest
+
+firewall_defaults = "Defaults"
+firewall_defaults_desc = "These are the default settings that are used if no other rules match."
+firewall_defaults_synflood = "SYN-flood protection"
+firewall_defaults_input = "Incoming Traffic"
+firewall_defaults_output = "Outgoing Traffic"
+firewall_defaults_forward = "Forwarded Traffic"
+
+firewall_zone_desc = [[Zones part the network interfaces into certain isolated areas to separate network traffic.
+One or more networks can belong to a zone. The MASQ-flag enables NAT masquerading for all outgoing traffic on this zone.]]
+firewall_zone_input = "Incoming Traffic"
+firewall_zone_input_desc = "Default Policy"
+firewall_zone_output = "Outgoing Traffic"
+firewall_zone_output_desc = "Default Policy"
+firewall_zone_forward = "Forwarded Traffic"
+firewall_zone_forward_desc = "Default Policy"
+firewall_zone_masq = "MASQ"
+firewall_zone_network = "Networks"
+firewall_zone_network_desc = "contained networks"

applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua

@@ -0,0 +1,62 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+require("luci.sys")
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+
+
+s = m:section(TypedSection, "redirect", "")
+s.addremove = true
+s.anonymous = true
+
+name = s:option(Value, "_name", translate("name"))
+name.rmempty = true
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))
+iface.default = "wan"
+luci.model.uci.foreach("firewall", "zone",
+	function (section)
+		iface:value(section.name)
+	end)
+	
+s:option(Value, "src_ip").optional = true
+s:option(Value, "src_mac").optional = true
+
+sport = s:option(Value, "src_port")
+sport.optional = true
+sport:depends("proto", "tcp")
+sport:depends("proto", "udp")
+
+proto = s:option(ListValue, "proto", translate("protocol"))
+proto.optional = true
+proto:value("")
+proto:value("tcp", "TCP")
+proto:value("udp", "UDP")
+
+dport = s:option(Value, "src_dport")
+dport.size = 5
+dport.optional = true
+dport:depends("proto", "tcp")
+dport:depends("proto", "udp")
+
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+	to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.optional = true
+toport.size = 5
+
+return m

applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua

@@ -11,31 +11,23 @@ You may obtain a copy of the License at
 
 $Id$
 ]]--
-m = Map("luci_fw", translate("fw_fw"), translate("fw_fw1"))
+m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))
 
 s = m:section(TypedSection, "rule", "")
 s.addremove = true
 s.anonymous = true
 
-chain = s:option(ListValue, "chain")
-chain:value("forward", "Forward")
-chain:value("input", "Input")
-chain:value("output", "Output")
-chain:value("prerouting", "Prerouting")
-chain:value("postrouting", "Postrouting")
+iface = s:option(ListValue, "src")
+iface:value("")
+iface.rmempty = true
 
-iface = s:option(ListValue, "iface")
-iface.optional = true
-
-oface = s:option(ListValue, "oface")
+oface = s:option(ListValue, "dest")
 oface.optional = true
 
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 	function (section)
-		if section[".name"] ~= "loopback" then
-			iface:value(section[".name"])
-			oface:value(section[".name"])
-		end
+		iface:value(section.name)
+		oface:value(section.name)
 	end)
 
 proto = s:option(ListValue, "proto", translate("protocol"))
@@ -43,43 +35,27 @@ proto.optional = true
 proto:value("")
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
+proto:value("icmp", "ICMP")
 
-s:option(Value, "source").optional = true
-s:option(Value, "destination").optional = true
-s:option(Value, "mac").optional = true
+s:option(Value, "src_ip").optional = true
+s:option(Value, "dest_ip").optional = true
+s:option(Value, "src_mac").optional = true
 
-sport = s:option(Value, "sport")
+sport = s:option(Value, "src_port")
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
 
-dport = s:option(Value, "dport")
+dport = s:option(Value, "dest_port")
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 
-tosrc = s:option(Value, "tosrc")
-tosrc.optional = true
-tosrc:depends("jump", "SNAT")
-
-tosrc = s:option(Value, "todest")
-tosrc.optional = true
-tosrc:depends("jump", "DNAT")
-
-jump = s:option(ListValue, "jump")
+jump = s:option(ListValue, "target")
 jump.rmempty = true
-jump:value("", "")
+jump:value("DROP", translate("fw_drop"))
 jump:value("ACCEPT", translate("fw_accept"))
 jump:value("REJECT", translate("fw_reject"))
-jump:value("DROP", translate("fw_drop"))
-jump:value("LOG", translate("fw_log"))
-jump:value("DNAT", translate("fw_dnat"))
-jump:value("MASQUERADE", translate("fw_masq"))
-jump:value("SNAT", translate("fw_snat"))
 
 
-add = s:option(Value, "command")
-add.size = 50
-add.rmempty = true
-
 return m

applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua

@@ -0,0 +1,67 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+m = Map("firewall", translate("fw_fw"), translate("fw_fw1"))
+
+s = m:section(TypedSection, "defaults")
+s.anonymous = true
+
+s:option(Flag, "syn_flood")
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+	v:value("DROP", translate("fw_drop"))
+	v:value("ACCEPT", translate("fw_accept"))
+end
+
+
+s = m:section(TypedSection, "zone", translate("fw_zones"))
+s.template = "cbi/tblsection"
+s.anonymous = true
+s.addremove = true
+
+name = s:option(Value, "name", translate("name"))
+name.size = 8
+
+p = {}
+p[1] = s:option(ListValue, "input")
+p[2] = s:option(ListValue, "output")
+p[3] = s:option(ListValue, "forward")
+
+for i, v in ipairs(p) do
+	v:value("DROP", translate("fw_drop"))
+	v:value("ACCEPT", translate("fw_accept"))
+end
+
+s:option(Flag, "masq")
+
+net = s:option(MultiValue, "network")
+net.widget = "select"
+net.rmempty = true
+luci.model.uci.foreach("network", "interface",
+	function (section)
+		if section[".name"] ~= "loopback" then
+			net:value(section[".name"])
+		end
+	end)
+	
+function net.cfgvalue(self, section)
+	local value = MultiValue.cfgvalue(self, section)
+	return value or name:cfgvalue(section)
+end
+
+return m

applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua

@@ -12,26 +12,33 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
 
 
-s = m:section(TypedSection, "portfw", "")
-s:depends("iface", "wan")
-s.defaults.iface = "wan"
+s = m:section(TypedSection, "redirect", "")
+s:depends("src", "wan")
+s.defaults.src = "wan"
 
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 
-name = s:option(Value, "_name", translate("name") .. translate("cbi_optional"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10
 
-proto = s:option(ListValue, "proto", translate("protocol"))
+proto = s:option(ListValue, "protocol", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
-proto:value("tcpudp", "TCP + UDP")
 
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5
 
-to = s:option(Value, "to")
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+	to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.size = 5
 
 return m

applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua

@@ -12,29 +12,37 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
 
-s = m:section(TypedSection, "portfw", "")
+
+s = m:section(TypedSection, "redirect", "")
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 
-iface = s:option(ListValue, "iface", translate("interface"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
+name.size = 10
+
+iface = s:option(ListValue, "src", translate("fw_zone"))
 iface.default = "wan"
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 	function (section)
-		if section[".name"] ~= "loopback" then
-			iface:value(section[".name"])
-		end
+		iface:value(section.name)
 	end)
 
 proto = s:option(ListValue, "proto", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
-proto:value("tcpudp", "TCP + UDP")
 
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
+dport.size = 5
 
-to = s:option(Value, "to")
+to = s:option(Value, "dest_ip")
+for i, dataset in ipairs(luci.sys.net.arptable()) do
+	to:value(dataset["IP address"])
+end
+
+toport = s:option(Value, "dest_port")
+toport.size = 5
 
 return m

applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua

@@ -11,26 +11,20 @@ You may obtain a copy of the License at
 
 $Id$
 ]]--
-m = Map("luci_fw", translate("fw_routing"), translate("fw_routing1"))
+m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))
 
-s = m:section(TypedSection, "routing", "")
+s = m:section(TypedSection, "forwarding", "")
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
 
-iface = s:option(ListValue, "iface")
-oface = s:option(ListValue, "oface")
+iface = s:option(ListValue, "src")
+oface = s:option(ListValue, "dest")
 
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 	function (section)
-		if section[".name"] ~= "loopback" then
-			iface:value(section[".name"])
-			oface:value(section[".name"])
-		end
+			iface:value(section.name)
+			oface:value(section.name)
 	end)
 
-s:option(Flag, "fwd", "FWD").rmempty = true
-s:option(Flag, "nat", "NAT").rmempty = true
-s:option(Flag, "bidi", "<->").rmempty = true
-
 return m

applications/luci-fw/root/etc/config/luci_fw

@@ -1,2 +0,0 @@
-
- 

applications/luci-fw/root/etc/init.d/luci_fw

@@ -1,176 +0,0 @@
-#!/bin/sh /etc/rc.common
-START=46
-
-apply_portfw() {
-	local cfg="$1"
-	config_get proto "$cfg" proto
-	config_get dport "$cfg" dport
-	config_get iface "$cfg" iface
-	config_get to    "$cfg" to
-	
-	config_get ifname "$iface" ifname
-	
-	[ -n "$proto" ] || return 0
-	[ -n "$dport" ] || return 0
-	[ -n "$ifname" ] || return 0
-	[ -n "$to" ] || return 0
-
-	dport=$(echo $dport | sed -e 's/-/:/')
-
-	ports=$(echo $to | cut -sd: -f2)
-	if [ -n "$ports" ]; then
-		ports="--dport $(echo $ports | sed -e 's/-/:/')"
-	else
-		ports="--dport $dport"
-	fi
-
-	ip=$(echo $to | cut -d: -f1)
-	
-	if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
-		iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to"
-		iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT
-	fi
-
-	if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
-		iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to"
-		iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT
-	fi
-}
-
-apply_routing() {
-	local cfg="$1"
-	config_get iface "$cfg" iface
-	config_get oface "$cfg" oface
-	config_get_bool fwd "$cfg" fwd
-	config_get_bool nat "$cfg" nat
-	config_get_bool bidi "$cfg" bidi
-	
-	config_get ifname "$iface" ifname
-	config_get ofname "$oface" ifname
-	
-	[ -n "$ifname" ] || return 0
-	[ -n "$ofname" ] || return 0
-	
-	[ "$fwd" -gt 0 ] && {
-		iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
-		[ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
-	}
-	
-	[ "$nat" -gt 0 ] && {
-		config_get ifip "$iface" ipaddr
-		config_get ifmask "$iface" netmask
-		eval "$(ipcalc.sh $ifip $ifmask)"
-		
-		iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ofname" -j MASQUERADE
-		
-		[ "$bidi" -gt 0 ] && {
-			config_get ofip "$oface" ipaddr
-			config_get ofmask "$oface" netmask
-			eval "$(ipcalc.sh $ofip $ofmask)"
-			
-			iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ifname" -j MASQUERADE		
-		}
-	}
-}
-
-apply_rule() {
-	local cfg="$1"
-	local cmd=""
-
-	config_get chain "$cfg" chain
-	[ -n "$chain" ] || return 0
-	[ "$chain" == "forward" ] && cmd="$cmd -A luci_fw_forward"
-	[ "$chain" == "input" ] && cmd="$cmd -A luci_fw_input"
-	[ "$chain" == "output" ] && cmd="$cmd -A luci_fw_output"
-	[ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_fw_prerouting"
-	[ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
-	
-	config_get iface "$cfg" iface
-	config_get ifname "$iface" ifname
-	[ -n "$ifname" ] && cmd="$cmd -i $ifname"	
-
-	config_get oface "$cfg" oface
-	config_get ofname "$oface" ifname
-	[ -n "$ofname" ] && cmd="$cmd -o $ofname"	
-
-	config_get proto "$cfg" proto
-	[ -n "$proto" ] && cmd="$cmd -p $proto"	
-
-	config_get source "$cfg" source
-	[ -n "$source" ] && cmd="$cmd -s $source"	
-
-	config_get destination "$cfg" destination
-	[ -n "$destination" ] && cmd="$cmd -d $destination"	
-
-	config_get sport "$cfg" sport
-	[ -n "$sport" ] && cmd="$cmd --sport $sport"	
-
-	config_get dport "$cfg" dport
-	[ -n "$dport" ] && cmd="$cmd --dport $dport"	
-	
-	config_get todest "$cfg" todest
-	[ -n "$todest" ] && cmd="$cmd --to-destination $todest"	
-
-	config_get tosrc "$cfg" tosrc
-	[ -n "$tosrc" ] && cmd="$cmd --to-source $tosrc"	
-	
-	config_get mac "$cfg" mac
-	[ -n "$mac" ] && cmd="$cmd -m mac --mac-source $mac"
-
-	config_get jump "$cfg" jump
-	[ -n "$jump" ] && cmd="$cmd -j $jump"	
-
-	config_get command "$cfg" command
-	[ -n "$command" ] && cmd="$cmd $command"	
-
-	iptables $cmd
-}
-
-start() {
-	### Create subchains
-	iptables -N luci_fw_input
-	iptables -N luci_fw_output
-	iptables -N luci_fw_forward
-	iptables -t nat -N luci_fw_prerouting
-	iptables -t nat -N luci_fw_postrouting
-	
-	### Hook in the chains
-	iptables -A input_rule -j luci_fw_input
-	iptables -A output_rule -j luci_fw_output
-	iptables -A forwarding_rule -j luci_fw_forward
-	iptables -t nat -A prerouting_rule -j luci_fw_prerouting
-	iptables -t nat -A postrouting_rule -j luci_fw_postrouting
-	
-	### Scan network interfaces
-	include /lib/network
-	scan_interfaces
-	
-	### Read chains from config
-	config_load luci_fw
-	config_foreach apply_rule rule
-	config_foreach apply_portfw portfw
-	config_foreach apply_routing routing
-}
-
-stop() {
-	### Hook out the chains
-	iptables -D input_rule -j luci_fw_input
-	iptables -D output_rule -j luci_fw_output
-	iptables -D forwarding_rule -j luci_fw_forward
-	iptables -t nat -D prerouting_rule -j luci_fw_prerouting
-	iptables -t nat -D postrouting_rule -j luci_fw_postrouting	
-	
-	### Clear subchains
-	iptables -F luci_fw_input
-	iptables -F luci_fw_output
-	iptables -F luci_fw_forward
-	iptables -t nat -F luci_fw_prerouting
-	iptables -t nat -F luci_fw_postrouting
-	
-	### Delete subchains
-	iptables -X luci_fw_input
-	iptables -X luci_fw_output
-	iptables -X luci_fw_forward
-	iptables -t nat -X luci_fw_prerouting
-	iptables -t nat -X luci_fw_postrouting
-}

contrib/package/luci/Makefile

@@ -354,7 +354,7 @@ endef
 
 define Package/luci-app-firewall
   $(call Package/luci/webtemplate)
-  DEPENDS+=+luci-admin-core
+  DEPENDS+=+luci-admin-core +firewall
   TITLE:=Firewall and Portforwarding application
 endef
 

libs/web/root/etc/config/luci

@@ -19,15 +19,15 @@ config extern flash_keep
 	option firewall	"/etc/firewall.user"
 
 config event uci_oncommit
-	option network		"/sbin/luci-reload network firewall luci_fw dnsmasq"
-	option wireless		"/sbin/luci-reload network firewall luci_fw dnsmasq"
+	option network		"/sbin/luci-reload network firewall dnsmasq"
+	option wireless		"/sbin/luci-reload network firewall dnsmasq"
 	option olsr			"/sbin/luci-reload olsrd"
 	option dhcp			"/sbin/luci-reload dnsmasq"
 	option dropbear		"/sbin/luci-reload dropbear"
 	option httpd		"/sbin/luci-reload httpd"
 	option fstab		"/sbin/luci-reload fstab"
 	option qos			"/sbin/luci-reload qos"
-	option luci_fw		"/sbin/luci-reload luci_fw"
+	option firewall		"/sbin/luci-reload firewall"
 	option luci_ethers	"/sbin/luci-reload luci_ethers dnsmasq"
 	option luci_splash	"/sbin/luci-reload luci_splash"
 	option upnpd		"/etc/init.d/miniupnpd enabled && /sbin/luci-reload miniupnpd || /etc/init.d/miniupnpd stop"