applications/luci-fw: Reworked to use the new native UCI-based firewall configuration

2008-08-04 23:36:33 +00:00 · 2008-08-04 23:36:33 +00:00 · 9a63ad7c10
commit 9a63ad7c10
parent 78fb71f881
13 changed files with 304 additions and 333 deletions
--- a/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
+++ b/applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua
@ -6,9 +6,12 @@ function index()
 	local nodes = {}
-	table.insert(nodes, entry({"admin", "network", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw", "Portweiterleitung"), 70))	
+	table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
-	table.insert(nodes, entry({"admin", "network", "routing"}, cbi("luci_fw/routing"), i18n("fw_routing", "Routing"), 73))
+	table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
-	table.insert(nodes, entry({"admin", "network", "firewall"}, cbi("luci_fw/firewall"), i18n("fw_fw", "Firewall"), 76))
+	table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))	
 	table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
 	table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))	
 	table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))	
 	table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
--- a/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.de.lua
@ -1,45 +1,60 @@
-fw_fw = [[Firewall]]
+fw_portfw = "Portweiterleitung"
-fw_portfw = [[Portweiterleitung]]
+fw_forwarding = "Weiterleitung"
-fw_routing = [[Routing]]
+fw_fw = "Firewall"
-fw_fw1 = [[Mit Hilfe der Firewall können Zugriffe auf das Netzwerk
+fw_zone = "Zone"
-erlaubt, verboten oder umgeleitet werden.]]
+fw_zones = "Zonen"
-lucifw_rule_chain = "Kette"
+fw_custfwd = "Eigene Weiterleitungen"
-lucifw_rule_iface = "Eingangsschnittstelle"
+fw_rules = "Eigene Regeln"
-lucifw_rule_oface = "Ausgangsschnittstelle"
+fw_rules1 = "An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren."
-lucifw_rule_source = "Quelladresse"
+fw_fw1 = "Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen."
-lucifw_rule_destination = "Zieladresse"
+firewall_rule_src = "Eingangszone"
-lucifw_rule_mac = "MAC-Adresse"
+firewall_rule_dest = "Ausgangszone"
-lucifw_rule_sport = "Quellport"
+firewall_rule_srcip = "Quelladresse"
-lucifw_rule_dport = "Zielport"
+firewall_rule_destip = "Zieladresse"
-lucifw_rule_tosrc = "Neue Quelladresse [SNAT]"
+firewall_rule_srcmac = "Quell-MAC-Adresse"
-lucifw_rule_todest = "Neue Zieladresse [DNAT]" 
+firewall_rule_srcport = "Quellport"
-lucifw_rule_jump = "Aktion"
+firewall_rule_destport = "Zielport"
-lucifw_rule_command = "Eigener Befehl"
+firewall_rule_target = "Aktion"
-fw_accept = "annehmen (ACCEPT)"
+fw_accept = "annehmen"
-fw_reject = "zurückweisen (REJECT)"
+fw_reject = "zurückweisen"
-fw_drop = "verwerfen (DROP)"
+fw_drop = "verwerfen"
 fw_log = "protokollieren (LOG)"
 fw_dnat = "Ziel umschreiben (DNAT) [nur Prerouting]"
 fw_masq = "maskieren (MASQUERADE) [nur Postrouting]"
 fw_snat = "Quelle umschreiben (SNAT) [nur Postrouting]"
-fw_portfw1 = [[Portweiterleitungen ermöglichen es interne
+fw_portfw1 = [[Portweiterleitungen ermöglichen es interne Netzwerkdienste aus einem externen Netzwerk heraus erreichbar zu machen.]]
-Netzwerkdienste von einem anderen externen Netzwerk aus erreichbar zu machen.]]
+firewall_redirect_src_desc = "Externe Zone"
-lucifw_portfw_iface_desc = "Externe Schnittstelle"
+firewall_redirect_srcdport = "Externer Port"
-lucifw_portfw_dport = "Externer Port"
+firewall_redirect_srcdport_desc = "Port od. Erster:Letzter Port"
-lucifw_portfw_dport_desc = "Einzelner Port oder Erster Port-Letzter Port"
+firewall_redirect_destip = "Interne Adresse"
-lucifw_portfw_to = "Interne Adresse"
+firewall_redirect_destip_desc = "IP-Adresse"
-lucifw_portfw_to_desc = "IP, IP:Port oder IP:Erster Port-Letzter Port"
+firewall_redirect_destport = "Interner Port (optional)"
 firewall_redirect_destport_desc = "Port od. Erster:Letzter Port"
 firewall_redirect_srcip = firewall_rule_srcip
 firewall_redirect_srcmac = firewall_rule_srcmac
 firewall_redirect_srcport = firewall_rule_srcport
-fw_routing1 = [[An dieser Stelle wird festlegt, welcher Netzverkehr zwischen einzelnen
+fw_forwarding1 = [[An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann.
-Schnittstellen erlaubt werden soll. Es werden jeweils nur neue Verbindungen
+Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch
-betrachtet, d.h. Pakete von aufgebauten oder zugehörigen Verbindungen werden automatisch in beide Richtungen
+akzeptiert.]]
-akzeptiert, auch wenn das Feld "beide Richtungen" nicht explizit gesetzt ist.
+firewall_forwarding_src = "Eingang"
-NAT ermöglicht Adressübersetzung.]]
+firewall_forwarding_src_desc = firewall_rule_src
-lucifw_routing_iface = "Eingang"
+firewall_forwarding_dest = "Ausgang" 
-lucifw_routing_iface_desc = lucifw_rule_iface
+firewall_forwarding_dest_desc = firewall_rule_dest
-lucifw_routing_oface = "Ausgang" 
+
-lucifw_routing_oface_desc = lucifw_rule_oface
+firewall_defaults = "Grundeinstellungen"
-lucifw_routing_fwd_desc = "weiterleiten"
+firewall_defaults_desc = "Grundeinstellungen die verwendet werden, wenn keine andere Regel angewandt werden kann."
-lucifw_routing_nat_desc = "übersetzen"
+firewall_defaults_synflood = "Schutz vor SYN-flood-Attacken"
-lucifw_routing_bidi_desc = "beide Richtungen"
+firewall_defaults_input = "Eingehender Verkehr"
 firewall_defaults_output = "Ausgehender Verkehr"
 firewall_defaults_forward = "Weitergeleiteter Verkehr"
 firewall_zone_desc = [[Zonen teilen das Netzwerk in mehrere Bereiche ein um Netzverkehr sicher zu trennen.
 Ein oder mehrere Netzwerke gehören zu einer Zone.
 Das MASQ-Flag legt fest, dass aller ausgehende Netzverkehr einer Zone NAT-maskiert wird.]]
 firewall_zone_input = "Eingehender Verkehr"
 firewall_zone_input_desc = "Standardaktion"
 firewall_zone_output = "Ausgehender Verkehr"
 firewall_zone_output_desc = "Standardaktion"
 firewall_zone_forward = "Weitergeleiteter Verkehr"
 firewall_zone_forward_desc = "Standardaktion"
 firewall_zone_masq = "MASQ"
 firewall_zone_network = "Netzwerke"
 firewall_zone_network_desc = "verbundene Netzwerke"
--- a/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
+++ b/applications/luci-fw/luasrc/i18n/luci-fw.en.lua
@ -1,43 +1,60 @@
 fw_portfw = "Port forwarding"
-fw_routing = "Routing"
+fw_forwarding = "Forwarding"
 fw_fw = "Firewall"
-fw_fw1 = "Here you can grant, access or redirect network traffic."
+fw_zone = "Zone"
-lucifw_rule_chain = "Chain"
+fw_zones = "Zones"
-lucifw_rule_iface = "Input interface"
+fw_custfwd = "Custom redirect"
-lucifw_rule_oface = "Output interface"
+fw_rules = "Custom Rules"
-lucifw_rule_source = "Source address"
+fw_rules1 = "Here you can create custom firewall rules to control your network traffic."
-lucifw_rule_destination = "Destination address"
+fw_fw1 = "The firewall creates zones over your network interfaces to control network traffic flow."
-lucifw_rule_mac = "MAC-Address"
+firewall_rule_src = "Input Zone"
-lucifw_rule_sport = "Source port"
+firewall_rule_dest = "Output Zone"
-lucifw_rule_dport = "Destination port"
+firewall_rule_srcip = "Source address"
-lucifw_rule_tosrc = "New source address [SNAT]"
+firewall_rule_destip = "Destination address"
-lucifw_rule_todest = "New target address [DNAT]" 
+firewall_rule_srcmac = "Source MAC-Address"
-lucifw_rule_jump = "Action"
+firewall_rule_srcport = "Source port"
-lucifw_rule_command = "Custom Command"
+firewall_rule_destport = "Destination port"
 firewall_rule_target = "Action"
 fw_accept = "accept"
 fw_reject = "reject"
 fw_drop = "drop"
 fw_log = "log"
 fw_dnat = "change destination (DNAT) [prerouting only]"
 fw_masq = "masquerade [postrouting only]"
 fw_snat = "change source (SNAT) [postrouting only]"
 fw_portfw1 = [[Port forwarding allows to provide network services 
 in the internal network to an external network.]]
-lucifw_portfw_iface_desc = "External interface"
+firewall_redirect_src_desc = "External Zone"
-lucifw_portfw_dport = "External port"
+firewall_redirect_srcdport = "External port"
-lucifw_portfw_dport_desc = "single port or first port-last port"
+firewall_redirect_srcdport_desc = "port or range as first:last"
-lucifw_portfw_to = "Internal address"
+firewall_redirect_destip = "Internal address"
-lucifw_portfw_to_desc = "IP, IP:port or IP:first port-last port"
+firewall_redirect_destip_desc = "IP-Address"
 firewall_redirect_destport = "Internal port (optional)"
 firewall_redirect_destport_desc = "port or range as first:last"
 firewall_redirect_srcip = firewall_rule_srcip
 firewall_redirect_srcmac = firewall_rule_srcmac
 firewall_redirect_srcport = firewall_rule_srcport
-fw_routing1 = [[Here you can specify which network traffic is allowed to flow between network interfaces.
+fw_forwarding1 = [[Here you can specify which network traffic is allowed to flow between network zones.
 Only new connections will be matched. Packets belonging to already open connections are automatically allowed
-to pass the firewall in this case you do not need to set the "bidirectional" flag. NAT provides
+to pass the firewall.]]
-address translation.]]
+firewall_forwarding_src = "Input"
-lucifw_routing_iface = "Input"
+firewall_forwarding_src_desc = firewall_rule_src
-lucifw_routing_iface_desc = lucifw_rule_iface
+firewall_forwarding_dest = "Output" 
-lucifw_routing_oface = "Output" 
+firewall_forwarding_dest_desc = firewall_rule_dest
-lucifw_routing_oface_desc = lucifw_rule_oface
+
-lucifw_routing_fwd_desc = "forward"
+firewall_defaults = "Defaults"
-lucifw_routing_nat_desc = "translate"
+firewall_defaults_desc = "These are the default settings that are used if no other rules match."
-lucifw_routing_bidi_desc = "bidirectional"
+firewall_defaults_synflood = "SYN-flood protection"
 firewall_defaults_input = "Incoming Traffic"
 firewall_defaults_output = "Outgoing Traffic"
 firewall_defaults_forward = "Forwarded Traffic"
 firewall_zone_desc = [[Zones part the network interfaces into certain isolated areas to separate network traffic.
 One or more networks can belong to a zone. The MASQ-flag enables NAT masquerading for all outgoing traffic on this zone.]]
 firewall_zone_input = "Incoming Traffic"
 firewall_zone_input_desc = "Default Policy"
 firewall_zone_output = "Outgoing Traffic"
 firewall_zone_output_desc = "Default Policy"
 firewall_zone_forward = "Forwarded Traffic"
 firewall_zone_forward_desc = "Default Policy"
 firewall_zone_masq = "MASQ"
 firewall_zone_network = "Networks"
 firewall_zone_network_desc = "contained networks"
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/customfwd.lua
@ -0,0 +1,62 @@
 --[[
 LuCI - Lua Configuration Interface
 Copyright 2008 Steven Barth <steven@midlink.org>
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 	http://www.apache.org/licenses/LICENSE-2.0
 $Id$
 ]]--
 require("luci.sys")
 m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
 s = m:section(TypedSection, "redirect", "")
 s.addremove = true
 s.anonymous = true
 name = s:option(Value, "_name", translate("name"))
 name.rmempty = true
 name.size = 10
 iface = s:option(ListValue, "src", translate("fw_zone"))
 iface.default = "wan"
 luci.model.uci.foreach("firewall", "zone",
 	function (section)
 		iface:value(section.name)
 	end)
 s:option(Value, "src_ip").optional = true
 s:option(Value, "src_mac").optional = true
 sport = s:option(Value, "src_port")
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
 proto = s:option(ListValue, "proto", translate("protocol"))
 proto.optional = true
 proto:value("")
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 dport = s:option(Value, "src_dport")
 dport.size = 5
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 to = s:option(Value, "dest_ip")
 for i, dataset in ipairs(luci.sys.net.arptable()) do
 	to:value(dataset["IP address"])
 end
 toport = s:option(Value, "dest_port")
 toport.optional = true
 toport.size = 5
 return m
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/firewall.lua
@ -11,31 +11,23 @@ You may obtain a copy of the License at
 $Id$
 ]]--
-m = Map("luci_fw", translate("fw_fw"), translate("fw_fw1"))
+m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))
 s = m:section(TypedSection, "rule", "")
 s.addremove = true
 s.anonymous = true
-chain = s:option(ListValue, "chain")
+iface = s:option(ListValue, "src")
-chain:value("forward", "Forward")
+iface:value("")
-chain:value("input", "Input")
+iface.rmempty = true
 chain:value("output", "Output")
 chain:value("prerouting", "Prerouting")
 chain:value("postrouting", "Postrouting")
-iface = s:option(ListValue, "iface")
+oface = s:option(ListValue, "dest")
 iface.optional = true
 oface = s:option(ListValue, "oface")
 oface.optional = true
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 	function (section)
-		if section[".name"] ~= "loopback" then
+		iface:value(section.name)
-			iface:value(section[".name"])
+		oface:value(section.name)
 			oface:value(section[".name"])
 		end
 	end)
 proto = s:option(ListValue, "proto", translate("protocol"))
@ -43,43 +35,27 @@ proto.optional = true
 proto:value("")
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("icmp", "ICMP")
-s:option(Value, "source").optional = true
+s:option(Value, "src_ip").optional = true
-s:option(Value, "destination").optional = true
+s:option(Value, "dest_ip").optional = true
-s:option(Value, "mac").optional = true
+s:option(Value, "src_mac").optional = true
-sport = s:option(Value, "sport")
+sport = s:option(Value, "src_port")
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "dest_port")
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
-tosrc = s:option(Value, "tosrc")
+jump = s:option(ListValue, "target")
 tosrc.optional = true
 tosrc:depends("jump", "SNAT")
 tosrc = s:option(Value, "todest")
 tosrc.optional = true
 tosrc:depends("jump", "DNAT")
 jump = s:option(ListValue, "jump")
 jump.rmempty = true
-jump:value("", "")
+jump:value("DROP", translate("fw_drop"))
 jump:value("ACCEPT", translate("fw_accept"))
 jump:value("REJECT", translate("fw_reject"))
 jump:value("DROP", translate("fw_drop"))
 jump:value("LOG", translate("fw_log"))
 jump:value("DNAT", translate("fw_dnat"))
 jump:value("MASQUERADE", translate("fw_masq"))
 jump:value("SNAT", translate("fw_snat"))
 add = s:option(Value, "command")
 add.size = 50
 add.rmempty = true
 return m
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/general.lua
@ -0,0 +1,67 @@
 --[[
 LuCI - Lua Configuration Interface
 Copyright 2008 Steven Barth <steven@midlink.org>
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 	http://www.apache.org/licenses/LICENSE-2.0
 $Id$
 ]]--
 m = Map("firewall", translate("fw_fw"), translate("fw_fw1"))
 s = m:section(TypedSection, "defaults")
 s.anonymous = true
 s:option(Flag, "syn_flood")
 p = {}
 p[1] = s:option(ListValue, "input")
 p[2] = s:option(ListValue, "output")
 p[3] = s:option(ListValue, "forward")
 for i, v in ipairs(p) do
 	v:value("DROP", translate("fw_drop"))
 	v:value("ACCEPT", translate("fw_accept"))
 end
 s = m:section(TypedSection, "zone", translate("fw_zones"))
 s.template = "cbi/tblsection"
 s.anonymous = true
 s.addremove = true
 name = s:option(Value, "name", translate("name"))
 name.size = 8
 p = {}
 p[1] = s:option(ListValue, "input")
 p[2] = s:option(ListValue, "output")
 p[3] = s:option(ListValue, "forward")
 for i, v in ipairs(p) do
 	v:value("DROP", translate("fw_drop"))
 	v:value("ACCEPT", translate("fw_accept"))
 end
 s:option(Flag, "masq")
 net = s:option(MultiValue, "network")
 net.widget = "select"
 net.rmempty = true
 luci.model.uci.foreach("network", "interface",
 	function (section)
 		if section[".name"] ~= "loopback" then
 			net:value(section[".name"])
 		end
 	end)
 function net.cfgvalue(self, section)
 	local value = MultiValue.cfgvalue(self, section)
 	return value or name:cfgvalue(section)
 end
 return m
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/miniportfw.lua
@ -12,26 +12,33 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
-s = m:section(TypedSection, "portfw", "")
+s = m:section(TypedSection, "redirect", "")
-s:depends("iface", "wan")
+s:depends("src", "wan")
-s.defaults.iface = "wan"
+s.defaults.src = "wan"
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
-name = s:option(Value, "_name", translate("name") .. translate("cbi_optional"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
 name.size = 10
-proto = s:option(ListValue, "proto", translate("protocol"))
+proto = s:option(ListValue, "protocol", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("tcpudp", "TCP + UDP")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
 dport.size = 5
-to = s:option(Value, "to")
+to = s:option(Value, "dest_ip")
 for i, dataset in ipairs(luci.sys.net.arptable()) do
 	to:value(dataset["IP address"])
 end
 toport = s:option(Value, "dest_port")
 toport.size = 5
 return m
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/portfw.lua
@ -12,29 +12,37 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("luci_fw", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
-s = m:section(TypedSection, "portfw", "")
+
 s = m:section(TypedSection, "redirect", "")
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
-iface = s:option(ListValue, "iface", translate("interface"))
+name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
 name.size = 10
 iface = s:option(ListValue, "src", translate("fw_zone"))
 iface.default = "wan"
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 	function (section)
-		if section[".name"] ~= "loopback" then
+		iface:value(section.name)
 			iface:value(section[".name"])
 		end
 	end)
 proto = s:option(ListValue, "proto", translate("protocol"))
 proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("tcpudp", "TCP + UDP")
-dport = s:option(Value, "dport")
+dport = s:option(Value, "src_dport")
 dport.size = 5
-to = s:option(Value, "to")
+to = s:option(Value, "dest_ip")
 for i, dataset in ipairs(luci.sys.net.arptable()) do
 	to:value(dataset["IP address"])
 end
 toport = s:option(Value, "dest_port")
 toport.size = 5
 return m
--- a/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
+++ b/applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua
@ -11,26 +11,20 @@ You may obtain a copy of the License at
 $Id$
 ]]--
-m = Map("luci_fw", translate("fw_routing"), translate("fw_routing1"))
+m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))
-s = m:section(TypedSection, "routing", "")
+s = m:section(TypedSection, "forwarding", "")
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
-iface = s:option(ListValue, "iface")
+iface = s:option(ListValue, "src")
-oface = s:option(ListValue, "oface")
+oface = s:option(ListValue, "dest")
-luci.model.uci.foreach("network", "interface",
+luci.model.uci.foreach("firewall", "zone",
 	function (section)
-		if section[".name"] ~= "loopback" then
+			iface:value(section.name)
-			iface:value(section[".name"])
+			oface:value(section.name)
 			oface:value(section[".name"])
 		end
 	end)
 s:option(Flag, "fwd", "FWD").rmempty = true
 s:option(Flag, "nat", "NAT").rmempty = true
 s:option(Flag, "bidi", "<->").rmempty = true
 return m
--- a/applications/luci-fw/root/etc/config/luci_fw
+++ b/applications/luci-fw/root/etc/config/luci_fw
@ -1,2 +0,0 @@
--- a/applications/luci-fw/root/etc/init.d/luci_fw
+++ b/applications/luci-fw/root/etc/init.d/luci_fw
@ -1,176 +0,0 @@
 #!/bin/sh /etc/rc.common
 START=46
 apply_portfw() {
 	local cfg="$1"
 	config_get proto "$cfg" proto
 	config_get dport "$cfg" dport
 	config_get iface "$cfg" iface
 	config_get to    "$cfg" to
 	config_get ifname "$iface" ifname
 	[ -n "$proto" ] || return 0
 	[ -n "$dport" ] || return 0
 	[ -n "$ifname" ] || return 0
 	[ -n "$to" ] || return 0
 	dport=$(echo $dport | sed -e 's/-/:/')
 	ports=$(echo $to | cut -sd: -f2)
 	if [ -n "$ports" ]; then
 		ports="--dport $(echo $ports | sed -e 's/-/:/')"
 	else
 		ports="--dport $dport"
 	fi
 	ip=$(echo $to | cut -d: -f1)
 	if ([ "$proto" == "tcpudp" ] || [ "$proto" == "tcp" ]); then
 		iptables -t nat -A luci_fw_prerouting -i "$ifname" -p tcp --dport "$dport" -j DNAT --to "$to"
 		iptables -A luci_fw_forward -i "$ifname" -p tcp -d "$ip" $ports -j ACCEPT
 	fi
 	if ([ "$proto" == "tcpudp" ] || [ "$proto" == "udp" ]); then
 		iptables -t nat -A luci_fw_prerouting -i "$ifname" -p udp --dport "$dport" -j DNAT --to "$to"
 		iptables -A luci_fw_forward -i "$ifname" -p udp -d "$ip" $ports -j ACCEPT
 	fi
 }
 apply_routing() {
 	local cfg="$1"
 	config_get iface "$cfg" iface
 	config_get oface "$cfg" oface
 	config_get_bool fwd "$cfg" fwd
 	config_get_bool nat "$cfg" nat
 	config_get_bool bidi "$cfg" bidi
 	config_get ifname "$iface" ifname
 	config_get ofname "$oface" ifname
 	[ -n "$ifname" ] || return 0
 	[ -n "$ofname" ] || return 0
 	[ "$fwd" -gt 0 ] && {
 		iptables -A luci_fw_forward -i "$ifname" -o "$ofname" -j ACCEPT
 		[ "$bidi" -gt 0 ] && iptables -A luci_fw_forward -i "$ofname" -o "$ifname" -j ACCEPT
 	}
 	[ "$nat" -gt 0 ] && {
 		config_get ifip "$iface" ipaddr
 		config_get ifmask "$iface" netmask
 		eval "$(ipcalc.sh $ifip $ifmask)"
 		iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ofname" -j MASQUERADE
 		[ "$bidi" -gt 0 ] && {
 			config_get ofip "$oface" ipaddr
 			config_get ofmask "$oface" netmask
 			eval "$(ipcalc.sh $ofip $ofmask)"
 			iptables -t nat -A luci_fw_postrouting -s "$NETWORK/$PREFIX" -o "$ifname" -j MASQUERADE		
 		}
 	}
 }
 apply_rule() {
 	local cfg="$1"
 	local cmd=""
 	config_get chain "$cfg" chain
 	[ -n "$chain" ] || return 0
 	[ "$chain" == "forward" ] && cmd="$cmd -A luci_fw_forward"
 	[ "$chain" == "input" ] && cmd="$cmd -A luci_fw_input"
 	[ "$chain" == "output" ] && cmd="$cmd -A luci_fw_output"
 	[ "$chain" == "prerouting" ] && cmd="$cmd -t nat -A luci_fw_prerouting"
 	[ "$chain" == "postrouting" ] && cmd="$cmd -t nat -A luci_fw_postrouting"
 	config_get iface "$cfg" iface
 	config_get ifname "$iface" ifname
 	[ -n "$ifname" ] && cmd="$cmd -i $ifname"	
 	config_get oface "$cfg" oface
 	config_get ofname "$oface" ifname
 	[ -n "$ofname" ] && cmd="$cmd -o $ofname"	
 	config_get proto "$cfg" proto
 	[ -n "$proto" ] && cmd="$cmd -p $proto"	
 	config_get source "$cfg" source
 	[ -n "$source" ] && cmd="$cmd -s $source"	
 	config_get destination "$cfg" destination
 	[ -n "$destination" ] && cmd="$cmd -d $destination"	
 	config_get sport "$cfg" sport
 	[ -n "$sport" ] && cmd="$cmd --sport $sport"	
 	config_get dport "$cfg" dport
 	[ -n "$dport" ] && cmd="$cmd --dport $dport"	
 	config_get todest "$cfg" todest
 	[ -n "$todest" ] && cmd="$cmd --to-destination $todest"	
 	config_get tosrc "$cfg" tosrc
 	[ -n "$tosrc" ] && cmd="$cmd --to-source $tosrc"	
 	config_get mac "$cfg" mac
 	[ -n "$mac" ] && cmd="$cmd -m mac --mac-source $mac"
 	config_get jump "$cfg" jump
 	[ -n "$jump" ] && cmd="$cmd -j $jump"	
 	config_get command "$cfg" command
 	[ -n "$command" ] && cmd="$cmd $command"	
 	iptables $cmd
 }
 start() {
 	### Create subchains
 	iptables -N luci_fw_input
 	iptables -N luci_fw_output
 	iptables -N luci_fw_forward
 	iptables -t nat -N luci_fw_prerouting
 	iptables -t nat -N luci_fw_postrouting
 	### Hook in the chains
 	iptables -A input_rule -j luci_fw_input
 	iptables -A output_rule -j luci_fw_output
 	iptables -A forwarding_rule -j luci_fw_forward
 	iptables -t nat -A prerouting_rule -j luci_fw_prerouting
 	iptables -t nat -A postrouting_rule -j luci_fw_postrouting
 	### Scan network interfaces
 	include /lib/network
 	scan_interfaces
 	### Read chains from config
 	config_load luci_fw
 	config_foreach apply_rule rule
 	config_foreach apply_portfw portfw
 	config_foreach apply_routing routing
 }
 stop() {
 	### Hook out the chains
 	iptables -D input_rule -j luci_fw_input
 	iptables -D output_rule -j luci_fw_output
 	iptables -D forwarding_rule -j luci_fw_forward
 	iptables -t nat -D prerouting_rule -j luci_fw_prerouting
 	iptables -t nat -D postrouting_rule -j luci_fw_postrouting	
 	### Clear subchains
 	iptables -F luci_fw_input
 	iptables -F luci_fw_output
 	iptables -F luci_fw_forward
 	iptables -t nat -F luci_fw_prerouting
 	iptables -t nat -F luci_fw_postrouting
 	### Delete subchains
 	iptables -X luci_fw_input
 	iptables -X luci_fw_output
 	iptables -X luci_fw_forward
 	iptables -t nat -X luci_fw_prerouting
 	iptables -t nat -X luci_fw_postrouting
 }
--- a/contrib/package/luci/Makefile
+++ b/contrib/package/luci/Makefile
@ -354,7 +354,7 @@ endef
 define Package/luci-app-firewall
  $(call Package/luci/webtemplate)
-  DEPENDS+=+luci-admin-core
+  DEPENDS+=+luci-admin-core +firewall
  TITLE:=Firewall and Portforwarding application
 endef
--- a/libs/web/root/etc/config/luci
+++ b/libs/web/root/etc/config/luci
@ -19,15 +19,15 @@ config extern flash_keep
 	option firewall	"/etc/firewall.user"
 config event uci_oncommit
-	option network		"/sbin/luci-reload network firewall luci_fw dnsmasq"
+	option network		"/sbin/luci-reload network firewall dnsmasq"
-	option wireless		"/sbin/luci-reload network firewall luci_fw dnsmasq"
+	option wireless		"/sbin/luci-reload network firewall dnsmasq"
 	option olsr			"/sbin/luci-reload olsrd"
 	option dhcp			"/sbin/luci-reload dnsmasq"
 	option dropbear		"/sbin/luci-reload dropbear"
 	option httpd		"/sbin/luci-reload httpd"
 	option fstab		"/sbin/luci-reload fstab"
 	option qos			"/sbin/luci-reload qos"
-	option luci_fw		"/sbin/luci-reload luci_fw"
+	option firewall		"/sbin/luci-reload firewall"
 	option luci_ethers	"/sbin/luci-reload luci_ethers dnsmasq"
 	option luci_splash	"/sbin/luci-reload luci_splash"
 	option upnpd		"/etc/init.d/miniupnpd enabled && /sbin/luci-reload miniupnpd || /etc/init.d/miniupnpd stop"