Redesigned firewall configuration

applications/luci-fw/luasrc/controller/luci_fw/luci_fw.lua

@@ -7,11 +7,14 @@ function index()
 	local nodes = {}
 
 	table.insert(nodes, entry({"admin", "network", "firewall"}, alias("admin", "network", "firewall", "zones"), i18n("fw_fw"), 60))
-	table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/general"), i18n("fw_zones"), 10))
-	table.insert(nodes, entry({"admin", "network", "firewall", "portfw"}, cbi("luci_fw/portfw"), i18n("fw_portfw"), 20))	
-	table.insert(nodes, entry({"admin", "network", "firewall", "forwarding"}, cbi("luci_fw/routing"), i18n("fw_forwarding"), 30))
-	table.insert(nodes, entry({"admin", "network", "firewall", "rules"}, cbi("luci_fw/firewall"), i18n("fw_rules"), 40))	
-	table.insert(nodes, entry({"admin", "network", "firewall", "customfwd"}, cbi("luci_fw/customfwd"), i18n("fw_custfwd"), 50))	
+	table.insert(nodes, entry({"admin", "network", "firewall", "zones"}, cbi("luci_fw/zones"), i18n("fw_zones"), 10))
+	table.insert(nodes, entry({"admin", "network", "firewall", "redirection"}, cbi("luci_fw/redirect"), i18n("fw_redirect"), 30))	
+	table.insert(nodes, entry({"admin", "network", "firewall", "traffic"}, cbi("luci_fw/traffic"), i18n("fw_traffic"), 20))
+		
+	table.insert(nodes, entry({"admin", "network", "firewall", "rule"}, cbi("luci_fw/trule")))
+	nodes[#nodes].leaf = true		
+	table.insert(nodes, entry({"admin", "network", "firewall", "redirect"}, cbi("luci_fw/rrule")))
+	nodes[#nodes].leaf = true	
 	
 	table.insert(nodes, entry({"mini", "network", "portfw"}, cbi("luci_fw/miniportfw"), i18n("fw_portfw", "Portweiterleitung"), 70))
 	

applications/luci-fw/luasrc/i18n/luci-fw.de.lua

@@ -1,12 +1,17 @@
 fw_portfw = 'Portweiterleitung'
-fw_forwarding = 'Zone-zu-Zone Weiterleitung'
+fw_redirect = 'Umleitungen'
+fw_redirect_desc = 'Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern.'
+fw_forwarding = 'Zone-zu-Zone Verkehr'
 fw_fw = 'Firewall'
 fw_zone = 'Zone'
 fw_zones = 'Zonen'
 fw_custfwd = 'Erweiterte Weiterleitung'
-fw_rules = 'Regeln für eingehenden Verkehr'
-fw_rules1 = 'An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren.'
+firewall_rule = 'Erweiterte Regeln'
+firewall_rule_desc = 'Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.'
 fw_fw1 = 'Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen.'
+fw_src = 'Quelle'
+fw_dest = 'Ziel'
+fw_traffic = 'Verkehrskontrolle'
 firewall_rule_src = 'Eingangszone'
 firewall_rule_dest = 'Ausgangszone'
 firewall_rule_srcip = 'Quelladresse'
@@ -26,6 +31,8 @@ firewall_redirect_destip = 'Interne Adresse'
 firewall_redirect_destip_desc = 'IP-Adresse'
 firewall_redirect_destport = 'Interner Port (optional)'
 firewall_redirect_destport_desc = 'Port od. Erster-Letzter Port'
+firewall_redirect_srcip = 'Quelladresse'
+firewall_redirect_srcmac = 'Quell-MAC-Adresse'
 fw_forwarding1 = 'An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.'
 firewall_forwarding_src = 'Eingang'
 firewall_forwarding_dest = 'Ausgang'

applications/luci-fw/luasrc/i18n/luci-fw.de.xml

@@ -3,14 +3,19 @@
 <i18n:msgs xmlns:i18n="http://luci.freifunk-halle.net/2008/i18n#" xmlns="http://www.w3.org/1999/xhtml">
 
 <i18n:msg xml:id="fw_portfw">Portweiterleitung</i18n:msg>
-<i18n:msg xml:id="fw_forwarding">Zone-zu-Zone Weiterleitung</i18n:msg>
+<i18n:msg xml:id="fw_redirect">Umleitungen</i18n:msg>
+<i18n:msg xml:id="fw_redirect_desc">Umleitungen erlauben es das Ziel von weitergeleiteten Paketen zu verändern.</i18n:msg>
+<i18n:msg xml:id="fw_forwarding">Zone-zu-Zone Verkehr</i18n:msg>
 <i18n:msg xml:id="fw_fw">Firewall</i18n:msg>
 <i18n:msg xml:id="fw_zone">Zone</i18n:msg>
 <i18n:msg xml:id="fw_zones">Zonen</i18n:msg>
 <i18n:msg xml:id="fw_custfwd">Erweiterte Weiterleitung</i18n:msg>
-<i18n:msg xml:id="fw_rules">Regeln für eingehenden Verkehr</i18n:msg>
-<i18n:msg xml:id="fw_rules1">An dieser Stelle können benutzerdefinierte Firewallregeln eingestellt werden um den Netzverkehr zu kontrollieren.</i18n:msg>
+<i18n:msg xml:id="firewall_rule">Erweiterte Regeln</i18n:msg>
+<i18n:msg xml:id="firewall_rule_desc">Mit erweiterten Regeln kann die Firewall an die eigenen Bedürfnisse angepasst werden. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.</i18n:msg>
 <i18n:msg xml:id="fw_fw1">Die Firewall erstellt Netzwerkzonen über bestimmte Netzwerkschnittstellen um den Netzverkehr zu trennen.</i18n:msg>
+<i18n:msg xml:id="fw_src">Quelle</i18n:msg>
+<i18n:msg xml:id="fw_dest">Ziel</i18n:msg>
+<i18n:msg xml:id="fw_traffic">Verkehrskontrolle</i18n:msg>
 <i18n:msg xml:id="firewall_rule_src">Eingangszone</i18n:msg>
 <i18n:msg xml:id="firewall_rule_dest">Ausgangszone</i18n:msg>
 <i18n:msg xml:id="firewall_rule_srcip">Quelladresse</i18n:msg>
@@ -31,6 +36,9 @@
 <i18n:msg xml:id="firewall_redirect_destip_desc">IP-Adresse</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destport">Interner Port (optional)</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destport_desc">Port od. Erster-Letzter Port</i18n:msg>
+<i18n:msg xml:id="firewall_redirect_srcip">Quelladresse</i18n:msg>
+<i18n:msg xml:id="firewall_redirect_srcmac">Quell-MAC-Adresse</i18n:msg>
+
 
 <i18n:msg xml:id="fw_forwarding1">An dieser Stelle kann festgelegt zwischen welchen Zonen Netzverkehr hin und her fließen kann. Es werden nur neue Verbindungen betrachtet. Pakete, die zu bereits bestehenden Verbindungen gehören werden automatisch akzeptiert.</i18n:msg>
 <i18n:msg xml:id="firewall_forwarding_src">Eingang</i18n:msg>

applications/luci-fw/luasrc/i18n/luci-fw.en.lua

@@ -1,12 +1,14 @@
 fw_portfw = 'Port forwarding'
-fw_forwarding = 'Zone-to-Zone forwarding'
+fw_redirect = 'Traffic Redirection'
+fw_redirect_desc = 'Traffic redirection allows you to change the destination address of forwarded packets.'
+fw_forwarding = 'Zone-to-Zone traffic'
 fw_fw = 'Firewall'
 fw_zone = 'Zone'
 fw_zones = 'Zones'
 fw_custfwd = 'Custom forwarding'
-fw_rules = 'Incoming traffic rules'
-fw_rules1 = 'Here you can create custom firewall rules to control your network traffic.'
 fw_fw1 = 'The firewall creates zones over your network interfaces to control network traffic flow.'
+firewall_rule = 'Advanced Rules'
+firewall_rule_desc = 'Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall.'
 firewall_rule_src = 'Input Zone'
 firewall_rule_dest = 'Output Zone'
 firewall_rule_srcip = 'Source address'
@@ -18,10 +20,15 @@ firewall_rule_target = 'Action'
 fw_accept = 'accept'
 fw_reject = 'reject'
 fw_drop = 'drop'
+fw_src = 'Source'
+fw_dest = 'Destination'
+fw_traffic = 'Traffic Control'
 fw_portfw1 = 'Port forwarding allows to provide network services in the internal network to an external network.'
 firewall_redirect_src_desc = 'External Zone'
 firewall_redirect_srcdport = 'External port'
 firewall_redirect_srcdport_desc = 'port or range as first-last'
+firewall_redirect_srcip = 'Source address'
+firewall_redirect_srcmac = 'Source MAC'
 firewall_redirect_destip = 'Internal address'
 firewall_redirect_destip_desc = 'IP-Address'
 firewall_redirect_destport = 'Internal port (optional)'

applications/luci-fw/luasrc/i18n/luci-fw.en.xml

@@ -3,14 +3,16 @@
 <i18n:msgs xmlns:i18n="http://luci.freifunk-halle.net/2008/i18n#" xmlns="http://www.w3.org/1999/xhtml">
 
 <i18n:msg xml:id="fw_portfw">Port forwarding</i18n:msg>
-<i18n:msg xml:id="fw_forwarding">Zone-to-Zone forwarding</i18n:msg>
+<i18n:msg xml:id="fw_redirect">Traffic Redirection</i18n:msg>
+<i18n:msg xml:id="fw_redirect_desc">Traffic redirection allows you to change the destination address of forwarded packets.</i18n:msg>
+<i18n:msg xml:id="fw_forwarding">Zone-to-Zone traffic</i18n:msg>
 <i18n:msg xml:id="fw_fw">Firewall</i18n:msg>
 <i18n:msg xml:id="fw_zone">Zone</i18n:msg>
 <i18n:msg xml:id="fw_zones">Zones</i18n:msg>
 <i18n:msg xml:id="fw_custfwd">Custom forwarding</i18n:msg>
-<i18n:msg xml:id="fw_rules">Incoming traffic rules</i18n:msg>
-<i18n:msg xml:id="fw_rules1">Here you can create custom firewall rules to control your network traffic.</i18n:msg>
 <i18n:msg xml:id="fw_fw1">The firewall creates zones over your network interfaces to control network traffic flow.</i18n:msg>
+<i18n:msg xml:id="firewall_rule">Advanced Rules</i18n:msg>
+<i18n:msg xml:id="firewall_rule_desc">Advanced rules let you customize the firewall to your needs. Only new connections will be matched. Packets belonging to already open connections are automatically allowed to pass the firewall.</i18n:msg>
 <i18n:msg xml:id="firewall_rule_src">Input Zone</i18n:msg>
 <i18n:msg xml:id="firewall_rule_dest">Output Zone</i18n:msg>
 <i18n:msg xml:id="firewall_rule_srcip">Source address</i18n:msg>
@@ -22,11 +24,16 @@
 <i18n:msg xml:id="fw_accept">accept</i18n:msg>
 <i18n:msg xml:id="fw_reject">reject</i18n:msg>
 <i18n:msg xml:id="fw_drop">drop</i18n:msg>
+<i18n:msg xml:id="fw_src">Source</i18n:msg>
+<i18n:msg xml:id="fw_dest">Destination</i18n:msg>
+<i18n:msg xml:id="fw_traffic">Traffic Control</i18n:msg>
 
 <i18n:msg xml:id="fw_portfw1">Port forwarding allows to provide network services in the internal network to an external network.</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_src_desc">External Zone</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_srcdport">External port</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_srcdport_desc">port or range as first-last</i18n:msg>
+<i18n:msg xml:id="firewall_redirect_srcip">Source address</i18n:msg>
+<i18n:msg xml:id="firewall_redirect_srcmac">Source MAC</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destip">Internal address</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destip_desc">IP-Address</i18n:msg>
 <i18n:msg xml:id="firewall_redirect_destport">Internal port (optional)</i18n:msg>

applications/luci-fw/luasrc/model/cbi/luci_fw/redirect.lua

@@ -12,13 +12,14 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc"))
 
 
 s = m:section(TypedSection, "redirect", "")
 s.template  = "cbi/tblsection"
 s.addremove = true
 s.anonymous = true
+s.extedit   = luci.dispatcher.build_url("admin", "network", "firewall", "redirect", "%s")
 
 name = s:option(Value, "_name", translate("name"), translate("cbi_optional"))
 name.size = 10

applications/luci-fw/luasrc/model/cbi/luci_fw/routing.lua

@@ -1,30 +0,0 @@
---[[
-LuCI - Lua Configuration Interface
-
-Copyright 2008 Steven Barth <steven@midlink.org>
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-$Id$
-]]--
-m = Map("firewall", translate("fw_forwarding"), translate("fw_forwarding1"))
-
-s = m:section(TypedSection, "forwarding", "")
-s.template  = "cbi/tblsection"
-s.addremove = true
-s.anonymous = true
-
-iface = s:option(ListValue, "src")
-oface = s:option(ListValue, "dest")
-
-luci.model.uci.cursor():foreach("firewall", "zone",
-	function (section)
-			iface:value(section.name)
-			oface:value(section.name)
-	end)
-
-return m

applications/luci-fw/luasrc/model/cbi/luci_fw/rrule.lua

@@ -12,11 +12,12 @@ You may obtain a copy of the License at
 $Id$
 ]]--
 require("luci.sys")
-m = Map("firewall", translate("fw_portfw"), translate("fw_portfw1"))
+arg[1] = arg[1] or ""
+
+m = Map("firewall", translate("fw_redirect"), translate("fw_redirect_desc"))
 
 
-s = m:section(TypedSection, "redirect", "")
-s.addremove = true
+s = m:section(NamedSection, arg[1], "redirect", "")
 s.anonymous = true
 
 name = s:option(Value, "_name", translate("name"))
@@ -30,10 +31,10 @@ luci.model.uci.cursor():foreach("firewall", "zone",
 		iface:value(section.name)
 	end)
 	
-s:option(Value, "src_ip").optional = true
-s:option(Value, "src_mac").optional = true
+s:option(Value, "src_ip", translate("firewall_redirect_srcip")).optional = true
+s:option(Value, "src_mac", translate("firewall_redirect_srcmac")).optional = true
 
-sport = s:option(Value, "src_port")
+sport = s:option(Value, "src_port", translate("firewall_redirect_srcport"))
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
@@ -46,19 +47,19 @@ proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("tcpudp", "TCP+UDP")
 
-dport = s:option(Value, "src_dport")
+dport = s:option(Value, "src_dport", translate("firewall_redirect_srcdport"))
 dport.size = 5
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 dport:depends("proto", "tcpudp")
 
-to = s:option(Value, "dest_ip")
+to = s:option(Value, "dest_ip", translate("firewall_redirect_destip"))
 for i, dataset in ipairs(luci.sys.net.arptable()) do
 	to:value(dataset["IP address"])
 end
 
-toport = s:option(Value, "dest_port")
+toport = s:option(Value, "dest_port", translate("firewall_redirect_destport"))
 toport.optional = true
 toport.size = 5
 

applications/luci-fw/luasrc/model/cbi/luci_fw/traffic.lua

@@ -0,0 +1,80 @@
+--[[
+LuCI - Lua Configuration Interface
+
+Copyright 2008 Steven Barth <steven@midlink.org>
+Copyright 2008 Jo-Philipp Wich <xm@leipzig.freifunk.net>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+$Id$
+]]--
+
+m = Map("firewall", translate("fw_traffic"))
+s = m:section(TypedSection, "forwarding", translate("fw_forwarding"), translate("fw_forwarding1"))
+s.template  = "cbi/tblsection"
+s.addremove = true
+s.anonymous = true
+
+iface = s:option(ListValue, "src", translate("fw_src"))
+oface = s:option(ListValue, "dest", translate("fw_dest"))
+
+luci.model.uci.cursor():foreach("firewall", "zone",
+	function (section)
+			iface:value(section.name)
+			oface:value(section.name)
+	end)
+
+
+
+s = m:section(TypedSection, "rule")
+s.addremove = true
+s.anonymous = true
+s.template = "cbi/tblsection"
+s.extedit   = luci.dispatcher.build_url("admin", "network", "firewall", "rule", "%s")
+
+local created = nil
+
+function s.create(self, section)
+	created = TypedSection.create(self, section)
+end
+
+function s.parse(self, ...)
+	TypedSection.parse(self, ...)
+	if created then
+		m.uci:save("firewall")
+		luci.http.redirect(luci.dispatcher.build_url(
+			"admin", "network", "firewall", "rule", created
+		))
+	end
+end
+
+s:option(DummyValue, "_name", translate("name"))
+s:option(DummyValue, "proto", translate("protocol"))
+
+src = s:option(DummyValue, "src", translate("fw_src"))
+function src.cfgvalue(self, s)
+	return "%s:%s:%s" % {
+		self.map:get(s, "src") or "*",
+		self.map:get(s, "src_ip") or "0.0.0.0/0",
+		self.map:get(s, "src_port") or "*"
+	} 
+end
+
+dest = s:option(DummyValue, "dest", translate("fw_dest"))
+function dest.cfgvalue(self, s)
+	return "%s:%s:%s" % {
+		self.map:get(s, "dest") or "*",
+		self.map:get(s, "dest_ip") or "0.0.0.0/0",
+		self.map:get(s, "dest_port") or "*"
+	} 
+end
+
+
+s:option(DummyValue, "target")
+
+
+return m

applications/luci-fw/luasrc/model/cbi/luci_fw/trule.lua

@@ -11,16 +11,19 @@ You may obtain a copy of the License at
 
 $Id$
 ]]--
-m = Map("firewall", translate("fw_rules"), translate("fw_rules1"))
+arg[1] = arg[1] or ""
+m = Map("firewall", translate("firewall_rule"), translate("firewall_rule_desc"))
 
-s = m:section(TypedSection, "rule", "")
-s.addremove = true
+s = m:section(NamedSection, arg[1], "rule", "")
 s.anonymous = true
 
-iface = s:option(ListValue, "src")
+name = s:option(Value, "_name", translate("name")..translate("cbi_optional"))
+name.rmempty = true
+
+iface = s:option(ListValue, "src", translate("firewall_rule_src"))
 iface.rmempty = true
 
-oface = s:option(ListValue, "dest")
+oface = s:option(ListValue, "dest", translate("firewall_rule_dest"))
 oface:value("")
 oface.optional = true
 
@@ -38,23 +41,23 @@ proto:value("tcp", "TCP")
 proto:value("udp", "UDP")
 proto:value("icmp", "ICMP")
 
-s:option(Value, "src_ip").optional = true
-s:option(Value, "dest_ip").optional = true
-s:option(Value, "src_mac").optional = true
+s:option(Value, "src_ip", translate("firewall_rule_srcip")).optional = true
+s:option(Value, "dest_ip", translate("firewall_rule_destip")).optional = true
+s:option(Value, "src_mac", translate("firewall_rule_srcmac")).optional = true
 
-sport = s:option(Value, "src_port")
+sport = s:option(Value, "src_port", translate("firewall_rule_srcport"))
 sport.optional = true
 sport:depends("proto", "tcp")
 sport:depends("proto", "udp")
 sport:depends("proto", "tcpudp")
 
-dport = s:option(Value, "dest_port")
+dport = s:option(Value, "dest_port", translate("firewall_rule_destport"))
 dport.optional = true
 dport:depends("proto", "tcp")
 dport:depends("proto", "udp")
 dport:depends("proto", "tcpudp")
 
-jump = s:option(ListValue, "target")
+jump = s:option(ListValue, "target", translate("firewall_rule_target"))
 jump.rmempty = true
 jump.default = "ACCEPT"
 jump:value("DROP", translate("fw_drop"))