icwmp,twamp: Fix zone name in firewall rules

2025-12-10 07:44:50 +01:00 · 2025-06-09 16:53:48 +05:30 · 2025-06-09 16:53:48 +05:30 · 57ae4eb344
commit 57ae4eb344
parent dc79aa56f9
3 changed files with 140 additions and 19 deletions
--- a/icwmp/files/etc/icwmpd/firewall.cwmp
+++ b/icwmp/files/etc/icwmpd/firewall.cwmp
@ -1,14 +1,43 @@
 #!/bin/sh

+. /lib/functions.sh
+
+ZONE_NAME_FILE="/tmp/cwmp_fw_zone"
+
 #created by the icwmp package
 log() {
 	echo "${@}"|logger -t firewall.cwmp -p info
 }

+collect_zone_name() {
+	local name network
+
+	config_get name "${1}" name ""
+	if [ -z "${name}" ]; then
+		return
+	fi
+
+	config_get network "${1}" network ""
+	for i in ${network}; do
+		var="${i}_zone"
+		echo "${var}=${name}" >> "${ZONE_NAME_FILE}"
+	done
+}
+
+load_zone_names() {
+	config_load firewall
+	config_foreach collect_zone_name zone
+}
+
 get_firewall_zone() {
-	zone="$(uci show firewall|grep network|grep -w "${1}"|cut -d. -f 2)"
-	zone="${zone:-wan}" # defaults to wan zone
-	echo "$zone"
+	if [ ! -f "${ZONE_NAME_FILE}" ]; then
+		echo ""
+		return
+	fi
+
+	var="${1}_zone="
+	name="$(cat ${ZONE_NAME_FILE} | grep ${var} | cut -d'=' -f 2)"
+	echo "${name}"
 }

 cleanup_upstream_rules() {
@ -169,4 +198,6 @@ configure_connection_req_rules() {
 	fi
 }

+load_zone_names
 configure_connection_req_rules "$@"
+rm -f "${ZONE_NAME_FILE}"
--- a/twamp/files/etc/firewall.twamp
+++ b/twamp/files/etc/firewall.twamp
@ -1,6 +1,9 @@
 #!/bin/sh

 . /lib/functions.sh
+
+ZONE_NAME_FILE="/tmp/twamp_fw_zone"
+
 #created by the icwmp package
 log() {
 	echo "${@}"|logger -t firewall.twamp -p info
@ -10,6 +13,37 @@ if [ ! -f "/etc/config/twamp" ]; then
 	exit 0;
 fi

+collect_zone_name() {
+	local name network
+
+	config_get name "${1}" name ""
+	if [ -z "${name}" ]; then
+		return
+	fi
+
+	config_get network "${1}" network ""
+	for i in ${network}; do
+		var="${i}_zone"
+		echo "${var}=${name}" >> "${ZONE_NAME_FILE}"
+	done
+}
+
+load_zone_names() {
+	config_load firewall
+	config_foreach collect_zone_name zone
+}
+
+get_firewall_zone() {
+	if [ ! -f "${ZONE_NAME_FILE}" ]; then
+		echo ""
+		return
+	fi
+
+	var="${1}_zone="
+	name="$(cat ${ZONE_NAME_FILE} | grep ${var} | cut -d'=' -f 2)"
+	echo "${name}"
+}
+
 configure_firewall() {
 	local enable port interface

@ -20,29 +54,44 @@ configure_firewall() {
 		return 0;
 	fi

-	iptables -w 1 -nL zone_"${interface}"_input 2>/dev/null 1>&2
+	zone_name="$(get_firewall_zone ${interface})"
+	if [ -z "${zone_name}" ]; then
+		log "Rule can not be added without zone name for interface ${interface}"
+		return
+	fi
+
+	iptables -w 1 -nL zone_"${zone_name}"_input 2>/dev/null 1>&2
 	if [ "$?" -eq 0 ]; then
-		iptables -w 1 -I zone_"${interface}"_input -p udp --dport "${port}" -j ACCEPT -m comment --comment "TWAMP reflector port"
+		iptables -w 1 -I zone_"${zone_name}"_input -p udp --dport "${port}" -j ACCEPT -m comment --comment "TWAMP reflector port"
 	fi
 }

 delete_rule() {
-        while iptables -w 1 -nL zone_"${1}"_input --line-numbers 2>/dev/null | grep "TWAMP reflector port"; do
-		rule_num="$(iptables -w 1 -nL zone_"${1}"_input --line-numbers | grep "TWAMP reflector port" | head -1|awk '{print $1}')"
+        zone_name="$(get_firewall_zone ${1})"
+        if [ -z "${zone_name}" ]; then
+                return
+        fi
+
+        while iptables -w 1 -nL zone_"${zone_name}"_input --line-numbers 2>/dev/null | grep "TWAMP reflector port"; do
+		rule_num="$(iptables -w 1 -nL zone_"${zone_name}"_input --line-numbers | grep "TWAMP reflector port" | head -1|awk '{print $1}')"
 		if [ -n "${rule_num}" ]; then
-			iptables -w 1 -D zone_"${1}"_input "${rule_num}";
+			iptables -w 1 -D zone_"${zone_name}"_input "${rule_num}";
 		fi
 	done
 }

 # Loop through all interfaces and delete the twamp reflector rule from interface's input chain
+load_zone_names
+
 config_load network
 config_foreach delete_rule interface

 config_load twamp
 config_get twamp_enable twamp enable "0"
 if [ "${twamp_enable}" -eq "0" ]; then
+	rm -f "${ZONE_NAME_FILE}"
 	exit 0;
 fi

 config_foreach configure_firewall twamp_reflector
+rm -f "${ZONE_NAME_FILE}"
--- a/userinterface/files/etc/firewall.userinterface
+++ b/userinterface/files/etc/firewall.userinterface
@ -3,6 +3,7 @@
 . /lib/functions.sh

 IDENTIFIER="UI-REMOTE-ACCESS-WAN"
+ZONE_NAME_FILE="/tmp/ui_fw_zone"

 log() {
 	echo "${@}"|logger -t firewall.userinterface -p info
@ -18,6 +19,37 @@ exec_cmd() {
 	fi
 }

+collect_zone_name() {
+	local name network
+
+	config_get name "${1}" name ""
+	if [ -z "${name}" ]; then
+		return
+	fi
+
+	config_get network "${1}" network ""
+	for i in ${network}; do
+		var="${i}_zone"
+		echo "${var}=${name}" >> "${ZONE_NAME_FILE}"
+	done
+}
+
+load_zone_names() {
+	config_load firewall
+	config_foreach collect_zone_name zone
+}
+
+get_firewall_zone() {
+	if [ ! -f "${ZONE_NAME_FILE}" ]; then
+		echo ""
+		return
+	fi
+
+	var="${1}_zone="
+	name="$(cat ${ZONE_NAME_FILE} | grep ${var} | cut -d'=' -f 2)"
+	echo "${name}"
+}
+
 delete_ui_firewall_rules() {
 	input_chains=$(iptables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
 	output_chains=$(iptables -w 1 -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
@ -81,26 +113,31 @@ configure_ui_firewall_rule() {
 			return 0
 		fi

-		zone="zone_${interface}_input"
-		iptables -w 1 -t filter -nL ${zone} 2>/dev/null 1>&2
-		if [ "$?" -eq 0 ]; then
-			iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
+		zone_name="$(get_firewall_zone ${interface})"
+		if [ -z "${zone_name}" ]; then
+			return 0
 		fi

-		ip6tables -w 1 -t filter -nL ${zone} 2>/dev/null 1>&2
+		chain="zone_${zone_name}_input"
+		iptables -w 1 -t filter -nL ${chain} 2>/dev/null 1>&2
 		if [ "$?" -eq 0 ]; then
-			ip6tables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
+			iptables -w 1 -I "${chain}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
 		fi

-		zone="zone_${interface}_output"
-		iptables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
+		ip6tables -w 1 -t filter -nL ${chain} 2>/dev/null 1>&2
 		if [ "$?" -eq 0 ]; then
-			iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
+			ip6tables -w 1 -I "${chain}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
 		fi

-		ip6tables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
+		chain="zone_${zone_name}_output"
+		iptables -w 1 -t filter -nL "${chain}" 2>/dev/null 1>&2
 		if [ "$?" -eq 0 ]; then
-			ip6tables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
+			iptables -w 1 -I "${chain}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
+		fi
+
+		ip6tables -w 1 -t filter -nL "${chain}" 2>/dev/null 1>&2
+		if [ "$?" -eq 0 ]; then
+			ip6tables -w 1 -I "${chain}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
 		fi
 	fi
 }
@ -108,6 +145,8 @@ configure_ui_firewall_rule() {
 # Delete existing remote access rules
 delete_ui_firewall_rules

+load_zone_names
+
 config_load userinterface
 config_get_bool serv_enable global enable 1

@ -115,3 +154,5 @@ if [ "${serv_enable}" -eq "1" ]; then
 	# Configure the User Interface rule
 	config_foreach configure_ui_firewall_rule http_access
 fi
+
+rm -f "${ZONE_NAME_FILE}"