mirror of
https://dev.iopsys.eu/feed/iopsys.git
synced 2025-12-10 07:44:50 +01:00
bbfdmd: added support of Device.Firewall.Service.
This commit is contained in:
Suvendhu Hansa
Vivek Kumar Dutta
parent
28fdf33411
commit
b7ea6fdfcf
3 changed files with 182 additions and 4 deletions
|
|
@ -5,11 +5,11 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=bbfdm
|
||||
PKG_VERSION:=1.3.36
|
||||
PKG_VERSION:=1.3.37
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
|
||||
PKG_SOURCE_VERSION:=8c6aa34a1b7ce7ea8eae7531518e979e416f314e
|
||||
PKG_SOURCE_VERSION:=0be5a1634c03f14bbbc2fc5085adaa188e95efba
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
|
||||
PKG_MIRROR_HASH:=skip
|
||||
|
||||
|
|
@ -174,9 +174,14 @@ define Package/libbbfdm/default/install
|
|||
$(INSTALL_DIR) $(1)/lib
|
||||
$(INSTALL_DIR) $(1)/etc/bbfdm
|
||||
$(INSTALL_DIR) $(1)/etc/bbfdm/dmmap
|
||||
$(INSTALL_DIR) $(1)/etc/uci-defaults
|
||||
$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
|
||||
$(CP) $(PKG_BUILD_DIR)/libbbfdm/libbbfdm.so $(1)/lib/
|
||||
$(INSTALL_DATA) ./files/lib/upgrade/keep.d/bbf $(1)/lib/upgrade/keep.d/bbf
|
||||
$(INSTALL_BIN) ./files/etc/uci-defaults/95-portmap-firewall $(1)/etc/uci-defaults/95-portmap-firewall
|
||||
$(INSTALL_BIN) ./files/etc/uci-defaults/97-firewall-service $(1)/etc/uci-defaults/97-firewall-service
|
||||
$(INSTALL_BIN) ./files/etc/firewall.portmap $(1)/etc/firewall.portmap
|
||||
$(INSTALL_BIN) ./files/etc/firewall.service $(1)/etc/firewall.service
|
||||
ifeq ($(CONFIG_BBF_TR143),y)
|
||||
$(INSTALL_DIR) $(1)/usr/share/bbfdm
|
||||
$(INSTALL_DIR) $(1)/usr/libexec/rpcd
|
||||
|
|
@ -221,9 +226,7 @@ define Package/userinterface/install
|
|||
$(INSTALL_BIN) ./files/etc/init.d/userinterface $(1)/etc/init.d/userinterface
|
||||
$(INSTALL_BIN) ./files/etc/uci-defaults/93-userinterface-firewall $(1)/etc/uci-defaults/93-userinterface-firewall
|
||||
$(INSTALL_BIN) ./files/etc/uci-defaults/94-userinterface-json $(1)/etc/uci-defaults/94-userinterface-json
|
||||
$(INSTALL_BIN) ./files/etc/uci-defaults/95-portmap-firewall $(1)/etc/uci-defaults/95-portmap-firewall
|
||||
$(INSTALL_BIN) ./files/etc/firewall.userinterface $(1)/etc/firewall.userinterface
|
||||
$(INSTALL_BIN) ./files/etc/firewall.portmap $(1)/etc/firewall.portmap
|
||||
endef
|
||||
|
||||
Package/libbbfdm/prerm = $(Package/libbbfdm/default/prerm)
|
||||
|
|
|
|||
163
bbfdm/files/etc/firewall.service
Executable file
163
bbfdm/files/etc/firewall.service
Executable file
|
|
@ -0,0 +1,163 @@
|
|||
#!/bin/sh
|
||||
|
||||
. /lib/functions.sh
|
||||
|
||||
log() {
|
||||
echo "${@}"|logger -t firewall.service -p info
|
||||
}
|
||||
|
||||
exec_cmd() {
|
||||
if ! eval "$*"; then
|
||||
log "Failed to run [$*]"
|
||||
echo "-1"
|
||||
return 0
|
||||
fi
|
||||
|
||||
echo "0"
|
||||
return 0
|
||||
}
|
||||
|
||||
add_iptable_rule() {
|
||||
chain_name=$1
|
||||
protocol=$2
|
||||
dest_port=$3
|
||||
icmp_type=$4
|
||||
family=$5
|
||||
src_prefix=$6
|
||||
action=$7
|
||||
res=-1
|
||||
|
||||
cmd="-I ${chain_name}"
|
||||
|
||||
if [ -n "${protocol}" ]; then
|
||||
cmd="${cmd} -p $protocol"
|
||||
|
||||
if [ "${protocol}" -eq 41 ] || [ "${protocol}" -eq 43 ] || [ "${protocol}" -eq 44 ] ||
|
||||
[ "${protocol}" -eq 58 ] || [ "${protocol}" -eq 59 ] || [ "${protocol}" -eq 60 ]; then
|
||||
# Explicit v6 protocols
|
||||
if [ "${family}" = "ipv4" ]; then
|
||||
echo $res
|
||||
return 0
|
||||
else
|
||||
family="ipv6"
|
||||
fi
|
||||
elif [ "${protocol}" -eq 1 ]; then
|
||||
# Explicit v4 protocols
|
||||
if [ "${family}" = "ipv6" ]; then
|
||||
echo $res
|
||||
return 0
|
||||
else
|
||||
family="ipv4"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Limitation:: iptables do not accept dport without specific protocol
|
||||
count=$(echo "${dest_port}" | sed -n "/-1/p" | wc -l)
|
||||
|
||||
if [ "${count}" -eq 0 ]; then
|
||||
# dest_port not contains -1 so need to have this match criteria
|
||||
count=$(echo "${dest_port}" | wc -w)
|
||||
if [ "${count}" -gt 1 ]; then
|
||||
# multiple ports present
|
||||
port=$(echo "${dest_port}" | sed "s/ /,/g")
|
||||
cmd="${cmd} -m multiport --dports ${port}"
|
||||
else
|
||||
cmd="${cmd} --dport ${dest_port}"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "${family}" = "ipv4" ] || [ "${family}" = "-1" ]; then
|
||||
if [ "${protocol}" -eq 1 ] && [ "${icmp_type}" -ge 0 ]; then
|
||||
cmd="${cmd} --icmp-type ${icmp_type}"
|
||||
fi
|
||||
|
||||
if [ -z "${src_prefix}" ]; then
|
||||
res=$(exec_cmd "iptables ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
|
||||
else
|
||||
#Add ipv4 sources if any
|
||||
src_list=""
|
||||
for src in $src_prefix; do
|
||||
ret=$(echo $src | grep ":" | wc -l)
|
||||
if [ "${ret}" -eq 0 ]; then
|
||||
src_list="$src,$src_list"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -n "$src_list" ]; then
|
||||
src_list=$(echo "${src_list}" | sed "s/,$//")
|
||||
res=$(exec_cmd "iptables -s $src_list ${cmd} -m comment --comment IPtables_service_rule -j ${action}")
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "${family}" = "ipv6" ] || [ "${family}" = "-1" ]; then
|
||||
if [ "${protocol}" -eq 58 ] && [ "${icmp_type}" -ge 0 ]; then
|
||||
cmd="${cmd} --icmpv6-type ${icmp_type}"
|
||||
fi
|
||||
|
||||
if [ -z "${src_prefix}" ]; then
|
||||
res=$(exec_cmd "ip6tables ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
|
||||
else
|
||||
#Add ipv6 sources if any
|
||||
src_list=""
|
||||
for src in $src_prefix; do
|
||||
ret=$(echo $src | grep ":" | wc -l)
|
||||
if [ "${ret}" -eq 1 ]; then
|
||||
src_list="$src,$src_list"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -n "$src_list" ]; then
|
||||
src_list=$(echo "${src_list}" | sed "s/,$//")
|
||||
res=$(exec_cmd "ip6tables -s $src_list ${cmd} -m comment --comment IP6tables_service_rule -j ${action}")
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
echo $res
|
||||
}
|
||||
|
||||
add_service() {
|
||||
local enable proto family dest_port interface target icmp_type
|
||||
|
||||
config_get enable "$1" enable "0"
|
||||
config_get icmp_type "$1" icmp_type "-1"
|
||||
config_get target "$1" target "Accept"
|
||||
config_get interface "$1" interface ""
|
||||
config_get family "$1" family "-1"
|
||||
config_get dest_port "$1" dest_port "-1"
|
||||
config_get proto "$1" proto "-1"
|
||||
config_get src_prefix "$1" src_prefix ""
|
||||
|
||||
if [ "${enable}" -eq 0 ] || [ -z "${interface}" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
action=$(echo "${target}" | tr a-z A-Z)
|
||||
chain_name="zone_${interface}_input"
|
||||
res=0
|
||||
|
||||
count=$(echo "${proto}" | sed -n "/-1/p" | wc -l)
|
||||
|
||||
if [ "${count}" -eq 0 ]; then
|
||||
# proto not contains -1 so need to have this match criteria
|
||||
for protocol in $proto; do
|
||||
res=$(add_iptable_rule "$chain_name" "$protocol" "$dest_port" "$icmp_type" "$family" "$src_prefix" "$action")
|
||||
done
|
||||
else
|
||||
# proto contains -1 so no need to have this match criteria
|
||||
res=$(add_iptable_rule "$chain_name" "" "$dest_port" "$icmp_type" "$family" "$src_prefix" "$action")
|
||||
fi
|
||||
|
||||
if [ "${res}" -ne 0 ]; then
|
||||
uci -q set firewall."${1}".status="Error"
|
||||
else
|
||||
uci -q set firewall."${1}".status=""
|
||||
fi
|
||||
|
||||
uci commit firewall
|
||||
}
|
||||
|
||||
config_load firewall
|
||||
config_foreach add_service "service"
|
||||
12
bbfdm/files/etc/uci-defaults/97-firewall-service
Normal file
12
bbfdm/files/etc/uci-defaults/97-firewall-service
Normal file
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
uci -q batch <<-EOT
|
||||
delete firewall.service_hook
|
||||
set firewall.service_hook=include
|
||||
set firewall.service_hook.path=/etc/firewall.service
|
||||
set firewall.service_hook.reload=1
|
||||
commit firewall
|
||||
EOT
|
||||
|
||||
exit 0
|
||||
|
||||
Loading…
Add table
Reference in a new issue