mirror of
https://dev.iopsys.eu/feed/iopsys.git
synced 2025-12-10 07:44:50 +01:00
bbf: added UserInterface.HTTPAccess.
This commit is contained in:
suvendhu
vdutta
parent
cd507fc16d
commit
c1d6a3f19e
6 changed files with 112 additions and 185 deletions
|
|
@ -5,11 +5,11 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=libbbfdm
|
||||
PKG_VERSION:=6.8.52
|
||||
PKG_VERSION:=6.9.0
|
||||
|
||||
PKG_SOURCE_PROTO:=git
|
||||
PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/bbf.git
|
||||
PKG_SOURCE_VERSION:=5dc37bfe0d80ada9c6e2d1ccb077276b0d69cb60
|
||||
PKG_SOURCE_VERSION:=bcda1bd606412b713fcea2660c0b47af703d6c9c
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
|
||||
PKG_MIRROR_HASH:=skip
|
||||
|
||||
|
|
@ -175,12 +175,12 @@ define Package/libbbfdm/default/prerm
|
|||
endef
|
||||
|
||||
define Package/userinterface/install
|
||||
$(INSTALL_DIR) $(1)/etc/bbfdm/json
|
||||
$(INSTALL_DIR) $(1)/etc/config
|
||||
$(INSTALL_DIR) $(1)/etc/uci-defaults
|
||||
$(INSTALL_DIR) $(1)/etc/init.d
|
||||
$(INSTALL_DATA) ./files/etc/bbfdm/json/UserInterface.json $(1)/etc/bbfdm/json/
|
||||
$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
|
||||
$(INSTALL_DATA) ./files/etc/config/userinterface $(1)/etc/config/userinterface
|
||||
$(INSTALL_DATA) ./files/lib/upgrade/keep.d/userinterface $(1)/lib/upgrade/keep.d/userinterface
|
||||
$(INSTALL_BIN) ./files/etc/init.d/userinterface $(1)/etc/init.d/userinterface
|
||||
$(INSTALL_BIN) ./files/etc/uci-defaults/93-userinterface-firewall $(1)/etc/uci-defaults/93-userinterface-firewall
|
||||
$(INSTALL_BIN) ./files/etc/firewall.userinterface $(1)/etc/firewall.userinterface
|
||||
|
|
|
|||
|
|
@ -1,117 +0,0 @@
|
|||
{
|
||||
"Device.UserInterface.": {
|
||||
"type": "object",
|
||||
"version": "2.0",
|
||||
"protocols": [
|
||||
"cwmp",
|
||||
"usp"
|
||||
],
|
||||
"access": false,
|
||||
"array": false,
|
||||
"Device.UserInterface.RemoteAccess.": {
|
||||
"type": "object",
|
||||
"version": "2.0",
|
||||
"protocols": [
|
||||
"cwmp",
|
||||
"usp"
|
||||
],
|
||||
"access": false,
|
||||
"array": false,
|
||||
"Enable": {
|
||||
"type": "boolean",
|
||||
"read": true,
|
||||
"write": true,
|
||||
"version": "2.0",
|
||||
"protocols": [
|
||||
"cwmp",
|
||||
"usp"
|
||||
],
|
||||
"mapping": [
|
||||
{
|
||||
"type": "uci",
|
||||
"uci": {
|
||||
"file": "userinterface",
|
||||
"section": {
|
||||
"name": "remote_access"
|
||||
},
|
||||
"option": {
|
||||
"name": "enable"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"Port": {
|
||||
"type": "unsignedInt",
|
||||
"read": true,
|
||||
"write": true,
|
||||
"version": "2.0",
|
||||
"protocols": [
|
||||
"cwmp",
|
||||
"usp"
|
||||
],
|
||||
"range": [
|
||||
{
|
||||
"max": 65535
|
||||
}
|
||||
],
|
||||
"mapping": [
|
||||
{
|
||||
"type": "uci",
|
||||
"uci": {
|
||||
"file": "userinterface",
|
||||
"section": {
|
||||
"name": "remote_access"
|
||||
},
|
||||
"option": {
|
||||
"name": "port"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"SupportedProtocols": {
|
||||
"type": "string",
|
||||
"read": true,
|
||||
"write": false,
|
||||
"version": "2.0",
|
||||
"protocols": [
|
||||
"cwmp",
|
||||
"usp"
|
||||
],
|
||||
"list": {
|
||||
"datatype": "string",
|
||||
"enumerations": [
|
||||
"HTTP",
|
||||
"HTTPS"
|
||||
]
|
||||
},
|
||||
"default": "HTTP"
|
||||
},
|
||||
"Protocol": {
|
||||
"type": "string",
|
||||
"read": true,
|
||||
"write": true,
|
||||
"version": "2.0",
|
||||
"protocols": [
|
||||
"cwmp",
|
||||
"usp"
|
||||
],
|
||||
"mapping": [
|
||||
{
|
||||
"type": "uci",
|
||||
"uci": {
|
||||
"file": "userinterface",
|
||||
"section": {
|
||||
"name": "remote_access"
|
||||
},
|
||||
"option": {
|
||||
"name": "protocol"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,6 +1,3 @@
|
|||
config userinterface 'remote_access'
|
||||
config userinterface 'global'
|
||||
option enable '0'
|
||||
option interface 'wan'
|
||||
option port '80'
|
||||
option protocol 'HTTP'
|
||||
|
||||
|
|
|
|||
|
|
@ -1,17 +1,14 @@
|
|||
#!/bin/sh
|
||||
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
. /lib/functions.sh
|
||||
|
||||
IDENTIFIER="REMOTE-ACCESS-WAN"
|
||||
IDENTIFIER="UI-REMOTE-ACCESS-WAN"
|
||||
|
||||
log() {
|
||||
echo "${@}"|logger -t firewall.userinterface -p info
|
||||
}
|
||||
|
||||
if [ ! -f "/etc/config/userinterface" ]; then
|
||||
if [ ! -f "/etc/config/userinterface" ] || [ ! -f "/etc/config/nginx" ]; then
|
||||
exit 0;
|
||||
fi
|
||||
|
||||
|
|
@ -21,65 +18,108 @@ exec_cmd() {
|
|||
fi
|
||||
}
|
||||
|
||||
configure_firewall_rule() {
|
||||
local enable port protocol gui_port
|
||||
local zone interface
|
||||
delete_ui_firewall_rules() {
|
||||
input_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
|
||||
output_chains=$(iptables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
|
||||
|
||||
config_load userinterface
|
||||
config_get_bool enable remote_access enable 1
|
||||
config_get port remote_access port
|
||||
config_get interface remote_access interface
|
||||
for chain in ${input_chains}; do
|
||||
CMD="iptables -w 1 -t filter -nL ${chain} --line-numbers"
|
||||
while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
|
||||
rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
|
||||
if [ -n "${rule_num}" ]; then
|
||||
exec_cmd iptables -w 1 -t filter -D "${chain}" "${rule_num}";
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ "${enable}" -eq "0" ] || [ -z "${port}" ] || [ -z "${interface}" ]; then
|
||||
return 0;
|
||||
fi
|
||||
for chain in ${output_chains}; do
|
||||
CMD="iptables -w 1 -t filter -nL ${chain} --line-numbers"
|
||||
while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
|
||||
rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
|
||||
if [ -n "${rule_num}" ]; then
|
||||
exec_cmd iptables -w 1 -t filter -D "${chain}" "${rule_num}";
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
zone="zone_${interface}_input"
|
||||
iptables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
|
||||
fi
|
||||
input6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+input$" | cut -d' ' -f 2)
|
||||
output6_chains=$(ip6tables -S | grep -E "^-N zone[a-zA-Z0-9_]+output$" | cut -d' ' -f 2)
|
||||
|
||||
zone="zone_${interface}_output"
|
||||
iptables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
|
||||
fi
|
||||
for chain in ${input6_chains}; do
|
||||
CMD="ip6tables -w 1 -t filter -nL ${chain} --line-numbers"
|
||||
while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
|
||||
rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
|
||||
if [ -n "${rule_num}" ]; then
|
||||
exec_cmd ip6tables -w 1 -t filter -D "${chain}" "${rule_num}";
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
for chain in ${output6_chains}; do
|
||||
CMD="ip6tables -w 1 -t filter -nL ${chain} --line-numbers"
|
||||
while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
|
||||
rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
|
||||
if [ -n "${rule_num}" ]; then
|
||||
exec_cmd ip6tables -w 1 -t filter -D "${chain}" "${rule_num}";
|
||||
fi
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
delete_firewall_rule() {
|
||||
local zone interface
|
||||
local CMD
|
||||
configure_ui_firewall_rule() {
|
||||
local sec="${1}"
|
||||
local enabled access interface
|
||||
local port=""
|
||||
|
||||
config_load userinterface
|
||||
config_get interface remote_access interface
|
||||
config_get_bool enabled "${sec}" uci_enable '1'
|
||||
config_get access "${sec}" uci_access ""
|
||||
config_get interface "${sec}" uci_interface ""
|
||||
|
||||
# Clean remote interface rules
|
||||
if [ -z "${interface}" ]; then
|
||||
return 0
|
||||
if [ "${enabled}" -eq "1" ] && [ "${access}" == "remote" ] && [ -n "${interface}" ]; then
|
||||
port_list=$(uci -q show nginx."${1}".listen|cut -d'=' -f 2|sed "s/'/ /g"|sed "s/\[\:\:\]\://g")
|
||||
for item in ${port_list}; do
|
||||
if [ -z "${item##[0-9]*}" ]; then
|
||||
port="${item}"
|
||||
break
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -z "${port}" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
zone="zone_${interface}_input"
|
||||
iptables -w 1 -t filter -nL ${zone} 2>/dev/null 1>&2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
|
||||
fi
|
||||
|
||||
ip6tables -w 1 -t filter -nL ${zone} 2>/dev/null 1>&2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
ip6tables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate NEW,ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
|
||||
fi
|
||||
|
||||
zone="zone_${interface}_output"
|
||||
iptables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
iptables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
|
||||
fi
|
||||
|
||||
ip6tables -w 1 -t filter -nL "${zone}" 2>/dev/null 1>&2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
ip6tables -w 1 -I "${zone}" -p tcp -m multiport --dports "${port}" -m conntrack --ctstate ESTABLISHED -m comment --comment "${IDENTIFIER}" -j ACCEPT
|
||||
fi
|
||||
fi
|
||||
|
||||
zone="zone_${interface}_input"
|
||||
CMD="iptables -w 1 -t filter -nL ${zone} --line-numbers"
|
||||
while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
|
||||
rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
|
||||
if [ -n "${rule_num}" ]; then
|
||||
exec_cmd iptables -w 1 -t filter -D "${zone}" "${rule_num}";
|
||||
fi
|
||||
done
|
||||
|
||||
zone="zone_${interface}_output"
|
||||
CMD="iptables -w 1 -t filter -nL ${zone} --line-numbers"
|
||||
while ${CMD} 2>/dev/null | grep "${IDENTIFIER}"; do
|
||||
rule_num="$(${CMD} | grep "${IDENTIFIER}" | head -1|awk '{print $1}')"
|
||||
if [ -n "${rule_num}" ]; then
|
||||
exec_cmd iptables -w 1 -t filter -D "${zone}" "${rule_num}";
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
# Delete existing remote access rules
|
||||
delete_firewall_rule
|
||||
delete_ui_firewall_rules
|
||||
|
||||
# Configure the User Interface rule
|
||||
configure_firewall_rule
|
||||
config_load userinterface
|
||||
config_get_bool serv_enable global enable 1
|
||||
|
||||
if [ "${serv_enable}" -eq "1" ]; then
|
||||
config_load nginx
|
||||
# Configure the User Interface rule
|
||||
config_foreach configure_ui_firewall_rule server
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -8,20 +8,26 @@ USE_PROCD=1
|
|||
start_service() {
|
||||
local enable
|
||||
|
||||
procd_open_instance usp
|
||||
|
||||
config_load userinterface
|
||||
config_get_bool enable global enable 1
|
||||
|
||||
# Inject firewall rules
|
||||
if [ "${enable}" -eq "1" ]; then
|
||||
/etc/firewall.userinterface
|
||||
if [ ! -f "/etc/config/nginx" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [ "${enable}" -eq "1" ]; then
|
||||
ubus call service state '{"name":"nginx", "spawn":true}'
|
||||
else
|
||||
ubus call service state '{"name":"nginx", "spawn":false}'
|
||||
fi
|
||||
|
||||
# Inject firewall rules
|
||||
procd_open_instance usp
|
||||
/etc/firewall.userinterface
|
||||
procd_close_instance
|
||||
}
|
||||
|
||||
service_triggers()
|
||||
{
|
||||
procd_add_reload_trigger "userinterface"
|
||||
procd_add_reload_trigger "userinterface" "nginx"
|
||||
}
|
||||
|
|
|
|||
1
bbf/files/lib/upgrade/keep.d/userinterface
Normal file
1
bbf/files/lib/upgrade/keep.d/userinterface
Normal file
|
|
@ -0,0 +1 @@
|
|||
/etc/nginx/allow_host_*
|
||||
Loading…
Add table
Reference in a new issue