firewallmngr: add package Makefile

* add Makefile that adds Device.Firewall. and Device.NAT. tr181 data model objects as a micro service * add CONFIG_FIREWALLMNGR_PORT_TRIGGER option, which, when enabled includes support for Device.NAT.PortTrigger. object and selects appropriate kmod dependencies, and is enabled by default * copy port-trigger scripts to firewallmngr, as it might be archived in future
2025-12-09 23:34:51 +01:00 · 2024-05-10 10:12:45 +05:30 · 2024-05-10 10:12:45 +05:30 · ee619a99a6
commit ee619a99a6
parent 31c4944988
5 changed files with 259 additions and 0 deletions
--- a/firewallmngr/Config.in
+++ b/firewallmngr/Config.in
@ -0,0 +1,12 @@
+if PACKAGE_firewallmngr
+
+menu "Configuration"
+
+config FIREWALLMNGR_PORT_TRIGGER
+	bool "Include Device.NAT.PortTrigger"
+	default y
+	help
+	   Set this option to include support for PortTrigger object.
+
+endmenu
+endif
--- a/firewallmngr/Makefile
+++ b/firewallmngr/Makefile
@ -0,0 +1,68 @@
+#
+# Copyright (C) 2024 IOPSYS Software Solutions AB
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewallmngr
+PKG_VERSION:=1.0.0
+
+LOCAL_DEV:=0
+ifneq ($(LOCAL_DEV),1)
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
+PKG_SOURCE_VERSION:=4dd17babb7870d10d938aab38d99c592fb36ed6a
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MIRROR_HASH:=skip
+endif
+
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+include ../bbfdm/bbfdm.mk
+
+MAKE_PATH:=src
+
+define Package/firewallmngr
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=Package to add Device.Firewall and Device.NAT. data model support.
+  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +firewall
+  DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:kmod-ipt-trigger +FIREWALLMNGR_PORT_TRIGGER:kmod-ip6t-trigger
+  DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:iptables-mod-nfqueue
+endef
+
+define Package/firewallmngr/description
+  Package to add Device.Firewall. and Device.NAT. data model support.
+endef
+
+define Package/$(PKG_NAME)/config
+        source "$(SOURCE)/Config.in"
+endef
+
+ifeq ($(LOCAL_DEV),1)
+define Build/Prepare
+	$(CP) -rf ~/git/firewallmngr/* $(PKG_BUILD_DIR)/
+endef
+endif
+
+ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
+	TARGET_CFLAGS += -DINCLUDE_PORT_TRIGGER
+endif
+
+define Package/firewallmngr/install
+	$(INSTALL_DIR) $(1)/etc/config
+ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/lib/port-trigger
+
+	$(INSTALL_BIN) ./files/port-trigger/etc/init.d/port-trigger $(1)/etc/init.d/
+	$(INSTALL_DATA) ./files/port-trigger/etc/config/port-trigger $(1)/etc/config/
+	$(INSTALL_DATA) ./files/port-trigger/lib/port-trigger/port_trigger.sh $(1)/lib/port-trigger/
+endif
+	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME)
+endef
+
+$(eval $(call BuildPackage,firewallmngr))
--- a/firewallmngr/files/port-trigger/etc/config/port-trigger
+++ b/firewallmngr/files/port-trigger/etc/config/port-trigger
@ -0,0 +1 @@
+#port trigger uci file
--- a/firewallmngr/files/port-trigger/etc/init.d/port-trigger
+++ b/firewallmngr/files/port-trigger/etc/init.d/port-trigger
@ -0,0 +1,21 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+STOP=20
+USE_PROCD=1
+
+. /lib/port-trigger/port_trigger.sh
+
+start_service() {
+	port_trigger_handling
+}
+
+service_triggers()
+{
+	procd_add_reload_trigger firewall
+	procd_add_reload_trigger port-trigger
+}
+
+reload_service() {
+	start
+}
--- a/firewallmngr/files/port-trigger/lib/port-trigger/port_trigger.sh
+++ b/firewallmngr/files/port-trigger/lib/port-trigger/port_trigger.sh
@ -0,0 +1,157 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+process_port_trigger() {
+	local rule_id="$1"
+	local is_enabled=""
+	local duration=""
+	local trigger_dport=""
+	local trigger_dport_end=""
+	local protocol=""
+	local interface=""
+	local open_dport=""
+	local open_dport_end=""
+	local open_protocol=""
+	local ptg_id=""
+	local IP_RULE=""
+	local IP6_RULE=""
+	local IP_RULE_FWD=""
+
+	get_port_trigger() {
+		local ptg_name
+		config_get ptg_name "$1" "name"
+		if [ "$ptg_name" == "$2" ]; then
+			ptg_id="$1"
+			return
+		fi
+	}
+
+	ptg_id=""
+	config_get name "$rule_id" "port_trigger"
+	config_foreach get_port_trigger  "port_trigger" "$name"
+	[ -z "$ptg_id" ] && return
+
+	is_enabled=$(uci -q get port-trigger."$ptg_id".enable)
+
+	if [ -z "$is_enabled" ] || [ "$is_enabled" = "0" ]; then
+		return
+	fi
+
+	protocol=$(uci -q get port-trigger."$ptg_id".protocol)
+	[ -z "$protocol" ] && return
+
+	if [ "$protocol" = "UDP" ] || [ "$protocol" = "udp" ]; then
+		IP_RULE="$IP_RULE -p udp"
+		IP6_RULE="$IP6_RULE -p udp"
+		IP_RULE_FWD="$IP_RULE_FWD -p udp"
+	elif [ "$protocol" = "TCP" ] || [ "$protocol" = "tcp" ]; then
+		IP_RULE="$IP_RULE -p tcp"
+		IP6_RULE="$IP6_RULE -p tcp"
+		IP_RULE_FWD="$IP_RULE_FWD -p tcp"
+	else
+		return
+	fi
+
+	trigger_dport=$(uci -q get port-trigger."$ptg_id".port)
+	[ -z "$trigger_dport" ] && return
+	IP_RULE="$IP_RULE --dport $trigger_dport"
+	IP6_RULE="$IP6_RULE --dport $trigger_dport"
+
+	trigger_dport_end=$(uci -q get port-trigger."$ptg_id".end_port_range)
+	if [ -n "$trigger_dport_end" ]; then
+		IP_RULE="$IP_RULE:$trigger_dport"
+		IP6_RULE="$IP6_RULE:$trigger_dport"
+	fi
+
+	config_get open_protocol "$rule_id" "protocol"
+	if [ "$open_protocol" = "UDP" ] || [ "$open_protocol" = "udp" ]; then
+		IP_RULE="$IP_RULE -j TRIGGER --trigger-type out --trigger-proto udp"
+		IP6_RULE="$IP6_RULE -j TRIGGER --trigger-type out --trigger-proto udp"
+	elif [ "$open_protocol" = "TCP" ] || [ "$open_protocol" = "tcp" ]; then
+		IP_RULE="$IP_RULE -j TRIGGER --trigger-type out --trigger-proto tcp"
+		IP6_RULE="$IP6_RULE -j TRIGGER --trigger-type out --trigger-proto tcp"
+	else
+		return
+	fi
+
+	config_get open_dport "$rule_id" "port"
+	[ -z "$open_dport" ] && return
+	IP_RULE="$IP_RULE --trigger-match $open_dport"
+	IP6_RULE="$IP6_RULE --trigger-match $open_dport"
+	IP_RULE_FWD="$IP_RULE_FWD --dport $open_dport"
+
+	config_get open_dport_end "$rule_id" "end_port_range"
+	if [ -z "$open_dport_end" ]; then
+		IP_RULE="$IP_RULE --trigger-relate $open_dport"
+		IP6_RULE="$IP6_RULE --trigger-relate $open_dport"
+	else
+		IP_RULE="$IP_RULE-$open_dport_end --trigger-relate $open_dport-$open_dport_end"
+		IP6_RULE="$IP6_RULE-$open_dport_end --trigger-relate $open_dport-$open_dport_end"
+		IP_RULE_FWD="$IP_RULE_FWD:$open_dport_end"
+	fi
+
+	duration=$(uci -q get port-trigger."$ptg_id".auto_disable_duration)
+        if [ -n "$duration" ]; then
+                IP_RULE="$IP_RULE --trigger-timeout $duration"
+                IP6_RULE="$IP6_RULE --trigger-timeout $duration"
+        fi
+
+	interface=$(uci -q get port-trigger."$ptg_id".src)
+	[ -z "$interface" ] && return
+	device=$(uci -q get network.$interface.device)
+       	IP_RULE_1="iptables -w -t nat -A prerouting_porttrigger -i $device $IP_RULE"
+       	echo "$IP_RULE_1">>/tmp/port_trigger_iptables
+
+       	IP_RULE_1="ip6tables -w -t nat -A prerouting_porttrigger -i $device $IP6_RULE"
+       	echo "$IP_RULE_1">>/tmp/port_trigger_ip6tables
+
+        if [ -n "$duration" ]; then
+		echo "iptables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in --trigger-timeout $duration">>/tmp/port_trigger_iptables
+		echo "ip6tables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in --trigger-timeout $duration">>/tmp/port_trigger_ip6tables
+
+		echo "iptables -w -t nat -A prerouting_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type dnat --trigger-timeout $duration">>/tmp/port_trigger_iptables
+	else
+		echo "iptables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in">>/tmp/port_trigger_iptables
+		echo "ip6tables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in">>/tmp/port_trigger_ip6tables
+
+		echo "iptables -w -t nat -A prerouting_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type dnat">>/tmp/port_trigger_iptables
+	fi
+}
+
+port_trigger_handling() {
+	rm /tmp/port_trigger_iptables 2> /dev/null
+	rm /tmp/port_trigger_ip6tables 2> /dev/null
+	touch /tmp/port_trigger_iptables
+	touch /tmp/port_trigger_ip6tables
+
+	echo "iptables -w -t nat -F prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t filter -F forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t nat -F prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "ip6tables -w -t nat -F prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	echo "ip6tables -w -t filter -F forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+
+	echo "iptables -w -t nat -N prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	ret=$?
+	[ $ret -eq 0 ] && echo "iptables -w -t nat -I PREROUTING -j prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t filter -N forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	ret=$?
+	[ $ret -eq 0 ] && echo "iptables -w -t filter -I forwarding_wan_rule -j forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t nat -N prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	ret=$?
+	[ $ret -eq 0 ] && echo "iptables -w -t nat -I prerouting_wan_rule -j prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+
+	echo "ip6tables -w -t nat -N prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	ret=$?
+	[ $ret -eq 0 ] && echo "ip6tables -w -t nat -I PREROUTING -j prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	echo "ip6tables -w -t filter -N forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	ret=$?
+	[ $ret -eq 0 ] && echo "ip6tables -w -t filter -I forwarding_wan_rule -j forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+
+	# Load /etc/config/port-trigger UCI file
+	config_load port-trigger
+	config_foreach process_port_trigger rule
+
+	sh /tmp/port_trigger_iptables
+	sh /tmp/port_trigger_ip6tables
+}