From ee619a99a6b84d0e4ac021eaedb694bebf367993 Mon Sep 17 00:00:00 2001
From: Mohd Husaam Mehdi
Date: Fri, 10 May 2024 10:12:45 +0530
Subject: [PATCH] firewallmngr: add package Makefile

* add Makefile that adds Device.Firewall. and Device.NAT. tr181 data model objects as a micro service
* add CONFIG_FIREWALLMNGR_PORT_TRIGGER option, which, when enabled includes support for Device.NAT.PortTrigger. object and selects appropriate kmod dependencies, and is enabled by default
* copy port-trigger scripts to firewallmngr, as it might be archived in future
---
 firewallmngr/Config.in | 12 ++
 firewallmngr/Makefile | 68 ++++++++
 .../port-trigger/etc/config/port-trigger | 1 +
 .../port-trigger/etc/init.d/port-trigger | 21 +++
 .../lib/port-trigger/port_trigger.sh | 157 ++++++++++++++++++
 5 files changed, 259 insertions(+)
 create mode 100644 firewallmngr/Config.in
 create mode 100644 firewallmngr/Makefile
 create mode 100644 firewallmngr/files/port-trigger/etc/config/port-trigger
 create mode 100644 firewallmngr/files/port-trigger/etc/init.d/port-trigger
 create mode 100755 firewallmngr/files/port-trigger/lib/port-trigger/port_trigger.sh

diff --git a/firewallmngr/Config.in b/firewallmngr/Config.in
new file mode 100644
index 000000000..f0493a58c
--- /dev/null
+++ b/firewallmngr/Config.in
@@ -0,0 +1,12 @@
+if PACKAGE_firewallmngr
+
+menu "Configuration"
+
+config FIREWALLMNGR_PORT_TRIGGER
+	bool "Include Device.NAT.PortTrigger"
+	default y
+	help
+		Set this option to include support for PortTrigger object.
+
+endmenu
+endif
diff --git a/firewallmngr/Makefile b/firewallmngr/Makefile
new file mode 100644
index 000000000..6c41adc05
--- /dev/null
+++ b/firewallmngr/Makefile
@@ -0,0 +1,68 @@
+#
+# Copyright (C) 2024 IOPSYS Software Solutions AB
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewallmngr
+PKG_VERSION:=1.0.0
+
+LOCAL_DEV:=0
+ifneq ($(LOCAL_DEV),1)
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
+PKG_SOURCE_VERSION:=4dd17babb7870d10d938aab38d99c592fb36ed6a
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+PKG_MIRROR_HASH:=skip
+endif
+
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+include ../bbfdm/bbfdm.mk
+
+MAKE_PATH:=src
+
+define Package/firewallmngr
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=Package to add Device.Firewall and Device.NAT. data model support.
+  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +firewall
+  DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:kmod-ipt-trigger +FIREWALLMNGR_PORT_TRIGGER:kmod-ip6t-trigger
+  DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:iptables-mod-nfqueue
+endef
+
+define Package/firewallmngr/description
+  Package to add Device.Firewall. and Device.NAT. data model support.
+endef
+
+define Package/$(PKG_NAME)/config
+  source "$(SOURCE)/Config.in"
+endef
+
+ifeq ($(LOCAL_DEV),1)
+define Build/Prepare
+	$(CP) -rf ~/git/firewallmngr/* $(PKG_BUILD_DIR)/
+endef
+endif
+
+ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
+  TARGET_CFLAGS += -DINCLUDE_PORT_TRIGGER
+endif
+
+define Package/firewallmngr/install
+	$(INSTALL_DIR) $(1)/etc/config
+ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/lib/port-trigger
+
+	$(INSTALL_BIN) ./files/port-trigger/etc/init.d/port-trigger $(1)/etc/init.d/
+	$(INSTALL_DATA) ./files/port-trigger/etc/config/port-trigger $(1)/etc/config/
+	$(INSTALL_DATA) ./files/port-trigger/lib/port-trigger/port_trigger.sh $(1)/lib/port-trigger/
+endif
+	$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME)
+endef
+
+$(eval $(call BuildPackage,firewallmngr))
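Review bot: `PKG_MIRROR_HASH:=skip` disables integrity verification of the source tarball when it is served from the download mirror, so only the direct git fetch is pinned by `PKG_SOURCE_VERSION`; a tarball fetched from the mirror is accepted as-is. Record the tarball's SHA-256 in `PKG_MIRROR_HASH` once it has been uploaded (the build system's package `check` target with `FIXUP=1` fills it in, if I recall the OpenWrt tooling correctly). Separately, the second `$(INSTALL_DIR) $(1)/etc/config` inside the `ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)` block in `Package/firewallmngr/install` repeats the one immediately above the conditional and can be dropped.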
diff --git a/firewallmngr/files/port-trigger/etc/config/port-trigger b/firewallmngr/files/port-trigger/etc/config/port-trigger
new file mode 100644
index 000000000..fcb1b88b8
--- /dev/null
+++ b/firewallmngr/files/port-trigger/etc/config/port-trigger
@@ -0,0 +1 @@
+#port trigger uci file
diff --git a/firewallmngr/files/port-trigger/etc/init.d/port-trigger b/firewallmngr/files/port-trigger/etc/init.d/port-trigger
new file mode 100644
index 000000000..efb699737
--- /dev/null
+++ b/firewallmngr/files/port-trigger/etc/init.d/port-trigger
@@ -0,0 +1,21 @@
+#!/bin/sh /etc/rc.common
+
+START=65
+STOP=20
+USE_PROCD=1
+
+. /lib/port-trigger/port_trigger.sh
+
+start_service() {
+	port_trigger_handling
+}
+
+service_triggers()
+{
+	procd_add_reload_trigger firewall
+	procd_add_reload_trigger port-trigger
+}
+
+reload_service() {
+	start
+}
diff --git a/firewallmngr/files/port-trigger/lib/port-trigger/port_trigger.sh b/firewallmngr/files/port-trigger/lib/port-trigger/port_trigger.sh
new file mode 100755
index 000000000..0f4c77873
--- /dev/null
+++ b/firewallmngr/files/port-trigger/lib/port-trigger/port_trigger.sh
@@ -0,0 +1,157 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+process_port_trigger() {
+	local rule_id="$1"
+	local is_enabled=""
+	local duration=""
+	local trigger_dport=""
+	local trigger_dport_end=""
+	local protocol=""
+	local interface=""
+	local open_dport=""
+	local open_dport_end=""
+	local open_protocol=""
+	local ptg_id=""
+	local IP_RULE=""
+	local IP6_RULE=""
+	local IP_RULE_FWD=""
+
+	get_port_trigger() {
+		local ptg_name
+		config_get ptg_name "$1" "name"
+		if [ "$ptg_name" == "$2" ]; then
+			ptg_id="$1"
+			return
+		fi
+	}
+
+	ptg_id=""
+	config_get name "$rule_id" "port_trigger"
+	config_foreach get_port_trigger "port_trigger" "$name"
+	[ -z "$ptg_id" ] && return
+
+	is_enabled=$(uci -q get port-trigger."$ptg_id".enable)
+
+	if [ -z "$is_enabled" ] || [ "$is_enabled" = "0" ]; then
+		return
+	fi
+
+	protocol=$(uci -q get port-trigger."$ptg_id".protocol)
+	[ -z "$protocol" ] && return
+
+	if [ "$protocol" = "UDP" ] || [ "$protocol" = "udp" ]; then
+		IP_RULE="$IP_RULE -p udp"
+		IP6_RULE="$IP6_RULE -p udp"
+		IP_RULE_FWD="$IP_RULE_FWD -p udp"
+	elif [ "$protocol" = "TCP" ] || [ "$protocol" = "tcp" ]; then
+		IP_RULE="$IP_RULE -p tcp"
+		IP6_RULE="$IP6_RULE -p tcp"
+		IP_RULE_FWD="$IP_RULE_FWD -p tcp"
+	else
+		return
+	fi
+
+	trigger_dport=$(uci -q get port-trigger."$ptg_id".port)
+	[ -z "$trigger_dport" ] && return
+	IP_RULE="$IP_RULE --dport $trigger_dport"
+	IP6_RULE="$IP6_RULE --dport $trigger_dport"
+
+	trigger_dport_end=$(uci -q get port-trigger."$ptg_id".end_port_range)
+	if [ -n "$trigger_dport_end" ]; then
+		IP_RULE="$IP_RULE:$trigger_dport"
+		IP6_RULE="$IP6_RULE:$trigger_dport"
+	fi
+
+	config_get open_protocol "$rule_id" "protocol"
+	if [ "$open_protocol" = "UDP" ] || [ "$open_protocol" = "udp" ]; then
+		IP_RULE="$IP_RULE -j TRIGGER --trigger-type out --trigger-proto udp"
+		IP6_RULE="$IP6_RULE -j TRIGGER --trigger-type out --trigger-proto udp"
+	elif [ "$open_protocol" = "TCP" ] || [ "$open_protocol" = "tcp" ]; then
+		IP_RULE="$IP_RULE -j TRIGGER --trigger-type out --trigger-proto tcp"
+		IP6_RULE="$IP6_RULE -j TRIGGER --trigger-type out --trigger-proto tcp"
+	else
+		return
+	fi
+
+	config_get open_dport "$rule_id" "port"
+	[ -z "$open_dport" ] && return
+	IP_RULE="$IP_RULE --trigger-match $open_dport"
+	IP6_RULE="$IP6_RULE --trigger-match $open_dport"
+	IP_RULE_FWD="$IP_RULE_FWD --dport $open_dport"
+
+	config_get open_dport_end "$rule_id" "end_port_range"
+	if [ -z "$open_dport_end" ]; then
+		IP_RULE="$IP_RULE --trigger-relate $open_dport"
+		IP6_RULE="$IP6_RULE --trigger-relate $open_dport"
+	else
+		IP_RULE="$IP_RULE-$open_dport_end --trigger-relate $open_dport-$open_dport_end"
+		IP6_RULE="$IP6_RULE-$open_dport_end --trigger-relate $open_dport-$open_dport_end"
+		IP_RULE_FWD="$IP_RULE_FWD:$open_dport_end"
+	fi
+
+	duration=$(uci -q get port-trigger."$ptg_id".auto_disable_duration)
+	if [ -n "$duration" ]; then
+		IP_RULE="$IP_RULE --trigger-timeout $duration"
+		IP6_RULE="$IP6_RULE --trigger-timeout $duration"
+	fi
+
+	interface=$(uci -q get port-trigger."$ptg_id".src)
+	[ -z "$interface" ] && return
+	device=$(uci -q get network.$interface.device)
+	IP_RULE_1="iptables -w -t nat -A prerouting_porttrigger -i $device $IP_RULE"
+	echo "$IP_RULE_1">>/tmp/port_trigger_iptables
+
+	IP_RULE_1="ip6tables -w -t nat -A prerouting_porttrigger -i $device $IP6_RULE"
+	echo "$IP_RULE_1">>/tmp/port_trigger_ip6tables
+
+	if [ -n "$duration" ]; then
+		echo "iptables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in --trigger-timeout $duration">>/tmp/port_trigger_iptables
+		echo "ip6tables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in --trigger-timeout $duration">>/tmp/port_trigger_ip6tables
+
+		echo "iptables -w -t nat -A prerouting_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type dnat --trigger-timeout $duration">>/tmp/port_trigger_iptables
+	else
+		echo "iptables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in">>/tmp/port_trigger_iptables
+		echo "ip6tables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in">>/tmp/port_trigger_ip6tables
+
+		echo "iptables -w -t nat -A prerouting_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type dnat">>/tmp/port_trigger_iptables
+	fi
+}
+
+port_trigger_handling() {
+	rm /tmp/port_trigger_iptables 2> /dev/null
+	rm /tmp/port_trigger_ip6tables 2> /dev/null
+	touch /tmp/port_trigger_iptables
+	touch /tmp/port_trigger_ip6tables
+
+	echo "iptables -w -t nat -F prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t filter -F forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t nat -F prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "ip6tables -w -t nat -F prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	echo "ip6tables -w -t filter -F forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+
+	echo "iptables -w -t nat -N prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	ret=$?
+	[ $ret -eq 0 ] && echo "iptables -w -t nat -I PREROUTING -j prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t filter -N forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	ret=$?
+	[ $ret -eq 0 ] && echo "iptables -w -t filter -I forwarding_wan_rule -j forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	echo "iptables -w -t nat -N prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+	ret=$?
+	[ $ret -eq 0 ] && echo "iptables -w -t nat -I prerouting_wan_rule -j prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
+
+	echo "ip6tables -w -t nat -N prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	ret=$?
+	[ $ret -eq 0 ] && echo "ip6tables -w -t nat -I PREROUTING -j prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	echo "ip6tables -w -t filter -N forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+	ret=$?
+	[ $ret -eq 0 ] && echo "ip6tables -w -t filter -I forwarding_wan_rule -j forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
+
+	# Load /etc/config/port-trigger UCI file
+	config_load port-trigger
+	config_foreach process_port_trigger rule
+
+	sh /tmp/port_trigger_iptables
+	sh /tmp/port_trigger_ip6tables
+}
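Review bot: The UCI values read in `process_port_trigger` (`port`, `end_port_range`, `auto_disable_duration`, `src`, and the rule's own `port`/`end_port_range`) are only checked for being non-empty before they are interpolated into command strings that `port_trigger_handling` later executes as root with `sh /tmp/port_trigger_iptables`; only `protocol` is matched against a fixed set, so any other value containing shell syntax becomes part of the executed script rather than an iptables argument, and ports should be validated as decimal numbers in range before use. The range branch at `IP_RULE="$IP_RULE:$trigger_dport"` appends the start port again instead of `$trigger_dport_end`, so a trigger port range collapses to a single port in both the v4 and v6 rules. In `port_trigger_handling`, each `ret=$?` records the exit status of the preceding `echo ... >>`, not of the `iptables -N` it describes, so the `-I PREROUTING -j prerouting_porttrigger` jump (and the other two inserts) are written unconditionally and a second jump is inserted on every reload once the chain already exists; the create-and-insert should be one executed line, e.g. `iptables -w -t nat -N prerouting_porttrigger 2>/dev/null && iptables -w -t nat -I PREROUTING -j prerouting_porttrigger`. The fixed script names under `/tmp` are also executed by root after an unsynchronised `rm`/`touch`; `mktemp` names derived per run avoid relying on that path being untouched. The validation part of the fix is sketched below.
```shell
# accept only a decimal port number in 1..65535; reject anything else
is_port() {
	case "$1" in
		''|*[!0-9]*) return 1 ;;
	esac
	[ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# … unchanged: process_port_trigger locals, get_port_trigger, enable/protocol checks …
	trigger_dport=$(uci -q get port-trigger."$ptg_id".port)
	is_port "$trigger_dport" || return
	IP_RULE="$IP_RULE --dport $trigger_dport"
	IP6_RULE="$IP6_RULE --dport $trigger_dport"

	trigger_dport_end=$(uci -q get port-trigger."$ptg_id".end_port_range)
	if [ -n "$trigger_dport_end" ]; then
		is_port "$trigger_dport_end" || return
		IP_RULE="$IP_RULE:$trigger_dport_end"
		IP6_RULE="$IP6_RULE:$trigger_dport_end"
	fi
# … unchanged: open_protocol handling …
	config_get open_dport "$rule_id" "port"
	is_port "$open_dport" || return
# … unchanged: remaining rule assembly (apply is_port to open_dport_end and a digits-only check to duration the same way) …
```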