mirror/iopsys-feed
1
0
Fork 0
mirror of https://dev.iopsys.eu/feed/iopsys.git synced 2025-12-10 07:44:50 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

firewallmngr: add package Makefile

Browse source 
* add Makefile that adds Device.Firewall. and Device.NAT. tr181
  data model objects as a micro service
* add CONFIG_FIREWALLMNGR_PORT_TRIGGER option, which, when enabled
  includes support for Device.NAT.PortTrigger. object and selects
  appropriate kmod dependencies, and is enabled by default
* copy port-trigger scripts to firewallmngr, as it might be
  archived in future
This commit is contained in:
Mohd Husaam Mehdi 2024-05-10 10:12:45 +05:30 committed by Rahul Thakur
parent 31c4944988
commit ee619a99a6
5 changed files with 259 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
firewallmngr/Config.in Normal file
View file

@ -0,0 +1,12 @@
if PACKAGE_firewallmngr
menu "Configuration"
config FIREWALLMNGR_PORT_TRIGGER
bool "Include Device.NAT.PortTrigger"
default y
help
Set this option to include support for PortTrigger object.
endmenu
endif

68
firewallmngr/Makefile Normal file
View file

@ -0,0 +1,68 @@
#
# Copyright (C) 2024 IOPSYS Software Solutions AB
#
include $(TOPDIR)/rules.mk
PKG_NAME:=firewallmngr
PKG_VERSION:=1.0.0
LOCAL_DEV:=0
ifneq ($(LOCAL_DEV),1)
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://dev.iopsys.eu/network/firewallmngr.git
PKG_SOURCE_VERSION:=4dd17babb7870d10d938aab38d99c592fb36ed6a
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
PKG_MIRROR_HASH:=skip
endif
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE
include $(INCLUDE_DIR)/package.mk
include ../bbfdm/bbfdm.mk
MAKE_PATH:=src
define Package/firewallmngr
SECTION:=net
CATEGORY:=Network
TITLE:=Package to add Device.Firewall and Device.NAT. data model support.
DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +firewall
DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:kmod-ipt-trigger +FIREWALLMNGR_PORT_TRIGGER:kmod-ip6t-trigger
DEPENDS+=+FIREWALLMNGR_PORT_TRIGGER:iptables-mod-nfqueue
endef
define Package/firewallmngr/description
Package to add Device.Firewall. and Device.NAT. data model support.
endef
define Package/$(PKG_NAME)/config
source "$(SOURCE)/Config.in"
endef
ifeq ($(LOCAL_DEV),1)
define Build/Prepare
$(CP) -rf ~/git/firewallmngr/* $(PKG_BUILD_DIR)/
endef
endif
ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
TARGET_CFLAGS += -DINCLUDE_PORT_TRIGGER
endif
define Package/firewallmngr/install
$(INSTALL_DIR) $(1)/etc/config
ifeq ($(CONFIG_FIREWALLMNGR_PORT_TRIGGER),y)
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_DIR) $(1)/lib/port-trigger
$(INSTALL_BIN) ./files/port-trigger/etc/init.d/port-trigger $(1)/etc/init.d/
$(INSTALL_DATA) ./files/port-trigger/etc/config/port-trigger $(1)/etc/config/
$(INSTALL_DATA) ./files/port-trigger/lib/port-trigger/port_trigger.sh $(1)/lib/port-trigger/
endif
$(BBFDM_INSTALL_MS_DM) $(PKG_BUILD_DIR)/src/libfirewallmngr.so $(1) $(PKG_NAME)
endef
$(eval $(call BuildPackage,firewallmngr))

1
firewallmngr/files/port-trigger/etc/config/port-trigger Normal file
View file

@ -0,0 +1 @@
#port trigger uci file

21
firewallmngr/files/port-trigger/etc/init.d/port-trigger Normal file
View file

@ -0,0 +1,21 @@
#!/bin/sh /etc/rc.common
START=65
STOP=20
USE_PROCD=1
. /lib/port-trigger/port_trigger.sh
start_service() {
port_trigger_handling
}
service_triggers()
{
procd_add_reload_trigger firewall
procd_add_reload_trigger port-trigger
}
reload_service() {
start
}

157
firewallmngr/files/port-trigger/lib/port-trigger/port_trigger.sh Executable file
View file

@ -0,0 +1,157 @@
#!/bin/sh
. /lib/functions.sh
process_port_trigger() {
local rule_id="$1"
local is_enabled=""
local duration=""
local trigger_dport=""
local trigger_dport_end=""
local protocol=""
local interface=""
local open_dport=""
local open_dport_end=""
local open_protocol=""
local ptg_id=""
local IP_RULE=""
local IP6_RULE=""
local IP_RULE_FWD=""
get_port_trigger() {
local ptg_name
config_get ptg_name "$1" "name"
if [ "$ptg_name" == "$2" ]; then
ptg_id="$1"
return
fi
}
ptg_id=""
config_get name "$rule_id" "port_trigger"
config_foreach get_port_trigger "port_trigger" "$name"
[ -z "$ptg_id" ] && return
is_enabled=$(uci -q get port-trigger."$ptg_id".enable)
if [ -z "$is_enabled" ] || [ "$is_enabled" = "0" ]; then
return
fi
protocol=$(uci -q get port-trigger."$ptg_id".protocol)
[ -z "$protocol" ] && return
if [ "$protocol" = "UDP" ] || [ "$protocol" = "udp" ]; then
IP_RULE="$IP_RULE -p udp"
IP6_RULE="$IP6_RULE -p udp"
IP_RULE_FWD="$IP_RULE_FWD -p udp"
elif [ "$protocol" = "TCP" ] || [ "$protocol" = "tcp" ]; then
IP_RULE="$IP_RULE -p tcp"
IP6_RULE="$IP6_RULE -p tcp"
IP_RULE_FWD="$IP_RULE_FWD -p tcp"
else
return
fi
trigger_dport=$(uci -q get port-trigger."$ptg_id".port)
[ -z "$trigger_dport" ] && return
IP_RULE="$IP_RULE --dport $trigger_dport"
IP6_RULE="$IP6_RULE --dport $trigger_dport"
trigger_dport_end=$(uci -q get port-trigger."$ptg_id".end_port_range)
if [ -n "$trigger_dport_end" ]; then
IP_RULE="$IP_RULE:$trigger_dport"
IP6_RULE="$IP6_RULE:$trigger_dport"
fi
config_get open_protocol "$rule_id" "protocol"
if [ "$open_protocol" = "UDP" ] || [ "$open_protocol" = "udp" ]; then
IP_RULE="$IP_RULE -j TRIGGER --trigger-type out --trigger-proto udp"
IP6_RULE="$IP6_RULE -j TRIGGER --trigger-type out --trigger-proto udp"
elif [ "$open_protocol" = "TCP" ] || [ "$open_protocol" = "tcp" ]; then
IP_RULE="$IP_RULE -j TRIGGER --trigger-type out --trigger-proto tcp"
IP6_RULE="$IP6_RULE -j TRIGGER --trigger-type out --trigger-proto tcp"
else
return
fi
config_get open_dport "$rule_id" "port"
[ -z "$open_dport" ] && return
IP_RULE="$IP_RULE --trigger-match $open_dport"
IP6_RULE="$IP6_RULE --trigger-match $open_dport"
IP_RULE_FWD="$IP_RULE_FWD --dport $open_dport"
config_get open_dport_end "$rule_id" "end_port_range"
if [ -z "$open_dport_end" ]; then
IP_RULE="$IP_RULE --trigger-relate $open_dport"
IP6_RULE="$IP6_RULE --trigger-relate $open_dport"
else
IP_RULE="$IP_RULE-$open_dport_end --trigger-relate $open_dport-$open_dport_end"
IP6_RULE="$IP6_RULE-$open_dport_end --trigger-relate $open_dport-$open_dport_end"
IP_RULE_FWD="$IP_RULE_FWD:$open_dport_end"
fi
duration=$(uci -q get port-trigger."$ptg_id".auto_disable_duration)
if [ -n "$duration" ]; then
IP_RULE="$IP_RULE --trigger-timeout $duration"
IP6_RULE="$IP6_RULE --trigger-timeout $duration"
fi
interface=$(uci -q get port-trigger."$ptg_id".src)
[ -z "$interface" ] && return
device=$(uci -q get network.$interface.device)
IP_RULE_1="iptables -w -t nat -A prerouting_porttrigger -i $device $IP_RULE"
echo "$IP_RULE_1">>/tmp/port_trigger_iptables
IP_RULE_1="ip6tables -w -t nat -A prerouting_porttrigger -i $device $IP6_RULE"
echo "$IP_RULE_1">>/tmp/port_trigger_ip6tables
if [ -n "$duration" ]; then
echo "iptables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in --trigger-timeout $duration">>/tmp/port_trigger_iptables
echo "ip6tables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in --trigger-timeout $duration">>/tmp/port_trigger_ip6tables
echo "iptables -w -t nat -A prerouting_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type dnat --trigger-timeout $duration">>/tmp/port_trigger_iptables
else
echo "iptables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in">>/tmp/port_trigger_iptables
echo "ip6tables -w -t filter -A forwarding_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type in">>/tmp/port_trigger_ip6tables
echo "iptables -w -t nat -A prerouting_wan_porttrigger $IP_RULE_FWD -j TRIGGER --trigger-type dnat">>/tmp/port_trigger_iptables
fi
}
port_trigger_handling() {
rm /tmp/port_trigger_iptables 2> /dev/null
rm /tmp/port_trigger_ip6tables 2> /dev/null
touch /tmp/port_trigger_iptables
touch /tmp/port_trigger_ip6tables
echo "iptables -w -t nat -F prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
echo "iptables -w -t filter -F forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
echo "iptables -w -t nat -F prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
echo "ip6tables -w -t nat -F prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
echo "ip6tables -w -t filter -F forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
echo "iptables -w -t nat -N prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
ret=$?
[ $ret -eq 0 ] && echo "iptables -w -t nat -I PREROUTING -j prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
echo "iptables -w -t filter -N forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
ret=$?
[ $ret -eq 0 ] && echo "iptables -w -t filter -I forwarding_wan_rule -j forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
echo "iptables -w -t nat -N prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
ret=$?
[ $ret -eq 0 ] && echo "iptables -w -t nat -I prerouting_wan_rule -j prerouting_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_iptables
echo "ip6tables -w -t nat -N prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
ret=$?
[ $ret -eq 0 ] && echo "ip6tables -w -t nat -I PREROUTING -j prerouting_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
echo "ip6tables -w -t filter -N forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
ret=$?
[ $ret -eq 0 ] && echo "ip6tables -w -t filter -I forwarding_wan_rule -j forwarding_wan_porttrigger 2> /dev/null">>/tmp/port_trigger_ip6tables
# Load /etc/config/port-trigger UCI file
config_load port-trigger
config_foreach process_port_trigger rule
sh /tmp/port_trigger_iptables
sh /tmp/port_trigger_ip6tables
}