You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
153 lines
2.6 KiB
153 lines
2.6 KiB
# Copyright (C) 2009-2010 OpenWrt.org
|
|
|
|
FW_LIBDIR=${FW_LIBDIR:-/lib/firewall}
|
|
|
|
. $FW_LIBDIR/fw.sh
|
|
include /lib/network
|
|
|
|
fw_start() {
|
|
fw_init
|
|
|
|
FW_DEFAULTS_APPLIED=
|
|
|
|
fw_is_loaded && {
|
|
echo "firewall already loaded" >&2
|
|
exit 1
|
|
}
|
|
|
|
uci_set_state firewall core "" firewall_state
|
|
|
|
fw_clear DROP
|
|
|
|
fw_callback pre core
|
|
|
|
echo "Loading defaults"
|
|
fw_config_once fw_load_defaults defaults
|
|
|
|
echo "Loading zones"
|
|
config_foreach fw_load_zone zone
|
|
|
|
echo "Loading forwardings"
|
|
config_foreach fw_load_forwarding forwarding
|
|
|
|
echo "Loading redirects"
|
|
config_foreach fw_load_redirect redirect
|
|
|
|
echo "Loading rules"
|
|
config_foreach fw_load_rule rule
|
|
|
|
echo "Loading includes"
|
|
config_foreach fw_load_include include
|
|
|
|
[ -z "$FW_NOTRACK_DISABLED" ] && {
|
|
echo "Optimizing conntrack"
|
|
config_foreach fw_load_notrack_zone zone
|
|
}
|
|
|
|
echo "Loading interfaces"
|
|
config_foreach fw_configure_interface interface add
|
|
|
|
fw_callback post core
|
|
|
|
uci_set_state firewall core zones "$FW_ZONES"
|
|
uci_set_state firewall core loaded 1
|
|
}
|
|
|
|
fw_stop() {
|
|
fw_init
|
|
|
|
fw_callback pre stop
|
|
|
|
local z n i
|
|
config_get z core zones
|
|
for z in $z; do
|
|
config_get n core "${z}_networks"
|
|
for n in $n; do
|
|
config_get i core "${n}_ifname"
|
|
[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
|
|
INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
|
|
done
|
|
done
|
|
|
|
fw_clear ACCEPT
|
|
|
|
fw_callback post stop
|
|
|
|
uci_revert_state firewall
|
|
config_clear
|
|
|
|
local h
|
|
for h in $FW_HOOKS; do unset $h; done
|
|
|
|
unset FW_HOOKS
|
|
unset FW_INITIALIZED
|
|
}
|
|
|
|
fw_restart() {
|
|
fw_stop
|
|
fw_start
|
|
}
|
|
|
|
fw_reload() {
|
|
fw_restart
|
|
}
|
|
|
|
fw_is_loaded() {
|
|
local bool=$(uci_get_state firewall.core.loaded)
|
|
return $((! ${bool:-0}))
|
|
}
|
|
|
|
|
|
fw_die() {
|
|
echo "Error:" "$@" >&2
|
|
fw_log error "$@"
|
|
fw_stop
|
|
exit 1
|
|
}
|
|
|
|
fw_log() {
|
|
local level="$1"
|
|
[ -n "$2" ] && shift || level=notice
|
|
[ "$level" != error ] || echo "Error: $@" >&2
|
|
logger -t firewall -p user.$level "$@"
|
|
}
|
|
|
|
|
|
fw_init() {
|
|
[ -z "$FW_INITIALIZED" ] || return 0
|
|
|
|
. $FW_LIBDIR/config.sh
|
|
|
|
scan_interfaces
|
|
fw_config_append firewall
|
|
|
|
local hooks="core stop defaults zone notrack synflood"
|
|
local file lib hk pp
|
|
for file in $FW_LIBDIR/core_*.sh; do
|
|
. $file
|
|
hk=$(basename $file .sh)
|
|
hk=${hk#core_}
|
|
append hooks $hk
|
|
done
|
|
for file in $FW_LIBDIR/*.sh; do
|
|
lib=$(basename $file .sh)
|
|
lib=${lib##[0-9][0-9]_}
|
|
case $lib in
|
|
core*|fw|config|uci_firewall) continue ;;
|
|
esac
|
|
. $file
|
|
for hk in $hooks; do
|
|
for pp in pre post; do
|
|
type ${lib}_${pp}_${hk}_cb >/dev/null && {
|
|
append FW_CB_${pp}_${hk} ${lib}
|
|
append FW_HOOKS FW_CB_${pp}_${hk}
|
|
}
|
|
done
|
|
done
|
|
done
|
|
|
|
fw_callback post init
|
|
|
|
FW_INITIALIZED=1
|
|
return 0
|
|
}
|
|
|