openwrt/package/firewall/files/reflection.hotplug

#!/bin/sh

. /etc/functions.sh
. /usr/share/libubox/jshn.sh

find_iface_address()
{
	local iface="$1"
	local ipaddr="$2"
	local prefix="$3"

	local idx=1
	local tmp="$(ubus call network.interface."$iface" status 2>/dev/null)"

	json_load "${tmp:-{}}"
	json_get_type tmp address

	if [ "$tmp" = array ]; then
		json_select address

		while true; do
			json_get_type tmp $idx
			[ "$tmp" = object ] || break

			json_select $((idx++))
			json_get_var tmp address

			case "$tmp" in
				*:*) json_select .. ;;
				*)
					[ -n "$ipaddr" ] && json_get_var $ipaddr address
					[ -n "$prefix" ] && json_get_var $prefix mask
					return 0 
				;;
			esac
		done
	fi

	return 1
}

if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
	local wanip
	find_iface_address wan wanip
	[ -n "$wanip" ] || return

	iptables -t nat -F nat_reflection_in 2>/dev/null || {
		iptables -t nat -N nat_reflection_in
		iptables -t nat -A prerouting_rule -j nat_reflection_in
	}

	iptables -t nat -F nat_reflection_out 2>/dev/null || {
		iptables -t nat -N nat_reflection_out
		iptables -t nat -A postrouting_rule -j nat_reflection_out
	}

	iptables -t filter -F nat_reflection_fwd 2>/dev/null || {
		iptables -t filter -N nat_reflection_fwd
		iptables -t filter -A forwarding_rule -j nat_reflection_fwd
	}

	find_networks() {
		find_networks_cb() {
			local cfg="$1"
			local zone="$2"

			local name
			config_get name "$cfg" name

			[ "$name" = "$zone" ] && {
				local network
				config_get network "$cfg" network

				echo ${network:-$zone}
				return 1
			}
		}

		config_foreach find_networks_cb zone "$1"
	}

	setup_fwd() {
		local cfg="$1"

		local reflection
		config_get_bool reflection "$cfg" reflection 1
		[ "$reflection" == 1 ] || return

		local src
		config_get src "$cfg" src

		local target
		config_get target "$cfg" target DNAT

		[ "$src" = wan ] && [ "$target" = DNAT ] && {
			local dest
			config_get dest "$cfg" dest "lan"
			[ "$dest" != "*" ] || return

			local net
			for net in $(find_networks "$dest"); do
				local lanip lanmk
				find_iface_address "$net" lanip lanmk
				[ -n "$lanip" ] || return

				local proto
				config_get proto "$cfg" proto

				local epmin epmax extport
				config_get extport "$cfg" src_dport
				[ -n "$extport" ] || return

				epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
				[ "${epmin#!}" != "$epmax" ] || epmax=""

				local ipmin ipmax intport
				config_get intport "$cfg" dest_port "$extport"

				ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
				[ "${ipmin#!}" != "$ipmax" ] || ipmax=""

				local exthost
				config_get exthost "$cfg" src_dip "$wanip"

				local inthost
				config_get inthost "$cfg" dest_ip
				[ -n "$inthost" ] || return

				[ "$proto" = tcpudp ] && proto="tcp udp"

				[ "${inthost#!}" = "$inthost" ] || return 0
				[ "${exthost#!}" = "$exthost" ] || return 0

				[ "${epmin#!}" != "$epmin" ] && \
					extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \
					extport="--dport $epmin${epmax:+:$epmax}"

				[ "${ipmin#!}" != "$ipmin" ] && \
					intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \
					intport="--dport $ipmin${ipmax:+:$ipmax}"

				local p
				for p in ${proto:-tcp udp}; do
					case "$p" in
						tcp|udp|6|17)
							iptables -t nat -A nat_reflection_in \
								-s $lanip/$lanmk -d $exthost \
								-p $p $extport \
								-j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}

							iptables -t nat -A nat_reflection_out \
								-s $lanip/$lanmk -d $inthost \
								-p $p $intport \
								-j SNAT --to-source $lanip

							iptables -t filter -A nat_reflection_fwd \
								-s $lanip/$lanmk -d $inthost \
								-p $p $intport \
								-j ACCEPT
						;;
					esac
				done
			done
		}
	}

	config_load firewall
	config_foreach setup_fwd redirect
fi
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago			`#!/bin/sh`

			`. /etc/functions.sh`
firewall: fix nat reflection after netifd switch (#11460) SVN-Revision: 31754 12 years ago			`. /usr/share/libubox/jshn.sh`

			`find_iface_address()`
			`{`
			`local iface="$1"`
			`local ipaddr="$2"`
			`local prefix="$3"`

firewall: rework interface address determination to skip ipv6 addresses SVN-Revision: 31755 12 years ago			`local idx=1`
firewall: fix nat reflection after netifd switch (#11460) SVN-Revision: 31754 12 years ago			`local tmp="$(ubus call network.interface."$iface" status 2>/dev/null)"`

			`json_load "${tmp:-{}}"`
			`json_get_type tmp address`

			`if [ "$tmp" = array ]; then`
			`json_select address`

firewall: rework interface address determination to skip ipv6 addresses SVN-Revision: 31755 12 years ago			`while true; do`
			`json_get_type tmp $idx`
			`[ "$tmp" = object ] \|\| break`

			`json_select $((idx++))`
			`json_get_var tmp address`

			`case "$tmp" in`
			`:) json_select .. ;;`
			`*)`
			`[ -n "$ipaddr" ] && json_get_var $ipaddr address`
			`[ -n "$prefix" ] && json_get_var $prefix mask`
			`return 0`
			`;;`
			`esac`
			`done`
firewall: fix nat reflection after netifd switch (#11460) SVN-Revision: 31754 12 years ago			`fi`
firewall: rework interface address determination to skip ipv6 addresses SVN-Revision: 31755 12 years ago
			`return 1`
firewall: fix nat reflection after netifd switch (#11460) SVN-Revision: 31754 12 years ago			`}`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firewall: - handle NAT reflection in firewall hotplug, solves synchronizing issues on boot - introduce masq_src and masq_dest options to limit zone masq to specific ip ranges, supports multiple subnets and negation SVN-Revision: 22888 14 years ago			`if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then`
firewall: fix nat reflection after netifd switch (#11460) SVN-Revision: 31754 12 years ago			`local wanip`
			`find_iface_address wan wanip`
			`[ -n "$wanip" ] \|\| return`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
			`iptables -t nat -F nat_reflection_in 2>/dev/null \|\| {`
			`iptables -t nat -N nat_reflection_in`
			`iptables -t nat -A prerouting_rule -j nat_reflection_in`
			`}`

			`iptables -t nat -F nat_reflection_out 2>/dev/null \|\| {`
			`iptables -t nat -N nat_reflection_out`
			`iptables -t nat -A postrouting_rule -j nat_reflection_out`
			`}`

firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled SVN-Revision: 23201 14 years ago			`iptables -t filter -F nat_reflection_fwd 2>/dev/null \|\| {`
			`iptables -t filter -N nat_reflection_fwd`
			`iptables -t filter -A forwarding_rule -j nat_reflection_fwd`
			`}`

firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`find_networks() {`
			`find_networks_cb() {`
			`local cfg="$1"`
			`local zone="$2"`

			`local name`
			`config_get name "$cfg" name`

			`[ "$name" = "$zone" ] && {`
			`local network`
			`config_get network "$cfg" network`

			`echo ${network:-$zone}`
			`return 1`
			`}`
			`}`

			`config_foreach find_networks_cb zone "$1"`
			`}`
firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled SVN-Revision: 23201 14 years ago
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago			`setup_fwd() {`
			`local cfg="$1"`

firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled SVN-Revision: 23201 14 years ago			`local reflection`
			`config_get_bool reflection "$cfg" reflection 1`
			`[ "$reflection" == 1 ] \|\| return`

firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago			`local src`
			`config_get src "$cfg" src`

firewall: introduce SNAT support for redirect sections SVN-Revision: 22937 14 years ago			`local target`
			`config_get target "$cfg" target DNAT`

			`[ "$src" = wan ] && [ "$target" = DNAT ] && {`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago			`local dest`
			`config_get dest "$cfg" dest "lan"`
firewall: - allow multiple ports, protocols, macs, icmp types per rule - implement "limit" and "limit_burst" options for rules - implement "extra" option to rules and redirects for passing arbritary flags to iptables - implement negations for "src_port", "dest_port", "src_dport", "src_mac", "proto" and "icmp_type" options - allow wildcard (*) "src" and "dest" options in rules to allow specifying "any" source or destination - validate symbolic icmp-type names against the selected iptables binary - properly handle forwarded ICMPv6 traffic in the default configuration SVN-Revision: 27317 13 years ago			`[ "$dest" != "*" ] \|\| return`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`local net`
			`for net in $(find_networks "$dest"); do`
firewall: fix nat reflection after netifd switch (#11460) SVN-Revision: 31754 12 years ago			`local lanip lanmk`
			`find_iface_address "$net" lanip lanmk`
			`[ -n "$lanip" ] \|\| return`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`local proto`
			`config_get proto "$cfg" proto`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`local epmin epmax extport`
			`config_get extport "$cfg" src_dport`
			`[ -n "$extport" ] \|\| return`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`epmin="${extport%[-:]}"; epmax="${extport#[-:]}"`
firewall: fix port range quirk in previous commit SVN-Revision: 27335 13 years ago			`[ "${epmin#!}" != "$epmax" ] \|\| epmax=""`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`local ipmin ipmax intport`
			`config_get intport "$cfg" dest_port "$extport"`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`ipmin="${intport%[-:]}"; ipmax="${intport#[-:]}"`
firewall: fix port range quirk in previous commit SVN-Revision: 27335 13 years ago			`[ "${ipmin#!}" != "$ipmax" ] \|\| ipmax=""`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`local exthost`
			`config_get exthost "$cfg" src_dip "$wanip"`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`local inthost`
			`config_get inthost "$cfg" dest_ip`
			`[ -n "$inthost" ] \|\| return`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`[ "$proto" = tcpudp ] && proto="tcp udp"`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firewall: don't setup nat reflection if negations are used SVN-Revision: 23142 14 years ago			`[ "${inthost#!}" = "$inthost" ] \|\| return 0`
			`[ "${exthost#!}" = "$exthost" ] \|\| return 0`

firewall: properly handle negated ports in nat reflection SVN-Revision: 27334 13 years ago			`[ "${epmin#!}" != "$epmin" ] && \`
			`extport="! --dport ${epmin#!}${epmax:+:$epmax}" \|\| \`
			`extport="--dport $epmin${epmax:+:$epmax}"`

			`[ "${ipmin#!}" != "$ipmin" ] && \`
			`intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" \|\| \`
			`intport="--dport $ipmin${ipmax:+:$ipmax}"`

firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`local p`
			`for p in ${proto:-tcp udp}; do`
			`case "$p" in`
firewall: further tune ICMPv6 default rules according to RFC4890 (#9893) SVN-Revision: 27979 13 years ago			`tcp\|udp\|6\|17)`
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`iptables -t nat -A nat_reflection_in \`
			`-s $lanip/$lanmk -d $exthost \`
firewall: properly handle negated ports in nat reflection SVN-Revision: 27334 13 years ago			`-p $p $extport \`
			`-j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`iptables -t nat -A nat_reflection_out \`
			`-s $lanip/$lanmk -d $inthost \`
firewall: properly handle negated ports in nat reflection SVN-Revision: 27334 13 years ago			`-p $p $intport \`
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`-j SNAT --to-source $lanip`
firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled SVN-Revision: 23201 14 years ago
			`iptables -t filter -A nat_reflection_fwd \`
			`-s $lanip/$lanmk -d $inthost \`
firewall: properly handle negated ports in nat reflection SVN-Revision: 27334 13 years ago			`-p $p $intport \`
firewall: also establish forward rules when setting up nat reflection, back out early if reflection is disabled SVN-Revision: 23201 14 years ago			`-j ACCEPT`
firwall: fix nat reflection for zones covering multiple networks SVN-Revision: 22442 14 years ago			`;;`
			`esac`
			`done`
firewall: add basic NAT reflection/NAT loopback support SVN-Revision: 22441 14 years ago			`done`
			`}`
			`}`

			`config_load firewall`
			`config_foreach setup_fwd redirect`
			`fi`