Hi,

Now that I have busybox 1.15.2, the "local" macro is no longer a problem, so I have dropped all the modifications that removed local. As a reminder, these changes are for the ubicom32 platform, but they apply to all no-mmu platforms in general.
As ash cannot run on no-mmu system, we are using hush instead.

There are still not compatible features between ash/hush. I've listed them below. Please note that these are only
problems that I've encountered in firewall/iptables scripts.

1/ hush needs "eval" to substitute string.
2/ hush doesn't handle line concatenation : "\"
3/ hush crashes if two scripts include each other. (uci_firewall.sh and /etc/hotplug.d/iface/20-firewall includes each other)

I am attaching patch file that solving above problems.
we need your comments for these issues.

regards
ugur



Felix Fietkau wrote:
Jo-Philipp Wich wrote:
The following function supports multiple args like the original "local".

# Fallback for shells without a "local" builtin: if `type local` fails,
# define a function of that name that sets each named variable to the
# empty string. The variables it sets (and the loop variable _v) are
# ordinary globals; nothing is scoped or restored on function return.
if ! type "local" >/dev/null; then
        local() {
                # $* is unquoted, so the arguments are word-split (and subject
                # to glob expansion) before the loop sees them.
                # Each word is pasted into a string that eval parses as shell
                # code: only plain variable names are safe to pass here. An
                # argument of the form name=value becomes name=value='' and
                # does not assign the intended value.
                for _v in $*; do eval "$_v=''"; done
        }
fi


If you add that to /etc/profile (is that supported by hush?) then it
should be available system wide, in any script.
/etc/functions.sh would be a better place, imho. I think /etc/profile is
not automatically sourced by shell scripts. This function doesn't
currently cover all scripts, it needs to handle things like
local var="value"
as well without inserting extra = characters.

- Felix

diff -ruN /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh
--- /home/ugur/Desktop/openwrt-trunk-r18672/package/firewall/files/uci_firewall.sh	2009-12-01 22:31:10.000000000 +0200
+++ /home/ugur/ubicom-distro/openwrt/package/firewall/files/uci_firewall.sh	2009-12-08 14:01:13.000000000 +0200
@@ -46,9 +46,10 @@
 
 	[ "$1" == "loopback" ] && return
 
-	config_get exists $ZONE_LIST $1
+    eval_ZONE_LIST=$(eval "echo $ZONE_LIST")
+    config_get exists $eval_ZONE_LIST $1
 	[ -n "$exists" ] && return
-	config_set $ZONE_LIST $1 1
+    config_set $eval_ZONE_LIST $1 1
 
 	$IPTABLES -N zone_$1
 	$IPTABLES -N zone_$1_MSSFIX
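Review bot: `eval "echo $ZONE_LIST"` on the first added line parses the value of ZONE_LIST a second time as shell code, so it is only safe if that value is a fixed variable reference set by the script itself. Its definition is outside this hunk; if that is what it holds, a comment such as `# ZONE_LIST holds a variable reference; hush needs eval to expand it` should say so. The result and `$1` are then passed unquoted to config_get and config_set, and `config_get exists "$eval_ZONE_LIST" "$1"` would keep an unexpected value from being split into extra arguments. The three added lines are indented with spaces while the surrounding context uses tabs, and the enclosing function starts and ends outside the hunk.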
@@ -280,12 +281,12 @@
 
 	src_port_first=${src_port%-*}
 	src_port_last=${src_port#*-}
-	[ "$src_port_first" -ne "$src_port_last" ] && { \
+	[ "$src_port_first" -ne "$src_port_last" ] && { 
 		src_port="$src_port_first:$src_port_last"; }
 
 	dest_port_first=${dest_port%-*}
 	dest_port_last=${dest_port#*-}
-	[ "$dest_port_first" -ne "$dest_port_last" ] && { \
+	[ "$dest_port_first" -ne "$dest_port_last" ] && { 
 		dest_port="$dest_port_first:$dest_port_last"; }
 
 	ZONE=input
@@ -295,15 +296,13 @@
 	[ -n "$src" -a -n "$dest" ] && ZONE=zone_${src}_forward
 	[ -n "$dest" ] && TARGET=zone_${dest}_$target
 	add_rule() {
-		$IPTABLES -A $ZONE \
-			${proto:+-p $proto} \
-			${icmp_type:+--icmp-type $icmp_type} \
-			${src_ip:+-s $src_ip} \
-			${src_port:+--sport $src_port} \
-			${src_mac:+-m mac --mac-source $src_mac} \
-			${dest_ip:+-d $dest_ip} \
-			${dest_port:+--dport $dest_port} \
-			-j $TARGET
+        PROTO=$(eval "echo \"${proto:+-p $proto}\"")
+        SRC_IP=$(eval "echo \"${src_ip:+-s $src_ip}\"")
+        SRC_PORT=$(eval "echo \"${src_port:+--sport $src_port}\"")
+        SRC_MAC=$(eval "echo \"${src_mac:+-m mac --mac-source $src_mac}\"")
+        DEST_IP=$(eval "echo \"${dest_ip:+-d $dest_ip}\"")
+        DEST_PORT=$(eval "echo \"${dest_port:+--dport $dest_port}\"")
+        $IPTABLES -I $ZONE 1 $PROTO $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET
 	}
 	[ "$proto" == "tcpudp" -o -z "$proto" ] && {
 		proto=tcp
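Review bot: The rewritten add_rule changes which packets the rule matches and where it lands in the chain: the `--icmp-type` option from the removed lines has no replacement, so a rule restricted to one ICMP type would now match every ICMP type, and `-A $ZONE` became `-I $ZONE 1`, which puts each new rule ahead of the existing ones and reverses their order. The cover mail mentions neither change, so both look unintended. Each `$(eval "echo \"…\"")` also has the value parsed a second time as shell code, so a config value containing a double quote, a backquote or `$(` would be executed rather than passed to iptables; the add_rule in the redirect hunk that follows uses the same pattern. The version below builds the options with plain tests and restores `--icmp-type` and `-A`; it assumes icmp_type is still read earlier in the function, outside this hunk, and it is untested on hush.

```shell
	add_rule() {
		# Plain tests instead of eval: config values are expanded once and
		# never re-parsed as shell code.
		PROTO=; [ -n "$proto" ] && PROTO="-p $proto"
		ICMP_TYPE=; [ -n "$icmp_type" ] && ICMP_TYPE="--icmp-type $icmp_type"
		SRC_IP=; [ -n "$src_ip" ] && SRC_IP="-s $src_ip"
		SRC_PORT=; [ -n "$src_port" ] && SRC_PORT="--sport $src_port"
		SRC_MAC=; [ -n "$src_mac" ] && SRC_MAC="-m mac --mac-source $src_mac"
		DEST_IP=; [ -n "$dest_ip" ] && DEST_IP="-d $dest_ip"
		DEST_PORT=; [ -n "$dest_port" ] && DEST_PORT="--dport $dest_port"
		# Append, as before the patch, so rule order follows config order.
		$IPTABLES -A $ZONE $PROTO $ICMP_TYPE $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET
	}
```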
@@ -349,42 +348,40 @@
 	config_get dest_ip $1 dest_ip
 	config_get dest_port $1 dest_port
 	config_get proto $1 proto
-	[ -z "$src" -o -z "$dest_ip" ] && { \
+	[ -z "$src" -o -z "$dest_ip" ] && { 
 		echo "redirect needs src and dest_ip"; return ; }
 
 	src_port_first=${src_port%-*}
 	src_port_last=${src_port#*-}
-	[ "$src_port_first" -ne "$src_port_last" ] && { \
+	[ "$src_port_first" -ne "$src_port_last" ] && { 
 		src_port="$src_port_first:$src_port_last"; }
 
 	src_dport_first=${src_dport%-*}
 	src_dport_last=${src_dport#*-}
-	[ "$src_dport_first" -ne "$src_dport_last" ] && { \
+	[ "$src_dport_first" -ne "$src_dport_last" ] && { 
 		src_dport="$src_dport_first:$src_dport_last"; }
 
 	dest_port2=${dest_port:-$src_dport}
 	dest_port_first=${dest_port2%-*}
 	dest_port_last=${dest_port2#*-}
-	[ "$dest_port_first" -ne "$dest_port_last" ] && { \
+	[ "$dest_port_first" -ne "$dest_port_last" ] && { 
 		dest_port2="$dest_port_first:$dest_port_last"; }
 
 	add_rule() {
-		$IPTABLES -A zone_${src}_prerouting -t nat \
-			${proto:+-p $proto} \
-			${src_ip:+-s $src_ip} \
-			${src_port:+--sport $src_port} \
-			${src_dport:+--dport $src_dport} \
-			${src_mac:+-m mac --mac-source $src_mac} \
-			-j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
-
-		$IPTABLES -I zone_${src}_forward 1 \
-			${proto:+-p $proto} \
-			-d $dest_ip \
-			${src_ip:+-s $src_ip} \
-			${src_port:+--sport $src_port} \
-			${dest_port2:+--dport $dest_port2} \
-			${src_mac:+-m mac --mac-source $src_mac} \
-			-j ACCEPT
+        PROTO=$(eval "echo \"${proto:+-p $proto}\"")
+        SRC_IP=$(eval "echo \"${src_ip:+-s $src_ip}\"")
+        SRC_PORT=$(eval "echo \"${src_port:+--sport $src_port}\"")
+        SRC_DPORT=$(eval "echo \"${src_dport:+--dport $src_dport}\"")
+        SRC_MAC=$(eval "echo \"${src_mac:+-m mac --mac-source $src_mac}\"")
+        DEST_PORT=$(eval "echo \"${dest_port:+:$dest_port}\"")
+        $IPTABLES -A zone_${src}_prerouting -t nat $PROTO $SRC_IP $SRC_PORT $SRC_DPORT $SRC_MAC -j DNAT --to-destination $dest_ip$DEST_PORT
+
+        PROTO=$(eval "echo \"${proto:+-p $proto}\"")
+        SRC_IP=$(eval "echo \"${src_ip:+-s $src_ip}\"")
+        SRC_PORT=$(eval "echo \"${src_port:+--sport $src_port}\"")
+        DEST_PORT2=$(eval "echo \"${dest_port2:+--dport $dest_port2}\"")
+        SRC_MAC=$(eval "echo \"${src_mac:+-m mac --mac-source $src_mac}\"")
+        $IPTABLES -I zone_${src}_forward 1 $PROTO -d $dest_ip $SRC_IP $SRC_PORT $DEST_PORT2 $SRC_MAC -j ACCEPT
 	}
 	[ "$proto" == "tcpudp" -o -z "$proto" ] && {
 		proto=tcp
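Review bot: The second group of assignments in this add_rule recomputes PROTO, SRC_IP, SRC_PORT and SRC_MAC with the same expressions as the first group, and nothing between the two iptables calls changes proto, src_ip, src_port or src_mac. Those four lines can be dropped, leaving only `DEST_PORT2` to set before the forward rule. DEST_PORT holds a `:port` suffix here but a `--dport port` option in the add_rule of the rule hunk, and both are assigned as globals, so a distinct name such as `DNAT_PORT` would keep the two meanings apart. `$dest_ip`, read by `config_get dest_ip` at the top of the hunk, reaches `--to-destination` and `-d` unquoted, so an empty or multi-word value would shift the remaining iptables arguments. The enclosing function starts and ends outside the hunk.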
@@ -402,13 +399,43 @@
 	[ -e $path ] && . $path
 }
 
+INTERFACES=
 fw_addif() {
-	local up
-	local ifname
-	config_get up $1 up
-	config_get ifname $1 ifname
-	[ -n "$up" ] || return 0
-	(ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall)
+    unset ZONE
+    INTERFACE=$1
+    config_get ifname $INTERFACE ifname
+    [ "$ifname" == "lo" ] && return 0
+
+    load_zones() {
+         name=
+         network=
+        config_get name $1 name
+        config_get network $1 network
+        [ -z "$network" ] && network=$name
+        for n in $network; do
+            [ "$n" = "$INTERFACE" ] && ZONE="$ZONE $name"
+        done
+    }
+
+    config_foreach load_zones zone
+
+    [ -z "$ZONE" ] && return 0
+
+    for z in $ZONE; do
+         loaded=
+        config_get loaded core loaded
+        [ -n "$loaded" ] && [ -n "$z" ] && addif "$INTERFACE" "$ifname" "$z"
+    done
+
+}
+
+get_interfaces() {
+    up=
+    ifname=
+    config_get up $1 up
+    config_get ifname $1 ifname
+    [ -n "$up" ] || return 0
+    INTERFACES="$INTERFACES $1"
 }
 
 fw_custom_chains() {
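Review bot: fw_addif no longer checks `up` before adding the interface: the `[ -n "$up" ] || return 0` guard moved into the new get_interfaces, which only appends to INTERFACES. Nothing in this hunk reads that list, so whether interfaces that are down are still skipped depends on callers outside the hunk. fw_addif also now runs `unset ZONE` and assigns INTERFACE, ifname, name, network and loaded as globals, while the rule code earlier in the file sets `ZONE=input` for a different purpose. Since the cover mail says `local` works with busybox 1.15.2, `local up ifname` could stay and the new names could be declared the same way, provided hush lets the nested load_zones see them. `config_get loaded core loaded` does not depend on `$z` and can move above the `for z in $ZONE` loop.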