X-Git-Url: http://git.ozo.com/?a=blobdiff_plain;f=miniupnpd%2Ffiles%2Ffirewall.include;h=818af9dbc4446c3d4ae2ec69dcb74b8dbdb0c184;hb=416e1d77494809ff24dae70a5c2d1d1a5351585c;hp=5294c45db44113941aadfa9a9af33e0ede91da5f;hpb=aa9af551d0bf027ec683c04c4ea15a773b43af67;p=lede-routing%2F.git
diff --git a/miniupnpd/files/firewall.include b/miniupnpd/files/firewall.include
index 5294c45..818af9d 100644
--- a/miniupnpd/files/firewall.include
+++ b/miniupnpd/files/firewall.include
@@ -1,14 +1,6 @@
 #!/bin/sh
 # miniupnpd integration for firewall3
-# Note: Correct way to do this would be probably to use
-# /lib/functions/network.sh, and use network_find_wan{,6}, and then
-# network_get_device, then determine their zones using fw3 -q network
-# etc. However, network_find_wan* return only one device, and
-# frequently incorrect one if multiple ISPs are in use. So this
-# current ugly solution works, although perhaps makes holes where it
-# shouldn't (if so, do override it in e.g. firewall.user)
-
 IP6TABLES=/usr/sbin/ip6tables
 iptables -t filter -N MINIUPNPD 2>/dev/null
@@ -16,11 +8,48 @@ iptables -t nat -N MINIUPNPD 2>/dev/null
 [ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
-# IPv4 - due to NAT, need to add both to nat and filter table
-iptables -t filter -I delegate_forward 2 -j MINIUPNPD
-iptables -t nat -I delegate_prerouting 2 -j MINIUPNPD
+. /lib/functions/network.sh
+
+ADDED=0
+
+add_extzone_rules() {
+ local ext_zone=$1
+
+ [ -z "$ext_zone" ] && return
-# IPv6 if available - filter only
-[ -x $IP6TABLES ] && {
- $IP6TABLES -t filter -I delegate_forward 2 -j MINIUPNPD
+ # IPv4 - due to NAT, need to add both to nat and filter table
+ iptables -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
+ iptables -t nat -I zone_${ext_zone}_prerouting -j MINIUPNPD
+
+ # IPv6 if available - filter only
+ [ -x $IP6TABLES ] && {
+ $IP6TABLES -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
+ }
+ ADDED=$(($ADDED + 1))
 }
+
+# By default, user configuration is king.
+
+for ext_iface in $(uci -q get upnpd.config.external_iface); do
+ add_extzone_rules $(fw3 -q network "$ext_iface")
+done
+
+add_extzone_rules $(uci -q get upnpd.config.external_zone)
+
+[ ! $ADDED = 0 ] && exit 0
+
+
+# If really nothing is available, resort to network_find_wan{,6} and
+# assume external interfaces all have same firewall zone.
+
+# (This heuristic may fail horribly, in case of e.g. multihoming, so
+# please set external_zone in that case!)
+
+network_find_wan wan_iface
+network_find_wan6 wan6_iface
+
+for ext_iface in $wan_iface $wan6_iface; do
+ # fw3 -q network fails on sub-interfaces => map to device first
+ network_get_device ext_device $ext_iface
+ add_extzone_rules $(fw3 -q device "$ext_device")
+done
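Review bot: `ADDED=$(($ADDED + 1))` in add_extzone_rules counts attempts rather than successes, so when the zone chain does not exist (a stale or unexpected name from `fw3 -q network` or from external_zone) both iptables inserts fail, yet `[ ! $ADDED = 0 ] && exit 0` still fires and the network_find_wan fallback is skipped, leaving the MINIUPNPD chain unhooked with no diagnostic. Gating the counter on the inserts, `iptables -t filter -I "zone_${ext_zone}_forward" -j MINIUPNPD || return` and `iptables -t nat -I "zone_${ext_zone}_prerouting" -j MINIUPNPD || return`, keeps ADDED honest and also quotes the config-derived zone name so a malformed value cannot split into extra iptables arguments. In the fallback loop, `network_get_device ext_device $ext_iface` is never reset between iterations, so a lookup that fails for one interface appears to leave ext_device holding the previous value (inferred, not shown here) and `fw3 -q device` is then asked about the wrong device; `network_get_device ext_device "$ext_iface" || continue` avoids that. Calling add_extzone_rules twice for the same zone (an external_iface resolving to the external_zone zone, or wan and wan6 sharing a zone) inserts duplicate jumps, which is harmless but deserves a comment next to the second call.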