You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

72 lines
2.2 KiB

  1. #!/bin/sh
  2. # miniupnpd integration for firewall3
  3. IPTABLES="/usr/sbin/iptables"
  4. IP6TABLES="/usr/sbin/ip6tables"
  5. IPTARGS="-w 1"
  6. $IPTABLES -t filter -N MINIUPNPD 2>/dev/null
  7. $IPTABLES -t nat -N MINIUPNPD 2>/dev/null
  8. $IPTABLES -t nat -N MINIUPNPD-POSTROUTING 2>/dev/null
  9. [ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
  10. . /lib/functions/network.sh
  11. # helper to insert in chain as penultimate
  12. iptables_prepend_rule() {
  13. local iptables="$1"
  14. local table="$2"
  15. local chain="$3"
  16. local target="$4"
  17. $iptables "$IPTARGS" -t "$table" -I "$chain" $($iptables "$IPTARGS" -t "$table" --line-numbers -nL "$chain" | \
  18. sed -ne '$s/[^0-9].*//p') -j "$target"
  19. }
  20. ADDED=0
  21. add_extzone_rules() {
  22. local ext_zone="$1"
  23. [ -z "$ext_zone" ] && return
  24. # IPv4 - due to NAT, need to add both to nat and filter table
  25. # need to insert as penultimate rule for input & forward & postrouting since final rule might be a fw3 REJECT
  26. iptables_prepend_rule "$IPTABLES" filter "zone_${ext_zone}_input" MINIUPNPD
  27. iptables_prepend_rule "$IPTABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
  28. $IPTABLES -t nat -A "zone_${ext_zone}_prerouting" -j MINIUPNPD
  29. iptables_prepend_rule "$IPTABLES" nat "zone_${ext_zone}_postrouting" MINIUPNPD-POSTROUTING
  30. # IPv6 if available - filter only
  31. [ -x $IP6TABLES ] && {
  32. iptables_prepend_rule "$IP6TABLES" filter "zone_${ext_zone}_input" MINIUPNPD
  33. iptables_prepend_rule "$IP6TABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
  34. }
  35. ADDED=$(($ADDED + 1))
  36. }
  37. # By default, user configuration is king.
  38. for ext_iface in $(uci -q get upnpd.config.external_iface); do
  39. add_extzone_rules $(fw3 -q network "$ext_iface")
  40. done
  41. add_extzone_rules $(uci -q get upnpd.config.external_zone)
  42. [ "$ADDED" -ne 0 ] && exit 0
  43. # If really nothing is available, resort to network_find_wan{,6} and
  44. # assume external interfaces all have same firewall zone.
  45. # (This heuristic may fail horribly, in case of e.g. multihoming, so
  46. # please set external_zone in that case!)
  47. network_find_wan wan_iface
  48. network_find_wan6 wan6_iface
  49. for ext_iface in $wan_iface $wan6_iface; do
  50. # fw3 -q network fails on sub-interfaces => map to device first
  51. network_get_device ext_device $ext_iface
  52. add_extzone_rules $(fw3 -q device "$ext_device")
  53. done