
  1. -- Copyright 2008 Steven Barth <steven@midlink.org>
  2. -- Copyright 2010-2012 Jo-Philipp Wich <jow@openwrt.org>
  3. -- Licensed to the public under the Apache License 2.0.
  4. local sys = require "luci.sys"
  5. local utl = require "luci.util"
  6. local dsp = require "luci.dispatcher"
  7. local nxo = require "nixio"
  8. local ft = require "luci.tools.firewall"
  9. local nw = require "luci.model.network"
  10. local m, s, o, k, v
  11. arg[1] = arg[1] or ""
  12. m = Map("firewall",
  13. translate("Firewall - Traffic Rules"),
  14. translate("This page allows you to change advanced properties of the \
  15. traffic rule entry, such as matched source and destination \
  16. hosts."))
  17. m.redirect = dsp.build_url("admin/network/firewall/rules")
  18. nw.init(m.uci)
  19. local rule_type = m.uci:get("firewall", arg[1])
  20. if rule_type == "redirect" and m:get(arg[1], "target") ~= "SNAT" then
  21. rule_type = nil
  22. end
if not rule_type then
	-- Unknown or unsupported section: send the browser back to the overview.
	luci.http.redirect(m.redirect)
	return

--
-- SNAT
--
elseif rule_type == "redirect" then

	-- Page title: "SNAT <name>", or a placeholder when the section has no
	-- name.  "_name" is accepted as an alternative spelling of the option.
	local name = m:get(arg[1], "name") or m:get(arg[1], "_name")
	if not name or #name == 0 then
		name = translate("(Unnamed SNAT)")
	else
		name = "SNAT %s" % name
	end

	m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), name }

	-- Find the zone whose network list contains "wan".
	-- NOTE(review): wan_zone is assigned here but never read anywhere else in
	-- this file, so this whole foreach looks like dead code.  The callback
	-- parameter `s` also shadows the module-level section handle `s`.
	local wan_zone = nil

	m.uci:foreach("firewall", "zone",
		function(s)
			local n = s.network or s.name
			if n then
				local i  -- redundant: the for below declares its own `i`
				for i in utl.imatch(n) do
					if i == "wan" then
						wan_zone = s.name
						-- presumably stops the iteration -- confirm against uci:foreach
						return false
					end
				end
			end
		end)

	-- Edit the selected section in place; it can be neither added nor removed
	-- from this page.
	s = m:section(NamedSection, arg[1], "redirect", "")
	s.anonymous = true
	s.addremove = false

	-- Enable toggle and name field shared with the other firewall pages.
	ft.opt_enabled(s, Button)
	ft.opt_name(s, Value, translate("Name"))

	o = s:option(Value, "proto",
		translate("Protocol"),
		translate("You may specify multiple by selecting \"-- custom --\" and \
then entering protocols separated by space."))

	o:value("all", "All protocols")
	o:value("tcp udp", "TCP+UDP")
	o:value("tcp", "TCP")
	o:value("udp", "UDP")
	o:value("icmp", "ICMP")

	-- Normalise the stored protocol: a missing value and the alternative
	-- spelling "tcpudp" are both presented as "tcp udp" so they match the
	-- preset above.  Everything else is returned unchanged.
	function o.cfgvalue(...)
		local v = Value.cfgvalue(...)
		if not v or v == "tcpudp" then
			return "tcp udp"
		end
		return v
	end

	o = s:option(Value, "src", translate("Source zone"))
	o.nocreate = true
	o.default = "wan"
	o.template = "cbi/firewall_zonelist"

	-- Optional single address; "neg(...)" admits a leading "!" negation.
	o = s:option(Value, "src_ip", translate("Source IP address"))
	o.rmempty = true
	o.datatype = "neg(ipaddr)"
	o.placeholder = translate("any")
	-- Offer known hosts as suggestions.  This uses the global luci.sys rather
	-- than the `sys` local required at the top of the file, and the callback
	-- captures `o` as an upvalue, so it relies on ipv4_hints calling it
	-- synchronously before `o` is reassigned below.
	luci.sys.net.ipv4_hints(function(ip, name)
		o:value(ip, "%s (%s)" %{ ip, name })
	end)

	o = s:option(Value, "src_port",
		translate("Source port"),
		translate("Match incoming traffic originating from the given source \
port or port range on the client host."))

	o.rmempty = true
	o.datatype = "neg(portrange)"
	o.placeholder = translate("any")

	o = s:option(Value, "dest", translate("Destination zone"))
	o.nocreate = true
	o.default = "lan"
	o.template = "cbi/firewall_zonelist"

	-- IPv4 only here (SNAT), unlike the rule branch which accepts "ipaddr".
	o = s:option(Value, "dest_ip", translate("Destination IP address"))
	o.datatype = "neg(ip4addr)"
	luci.sys.net.ipv4_hints(function(ip, name)
		o:value(ip, "%s (%s)" %{ ip, name })
	end)

	o = s:option(Value, "dest_port",
		translate("Destination port"),
		translate("Match forwarded traffic to the given destination port or \
port range."))

	o.rmempty = true
	o.placeholder = translate("any")
	o.datatype = "neg(portrange)"

	-- The address traffic is rewritten to.  Mandatory (rmempty = false) and
	-- limited to a single IPv4 address; every address of every known
	-- interface is offered as a choice.
	o = s:option(Value, "src_dip",
		translate("SNAT IP address"),
		translate("Rewrite matched traffic to the given address."))

	o.rmempty = false
	o.datatype = "ip4addr"

	-- NOTE(review): the loops reuse the module-level names k and v as loop
	-- variables, and `local a` is immediately shadowed by the inner for.
	for k, v in ipairs(nw:get_interfaces()) do
		local a
		for k, a in ipairs(v:ipaddrs()) do
			o:value(a:host():string(), '%s (%s)' %{
				a:host():string(), v:shortname()
			})
		end
	end

	-- Optional: leaving it empty rewrites only the address, not the port.
	o = s:option(Value, "src_dport", translate("SNAT port"),
		translate("Rewrite matched traffic to the given source port. May be \
left empty to only rewrite the IP address."))

	o.datatype = "portrange"
	o.rmempty = true
	o.placeholder = translate('Do not rewrite')

	-- Free-form text passed on to iptables.  Unlike every other field on this
	-- page it carries no datatype validator, so nothing here checks it.
	s:option(Value, "extra",
		translate("Extra arguments"),
		translate("Passes additional arguments to iptables. Use with care!"))

--
-- Rule
--
else

	-- Page title: the rule name, or a placeholder when the section has no
	-- name.  "_name" is accepted as an alternative spelling of the option.
	local name = m:get(arg[1], "name") or m:get(arg[1], "_name")
	if not name or #name == 0 then
		name = translate("(Unnamed Rule)")
	end

	m.title = "%s - %s" %{ translate("Firewall - Traffic Rules"), name }

	-- Edit the selected section in place; it can be neither added nor removed
	-- from this page.
	s = m:section(NamedSection, arg[1], "rule", "")
	s.anonymous = true
	s.addremove = false

	-- Enable toggle and name field shared with the other firewall pages.
	ft.opt_enabled(s, Button)
	ft.opt_name(s, Value, translate("Name"))

	-- Empty value means the rule applies to both address families.
	o = s:option(ListValue, "family", translate("Restrict to address family"))
	o.rmempty = true
	o:value("", translate("IPv4 and IPv6"))
	o:value("ipv4", translate("IPv4 only"))
	o:value("ipv6", translate("IPv6 only"))

	o = s:option(Value, "proto", translate("Protocol"))
	o:value("all", translate("Any"))
	o:value("tcp udp", "TCP+UDP")
	o:value("tcp", "TCP")
	o:value("udp", "UDP")
	o:value("icmp", "ICMP")

	-- Same normalisation as in the SNAT branch: nil and "tcpudp" are both
	-- presented as "tcp udp"; any other stored value is returned unchanged.
	function o.cfgvalue(...)
		local v = Value.cfgvalue(...)
		if not v or v == "tcpudp" then
			return "tcp udp"
		end
		return v
	end

	-- ICMP type names offered as choices; an empty entry means any type.
	o = s:option(DynamicList, "icmp_type", translate("Match ICMP type"))
	o:value("", "any")
	o:value("echo-reply")
	o:value("destination-unreachable")
	o:value("network-unreachable")
	o:value("host-unreachable")
	o:value("protocol-unreachable")
	o:value("port-unreachable")
	o:value("fragmentation-needed")
	o:value("source-route-failed")
	o:value("network-unknown")
	o:value("host-unknown")
	o:value("network-prohibited")
	o:value("host-prohibited")
	o:value("TOS-network-unreachable")
	o:value("TOS-host-unreachable")
	o:value("communication-prohibited")
	o:value("host-precedence-violation")
	o:value("precedence-cutoff")
	o:value("source-quench")
	o:value("redirect")
	o:value("network-redirect")
	o:value("host-redirect")
	o:value("TOS-network-redirect")
	o:value("TOS-host-redirect")
	o:value("echo-request")
	o:value("router-advertisement")
	o:value("router-solicitation")
	o:value("time-exceeded")
	o:value("ttl-zero-during-transit")
	o:value("ttl-zero-during-reassembly")
	o:value("parameter-problem")
	o:value("ip-header-bad")
	o:value("required-option-missing")
	o:value("timestamp-request")
	o:value("timestamp-reply")
	o:value("address-mask-request")
	o:value("address-mask-reply")

	-- allowany / allowlocal presumably add the "any zone" and "device (local)"
	-- entries to the zone list -- confirm against cbi/firewall_zonelist.
	o = s:option(Value, "src", translate("Source zone"))
	o.nocreate = true
	o.allowany = true
	o.default = "wan"
	o.template = "cbi/firewall_zonelist"

	-- Space-separated list of MAC addresses, each optionally negated.
	o = s:option(Value, "src_mac", translate("Source MAC address"))
	o.datatype = "list(macaddr)"
	o.placeholder = translate("any")
	luci.sys.net.mac_hints(function(mac, name)
		o:value(mac, "%s (%s)" %{ mac, name })
	end)

	o = s:option(Value, "src_ip", translate("Source address"))
	o.datatype = "neg(ipaddr)"
	o.placeholder = translate("any")
	luci.sys.net.ipv4_hints(function(ip, name)
		o:value(ip, "%s (%s)" %{ ip, name })
	end)

	-- Multiple port ranges allowed here, unlike the single range in SNAT.
	o = s:option(Value, "src_port", translate("Source port"))
	o.datatype = "list(neg(portrange))"
	o.placeholder = translate("any")

	o = s:option(Value, "dest", translate("Destination zone"))
	o.nocreate = true
	o.allowany = true
	o.allowlocal = true
	o.template = "cbi/firewall_zonelist"

	o = s:option(Value, "dest_ip", translate("Destination address"))
	o.datatype = "neg(ipaddr)"
	o.placeholder = translate("any")
	luci.sys.net.ipv4_hints(function(ip, name)
		o:value(ip, "%s (%s)" %{ ip, name })
	end)

	o = s:option(Value, "dest_port", translate("Destination port"))
	o.datatype = "list(neg(portrange))"
	o.placeholder = translate("any")

	-- Verdict for matching traffic; a new rule defaults to ACCEPT.
	o = s:option(ListValue, "target", translate("Action"))
	o.default = "ACCEPT"
	o:value("DROP", translate("drop"))
	o:value("ACCEPT", translate("accept"))
	o:value("REJECT", translate("reject"))
	o:value("NOTRACK", translate("don't track"))

	-- Free-form text passed on to iptables.  Unlike every other field on this
	-- page it carries no datatype validator, so nothing here checks it.
	s:option(Value, "extra",
		translate("Extra arguments"),
		translate("Passes additional arguments to iptables. Use with care!"))
end

-- The Map is this cbi model's single exported value.
return m