miniupnpd: Fixes #39. Based on discussion with jow, use external interface if specifi...
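#!/bin/sh
# miniupnpd integration for firewall3
#
# Meant to run as a firewall3 include: it creates the MINIUPNPD chains and
# hooks them into the external zone's forward/prerouting chains.  The chains
# themselves are left empty here; their contents are managed elsewhere
# (by miniupnpd at runtime — confirm against the daemon's configuration).

IP6TABLES=/usr/sbin/ip6tables

# Create the chains.  Errors (typically "chain already exists" when the
# include is re-run on a firewall reload) are deliberately silenced.
iptables -t filter -N MINIUPNPD 2>/dev/null
iptables -t nat -N MINIUPNPD 2>/dev/null

# IPv6 is optional: only touch ip6tables when the binary is present.
[ -x "$IP6TABLES" ] && "$IP6TABLES" -t filter -N MINIUPNPD 2>/dev/null

. /lib/functions/network.sh

# Number of external zones hooked so far; decides whether the
# network_find_wan{,6} fallback below has to run.
ADDED=0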
14
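#######################################
# Hook the MINIUPNPD chains into one firewall zone.
# Globals:   IP6TABLES (read), ADDED (incremented once per hooked zone)
# Arguments: $1 - fw3 zone name of the external interface; empty is a no-op
# Returns:   0 when nothing had to be done; otherwise the status of the
#            last (ip)tables command or the ADDED assignment
#######################################
add_extzone_rules() {
	local ext_zone="$1"

	[ -n "$ext_zone" ] || return 0

	# IPv4: the nat table carries the redirects, the filter table lets the
	# redirected traffic through.  -I places the jump at the top of the
	# zone chain, so MINIUPNPD is consulted before the zone's own rules.
	iptables -t filter -I "zone_${ext_zone}_forward" -j MINIUPNPD
	iptables -t nat -I "zone_${ext_zone}_prerouting" -j MINIUPNPD

	# IPv6 has no NAT here, so the filter table is enough.
	if [ -x "$IP6TABLES" ]; then
		"$IP6TABLES" -t filter -I "zone_${ext_zone}_forward" -j MINIUPNPD
	fi

	ADDED=$((ADDED + 1))
}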
30
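# By default, user configuration is king: an explicit
# upnpd.config.external_iface (a space-separated list is accepted) names
# the external interface(s) whose fw3 zones get the MINIUPNPD hooks.
for ext_iface in $(uci -q get upnpd.config.external_iface); do
	add_extzone_rules "$(fw3 -q network "$ext_iface")"
done

[ "${ADDED:-0}" -ne 0 ] && exit 0

# If it's not available, resort to network_find_wan{,6} and
# assume external interfaces all have same firewall zone.
wan_iface=
wan6_iface=
network_find_wan wan_iface
network_find_wan6 wan6_iface

hooked_zones=
for ext_iface in $wan_iface $wan6_iface; do
	# fw3 -q network fails on sub-interfaces => map to device first.
	# Clear the result beforehand so a failed lookup cannot silently
	# reuse the previous iteration's device.
	ext_device=
	network_get_device ext_device "$ext_iface"
	[ -n "$ext_device" ] || continue

	ext_zone=$(fw3 -q device "$ext_device")
	[ -n "$ext_zone" ] || continue

	# wan and wan6 usually map to the same zone; hook each zone only
	# once so the jump rules are not inserted twice.
	case " $hooked_zones " in
		*" $ext_zone "*) continue ;;
	esac
	hooked_zones="$hooked_zones $ext_zone"

	add_extzone_rules "$ext_zone"
done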