treewide: use modern syntax
[project/firewall4.git] / root / usr / share / firewall4 / main.uc
1 {%
2
3 let fw4 = require("fw4");
4
// Fetch the saved firewall state through fw4.read_state().
// If no state comes back, print a hint to stderr and terminate with
// exit status 1, so callers never see a missing state.
function read_state() {
	let current = fw4.read_state();

	if (current)
		return current;

	warn("Unable to read firewall state - do you need to start the firewall?\n");
	exit(1);
}
15
// Print, on stdout, nft commands that flush and refill the named sets
// recorded in the saved firewall state. Sets that are missing or have a
// different type than the state expects are skipped with a warning.
function reload_sets() {
	let state = read_state(),
	    sets = fw4.check_set_types();

	for (let set in state.ipsets) {
		// Only sets that have BOTH a loadfile and static entries are handled.
		// NOTE(review): a set with a loadfile but no static entries is skipped
		// here, so it is never refreshed from its file - confirm this is intended.
		if (!set.loadfile || !length(set.entries))
			continue;

		// `sets` is looked up by set name; judging by the warnings below it
		// holds the type of each set that currently exists - TODO confirm
		// against fw4.check_set_types().
		if (!exists(sets, set.name)) {
			warn(`Named set '${set.name}' does not exist - do you need to restart the firewall?\n`);
			continue;
		}
		else if (fw4.concat(sets[set.name]) != fw4.concat(set.types)) {
			warn(`Named set '${set.name}' has a different type - want '${fw4.concat(set.types)}' but is '${fw4.concat(sets[set.name])}' - do you need to restart the firewall?\n`);
			continue;
		}

		// `first` makes the "add element ... {" header appear lazily, right
		// before the first element, so the closing brace below is only
		// printed when a header was actually emitted.
		let first = true;
		let printer = (entry) => {
			if (first) {
				print(`add element inet fw4 ${set.name} {\n`);
				first = false;
			}

			// NOTE(review): set.name and every entry field are written into the
			// nft script verbatim; nothing in this function validates or escapes
			// them, so this relies on fw4 having checked both the state and the
			// loadfile contents - confirm in fw4.parse_setfile().
			print(` ${join(" . ", entry)},\n`);
		};

		// The flush is emitted before any element, so the set is emptied
		// first and then refilled.
		print(`flush set inet fw4 ${set.name}\n`);

		// Static entries from the state first, then whatever
		// fw4.parse_setfile() hands to the same callback.
		map(set.entries, printer);
		fw4.parse_setfile(set, printer);

		if (!first)
			print("}\n\n");
	}
}
52
// Load the firewall configuration via fw4.load() and render the ruleset
// template. `use_statefile` is passed through to fw4.load() unchanged.
function render_ruleset(use_statefile) {
	fw4.load(use_statefile);

	// Names handed to the template explicitly; the template is given this
	// object as its scope.
	let scope = { fw4, type, exists, length, include };

	include("templates/ruleset.uc", scope);
}
58
// Print the name of the first zone that has a network entry whose
// `device` equals `net`, then exit 0. Exits 1 when no zone matches.
// NOTE(review): `net` comes straight from the OBJECT environment variable;
// when it is unset the comparison is against null, which would presumably
// match a network entry without a device - confirm.
function lookup_network(net) {
	let state = read_state();

	for (let zone in state.zones) {
		let networks = zone.network || [];

		for (let network in networks) {
			if (network.device != net)
				continue;

			print(zone.name, "\n");
			exit(0);
		}
	}

	exit(1);
}
73
// Print the name of the first zone that has a match rule listing `dev`
// in its `devices_pos`, then exit 0. Exits 1 when no zone matches.
function lookup_device(dev) {
	let state = read_state();

	for (let zone in state.zones) {
		let rules = zone.match_rules || [];

		for (let rule in rules) {
			if (!(dev in rule.devices_pos))
				continue;

			print(zone.name, "\n");
			exit(0);
		}
	}

	exit(1);
}
88
// Look up the zone called `name` and report its devices.
//  - With `dev` given: print `dev` and exit 0 if it is one of the zone's
//    devices, otherwise exit 1 without output.
//  - Without `dev`: print all devices of the zone, one per line, and exit 0
//    (also when the zone has no devices).
// Exits 1 when no zone has that name.
function lookup_zone(name, dev) {
	let state = read_state();

	for (let zone in state.zones) {
		if (zone.name != name)
			continue;

		// Collect devices_pos of every match rule into one flat list.
		let devices = [];

		for (let rule in (zone.match_rules || []))
			push(devices, ...(rule.devices_pos || []));

		if (dev) {
			if (!(dev in devices))
				exit(1);

			print(dev, "\n");
			exit(0);
		}

		if (length(devices))
			print(join("\n", devices), "\n");

		exit(0);
	}

	exit(1);
}
115
116
// Entry point: choose the operation from the ACTION environment variable.
// OBJECT and DEVICE supply the arguments of the lookup actions.
// NOTE(review): within the lines shown there is no fallback branch, so an
// unset or unrecognised ACTION produces no output and no error.
let action = getenv("ACTION");

if (action === "start")
	return render_ruleset(true);
else if (action === "print")
	return render_ruleset(false);
else if (action === "reload-sets")
	return reload_sets();
else if (action === "network")
	return lookup_network(getenv("OBJECT"));
else if (action === "device")
	return lookup_device(getenv("OBJECT"));
else if (action === "zone")
	return lookup_zone(getenv("OBJECT"), getenv("DEVICE"));