3 let fw4 = require("fw4");
4 let ubus = require("ubus");
5 let fs = require("fs");
9 * Unfortunately, terse mode (-t) is incompatible with JSON output so
10 * we either need to parse a potentially huge JSON just to get the set
11 * header data or scrape the ordinary nft output to obtain the same
12 * information. Opt for the latter to avoid parsing potentially huge
15 function find_existing_sets() {
16 let fd = fs.popen("nft -t list sets inet", "r");
19 warn(sprintf("Unable to execute 'nft' for listing existing sets: %s\n",
27 while ((line = fd.read("line")) !== "") {
30 if ((m = match(line, /^table inet (.+) \{\n$/)) != null) {
33 else if ((m = match(line, /^\tset (.+) \{\n$/)) != null) {
36 else if ((m = match(line, /^\t\ttype (.+)\n$/)) != null) {
37 if (table == "fw4" && set)
38 sets[set] = split(m[1], " . ");
49 function read_state() {
50 let state = fw4.read_state();
53 warn("Unable to read firewall state - do you need to start the firewall?\n");
60 function reload_sets() {
61 let state = read_state(),
62 sets = find_existing_sets();
64 for (let set in state.ipsets) {
65 if (!set.loadfile || !length(set.entries))
68 if (!exists(sets, set.name)) {
69 warn(sprintf("Named set '%s' does not exist - do you need to restart the firewall?\n",
73 else if (fw4.concat(sets[set.name]) != fw4.concat(set.types)) {
74 warn(sprintf("Named set '%s' has a different type - want '%s' but is '%s' - do you need to restart the firewall?\n",
75 set.name, fw4.concat(set.types), fw4.concat(sets[set.name])));
80 let printer = (entry) => {
82 print("add element inet fw4 ", set.name, " {\n");
86 print("\t", join(" . ", entry), ",\n");
89 print("flush set inet fw4 ", set.name, "\n");
91 map(set.entries, printer);
92 fw4.parse_setfile(set, printer);
99 function resolve_lower_devices(devstatus, devname) {
100 let dir = fs.opendir("/sys/class/net/" + devname);
104 if (!devstatus || devstatus[devname]?.["hw-tc-offload"]) {
110 while ((e = dir.read()) != null)
111 if (index(e, "lower_") === 0)
112 push(devs, ...resolve_lower_devices(devstatus, substr(e, 6)));
121 function resolve_offload_devices() {
122 if (!fw4.default_option("flow_offloading"))
125 let devstatus = null;
128 if (fw4.default_option("flow_offloading_hw")) {
129 let bus = require("ubus").connect();
132 devstatus = bus.call("network.device", "status") || {};
137 for (let zone in fw4.zones())
138 for (let device in zone.match_devices)
139 push(devices, ...resolve_lower_devices(devstatus, device));
141 return uniq(devices);
144 function check_flowtable() {
145 let nft = fs.popen("nft --terse --json list flowtables inet");
150 info = json(nft.read("all"));
159 for (let item in info?.nftables)
160 if (item?.flowtable?.table == "fw4" && item?.flowtable?.name == "ft")
166 function render_ruleset(use_statefile) {
167 fw4.load(use_statefile);
169 include("templates/ruleset.uc", {
170 fw4, type, exists, length, include,
171 devices: resolve_offload_devices(),
172 flowtable: check_flowtable()
176 function lookup_network(net) {
177 let state = read_state();
179 for (let zone in state.zones) {
180 for (let network in (zone.network || [])) {
181 if (network.device == net) {
182 print(zone.name, "\n");
191 function lookup_device(dev) {
192 let state = read_state();
194 for (let zone in state.zones) {
195 for (let rule in (zone.match_rules || [])) {
196 if (dev in rule.devices_pos) {
197 print(zone.name, "\n");
206 function lookup_zone(name, dev) {
207 let state = read_state();
209 for (let zone in state.zones) {
210 if (zone.name == name) {
212 map(zone.match_rules, (r) => push(devices, ...(r.devices_pos || [])));
215 if (dev in devices) {
224 print(join("\n", devices), "\n");
234 switch (getenv("ACTION")) {
236 return render_ruleset(true);
239 return render_ruleset(false);
242 return reload_sets();
245 return lookup_network(getenv("OBJECT"));
248 return lookup_device(getenv("OBJECT"));
251 return lookup_zone(getenv("OBJECT"), getenv("DEVICE"));
projects / project / firewall4.git / blob