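#!/bin/sh
#
# fw4 - command line front-end for the OpenWrt firewall4 nftables ruleset.
#
# Every operation is produced by rendering the ucode template in $MAIN with
# utpl; the ACTION environment variable selects what the template emits (the
# nft ruleset, set refreshes, include hooks, or zone/device lookups). Rendered
# rulesets are fed to `nft -f`, which applies them as one transaction: either
# the whole ruleset is installed or the kernel state is left untouched.
#
# Mutating operations serialise on $LOCK via flock so concurrent start/stop/
# reload invocations cannot interleave; $STATE marks a loaded firewall.
#
# Options: -q suppresses diagnostics, -v passes -e to nft (echo the ruleset).

# NOTE: `pipefail` and `local` are not POSIX sh, but OpenWrt's /bin/sh (busybox
# ash) supports both. Without pipefail a failing utpl would be masked by nft.
set -o pipefail

MAIN=/usr/share/firewall4/main.uc
LOCK=/var/run/fw4.lock
STATE=/var/run/fw4.state
VERBOSE=

# `nft -f` takes a path, so the ruleset piped into nft's stdin is read back
# through a stdin alias; fall back to /proc where /dev/stdin does not exist.
[ -e /dev/stdin ] && STDIN=/dev/stdin || STDIN=/proc/self/fd/0

# Export TTY when stderr is a terminal. Nothing in this script reads it; it is
# presumably consulted by the template (e.g. for colourised output).
[ -t 2 ] && export TTY=1

# die MESSAGE...: print MESSAGE to stderr (unless -q was given) and exit 1.
die() {
	[ -n "$QUIET" ] || printf '%s\n' "$*" >&2
	exit 1
}

# start [start|reload]: render and load the ruleset under the lock, then run
# the include hooks.
#   start  - refuse to load when the state marker says we already are loaded.
#   reload - require a loaded firewall and drop the state marker first so the
#            template re-reads ubus state.
#   (none) - used by `restart`: no pre-checks at all.
# Returns non-zero when the ruleset could not be loaded.
start() {
	{
		flock -x 1000

		case "$1" in
			start)
				[ -f "$STATE" ] && die "The fw4 firewall appears to be already loaded."
			;;
			reload)
				[ ! -f "$STATE" ] && die "The fw4 firewall does not appear to be loaded."

				# Delete state to force reloading ubus state
				rm -f "$STATE"
			;;
		esac

		# Load the rendered ruleset in one nft transaction. With pipefail the
		# pipeline status covers both utpl and nft; propagate it instead of
		# silently running the includes (and exiting 0) on top of a ruleset that
		# was never installed - otherwise a render error leaves the host without
		# a firewall while the caller is told everything is fine. nft has already
		# printed the reason on stderr. $VERBOSE is deliberately unquoted: when
		# empty it must expand to no argument at all.
		# Caveat (unchanged from before): on a failed reload the state marker is
		# already gone while the previous ruleset is still in the kernel.
		ACTION=start \
		utpl -S "$MAIN" | nft $VERBOSE -f "$STDIN" || return 1

		ACTION=includes \
		utpl -S "$MAIN"
	} 1000>"$LOCK"
}

# print: render the complete ruleset to stdout without applying it.
print() {
	ACTION=print \
	utpl -S "$MAIN"
}

# stop: delete the fw4 table and the state marker under the lock.
# Returns nft's exit status so callers can distinguish "nothing was loaded"
# from success; previously the status of `rm -f` was returned, which is 0
# even when the table did not exist, so the "not loaded" error below could
# never be reported. The state marker is removed either way.
stop() {
	{
		flock -x 1000

		local rc
		nft delete table inet fw4
		rc=$?
		rm -f "$STATE"

		return "$rc"
	} 1000>"$LOCK"
}

# flush: delete EVERY nftables table in the kernel - not only `inet fw4`, so
# tables owned by other software are wiped as well - and remove the state
# marker. Intended as the recovery path when `stop` reports nothing loaded.
flush() {
	{
		flock -x 1000

		# `nft list tables` prints one `table <family> <name>` line per table;
		# the leading literal word lands in $dummy.
		local dummy family table
		nft list tables | while read -r dummy family table; do
			nft delete table "$family" "$table"
		done

		rm -f "$STATE"
	} 1000>"$LOCK"
}

# reload_sets: re-render only the set contents and apply them, leaving the
# rule chains alone. Serialised on the lock like the other mutating actions.
reload_sets() {
	ACTION=reload-sets \
	flock -x "$LOCK" utpl -S "$MAIN" | nft $VERBOSE -f "$STDIN"
}

# lookup ACTION OBJECT [DEVICE]: ask the template for a zone/network/device
# mapping; the template's output and exit status are passed through as-is.
lookup() {
	ACTION=$1 OBJECT=$2 DEVICE=$3 \
	flock -x "$LOCK" utpl -S "$MAIN"
}

# Leading options; anything else is the action keyword. Options are exported
# so the template sees them too.
while [ -n "$1" ]; do
	case "$1" in
		-q)
			export QUIET=1
			shift
		;;
		-v)
			export VERBOSE=-e
			shift
		;;
		*)
			break
		;;
	esac
done

case "$1" in
	start|reload)
		start "$1"
	;;
	stop)
		stop || die "The fw4 firewall does not appear to be loaded, try fw4 flush to delete all rules."
	;;
	flush)
		flush
	;;
	restart)
		# Dry-run the rendered ruleset BEFORE tearing the old one down: a render
		# error must not leave the host with no firewall at all (fail closed).
		QUIET=1 print | nft ${VERBOSE} -c -f "$STDIN" || die "The rendered ruleset contains errors, not doing firewall restart."
		# Drop a stale state marker even if there was no table to delete, so the
		# unconditional start below is not blocked by it.
		stop || rm -f "$STATE"
		start
	;;
	check)
		if [ -n "$QUIET" ]; then
			exec 1>/dev/null
			exec 2>/dev/null
		fi

		print | nft ${VERBOSE} -c -f "$STDIN" && echo "Ruleset passes nftables check."
	;;
	print)
		print
	;;
	reload-sets)
		reload_sets
	;;
	network|device|zone)
		lookup "$@"
	;;
	*)
		cat <<EOT
Usage:

  $0 [-v] [-q] start|stop|flush|restart|reload

    Start, stop, flush, restart or reload the firewall respectively.


  $0 [-v] [-q] reload-sets

    Reload the contents of all declared sets but do not touch the
    ruleset.


  $0 [-q] print

    Print the rendered ruleset.


  $0 [-q] check

    Test the rendered ruleset using nftables' check mode without
    applying it to the running system.


  $0 [-q] network {net}

    Print the name of the firewall zone covering the given network.

    Exits with code 1 if the network is not found or if no zone is
    covering it.


  $0 [-q] device {dev}

    Print the name of the firewall zone covering the given device.

    Exits with code 1 if the device is not found or if no zone is
    covering it.


  $0 [-q] zone {zone} [dev]

    Print all covered devices of the given zone, optionally restricted
    to only the given device name.

    Exits with code 1 if zone is not found or if a device is specified
    and not covered by the given zone.

EOT
	;;
esac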