default enable fullconenat in fw3

2025-04-16 14:23:38 +00:00 · 2018-09-22 18:31:40 +08:00 · 2018-09-22 18:31:40 +08:00 · 0f4c3eb2d5
commit 0f4c3eb2d5
parent 1d9f109abf
10 changed files with 35 additions and 182 deletions
--- a/include/target.mk
+++ b/include/target.mk
@ -18,7 +18,7 @@ iptables-mod-nat-extra kmod-nf-nathelper kmod-nf-nathelper-extra kmod-ipt-raw km
 default-settings ipset-lists luci luci-app-ddns luci-app-sqm luci-app-upnp luci-app-adbyby-plus luci-app-autoreboot \
 luci-app-filetransfer luci-app-ssr-pro luci-app-usb-printer luci-app-vsftpd ddns-scripts_aliyun luci-app-xlnetacc \
 luci-app-pptp-server luci-app-ipsec-vpnd luci-app-vlmcsd luci-app-wifischedule luci-app-wol  \
-luci-app-sfe luci-app-flowoffload luci-app-nlbwmon luci-app-fullconenat
+luci-app-sfe luci-app-flowoffload luci-app-nlbwmon
 # For nas targets
 DEFAULT_PACKAGES.nas:=block-mount fdisk lsblk mdadm
 # For router targets
--- a/package/lean/luci-app-fullconenat/Makefile
+++ b/package/lean/luci-app-fullconenat/Makefile
@ -1,14 +0,0 @@
-#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
-
-include $(TOPDIR)/rules.mk
-
-LUCI_TITLE:=LuCI support for FullConeNat
-LUCI_DEPENDS:=+iptables-mod-fullconenat
-LUCI_PKGARCH:=all
-PKG_VERSION:=1.4
-PKG_RELEASE:=2
-
-include $(TOPDIR)/feeds/luci/luci.mk
-
-# call BuildPackage - OpenWrt buildroot signature
-
--- a/package/lean/luci-app-fullconenat/luasrc/controller/fullconenat.lua
+++ b/package/lean/luci-app-fullconenat/luasrc/controller/fullconenat.lua
@ -1,11 +0,0 @@
-module("luci.controller.fullconenat", package.seeall)
-
-function index()
-	if not nixio.fs.access("/etc/config/fullconenat") then
-		return
-	end
-	local page
-	page = entry({"admin", "network", "fullconenat"}, cbi("fullconenat"), _("fullconenat"), 101)
-	page.i18n = "fullconenat"
-	page.dependent = true
-end
--- a/package/lean/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua
+++ b/package/lean/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua
@ -1,33 +0,0 @@
-#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
-
-require("nixio.fs")
-require("luci.http")
-
-m = Map("fullconenat", translate("Full cone NAT"),
-	translate("FullConeNat."))
-
-if luci.sys.call("iptables -t nat -L -n --line-numbers | grep FULLCONENAT >/dev/null") == 0 then
-	m = Map("fullconenat", translate("FullConeNat"), "%s - %s" %{translate("FULLCONENAT"), translate("<strong><font color=\"green\">Running</font></strong>")})
-else
-	m = Map("fullconenat", translate("FullConeNat"), "%s - %s" %{translate("FULLCONENAT"), translate("<strong><font color=\"red\">Not Running</font></strong>")})
-end
-
-
-- Basic
-s = m:section(TypedSection, "fullconenat", translate("Settings"), translate("FullConeNat Settings"))
-s.anonymous = true
-
-enable = s:option(Flag, "enabled", translate("Enable"), translate("<strong><font color=\"red\">Warning!!! There is security risk after opening.</font></strong>"))
-enable.default = 0
-enable.rmempty = false
-
---- ALL Eanble
-enable = s:option(Flag, "all_enabled", translate("ALL Enabled"))
-enable.default = 0
-enable.rmempty = false
-
--  fullconenat ip
-o = s:option(Value, "fullconenat_ip", translate("FullConeNat IP"), translate("FullConeNat IP:192.168.1.100,192.168.1.101,192.168.1.102"))
-o.rempty      = true
-
-return m
--- a/package/lean/luci-app-fullconenat/po/zh-cn/fullconenat.po
+++ b/package/lean/luci-app-fullconenat/po/zh-cn/fullconenat.po
@ -1,35 +0,0 @@
-msgid "fullconenat"
-msgstr "Full cone NAT"
-
-msgid "FULLCONENAT"
-msgstr "Full cone NAT"
-
-msgid "<strong><font color=\"green\">Running</font></strong>"
-msgstr "<strong><font color=\"green\">正在运行</font></strong>"
-
-msgid "<strong><font color=\"red\">Not Running</font></strong>"
-msgstr "<strong><font color=\"red\">未运行</font></strong>"
-
-
-
-msgid "Settings"
-msgstr "设置"
-
-msgid "FullConeNat Settings"
-msgstr "Full Cone NAT设置"
-
-msgid "Enable"
-msgstr "启用"
-
-msgid "<strong><font color=\"red\">Warning!!! There is security risk after opening.</font></strong>"
-msgstr "<strong><font color=\"red\">警告!!!开启后内网存在端口直接暴露的安全风险.</font></strong>"
-
-msgid "ALL Enabled"
-msgstr "全LAN子网开启-Full cone NAT（危险！）"
-
-msgid "FullConeNat IP"
-msgstr "只在以下内网映射IP开放Full Cone NAT"
-
-msgid "FullConeNat IP:192.168.1.100,192.168.1.101,192.168.1.102"
-msgstr "可多内网IP映射用,隔开.举例映射IP:192.168.1.100,192.168.1.101,192.168.1.102"
-
--- a/package/lean/luci-app-fullconenat/root/etc/config/fullconenat
+++ b/package/lean/luci-app-fullconenat/root/etc/config/fullconenat
@ -1,5 +0,0 @@
-
-config fullconenat 'config'
-	option all_enabled '0'
-	option fullconenat_ip '192.168.1.100'
-	option enabled '0'
--- a/package/lean/luci-app-fullconenat/root/etc/init.d/fullconenat
+++ b/package/lean/luci-app-fullconenat/root/etc/init.d/fullconenat
@ -1,69 +0,0 @@
-#!/bin/sh /etc/rc.common
-#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
-
-START=99
-
-re=0
-
-start(){
-	echo "enable"
-	enable=$(uci get fullconenat.config.enabled 2>/dev/null)
-	all_enable=$(uci get fullconenat.config.all_enabled 2>/dev/null)
-	fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
-	if [ $enable -eq 1 ]; then
-	iptables -t nat -D zone_wan_prerouting -j FULLCONENAT
-	iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
-	iptables -t nat -D zone_wan_postrouting -j MASQUERADE
-	iptables -t nat -D zone_wan_postrouting -j FULLCONENAT
-	insmod xt_FULLCONENAT
-	sleep 5
-	sed -i '/FULLCONENAT/d' /etc/firewall.user
-	sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
-		if [ $all_enable -eq 0 ]; then
-			echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
-			echo "iptables -t nat -A zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT" >> /etc/firewall.user
-			echo "iptables -t nat -A zone_wan_postrouting -j MASQUERADE" >> /etc/firewall.user
-		elif [ $all_enable -eq 1 ]; then
-			echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
-			echo "iptables -t nat -A zone_wan_postrouting -j FULLCONENAT" >> /etc/firewall.user
-		fi
-		sleep 1
-		uci set firewall.@zone[1].masq=0
-		uci commit firewall
-			if [ $re -eq 0 ]; then
-				echo $re
-				/etc/init.d/firewall restart
-			fi 
-	fi
-}
-
-stop(){
-	echo "stop"
-	fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
-    enable=$(uci get fullconenat.config.enabled 2>/dev/null)	
-    if [ $enable -eq 0 ]; then
-		echo "disable"
-		rmmod xt_FULLCONENAT
-		sleep 1
-		iptables -t nat -D zone_wan_prerouting -j FULLCONENAT
-		iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
-		iptables -t nat -D zone_wan_postrouting -j MASQUERADE
-		iptables -t nat -D zone_wan_postrouting -j FULLCONENAT
-		sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
-		sed -i '/FULLCONENAT/d' /etc/firewall.user
-		uci set firewall.@zone[1].masq=1
-		uci commit firewall
-	    if [ $re -ne 1 ]; then
-			echo $re
-			/etc/init.d/firewall restart
-        fi 
-	fi
-}
-
-
-restart(){
-	re=1
-	stop
-	start
-	/etc/init.d/firewall restart
-}
--- a/package/lean/luci-app-fullconenat/root/etc/uci-defaults/fullconenat
+++ b/package/lean/luci-app-fullconenat/root/etc/uci-defaults/fullconenat
@ -1,13 +0,0 @@
-#!/bin/sh
-
-uci -q batch <<-EOF >/dev/null
-	delete ucitrack.@fullconenat[-1]
-	add ucitrack fullconenat
-	set ucitrack.@fullconenat[-1].init=fullconenat
-	commit ucitrack
-EOF
-
-/etc/init.d/fullconenat enable
-
-rm -f /tmp/luci-indexcache
-exit 0
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@ -28,9 +28,19 @@ define Package/firewall
  SECTION:=net
  CATEGORY:=Base system
  TITLE:=OpenWrt C Firewall
-  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +PACKAGE_firewall-FULLCONENAT:iptables-mod-fullconenat
 endef

+define Package/firewall/config
+if PACKAGE_firewall
+	config PACKAGE_firewall-FULLCONENAT
+		bool "Use FULLCONENAT"
+		default y
+endif		
+endef
+
+TARGET_CFLAGS += $(if $(CONFIG_PACKAGE_firewall-FULLCONENAT),-DUSE_FULLCONENAT,)
+
 define Package/firewall/description
 This package provides a config-compatible C implementation of the UCI firewall.
 endef
--- a/package/network/config/firewall/patches/fullconenat.patch
+++ b/package/network/config/firewall/patches/fullconenat.patch
@ -0,0 +1,23 @@
+diff --git a/zones.c b/zones.c
+index 505ab20..44500d5 100644
+--- a/zones.c
+++ b/zones.c
+@@ -708,8 +708,18 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ 				{
+ 					r = fw3_ipt_rule_new(handle);
+ 					fw3_ipt_rule_src_dest(r, msrc, mdest);
+#ifdef USE_FULLCONENAT
+					fw3_ipt_rule_target(r, "FULLCONENAT");
+#else
+ 					fw3_ipt_rule_target(r, "MASQUERADE");
+#endif
+ 					fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+#ifdef USE_FULLCONENAT
+					r = fw3_ipt_rule_new(handle);
+					fw3_ipt_rule_src_dest(r, msrc, mdest);
+					fw3_ipt_rule_target(r, "FULLCONENAT");
+					fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
+#endif
+ 				}
+ 			}
+ 		}