add FULLCONENAT support package and luci

package/lean/luci-app-fullconenat/Makefile

@@ -0,0 +1,14 @@
+#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
+
+include $(TOPDIR)/rules.mk
+
+LUCI_TITLE:=LuCI support for FullConeNat
+LUCI_DEPENDS:=+iptables-mod-fullconenat
+LUCI_PKGARCH:=all
+PKG_VERSION:=1.4
+PKG_RELEASE:=1
+
+include $(TOPDIR)/feeds/luci/luci.mk
+
+# call BuildPackage - OpenWrt buildroot signature
+

package/lean/luci-app-fullconenat/luasrc/controller/fullconenat.lua

@@ -0,0 +1,11 @@
+module("luci.controller.fullconenat", package.seeall)
+
+function index()
+	if not nixio.fs.access("/etc/config/fullconenat") then
+		return
+	end
+	local page
+	page = entry({"admin", "network", "fullconenat"}, cbi("fullconenat"), _("fullconenat"), 101)
+	page.i18n = "fullconenat"
+	page.dependent = true
+end

package/lean/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua

@@ -0,0 +1,33 @@
+#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
+
+require("nixio.fs")
+require("luci.http")
+
+m = Map("fullconenat", translate("Full cone NAT"),
+	translate("FullConeNat."))
+
+if luci.sys.call("iptables -t nat -L -n --line-numbers | grep FULLCONENAT >/dev/null") == 0 then
+	m = Map("fullconenat", translate("FullConeNat"), "%s - %s" %{translate("FULLCONENAT"), translate("<strong><font color=\"green\">Running</font></strong>")})
+else
+	m = Map("fullconenat", translate("FullConeNat"), "%s - %s" %{translate("FULLCONENAT"), translate("<strong><font color=\"red\">Not Running</font></strong>")})
+end
+
+
+-- Basic
+s = m:section(TypedSection, "fullconenat", translate("Settings"), translate("FullConeNat Settings"))
+s.anonymous = true
+
+enable = s:option(Flag, "enabled", translate("Enable"), translate("<strong><font color=\"red\">Warning!!! There is security risk after opening.</font></strong>"))
+enable.default = 0
+enable.rmempty = false
+
+---- ALL Eanble
+enable = s:option(Flag, "all_enabled", translate("ALL Enabled"))
+enable.default = 0
+enable.rmempty = false
+
+--  fullconenat ip
+o = s:option(Value, "fullconenat_ip", translate("FullConeNat IP"), translate("FullConeNat IP:192.168.1.100,192.168.1.101,192.168.1.102"))
+o.rempty      = true
+
+return m

package/lean/luci-app-fullconenat/po/zh-cn/fullconenat.po

@@ -0,0 +1,35 @@
+msgid "fullconenat"
+msgstr "NAT类型-Full cone NAT"
+
+msgid "FULLCONENAT"
+msgstr "Full cone NAT"
+
+msgid "<strong><font color=\"green\">Running</font></strong>"
+msgstr "<strong><font color=\"green\">正在运行</font></strong>"
+
+msgid "<strong><font color=\"red\">Not Running</font></strong>"
+msgstr "<strong><font color=\"red\">未运行</font></strong>"
+
+
+
+msgid "Settings"
+msgstr "设置"
+
+msgid "FullConeNat Settings"
+msgstr "Full cone NAT设置"
+
+msgid "Enable"
+msgstr "启用"
+
+msgid "<strong><font color=\"red\">Warning!!! There is security risk after opening.</font></strong>"
+msgstr "<strong><font color=\"red\">警告!!!开启后存在安全风险.</font></strong>"
+
+msgid "ALL Enabled"
+msgstr "全网开启-Full cone NAT"
+
+msgid "FullConeNat IP"
+msgstr "映射IP"
+
+msgid "FullConeNat IP:192.168.1.100,192.168.1.101,192.168.1.102"
+msgstr "可多IP映射用,隔开.参考映射IP:192.168.1.100,192.168.1.101,192.168.1.102"
+

package/lean/luci-app-fullconenat/root/etc/config/fullconenat

@@ -0,0 +1,5 @@
+
+config fullconenat 'config'
+	option all_enabled '0'
+	option fullconenat_ip '192.168.1.100'
+	option enabled '0'

package/lean/luci-app-fullconenat/root/etc/init.d/fullconenat

@@ -0,0 +1,69 @@
+#!/bin/sh /etc/rc.common
+#-- Copyright (C) 2018 dz <dingzhong110@gmail.com>
+
+START=99
+
+re=0
+
+start(){
+	echo "enable"
+	enable=$(uci get fullconenat.config.enabled 2>/dev/null)
+	all_enable=$(uci get fullconenat.config.all_enabled 2>/dev/null)
+	fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
+	if [ $enable -eq 1 ]; then
+	iptables -t nat -D zone_wan_prerouting -j FULLCONENAT
+	iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
+	iptables -t nat -D zone_wan_postrouting -j MASQUERADE
+	iptables -t nat -D zone_wan_postrouting -j FULLCONENAT
+	insmod xt_FULLCONENAT
+	sleep 5
+	sed -i '/FULLCONENAT/d' /etc/firewall.user
+	sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
+		if [ $all_enable -eq 0 ]; then
+			echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
+			echo "iptables -t nat -A zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT" >> /etc/firewall.user
+			echo "iptables -t nat -A zone_wan_postrouting -j MASQUERADE" >> /etc/firewall.user
+		elif [ $all_enable -eq 1 ]; then
+			echo "iptables -t nat -A zone_wan_prerouting -j FULLCONENAT" >> /etc/firewall.user
+			echo "iptables -t nat -A zone_wan_postrouting -j FULLCONENAT" >> /etc/firewall.user
+		fi
+		sleep 1
+		uci set firewall.@zone[1].masq=0
+		uci commit firewall
+			if [ $re -eq 0 ]; then
+				echo $re
+				/etc/init.d/firewall restart
+			fi 
+	fi
+}
+
+stop(){
+	echo "stop"
+	fullconenat_ip=$(uci get fullconenat.config.fullconenat_ip 2>/dev/null)
+    enable=$(uci get fullconenat.config.enabled 2>/dev/null)	
+    if [ $enable -eq 0 ]; then
+		echo "disable"
+		rmmod xt_FULLCONENAT
+		sleep 1
+		iptables -t nat -D zone_wan_prerouting -j FULLCONENAT
+		iptables -t nat -D zone_wan_postrouting -s $fullconenat_ip -j FULLCONENAT
+		iptables -t nat -D zone_wan_postrouting -j MASQUERADE
+		iptables -t nat -D zone_wan_postrouting -j FULLCONENAT
+		sed -i '/zone_wan_postrouting -j MASQUERADE/d' /etc/firewall.user
+		sed -i '/FULLCONENAT/d' /etc/firewall.user
+		uci set firewall.@zone[1].masq=1
+		uci commit firewall
+	    if [ $re -ne 1 ]; then
+			echo $re
+			/etc/init.d/firewall restart
+        fi 
+	fi
+}
+
+
+restart(){
+	re=1
+	stop
+	start
+	/etc/init.d/firewall restart
+}

package/lean/luci-app-fullconenat/root/etc/uci-defaults/fullconenat

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+uci -q batch <<-EOF >/dev/null
+	delete ucitrack.@fullconenat[-1]
+	add ucitrack fullconenat
+	set ucitrack.@fullconenat[-1].init=fullconenat
+	commit ucitrack
+EOF
+
+/etc/init.d/fullconenat enable
+
+rm -f /tmp/luci-indexcache
+exit 0

package/lean/openwrt-fullconenat/Makefile

@@ -0,0 +1,65 @@
+#
+# Copyright (C) 2018 Chion Tang <tech@chionlab.moe>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=fullconenat
+PKG_VERSION:=1.0
+PKG_RELEASE:=4
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/Chion82/netfilter-full-cone-nat.git
+PKG_SOURCE_VERSION:=ec14efee249ef11409827a87d6a23dd53deb5149
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/iptables-mod-fullconenat
+  SUBMENU:=Firewall
+  SECTION:=net
+  CATEGORY:=Network
+  TITLE:=FULLCONENAT iptables extension
+  DEPENDS:=+iptables +kmod-ipt-fullconenat
+  MAINTAINER:=Chion Tang <tech@chionlab.moe>
+endef
+
+define Package/iptables-mod-fullconenat/install
+	$(INSTALL_DIR) $(1)/usr/lib/iptables
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/libipt_FULLCONENAT.so $(1)/usr/lib/iptables
+endef
+
+define KernelPackage/ipt-fullconenat
+  SUBMENU:=Netfilter Extensions
+  TITLE:=FULLCONENAT netfilter module
+  DEPENDS:=+kmod-nf-ipt +kmod-nf-nat
+  MAINTAINER:=Chion Tang <tech@chionlab.moe>
+  KCONFIG:=CONFIG_NF_CONNTRACK_EVENTS=y CONFIG_NF_CONNTRACK_CHAIN_EVENTS=y
+  FILES:=$(PKG_BUILD_DIR)/xt_FULLCONENAT.ko
+endef
+
+include $(INCLUDE_DIR)/kernel-defaults.mk
+
+define Build/Prepare
+	$(call Build/Prepare/Default)
+	$(CP) ./files/Makefile $(PKG_BUILD_DIR)/
+endef
+
+define Build/Compile
+	+$(MAKE) $(PKG_JOBS) -C "$(LINUX_DIR)" \
+        CROSS_COMPILE="$(TARGET_CROSS)" \
+        ARCH="$(LINUX_KARCH)" \
+        SUBDIRS="$(PKG_BUILD_DIR)" \
+        EXTRA_CFLAGS="$(BUILDFLAGS)" \
+        modules
+	$(call Build/Compile/Default)
+endef
+
+$(eval $(call BuildPackage,iptables-mod-fullconenat))
+$(eval $(call KernelPackage,ipt-fullconenat))

package/lean/openwrt-fullconenat/files/Makefile

@@ -0,0 +1,7 @@
+libipt_FULLCONENAT.so: libipt_FULLCONENAT.o
+	$(CC) -shared -lxtables -o $@ $^;
+libipt_FULLCONENAT.o: libipt_FULLCONENAT.c
+	$(CC) ${CFLAGS} -fPIC -D_INIT=$*_init -c -o $@ $<;
+
+obj-m += xt_FULLCONENAT.o
+