firewall code deduplication

6 years ago · 11b839c43c
2 changed files with 95 additions and 141 deletions
--- a/init.d/openwrt/functions
+++ b/init.d/openwrt/functions
@ -167,7 +167,7 @@ __fw_tpws6()
 done
 network_get_device DEVICE lan
 dnat6_target
- [ "$DNAT6_TARGET" != '-' ] && {
+ [ "$DNAT6_TARGET" != "-" ] && {
    ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTP -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTP
    [ "$1" != "1" ] || ipt6 PREROUTING -t nat -i $DEVICE $IPT_FILTER_HTTPS -j DNAT --to [$DNAT6_TARGET]:$TPPORT_HTTPS
 }
--- a/init.d/sysv/functions
+++ b/init.d/sysv/functions
@ -45,6 +45,16 @@ ipt_del()
 {
 	iptables -C $@ 2>/dev/null && iptables -D $@
 }
+ipt_add_del()
+{
+	if [ "$1" = "1" ]; then
+		shift
+		ipt $@
+	else
+		shift
+		ipt_del $@
+	fi
+}
 ipt6()
 {
 	ip6tables -C $@ 2>/dev/null || ip6tables -I $@
@ -53,6 +63,16 @@ ipt6_del()
 {
 	ip6tables -C $@ 2>/dev/null && ip6tables -D $@
 }
+ipt6_add_del()
+{
+	if [ "$1" = "1" ]; then
+		shift
+		ipt6 $@
+	else
+		shift
+		ipt6_del $@
+	fi
+}

 # there's no route_localnet for ipv6
 # the best we can is to route to link local of the incoming interface
@ -127,99 +147,63 @@ dnat6_target()
 	}
 }

-fw_tpws_add()
+print_op()
 {
-	# $1 - iptable filter for ipv4
-	# $2 - iptable filter for ipv6
-	# $3 - tpws port
-	[ "$DISABLE_IPV4" = "1" ] || {
-		echo "Adding iptables rule for tpws : $1"
-		[ -n "$IFACE_LAN" ] && {
-			ipt PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
-	 	}
-		ipt OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
-	}
-	[ "$DISABLE_IPV6" = "1" ] || {
-		echo "Adding ip6tables rule for tpws : $2"
-		[ -n "$IFACE_LAN" ] && {
-			dnat6_target
-			[ "$DNAT6_TARGET" != '-' ] && ipt6 PREROUTING -t nat $IPT_ILAN -p tcp $2 -j DNAT --to [$DNAT6_TARGET]:$3
-	 	}
-		ipt6 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $2 -j DNAT --to [::1]:$3
-	}
+	if [ "$1" = "1" ]; then
+		echo "Adding ip$4tables rule for $3 : $2"
+	else
+		echo "Deleting ip$4tables rule for $3 : $2"
+	fi
 }
-fw_tpws_del()
+
+fw_tpws()
 {
-	# $1 - iptable filter for ipv4
-	# $2 - iptable filter for ipv6
-	# $3 - tpws port
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv4
+	# $3 - iptable filter for ipv6
+	# $4 - tpws port
 	[ "$DISABLE_IPV4" = "1" ] || {
-		echo "Deleting iptables rule for tpws : $1"
+		print_op $1 "$2" "tpws"
 		[ -n "$IFACE_LAN" ] && {
-			ipt_del PREROUTING -t nat $IPT_ILAN -p tcp $1 -j DNAT --to 127.0.0.1:$3
-		}
-		ipt_del OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $1 -j DNAT --to 127.0.0.1:$3
+			ipt_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $2 -j DNAT --to 127.0.0.1:$4
+	 	}
+		ipt_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $2 -j DNAT --to 127.0.0.1:$4
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
-		echo "Deleting ip6tables rule for tpws : $2"
+		print_op $1 "$3" "tpws" 6
 		[ -n "$IFACE_LAN" ] && {
 			dnat6_target
-			[ "$DNAT6_TARGET" != '-' ] && ipt6_del PREROUTING -t nat $IPT_ILAN -p tcp $2 -j DNAT --to [$DNAT6_TARGET]:$3
-		}
-		ipt6_del OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $2 -j DNAT --to [::1]:$3
-	}
-}
-
-fw_nfqws_add_pre()
-{
-	# $1 - iptable filter for ipv4
-	# $2 - iptable filter for ipv6
-	[ "$DISABLE_IPV4" = "1" ] || {
-		echo "Adding iptables rule for nfqws prerouting : $1"
-		ipt PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
-	}
-	[ "$DISABLE_IPV6" = "1" ] || {
-		echo "Adding ip6tables rule for nfqws prerouting : $2"
-		ipt6 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
-	}
-}
-fw_nfqws_del_pre()
-{
-	# $1 - iptable filter for ipv4
-	# $2 - iptable filter for ipv6
-	[ "$DISABLE_IPV4" = "1" ] || {
-		echo "Deleting iptables rule for nfqws prerouting : $1"
-		ipt_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
-	}
-	[ "$DISABLE_IPV6" = "1" ] || {
-		echo "Deleting ip6tables rule for nfqws prerouting : $2"
-		ipt6_del PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
+			[ "$DNAT6_TARGET" != "-" ] && ipt6_add_del $1 PREROUTING -t nat $IPT_ILAN -p tcp $3 -j DNAT --to [$DNAT6_TARGET]:$4
+	 	}
+		ipt6_add_del $1 OUTPUT -t nat $IPT_OWAN -m owner ! --uid-owner $TPWS_USER -p tcp $3 -j DNAT --to [::1]:$4
 	}
 }
-fw_nfqws_add_post()
+fw_nfqws_pre()
 {
-	# $1 - iptable filter for ipv4
-	# $2 - iptable filter for ipv6
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv4
+	# $3 - iptable filter for ipv6
 	[ "$DISABLE_IPV4" = "1" ] || {
-		echo "Adding iptables rule for nfqws postrouting : $1"
-		ipt POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
+		print_op $1 "$2" "nfqws prerouting"
+		ipt_add_del $1 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
-		echo "Adding ip6tables rule for nfqws postrouting : $2"
-		ipt6 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
+		print_op $1 "$3" "nfqws prerouting" 6
+		ipt6_add_del $1 PREROUTING -t raw $IPT_IWAN -p tcp --tcp-flags SYN,ACK SYN,ACK $3 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
 }
-fw_nfqws_del_post()
+fw_nfqws_post()
 {
-	# $1 - iptable filter for ipv4
-	# $2 - iptable filter for ipv6
+	# $1 - 1 - add, 0 - del
+	# $2 - iptable filter for ipv4
+	# $3 - iptable filter for ipv6
 	[ "$DISABLE_IPV4" = "1" ] || {
-		echo "Deleting iptables rule for nfqws postrouting : $1"
-		ipt_del POSTROUTING -t mangle $IPT_OWAN -p tcp $1 -j NFQUEUE --queue-num $QNUM --queue-bypass
+		print_op $1 "$2" "nfqws postrouting"
+		ipt_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
 	[ "$DISABLE_IPV6" = "1" ] || {
-		echo "Deleting ip6tables rule for nfqws postrouting : $2"
-		ipt6_del POSTROUTING -t mangle $IPT_OWAN -p tcp $2 -j NFQUEUE --queue-num $QNUM --queue-bypass
+		print_op $1 "$3" "nfqws postrouting" 6
+		ipt6_add_del $1 POSTROUTING -t mangle $IPT_OWAN -p tcp $3 -j NFQUEUE --queue-num $QNUM --queue-bypass
 	}
 }

@ -308,53 +292,56 @@ create_ipset()
 }


-zapret_apply_firewall()
+
+zapret_do_firewall()
 {
+	# $1 - 1 - add, 0 - del
+
 	case "${MODE}" in
 	    tpws_hostlist)
-			prepare_tpws
-			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
+			[ "$1" = "1" ] && prepare_tpws
+			fw_tpws $1 "--dport 80" "--dport 80" $TPPORT_HTTP
 			;;
 	    tpws_ipset)
-			create_ipset
-			prepare_tpws
-			fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
+			[ "$1" = "1" ] && create_ipset
+			[ "$1" = "1" ] && prepare_tpws
+			fw_tpws $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
 			;;
 	    tpws_ipset_https)
-			create_ipset
-			prepare_tpws
-			fw_tpws_add "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
-			fw_tpws_add "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
+			[ "$1" = "1" ] && create_ipset
+			[ "$1" = "1" ] && prepare_tpws
+			fw_tpws $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
+			fw_tpws $1 "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
 			;;
 	    tpws_all)
-			prepare_tpws
-			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
+			[ "$1" = "1" ] && prepare_tpws
+			fw_tpws $1 "--dport 80" "--dport 80" $TPPORT_HTTP
 			;;
 	    tpws_all_https)
-			prepare_tpws
-			fw_tpws_add "--dport 80" "--dport 80" $TPPORT_HTTP
-			fw_tpws_add "--dport 443" "--dport 443" $TPPORT_HTTPS
+			[ "$1" = "1" ] && prepare_tpws
+			fw_tpws $1 "--dport 80" "--dport 80" $TPPORT_HTTP
+			fw_tpws $1 "--dport 443" "--dport 443" $TPPORT_HTTPS
 			;;
 	    nfqws_ipset)
-			create_ipset
-			fw_nfqws_add_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
-			fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
+			[ "$1" = "1" ] && create_ipset
+			fw_nfqws_pre $1 "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
+			fw_nfqws_post $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
 			;;
 	    nfqws_ipset_https)
-			create_ipset
-			fw_nfqws_add_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
-			fw_nfqws_add_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
+			[ "$1" = "1" ] && create_ipset
+			fw_nfqws_pre $1 "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
+			fw_nfqws_post $1 "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
 			;;
 	    nfqws_all)
-			fw_nfqws_add_pre "--sport 80" "--sport 80"
-			fw_nfqws_add_post "--dport 80" "--dport 80"
+			fw_nfqws_pre $1 "--sport 80" "--sport 80"
+			fw_nfqws_post $1 "--dport 80" "--dport 80"
 			;;
 	    nfqws_all_https)
-			fw_nfqws_add_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443"
-			fw_nfqws_add_post "--dport 80" "--dport 80"
+			fw_nfqws_pre $1 "-m multiport --sports 80,443" "-m multiport --sports 80,443"
+			fw_nfqws_post $1 "--dport 80" "--dport 80"
 			;;
 	    ipset)
-			create_ipset
+			[ "$1" = "1" ] && create_ipset
 			;;
 	    custom)
 			# PLACEHOLDER
@ -364,6 +351,15 @@ zapret_apply_firewall()
 			;;
 	esac
 }
+zapret_apply_firewall()
+{
+	zapret_do_firewall 1 $@
+}
+zapret_unapply_firewall()
+{
+	zapret_do_firewall 0 $@
+}
+
 zapret_run_daemons()
 {
 	case "${MODE}" in
@ -395,48 +391,6 @@ zapret_run_daemons()
 			;;
 	esac
 }
-
-zapret_unapply_firewall()
-{
-	case "${MODE}" in
-	    tpws_hostlist|tpws_all)
-			fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
-			;;
-	    tpws_ipset)
-			fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
-			;;
-	    tpws_ipset_https)
-			fw_tpws_del "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst" $TPPORT_HTTP
-			fw_tpws_del "--dport 443 -m set --match-set zapret dst" "--dport 443 -m set --match-set zapret6 dst" $TPPORT_HTTPS
-			;;
-	    tpws_all_https)
-			fw_tpws_del "--dport 80" "--dport 80" $TPPORT_HTTP
-			fw_tpws_del "--dport 443" "--dport 443" $TPPORT_HTTPS
-			;;
-	    nfqws_ipset)
-			fw_nfqws_del_pre "--sport 80 -m set --match-set zapret src" "--sport 80 -m set --match-set zapret6 src"
-			fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
-			;;
-	    nfqws_ipset_https)
-			fw_nfqws_del_pre "-m multiport --sports 80,443 -m set --match-set zapret src" "-m multiport --sports 80,443 -m set --match-set zapret6 src"
-			fw_nfqws_del_post "--dport 80 -m set --match-set zapret dst" "--dport 80 -m set --match-set zapret6 dst"
-			;;
-	    nfqws_all)
-			fw_nfqws_del_pre "--sport 80" "--sport 80"
-			fw_nfqws_del_post "--dport 80" "--dport 80"
-			;;
-	    nfqws_all_https)
-			fw_nfqws_del_pre "-m multiport --sports 80,443" "-m multiport --sports 80,443"
-			fw_nfqws_del_post "--dport 80" "--dport 80"
-			;;
-	    custom)
-			# PLACEHOLDER
-			echo !!! NEED ATTENTION !!!
-			echo Clear firewall rules here. Remove iptables changes made previously.
-			echo Study how other sections work.
-			;;
-	esac
-}
 zapret_stop_daemons()
 {
 	case "${MODE}" in