| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 |
- #!/bin/sh
- # miniupnpd integration for firewall3
- IP6TABLES=/usr/sbin/ip6tables
- iptables -t filter -N MINIUPNPD 2>/dev/null
- iptables -t nat -N MINIUPNPD 2>/dev/null
- iptables -t nat -N MINIUPNPD-POSTROUTING 2>/dev/null
- [ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
- . /lib/functions/network.sh
- ADDED=0
- add_extzone_rules() {
- local ext_zone=$1
- [ -z "$ext_zone" ] && return
- # IPv4 - due to NAT, need to add both to nat and filter table
- iptables -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
- iptables -t nat -I zone_${ext_zone}_prerouting -j MINIUPNPD
- iptables -t nat -I zone_${ext_zone}_postrouting -j MINIUPNPD-POSTROUTING
- # IPv6 if available - filter only
- [ -x $IP6TABLES ] && {
- $IP6TABLES -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
- }
- ADDED=$(($ADDED + 1))
- }
- # By default, user configuration is king.
- for ext_iface in $(uci -q get upnpd.config.external_iface); do
- add_extzone_rules $(fw3 -q network "$ext_iface")
- done
- add_extzone_rules $(uci -q get upnpd.config.external_zone)
- [ ! $ADDED = 0 ] && exit 0
- # If really nothing is available, resort to network_find_wan{,6} and
- # assume external interfaces all have same firewall zone.
- # (This heuristic may fail horribly, in case of e.g. multihoming, so
- # please set external_zone in that case!)
- network_find_wan wan_iface
- network_find_wan6 wan6_iface
- for ext_iface in $wan_iface $wan6_iface; do
- # fw3 -q network fails on sub-interfaces => map to device first
- network_get_device ext_device $ext_iface
- add_extzone_rules $(fw3 -q device "$ext_device")
- done
|
