7 'require tools.widgets as widgets';
10 callConntrackHelpers: rpc.declare({
12 method: 'getConntrackHelpers',
13 expect: { result: [] }
18 this.callConntrackHelpers(),
19 firewall.getDefaults()
23 render: function(data) {
24 var ctHelpers = data[0],
28 m = new form.Map('firewall', _('Firewall - Zone Settings'),
29 _('The firewall creates zones over your network interfaces to control network traffic flow.'));
31 s = m.section(form.TypedSection, 'defaults', _('General Settings'));
35 o = s.option(form.Flag, 'syn_flood', _('Enable SYN-flood protection'));
36 o = s.option(form.Flag, 'drop_invalid', _('Drop invalid packets'));
39 s.option(form.ListValue, 'input', _('Input')),
40 s.option(form.ListValue, 'output', _('Output')),
41 s.option(form.ListValue, 'forward', _('Forward'))
44 for (var i = 0; i < p.length; i++) {
45 p[i].value('REJECT', _('reject'));
46 p[i].value('DROP', _('drop'));
47 p[i].value('ACCEPT', _('accept'));
50 /* Netfilter flow offload support */
52 if (L.hasSystemFeature('offloading')) {
53 s = m.section(form.TypedSection, 'defaults', _('Routing/NAT Offloading'),
54 _('Experimental feature. Not fully compatible with QoS/SQM.'));
59 o = s.option(form.Flag, 'flow_offloading',
60 _('Software flow offloading'),
61 _('Software based offloading for routing/NAT'));
64 o = s.option(form.Flag, 'flow_offloading_hw',
65 _('Hardware flow offloading'),
66 _('Requires hardware NAT support. Implemented at least for mt7621'));
68 o.depends('flow_offloading', '1');
72 s = m.section(form.GridSection, 'zone', _('Zones'));
77 s.tab('general', _('General Settings'));
78 s.tab('advanced', _('Advanced Settings'));
79 s.tab('conntrack', _('Conntrack Settings'));
80 s.tab('extra', _('Extra iptables arguments'));
82 o = s.taboption('general', form.DummyValue, '_generalinfo');
85 o.cfgvalue = function(section_id) {
86 var name = uci.get('firewall', section_id, 'name');
88 name = _("this new zone");
89 return _('This section defines common properties of %q. The <em>input</em> and <em>output</em> options set the default policies for traffic entering and leaving this zone while the <em>forward</em> option describes the policy for forwarded traffic between different networks within the zone. <em>Covered networks</em> specifies which available networks are members of this zone.')
90 .replace(/%s/g, name).replace(/%q/g, '"' + name + '"');
93 o = s.taboption('general', form.Value, 'name', _('Name'));
94 o.placeholder = _('Unnamed zone');
97 o.datatype = 'and(uciname,maxlength(11))';
98 o.write = function(section_id, formvalue) {
99 var cfgvalue = this.cfgvalue(section_id);
101 if (cfgvalue == null || cfgvalue == '')
102 return uci.set('firewall', section_id, 'name', formvalue);
103 else if (cfgvalue != formvalue)
104 return firewall.renameZone(cfgvalue, formvalue);
107 o = s.option(widgets.ZoneForwards, '_info', _('Zone ⇒ Forwardings'));
110 o.cfgvalue = function(section_id) {
111 return uci.get('firewall', section_id, 'name');
115 s.taboption('general', form.ListValue, 'input', _('Input')),
116 s.taboption('general', form.ListValue, 'output', _('Output')),
117 s.taboption('general', form.ListValue, 'forward', _('Forward'))
120 for (var i = 0; i < p.length; i++) {
121 p[i].value('REJECT', _('reject'));
122 p[i].value('DROP', _('drop'));
123 p[i].value('ACCEPT', _('accept'));
124 p[i].editable = true;
127 p[0].default = fwDefaults.getInput();
128 p[1].default = fwDefaults.getOutput();
129 p[2].default = fwDefaults.getForward();
131 o = s.taboption('general', form.Flag, 'masq', _('Masquerading'));
134 o = s.taboption('general', form.Flag, 'mtu_fix', _('MSS clamping'));
137 o = s.taboption('general', widgets.NetworkSelect, 'network', _('Covered networks'));
140 o.cfgvalue = function(section_id) {
141 return uci.get('firewall', section_id, 'network') || uci.get('firewall', section_id, 'name');
143 o.write = function(section_id, formvalue) {
144 var name = uci.get('firewall', section_id, 'name'),
145 cfgvalue = this.cfgvalue(section_id);
147 if (typeof(cfgvalue) == 'string' && Array.isArray(formvalue) && (cfgvalue == formvalue.join(' ')))
150 var tasks = [ firewall.getZone(name) ];
152 if (Array.isArray(formvalue))
153 for (var i = 0; i < formvalue.length; i++) {
154 var netname = formvalue[i];
155 tasks.push(network.getNetwork(netname).then(function(net) {
156 return net || network.addNetwork(netname, { 'proto': 'none' });
160 return Promise.all(tasks).then(function(zone_networks) {
161 if (zone_networks[0])
162 for (var i = 1; i < zone_networks.length; i++)
163 zone_networks[0].addNetwork(zone_networks[i].getName());
166 o.remove = function(section_id) {
167 return uci.set('firewall', section_id, 'network', ' ');
170 o = s.taboption('advanced', form.DummyValue, '_advancedinfo');
173 o.cfgvalue = function(section_id) {
174 var name = uci.get('firewall', section_id, 'name');
176 name = _("this new zone");
177 return _('The options below control the forwarding policies between this zone (%s) and other zones. <em>Destination zones</em> cover forwarded traffic <strong>originating from %q</strong>. <em>Source zones</em> match forwarded traffic from other zones <strong>targeted at %q</strong>. The forwarding rule is <em>unidirectional</em>, e.g. a forward from lan to wan does <em>not</em> imply a permission to forward from wan to lan as well.')
181 o = s.taboption('advanced', widgets.DeviceSelect, 'device', _('Covered devices'), _('Use this option to classify zone traffic by raw, non-<em>uci</em> managed network devices.'));
186 o = s.taboption('advanced', form.DynamicList, 'subnet', _('Covered subnets'), _('Use this option to classify zone traffic by source or destination subnet instead of networks or devices.'));
187 o.datatype = 'neg(cidr)';
191 o = s.taboption('advanced', form.ListValue, 'family', _('Restrict to address family'));
192 o.value('', _('IPv4 and IPv6'));
193 o.value('ipv4', _('IPv4 only'));
194 o.value('ipv6', _('IPv6 only'));
197 o = s.taboption('advanced', form.DynamicList, 'masq_src', _('Restrict Masquerading to given source subnets'));
198 o.depends('family', '');
199 o.depends('family', 'ipv4');
200 o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
201 o.placeholder = '0.0.0.0/0';
204 o = s.taboption('advanced', form.DynamicList, 'masq_dest', _('Restrict Masquerading to given destination subnets'));
205 o.depends('family', '');
206 o.depends('family', 'ipv4');
207 o.datatype = 'list(neg(or(uciname,hostname,ipmask4)))';
208 o.placeholder = '0.0.0.0/0';
211 o = s.taboption('conntrack', form.Flag, 'masq_allow_invalid', _('Allow "invalid" traffic'), _('Do not install extra rules to reject forwarded traffic with conntrack state <em>invalid</em>. This may be required for complex asymmetric route setups.'));
214 o = s.taboption('conntrack', form.Flag, 'auto_helper', _('Automatic helper assignment'), _('Automatically assign conntrack helpers based on traffic protocol and port'));
215 o.default = o.enabled;
218 o = s.taboption('conntrack', form.MultiValue, 'helper', _('Conntrack helpers'), _('Explicitly choses allowed connection tracking helpers for zone traffic'));
219 o.depends('auto_helper', '0');
221 for (var i = 0; i < ctHelpers.length; i++)
222 o.value(ctHelpers[i].name, '<span class="hide-close">%s (%s)</span><span class="hide-open">%s</span>'.format(ctHelpers[i].description, ctHelpers[i].name.toUpperCase(), ctHelpers[i].name.toUpperCase()));
224 o = s.taboption('advanced', form.Flag, 'log', _('Enable logging on this zone'));
227 o = s.taboption('advanced', form.Value, 'log_limit', _('Limit log messages'));
228 o.depends('log', '1');
229 o.placeholder = '10/minute';
232 o = s.taboption('extra', form.DummyValue, '_extrainfo');
235 o.cfgvalue = function(section_id) {
236 return _('Passing raw iptables arguments to source and destination traffic classification rules allows to match packets based on other criteria than interfaces or subnets. These options should be used with extreme care as invalid values could render the firewall ruleset broken, completely exposing all services.');
239 o = s.taboption('extra', form.Value, 'extra_src', _('Extra source arguments'), _('Additional raw <em>iptables</em> arguments to classify zone source traffic, e.g. <code>-p tcp --sport 443</code> to only match inbound HTTPS traffic.'));
241 o.cfgvalue = function(section_id) {
242 return uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
244 o.write = function(section_id, value) {
245 uci.unset('firewall', section_id, 'extra');
246 uci.set('firewall', section_id, 'extra_src', value);
249 o = s.taboption('extra', form.Value, 'extra_dest', _('Extra destination arguments'), _('Additional raw <em>iptables</em> arguments to classify zone destination traffic, e.g. <code>-p tcp --dport 443</code> to only match outbound HTTPS traffic.'));
251 o.cfgvalue = function(section_id) {
252 return uci.get('firewall', section_id, 'extra_dest') || uci.get('firewall', section_id, 'extra_src') || uci.get('firewall', section_id, 'extra');
254 o.write = function(section_id, value) {
255 uci.unset('firewall', section_id, 'extra');
256 uci.set('firewall', section_id, 'extra_dest', value);
259 o = s.taboption('general', form.DummyValue, '_forwardinfo');
262 o.cfgvalue = function(section_id) {
263 var name = uci.get('firewall', section_id, 'name');
265 name = _("this new zone");
266 return _('The options below control the forwarding policies between this zone (%s) and other zones. <em>Destination zones</em> cover forwarded traffic <strong>originating from %q</strong>. <em>Source zones</em> match forwarded traffic from other zones <strong>targeted at %q</strong>. The forwarding rule is <em>unidirectional</em>, e.g. a forward from lan to wan does <em>not</em> imply a permission to forward from wan to lan as well.')
270 out = o = s.taboption('general', widgets.ZoneSelect, 'out', _('Allow forward to <em>destination zones</em>:'));
274 o.filter = function(section_id, value) {
275 return (uci.get('firewall', section_id, 'name') != value);
277 o.cfgvalue = function(section_id) {
278 var out = (this.option == 'out'),
279 zone = this.lookupZone(uci.get('firewall', section_id, 'name')),
280 fwds = zone ? zone.getForwardingsBy(out ? 'src' : 'dest') : [],
283 for (var i = 0; i < fwds.length; i++)
284 value.push(out ? fwds[i].getDestination() : fwds[i].getSource());
288 o.write = o.remove = function(section_id, formvalue) {
289 var out = (this.option == 'out'),
290 zone = this.lookupZone(uci.get('firewall', section_id, 'name')),
291 fwds = zone ? zone.getForwardingsBy(out ? 'src' : 'dest') : [];
293 if (formvalue == null)
296 if (Array.isArray(formvalue)) {
297 for (var i = 0; i < fwds.length; i++) {
298 var cmp = out ? fwds[i].getDestination() : fwds[i].getSource();
299 if (!formvalue.filter(function(d) { return d == cmp }).length)
300 zone.deleteForwarding(fwds[i]);
303 for (var i = 0; i < formvalue.length; i++)
305 zone.addForwardingTo(formvalue[i]);
307 zone.addForwardingFrom(formvalue[i]);
311 inp = o = s.taboption('general', widgets.ZoneSelect, 'in', _('Allow forward from <em>source zones</em>:'));
315 o.write = o.remove = out.write;
316 o.filter = out.filter;
317 o.cfgvalue = out.cfgvalue;
projects / oweals / luci.git / blob