#!/bin/sh export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/mod/sbin:/mod/bin:/mod/usr/sbin:/mod/usr/bin:/var/mod/sbin export LD_LIBRARY_PATH=/mod/lib DAEMON=avm-firewall # Variablen fuer Pfade REAL=/var/flash/ar7.cfg REALCOPY=/var/tmp/firewall.ar7.copy CONFIG=/mod/etc/conf/avm-firewall.cfg TEMP1=/var/tmp/firewall.temp1 case "$1" in ""|load) BOXID=`sed -n 's/ProductID[ ]*//gp' /proc/sys/urlader/environment | tr -d '\t'` BOXOEM=`cat /proc/sys/urlader/firmware_version` # Original Regeln Kennzeichnen, falls noch nicht geschehen if [ `sed "/targets/q" $REAL | grep -c '/\*AVM\*/'` -eq 0 ]; then DEFar7=`cat "/etc/default.$BOXID/$BOXOEM/ar7.cfg" | sed -n '/dslifaces/,/} {/p'` DEFli=`echo "$DEFar7" | sed -n '/lowinput/,/}/p' | sed -n "s/^[ ]*\"//g ; /^permit\|^deny\|^reject/ s/\"[,;][ ]*/%/gp" | tr '\n' '|' | sed 's/%|$//' | tr '%' '\'` DEFho=`echo "$DEFar7" | sed -n '/highoutput/,/}/p' | sed -n "s/^[ ]*\"//g ; /^permit\|^deny\|^reject/ s/\"[,;][ ]*/%/gp" | tr '\n' '|' | sed 's/%|$//' | tr '%' '\'` tmp='cat $REAL | sed "/dslifaces/,/lowoutput/ {/'$DEFli'/ s/^[ ]*\".*\"[,;][ ]*$/&\/*AVM*\/ /g}" | sed "/dslifaces/,/} {/ {/highoutput/,/}/ {/'$DEFho'/ s/^[ ]*\".*\"[,;][ ]*$/&\/*AVM*\/ /g}}" > $REALCOPY' eval $tmp cat $REALCOPY > $REAL fi ;; esac # Suche nach Bereich von "dslifaces" bis "} {" DSLIFACES="`cat $REAL | sed -n '/dslifaces/,/} {/p' `"; # In diesem Bereich der von "lowinput" bis zu schliessenden Klammer LOWINPUT=`echo "$DSLIFACES" | sed -n '/lowinput/,/}/p' ` # "policy" und "accesslit" String erzeugen # nur policy ist immer da, denn leere Rulestabelle ist ohne accesslist-Eintrag! POL=`echo "$DSLIFACES" | sed '/policy/!d ; q' | sed 's/\(^.*= "\).*/\1/'` ACCL=`echo "$POL" | sed 's/policy = "/accesslist = /'` SPACES=`echo "$ACCL" | sed 's/./ /g'` RET=' ' # Die eigentlichen Rules rauslesen (Am Anfang Leereichen und " loeschen, am Ende die ", oder "; Kombination) LIRULES=`echo "$LOWINPUT"| sed -n "s/^[ ]*\(accesslist = \)*\"//g ; /^permit\|^deny\|^reject/ {s/\"[,;]//g;s/[ ]*$//gp}"` LIPOL="`echo "$LOWINPUT" | grep "policy =" | sed 's/^.*policy.*"\(.*\)";/\1/'`" HIGHOUTPUT="`echo "$DSLIFACES" | sed -n '/highoutput/,/}/p'`" HORULES=`echo "$HIGHOUTPUT"| sed -n "s/^[ ]*\(accesslist = \)*\"//g ; /^permit\|^deny\|^reject/ {s/\"[,;]//g;s/[ ]*$//gp}"` HOPOL="`echo "$HIGHOUTPUT" | grep "policy =" | sed 's/^.*policy.*"\(.*\)";/\1/'`" # Die FWD-Rules rauslesen (Am Anfang Leereichen und alles bis zum " loeschen, am Ende die ", oder "; Kombination) # dafuer wird der "gewuenschte Teil" im Ausdruck mit \( und \) eingefasst und mit \1 ersetzt FWDRULES=`echo "$DSLIFACES" | sed -n '/forwardrules/,/;/ { /shaper/ q ; s/^[^"]*"\(.*\)"[,;][ ]*/\1/gp}'` ; FWDSTART=`echo "$DSLIFACES" | sed -n 's/lowinput.*/forwardrules = /p'` ENDBRACE=`echo "$DSLIFACES" | sed -n 's/lowinput.*/\}/p'` FWDSPACES=`echo "$FWDSTART" | sed 's/./ /g'`; case "$1" in ""|load) echo "`cat $CONFIG | grep '_cgi\|_LOG' `" > $CONFIG echo "export AVM_FIREWALL_DO_ACTIVATE=''" >> $CONFIG echo "export AVM_FIREWALL_GUI=''" >> $CONFIG echo "export AVM_FIREWALL_RULESTABLE_LI='""$LIRULES""'" >> $CONFIG echo "export AVM_FIREWALL_RULESTABLE_HO='""$HORULES""'" >> $CONFIG echo "export AVM_FIREWALL_POLICY_LI='""$LIPOL""'" >> $CONFIG echo "export AVM_FIREWALL_POLICY_HO='""$HOPOL""'" >> $CONFIG echo "export AVM_FIREWALL_FORWARDINGRULES='""$FWDRULES""'" >> $CONFIG ;; esac case "$1" in ""|load|start|restart) . /mod/etc/conf/$DAEMON.cfg ;; esac start() { if [ ! -r "/mod/etc/conf/$DAEMON.cfg" ]; then echo "Error[$DAEMON]: not configured" 1>&2 exit 1 fi if ` grep "*gui*" /mod/etc/conf/avm-firewall.cfg `; then echo "`sed -e "s/\*gui\*//g" $CONFIG`" > $CONFIG echo "Saving new firewall rules..." # Die LI-Accesslist (vorne "Spaces", dann die "Rules" ans Ende ", letzte Zeile "; ) TMPACCL="" && [ -n "$AVM_FIREWALL_RULESTABLE_LI" ] && TMPACCL="$RET$ACCL$RET"`echo "$AVM_FIREWALL_RULESTABLE_LI" | sed "s/^/$SPACES\"/ ; s%\(..\)[ ]*\(/\*.*\*/\)*[ ]*$%\1\", \2 % ; $ s/, /;/"` LI="$POL$AVM_FIREWALL_POLICY_LI\";$TMPACCL" # Die HO-Liste... TMPACCL="" && [ -n "$AVM_FIREWALL_RULESTABLE_HO" ] && TMPACCL="$RET$ACCL$RET"`echo "$AVM_FIREWALL_RULESTABLE_HO" | sed "s/^/$SPACES\"/ ; s%\(..\)[ ]*\(/\*.*\*/\)*[ ]*$%\1\", \2 % ; $ s/, /;/"` HO="$POL$AVM_FIREWALL_POLICY_HO\";$TMPACCL" # Die Forwarding-Regeln... FWD="$ENDBRACE" && [ -n "$AVM_FIREWALL_FORWARDINGRULES" ] && FWD="${ENDBRACE}${RET}${FWDSTART}\""`echo "$AVM_FIREWALL_FORWARDINGRULES" | sed "2,$ s/^/$FWDSPACES\"/ ; s%\(..\)[ ]*\(/\*.*\*/\)*[ ]*$%\1\", \2% ; $ s/,/;/"`; # ... und alles Einsetzen ... cat $REAL | awk -v v1="$LI" -v v2="$HO" -v v3="$FWD" '/dslifaces/ {ifstart=1} ;/targets/ {ifstart=0}; /lowinput/{if (ifstart && !liend) {listart=1}};/highoutput/{if (ifstart && !hoend) {hostart=1}}; /policy/{{if (listart) {lirules=1;printli=1}}; {if (hostart) {horules=1;printho=1}}};/\}/{{if (lirules) {lirules=0; listart=0}}; {if(horules){horules=0; hostart=0 ; fwd=1 }}} ;/shaper/||/}/{if (fwd && fwdready) {fwd=0}} ;{if (lirules) {{if (printli) {print v1; liend=1; printli=0}}; {next}}} ;{if(horules){{if (printho){ print v2; hoend=1; printho=0}}; {next}}}; {if (fwd){ { if (!fwdready) {print v3; fwdready=1}}; {next}}}; {print}' > $REALCOPY # echte ar7.cfg schreiben cat $REALCOPY > $REAL if [ "$AVM_FIREWALL_DO_ACTIVATE" == "yes" ]; then echo "Requested activation of rule set. Restarting dsld ..." eval dsld -s eval ctlmgr -s sleep 1 killall -9 dsld 2> /dev/null killall -9 ctlmgr 2> /dev/null ctlmgr [ "$AVM_FIREWALL_LOG_DROPPED" != "yes" ] && LOGG="-n" || LOGG="" if [ "$AVM_FIREWALL_LOG" == "yes" ]; then dsld $LOGG -D AVM_FW else dsld $LOGG fi echo "done"; fi else echo "ERROR: Can only used by GUI." fi } stop () { echo "Stoping firewall is not possible. Firewall is running by AVM per default." exit 1 } case "$1" in start) start ;; stop) stop ;; restart) start ;; status) echo 'running' ;; ""|load) modreg cgi $DAEMON AVM-Firewall ;; unload) stop modunreg cgi $DAEMON ;; *) echo "Usage: $0 [start|stop|restart|status]" 1>&2 exit 1 ;; esac exit 0