[PATCH] firewall: provide examples of ssh port relocation on firewall and IPsec passthrough

Two examples of potentially useful configurations (commented out, of course): (a) map the ssh service running on the firewall to 22001 externally, without modifying the configuration of the daemon itself. this allows port 22 on the WAN side to then be port-forwarded to a LAN-based machine if desired, or if not, simply obscures the port from external attack. (b) allow IPsec/ESP and ISAKMP (UDP-based key exchange) to happen by default. useful for most modern VPN clients you might have on your WAN. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> git-svn-id: svn://svn.openwrt.org/openwrt/trunk@26805 3c298f89-4303-0410-b956-a3cf2f4a3e73
2025-04-21 12:27:27 +03:00 · 2011-05-02 12:54:31 +00:00
parent ac6cfcb956
commit 667c11ec82
2 changed files with 61 additions and 11 deletions
--- a/package/firewall/files/lib/core_interface.sh
+++ b/package/firewall/files/lib/core_interface.sh
@@ -1,27 +1,55 @@
-# Copyright (C) 2009-2010 OpenWrt.org
+# Copyright (C) 2009-2011 OpenWrt.org

 fw__uci_state_add() {
 	local var="$1"
 	local item="$2"

-	local val=" $(uci_get_state firewall core $var) "
-	val="${val// $item / }"
-	val="${val# }"
-	val="${val% }"
+	local list="$(uci_get_state firewall core $var)"
+	      list=" ${list:+$list }"
+
+	for item in $item; do
+		case "$list" in
+			"* $item *") continue;;
+			*) list="$list$item ";;
+		esac
+	done
+
+	list="${list% }"
+	list="${list# }"
+
 	uci_revert_state firewall core $var
-	uci_set_state firewall core $var "${val:+$val }$item"
+	uci_set_state firewall core $var "$list"
 }

 fw__uci_state_del() {
 	local var="$1"
 	local item="$2"

-	local val=" $(uci_get_state firewall core $var) "
-	val="${val// $item / }"
-	val="${val# }"
-	val="${val% }"
+	echo "del[$item]"
+
+	local list val
+	for val in $(uci_get_state firewall core "$var" | sort -u); do
+		list="${list:+$list }$val"
+	done
+
+	echo "list[$list]"
+
 	uci_revert_state firewall core $var
-	uci_set_state firewall core $var "$val"
+
+	[ -n "$list" ] && {
+		list=" $list "
+
+		for item in $item; do
+			list="${list// $item / }"
+		done
+
+		list="${list# }"
+		list="${list% }"
+
+		echo "list2[$list]"
+
+		uci_set_state firewall core $var "$list"
+	}
 }

 fw_configure_interface() {