[backfire] drop firewall v1

git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@25352 3c298f89-4303-0410-b956-a3cf2f4a3e73

package/firewall/Makefile

@@ -1,53 +0,0 @@
-#
-# Copyright (C) 2008-2009 OpenWrt.org
-#
-# This is free software, licensed under the GNU General Public License v2.
-# See /LICENSE for more information.
-
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=firewall
-
-PKG_VERSION:=1
-PKG_RELEASE:=21
-
-include $(INCLUDE_DIR)/package.mk
-
-define Package/firewall
-  SECTION:=net
-  CATEGORY:=Base system
-  URL:=http://openwrt.org/
-  TITLE:=OpenWrt firewall
-  DEPENDS:=+iptables +iptables-mod-conntrack +iptables-mod-nat
-  PKGARCH:=all
-endef
-
-define Package/firewall/description
- UCI based firewall for OpenWrt
-endef
-
-define Build/Compile
-	true
-endef
-
-define Package/firewall/conffiles
-/etc/config/firewall
-/etc/firewall.user
-endef
-
-define Package/firewall/install
-	$(INSTALL_DIR) $(1)/lib/firewall
-	$(INSTALL_DATA) ./files/uci_firewall.sh $(1)/lib/firewall
-	$(INSTALL_DIR) $(1)/etc/config
-	$(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall
-	$(INSTALL_DIR) $(1)/etc/init.d/
-	$(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
-	$(INSTALL_DATA) ./files/20-firewall $(1)/etc/hotplug.d/iface
-	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
-	$(INSTALL_DATA) ./files/reflection.hotplug $(1)/etc/hotplug.d/firewall/10-nat-reflection
-	$(INSTALL_DIR) $(1)/etc
-	$(INSTALL_DATA) ./files/firewall.user $(1)/etc
-endef
-
-$(eval $(call BuildPackage,firewall))

package/firewall/files/20-firewall

@@ -1,5 +0,0 @@
-. /lib/firewall/uci_firewall.sh
-unset ZONE
-config_get ifname $INTERFACE ifname
-[ "$ifname" == "lo" ] && exit 0
-fw_event "$ACTION" "$INTERFACE"

package/firewall/files/firewall.config

@@ -1,96 +0,0 @@
-config defaults
-	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT 
-	option forward		REJECT
-
-config zone
-	option name		lan
-	option input	ACCEPT 
-	option output	ACCEPT 
-	option forward	REJECT
-
-config zone
-	option name		wan
-	option input	REJECT
-	option output	ACCEPT 
-	option forward	REJECT
-	option masq		1 
-	option mtu_fix	1
-
-config forwarding 
-	option src      lan
-	option dest     wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
-	option src		wan
-	option proto		udp
-	option dest_port	68
-	option target		ACCEPT
-
-#Allow ping
-config rule
-	option src wan
-	option proto icmp
-	option icmp_type echo-request
-	option target ACCEPT
-
-# include a file with users custom iptables rules
-config include
-	option path /etc/firewall.user
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option dest		wan
-#	option proto	tcp
-#	option target	REJECT 
-
-# block a specific mac on wan
-#config rule
-#	option dest		wan
-#	option src_mac	00:11:22:33:44:66
-#	option target	REJECT 
-
-# block incoming ICMP traffic on a zone
-#config rule
-#	option src		lan
-#	option proto	ICMP
-#	option target	DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-#	option src			wan
-#	option src_dport	80
-#	option dest			lan
-#	option dest_ip		192.168.16.235
-#	option dest_port	80 
-#	option proto		tcp
-
-
-### FULL CONFIG SECTIONS
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port	80
-#	option dest		wan
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
-#	option target	REJECT 
-
-#config redirect
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port		1024
-#	option src_dport	80
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp

package/firewall/files/firewall.init

@@ -1,14 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2008 OpenWrt.org
-
-START=45
-
-start() {
-	. /lib/firewall/uci_firewall.sh
-	fw_init
-}
-
-stop() {
-	. /lib/firewall/uci_firewall.sh
-	fw_stop	
-}

package/firewall/files/firewall.user

@@ -1,4 +0,0 @@
-# This file is interpreted as shell script.
-# Put your custom iptables rules here, they will
-# be executed with each firewall (re-)start.
-

package/firewall/files/reflection.hotplug

@@ -1,120 +0,0 @@
-#!/bin/sh
-
-. /etc/functions.sh
-
-if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
-	local wanip=$(uci -P/var/state get network.wan.ipaddr)
-
-	iptables -t nat -F nat_reflection_in 2>/dev/null || {
-		iptables -t nat -N nat_reflection_in
-		iptables -t nat -A prerouting_rule -j nat_reflection_in
-	}
-
-	iptables -t nat -F nat_reflection_out 2>/dev/null || {
-		iptables -t nat -N nat_reflection_out
-		iptables -t nat -A postrouting_rule -j nat_reflection_out
-	}
-
-	iptables -t filter -F nat_reflection_fwd 2>/dev/null || {
-		iptables -t filter -N nat_reflection_fwd
-		iptables -t filter -A forwarding_rule -j nat_reflection_fwd
-	}
-
-	find_networks() {
-		find_networks_cb() {
-			local cfg="$1"
-			local zone="$2"
-
-			local name
-			config_get name "$cfg" name
-
-			[ "$name" = "$zone" ] && {
-				local network
-				config_get network "$cfg" network
-
-				echo ${network:-$zone}
-				return 1
-			}
-		}
-
-		config_foreach find_networks_cb zone "$1"
-	}
-
-	setup_fwd() {
-		local cfg="$1"
-
-		local reflection
-		config_get_bool reflection "$cfg" reflection 1
-		[ "$reflection" == 1 ] || return
-
-		local src
-		config_get src "$cfg" src
-
-		local target
-		config_get target "$cfg" target
-
-		[ "$src" = wan ] && [ "${target:-DNAT}" = DNAT ] && {
-			local dest
-			config_get dest "$cfg" dest "lan"
-
-			local net
-			for net in $(find_networks "$dest"); do
-				local lanip=$(uci -P/var/state get network.$net.ipaddr)
-				local lanmk=$(uci -P/var/state get network.$net.netmask)
-
-				local proto
-				config_get proto "$cfg" proto
-
-				local epmin epmax extport
-				config_get extport "$cfg" src_dport
-				[ -n "$extport" ] || return
-
-				epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
-				[ "$epmin" != "$epmax" ] || epmax=""
-
-				local ipmin ipmax intport
-				config_get intport "$cfg" dest_port "$extport"
-
-				ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
-				[ "$ipmin" != "$ipmax" ] || ipmax=""
-
-				local exthost
-				config_get exthost "$cfg" src_dip "$wanip"
-
-				local inthost
-				config_get inthost "$cfg" dest_ip
-				[ -n "$inthost" ] || return
-
-				[ "$proto" = tcpudp ] && proto="tcp udp"
-
-				[ "${inthost#!}" = "$inthost" ] || return 0
-				[ "${exthost#!}" = "$exthost" ] || return 0
-
-				local p
-				for p in ${proto:-tcp udp}; do
-					case "$p" in
-						tcp|udp)
-							iptables -t nat -A nat_reflection_in \
-								-s $lanip/$lanmk -d $exthost \
-								-p $p --dport $epmin${epmax:+:$epmax} \
-								-j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
-
-							iptables -t nat -A nat_reflection_out \
-								-s $lanip/$lanmk -d $inthost \
-								-p $p --dport $ipmin${ipmax:+:$ipmax} \
-								-j SNAT --to-source $lanip
-
-							iptables -t filter -A nat_reflection_fwd \
-								-s $lanip/$lanmk -d $inthost \
-								-p $p --dport $ipmin${ipmax:+:$ipmax} \
-								-j ACCEPT
-						;;
-					esac
-				done
-			done
-		}
-	}
-
-	config_load firewall
-	config_foreach setup_fwd redirect
-fi

package/firewall/files/uci_firewall.sh

@@ -1,684 +0,0 @@
-#!/bin/sh
-# Copyright (C) 2008 John Crispin <blogic@openwrt.org>
-
-. /etc/functions.sh
-
-IPTABLES="echo iptables"
-IPTABLES=iptables
-
-config_clear
-include /lib/network
-scan_interfaces
-
-CONFIG_APPEND=1
-config_load firewall
-
-config fw_zones
-ZONE_LIST=$CONFIG_SECTION
-ZONE_NAMES=
-
-CUSTOM_CHAINS=1
-DEF_INPUT=DROP
-DEF_OUTPUT=DROP
-DEF_FORWARD=DROP
-CONNTRACK_ZONES=
-NOTRACK_DISABLED=
-
-add_state() {
-	local var="$1"
-	local item="$2"
-
-	local val="$(uci_get_state firewall core $var)"
-	uci_set_state firewall core $var "${val:+$val }$item"
-}
-
-del_state() {
-	local var="$1"
-	local item="$2"
-
-	local val=" $(uci_get_state firewall core $var) "
-	val="${val// $item / }"
-	val="${val# }"
-	val="${val% }"
-	uci_set_state firewall core $var "$val"
-}
-
-find_item() {
-	local item="$1"; shift
-	for i in "$@"; do
-		[ "$i" = "$item" ] && return 0
-	done
-	return 1
-}
-
-get_portrange() {
-	local _var="$1"
-	local _range="$2"
-	local _delim="${3:-:}"
-
-	local _min="${_range%%[:-]*}"
-	local _max="${_range##*[:-]}"
-
-	[ -n "$_min" ] && [ -n "$_max" ] && [ "$_min" != "$_max" ] && \
-		export -n -- "$_var=$_min$_delim$_max" || \
-		export -n -- "$_var=${_min:-$_max}"
-}
-
-get_negation() {
-	local _var="$1"
-	local _flag="$2"
-	local _ipaddr="$3"
-
-	[ "${_ipaddr#!}" != "$_ipaddr" ] && \
-		export -n -- "$_var=! $_flag ${_ipaddr#!}" || \
-		export -n -- "$_var=${_ipaddr:+$_flag $_ipaddr}"
-}
-
-load_policy() {
-	config_get input $1 input
-	config_get output $1 output
-	config_get forward $1 forward
-
-	DEF_INPUT="${input:-$DEF_INPUT}"
-	DEF_OUTPUT="${output:-$DEF_OUTPUT}"
-	DEF_FORWARD="${forward:-$DEF_FORWARD}"
-}
-
-create_zone() {
-	local name="$1"
-	local network="$2"
-	local input="$3"
-	local output="$4"
-	local forward="$5"
-	local mtu_fix="$6"
-	local masq="$7"
-	local masq_src="$8"
-	local masq_dest="$9"
-
-	local exists
-
-	[ "$name" == "loopback" ] && return
-
-	config_get exists $ZONE_LIST $name
-	[ -n "$exists" ] && return
-	config_set $ZONE_LIST $name 1
-
-	$IPTABLES -N zone_${name}
-	$IPTABLES -N zone_${name}_MSSFIX
-	$IPTABLES -N zone_${name}_ACCEPT
-	$IPTABLES -N zone_${name}_DROP
-	$IPTABLES -N zone_${name}_REJECT
-	$IPTABLES -N zone_${name}_forward
-	[ "$output" ] && $IPTABLES -A output -j zone_${name}_${output}
-	$IPTABLES -N zone_${name}_nat -t nat
-	$IPTABLES -N zone_${name}_prerouting -t nat
-	$IPTABLES -t raw -N zone_${name}_notrack
-	[ "$mtu_fix" == "1" ] && $IPTABLES -I FORWARD 1 -j zone_${name}_MSSFIX
-
-	if [ "$masq" == "1" ]; then
-		local msrc mdst
-		for msrc in ${masq_src:-0.0.0.0/0}; do
-			get_negation msrc '-s' "$msrc"
-			for mdst in ${masq_dest:-0.0.0.0/0}; do
-				get_negation mdst '-d' "$mdst"
-				$IPTABLES -A zone_${name}_nat -t nat $msrc $mdst -j MASQUERADE
-			done
-		done
-	fi
-
-	append ZONE_NAMES "$name"
-}
-
-
-addif() {
-	local network="$1"
-	local ifname="$2"
-	local zone="$3"
-
-	local n_if n_zone
-	config_get n_if core "${network}_ifname"
-	config_get n_zone core "${network}_zone"
-	[ -n "$n_zone" ] && {
-		if [ "$n_zone" != "$zone" ]; then
-			delif "$network" "$n_if" "$n_zone"
-		else
-			return
-		fi
-	}
-
-	logger "adding $network ($ifname) to firewall zone $zone"
-	$IPTABLES -A input -i "$ifname" -j zone_${zone}
-	$IPTABLES -I zone_${zone}_MSSFIX 1 -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-	$IPTABLES -I zone_${zone}_ACCEPT 1 -o "$ifname" -j ACCEPT
-	$IPTABLES -I zone_${zone}_DROP 1 -o "$ifname" -j DROP
-	$IPTABLES -I zone_${zone}_REJECT 1 -o "$ifname" -j reject
-	$IPTABLES -I zone_${zone}_ACCEPT 1 -i "$ifname" -j ACCEPT
-	$IPTABLES -I zone_${zone}_DROP 1 -i "$ifname" -j DROP
-	$IPTABLES -I zone_${zone}_REJECT 1 -i "$ifname" -j reject
-
-	$IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting
-	$IPTABLES -I POSTROUTING 1 -t nat -o "$ifname" -j zone_${zone}_nat
-	$IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward
-	$IPTABLES -I PREROUTING 1 -t raw -i "$ifname" -j zone_${zone}_notrack
-
-	uci_set_state firewall core "${network}_ifname" "$ifname"
-	uci_set_state firewall core "${network}_zone" "$zone"
-
-	add_state "${zone}_networks" "$network"
-
-	ACTION=add ZONE="$zone" INTERFACE="$network" DEVICE="$ifname" /sbin/hotplug-call firewall
-}
-
-delif() {
-	local network="$1"
-	local ifname="$2"
-	local zone="$3"
-
-	logger "removing $network ($ifname) from firewall zone $zone"
-	$IPTABLES -D input -i "$ifname" -j zone_$zone
-	$IPTABLES -D zone_${zone}_MSSFIX -o "$ifname" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-	$IPTABLES -D zone_${zone}_ACCEPT -o "$ifname" -j ACCEPT
-	$IPTABLES -D zone_${zone}_DROP -o "$ifname" -j DROP
-	$IPTABLES -D zone_${zone}_REJECT -o "$ifname" -j reject
-	$IPTABLES -D zone_${zone}_ACCEPT -i "$ifname" -j ACCEPT
-	$IPTABLES -D zone_${zone}_DROP -i "$ifname" -j DROP
-	$IPTABLES -D zone_${zone}_REJECT -i "$ifname" -j reject
-
-	$IPTABLES -D PREROUTING -t nat -i "$ifname" -j zone_${zone}_prerouting
-	$IPTABLES -D POSTROUTING -t nat -o "$ifname" -j zone_${zone}_nat
-	$IPTABLES -D forward -i "$ifname" -j zone_${zone}_forward
-	$IPTABLES -D PREROUTING -t raw -i "$ifname" -j zone_${zone}_notrack
-
-	uci_revert_state firewall core "${network}_ifname"
-	uci_revert_state firewall core "${network}_zone"
-
-	del_state "${zone}_networks" "$network"
-
-	ACTION=remove ZONE="$zone" INTERFACE="$network" DEVICE="$ifname" /sbin/hotplug-call firewall
-}
-
-load_synflood() {
-	local rate=${1:-25}
-	local burst=${2:-50}
-	echo "Loading synflood protection"
-	$IPTABLES -N syn_flood
-	$IPTABLES -A syn_flood -p tcp --syn -m limit --limit $rate/second --limit-burst $burst -j RETURN
-	$IPTABLES -A syn_flood -j DROP
-	$IPTABLES -A INPUT -p tcp --syn -j syn_flood
-}
-
-fw_set_chain_policy() {
-	local chain=$1
-	local target=$2
-	[ "$target" == "REJECT" ] && {
-		$IPTABLES -A $chain -j reject
-		target=DROP
-	}
-	$IPTABLES -P $chain $target
-}
-
-fw_clear() {
-	$IPTABLES -F
-	$IPTABLES -t nat -F
-	$IPTABLES -t nat -X
-	$IPTABLES -t raw -F
-	$IPTABLES -t raw -X
-	$IPTABLES -X
-}
-
-fw_defaults() {
-	[ -n "$DEFAULTS_APPLIED" ] && {
-		echo "Error: multiple defaults sections detected"
-		return;
-	}
-	DEFAULTS_APPLIED=1
-
-	load_policy "$1"
-
-	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-	for f in /proc/sys/net/ipv4/conf/*/accept_redirects
-	do
-		echo 0 > $f
-	done
-	for f in /proc/sys/net/ipv4/conf/*/accept_source_route
-	do
-		echo 0 > $f
-	done
-
-	uci_revert_state firewall core
-	uci_set_state firewall core "" firewall_state
-
-	$IPTABLES -P INPUT DROP
-	$IPTABLES -P OUTPUT DROP
-	$IPTABLES -P FORWARD DROP
-
-	fw_clear
-	config_get_bool drop_invalid $1 drop_invalid 0
-
-	[ "$drop_invalid" -gt 0 ] && {
-		$IPTABLES -A INPUT -m state --state INVALID -j DROP
-		$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
-		$IPTABLES -A FORWARD -m state --state INVALID -j DROP
-		NOTRACK_DISABLED=1
-	}
-
-	$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-	$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-	$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-	$IPTABLES -A INPUT -i lo -j ACCEPT
-	$IPTABLES -A OUTPUT -o lo -j ACCEPT
-
-	config_get syn_flood $1 syn_flood
-	config_get syn_rate $1 syn_rate
-	config_get syn_burst $1 syn_burst
-	[ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst
-
-	echo "Adding custom chains"
-	fw_custom_chains
-
-	$IPTABLES -N input
-	$IPTABLES -N output
-	$IPTABLES -N forward
-
-	$IPTABLES -A INPUT -j input
-	$IPTABLES -A OUTPUT -j output
-	$IPTABLES -A FORWARD -j forward
-
-	$IPTABLES -N reject
-	$IPTABLES -A reject -p tcp -j REJECT --reject-with tcp-reset
-	$IPTABLES -A reject -j REJECT --reject-with icmp-port-unreachable
-
-	fw_set_chain_policy INPUT "$DEF_INPUT"
-	fw_set_chain_policy OUTPUT "$DEF_OUTPUT"
-	fw_set_chain_policy FORWARD "$DEF_FORWARD"
-}
-
-fw_zone_defaults() {
-	local name
-	local network
-	local masq
-
-	config_get name $1 name
-	config_get network $1 network
-	config_get_bool masq $1 masq "0"
-	config_get_bool conntrack $1 conntrack "0"
-	config_get_bool mtu_fix $1 mtu_fix 0
-
-	load_policy $1
-	[ "$forward" ] && $IPTABLES -A zone_${name}_forward -j zone_${name}_${forward}
-	[ "$input" ] && $IPTABLES -A zone_${name} -j zone_${name}_${input}
-}
-
-fw_zone() {
-	local name
-	local network
-	local mtu_fix
-	local conntrack
-	local masq
-	local masq_src
-	local masq_dest
-
-	config_get name $1 name
-	config_get network $1 network
-	config_get_bool masq $1 masq "0"
-	config_get_bool conntrack $1 conntrack "0"
-	config_get_bool mtu_fix $1 mtu_fix 0
-	config_get masq_src $1 masq_src
-	config_get masq_dest $1 masq_dest
-
-	load_policy $1
-	[ "$conntrack" = "1" -o "$masq" = "1" ] && append CONNTRACK_ZONES "$name"
-	[ -z "$network" ] && network=$name
-
-	create_zone "$name" "$network" "$input" "$output" "$forward" "$mtu_fix" \
-		"$masq" "$masq_src" "$masq_dest"
-
-	fw_custom_chains_zone "$name"
-}
-
-fw_rule() {
-	local src
-	local src_ip
-	local src_mac
-	local src_port
-	local src_mac
-	local dest
-	local dest_ip
-	local dest_port
-	local proto
-	local icmp_type
-	local target
-	local ruleset
-
-	config_get src $1 src
-	config_get src_ip $1 src_ip
-	config_get src_mac $1 src_mac
-	config_get src_port $1 src_port
-	config_get dest $1 dest
-	config_get dest_ip $1 dest_ip
-	config_get dest_port $1 dest_port
-	config_get proto $1 proto
-	config_get icmp_type $1 icmp_type
-	config_get target $1 target
-	config_get ruleset $1 ruleset
-
-	[ "$target" != "NOTRACK" ] || [ -n "$src" ] || {
-		echo "NOTRACK rule needs src"
-		return
-	}
-
-	local srcaddr destaddr
-	get_negation srcaddr '-s' "$src_ip"
-	get_negation destaddr '-d' "$dest_ip"
-
-	local srcports destports
-	get_portrange srcports "$src_port" ":"
-	get_portrange destports "$dest_port" ":"
-
-	ZONE=input
-	TABLE=filter
-	TARGET="${target:-DROP}"
-
-	if [ "$TARGET" = "NOTRACK" ]; then
-		TABLE=raw
-		ZONE="zone_${src}_notrack"
-	else
-		[ -n "$src" ] && ZONE="zone_${src}${dest:+_forward}"
-		[ -n "$dest" ] && TARGET="zone_${dest}_${TARGET}"
-	fi
-
-	add_rule() {
-		local pos
-		eval 'pos=$((++FW__RULE_COUNT_'$ZONE'))'
-
-		$IPTABLES -t $TABLE -I $ZONE $pos \
-			$srcaddr $destaddr \
-			${proto:+-p $proto} \
-			${icmp_type:+--icmp-type $icmp_type} \
-			${srcports:+--sport $srcports} \
-			${src_mac:+-m mac --mac-source $src_mac} \
-			${destports:+--dport $destports} \
-			-j $TARGET
-	}
-
-	[ "$proto" == "tcpudp" ] && proto="tcp udp"
-	for proto in ${proto:-tcp udp}; do
-		add_rule
-	done
-}
-
-fw_forwarding() {
-	local src
-	local dest
-	local masq
-
-	config_get src $1 src
-	config_get dest $1 dest
-	[ -n "$src" ] && z_src=zone_${src}_forward || z_src=forward
-	[ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT
-	$IPTABLES -I $z_src 1 -j $z_dest
-
-	# propagate masq zone flag
-	find_item "$src" $CONNTRACK_ZONES && append CONNTRACK_ZONES $dest
-	find_item "$dest" $CONNTRACK_ZONES && append CONNTRACK_ZONES $src
-}
-
-fw_redirect() {
-	local src
-	local src_ip
-	local src_dip
-	local src_port
-	local src_dport
-	local src_mac
-	local dest
-	local dest_ip
-	local dest_port
-	local proto
-	local target
-
-	config_get src $1 src
-	config_get src_ip $1 src_ip
-	config_get src_dip $1 src_dip
-	config_get src_port $1 src_port
-	config_get src_dport $1 src_dport
-	config_get src_mac $1 src_mac
-	config_get dest $1 dest
-	config_get dest_ip $1 dest_ip
-	config_get dest_port $1 dest_port
-	config_get proto $1 proto
-	config_get target $1 target
-
-	local fwdchain natchain natopt nataddr natports srcdaddr srcdports
-	if [ "${target:-DNAT}" == "DNAT" ]; then
-		[ -n "$src" -a -n "$dest_ip$dest_port" ] || {
-			echo "DNAT redirect needs src and dest_ip or dest_port"
-			return
-		}
-
-		fwdchain="zone_${src}_forward"
-
-		natopt="--to-destination"
-		natchain="zone_${src}_prerouting"
-		nataddr="$dest_ip"
-		get_portrange natports "$dest_port" "-"
-
-		get_negation srcdaddr '-d' "$src_dip"
-		get_portrange srcdports "$src_dport" ":"
-
-		find_item "$src" $CONNTRACK_ZONES || \
-			append CONNTRACK_ZONES "$src"
-
-	elif [ "$target" == "SNAT" ]; then
-		[ -n "$dest" -a -n "$src_dip" ] || {
-			echo "SNAT redirect needs dest and src_dip"
-			return
-		}
-
-		fwdchain="${src:+zone_${src}_forward}"
-
-		natopt="--to-source"
-		natchain="zone_${dest}_nat"
-		nataddr="$src_dip"
-		get_portrange natports "$src_dport" "-"
-
-		get_negation srcdaddr '-d' "$dest_ip"
-		get_portrange srcdports "$dest_port" ":"
-
-		find_item "$dest" $CONNTRACK_ZONES || \
-			append CONNTRACK_ZONES "$dest"
-
-	else
-		echo "redirect target must be either DNAT or SNAT"
-		return
-	fi
-
-	local srcaddr destaddr
-	get_negation srcaddr '-s' "$src_ip"
-	get_negation destaddr '-d' "$dest_ip"
-
-	local srcports destports
-	get_portrange srcports "$src_port" ":"
-	get_portrange destports "${dest_port-$src_dport}" ":"
-
-	add_rule() {
-		local pos
-		eval 'pos=$((++FW__REDIR_COUNT_'$natchain'))'
-
-		$IPTABLES -I $natchain $pos -t nat \
-			$srcaddr $srcdaddr \
-			${proto:+-p $proto} \
-			${srcports:+--sport $srcports} \
-			${srcdports:+--dport $srcdports} \
-			${src_mac:+-m mac --mac-source $src_mac} \
-			-j ${target:-DNAT} $natopt $nataddr${natports:+:$natports}
-
-		[ -n "$dest_ip" ] && \
-		$IPTABLES -I ${fwdchain:-forward} 1 \
-			$srcaddr $destaddr \
-			${proto:+-p $proto} \
-			${srcports:+--sport $srcports} \
-			${destports:+--dport $destports} \
-			${src_mac:+-m mac --mac-source $src_mac} \
-			-j ACCEPT
-	}
-
-	[ "$proto" == "tcpudp" ] && proto="tcp udp"
-	for proto in ${proto:-tcp udp}; do
-		add_rule
-	done
-}
-
-fw_include() {
-	local path
-	config_get path $1 path
-	[ -e $path ] && . $path
-}
-
-get_interface_zones() {
-	local interface="$2"
-	local name
-	local network
-	local masq_src
-	local masq_dest
-	config_get name $1 name
-	config_get network $1 network
-	config_get masq_src $1 masq_src
-	config_get masq_dest $1 masq_dest
-	[ -z "$network" ] && network=$name 
-	for n in $network; do
-		[ "$n" = "$interface" ] && {
-			append add_zone "$name"
-			append add_masq_src "$masq_src"
-			append add_masq_dest "$masq_dest"
-		}
-	done
-}
-
-fw_event() {
-	local action="$1"
-	local interface="$2"
-	local ifname="$(sh -c ". /etc/functions.sh; include /lib/network; scan_interfaces; config_get "$interface" ifname")"
-	local add_zone=
-	local add_masq_src=
-	local add_masq_dest=
-	local up
-
-	[ -z "$ifname" ] && return 0
-	config_foreach get_interface_zones zone "$interface"
-	[ -z "$add_zone" ] && return 0
-
-	case "$action" in
-		ifup)
-			for z in $add_zone; do 
-				local loaded masq_src masq_dest
-				config_get loaded core loaded
-				[ -n "$loaded" ] && addif "$interface" "$ifname" "$z" "$add_masq_src" "$add_masq_dest"
-			done
-		;;
-		ifdown)
-			config_get up "$interface" up
-
-			for z in $ZONE; do 
-				local masq_src masq_dest
-				config_get masq_src core "${z}_masq_src"
-				config_get masq_dest core "${z}_masq_dest"
-				[ "$up" == "1" ] && delif "$interface" "$ifname" "$z" "$masq_src" "$masq_dest"
-			done
-		;;
-	esac
-}
-
-fw_addif() {
-	local up
-	local ifname
-	config_get up $1 up
-	[ -n "$up" ] || return 0
-	fw_event ifup "$1"
-}
-
-fw_custom_chains() {
-	[ -n "$CUSTOM_CHAINS" ] || return 0
-	$IPTABLES -N input_rule
-	$IPTABLES -N output_rule
-	$IPTABLES -N forwarding_rule
-	$IPTABLES -N prerouting_rule -t nat
-	$IPTABLES -N postrouting_rule -t nat
-
-	$IPTABLES -A INPUT -j input_rule
-	$IPTABLES -A OUTPUT -j output_rule
-	$IPTABLES -A FORWARD -j forwarding_rule
-	$IPTABLES -A PREROUTING -t nat -j prerouting_rule
-	$IPTABLES -A POSTROUTING -t nat -j postrouting_rule
-}
-
-fw_custom_chains_zone() {
-	local zone="$1"
-
-	[ -n "$CUSTOM_CHAINS" ] || return 0
-	$IPTABLES -N input_${zone}
-	$IPTABLES -N forwarding_${zone}
-	$IPTABLES -N prerouting_${zone} -t nat
-	$IPTABLES -I zone_${zone} 1 -j input_${zone}
-	$IPTABLES -I zone_${zone}_forward 1 -j forwarding_${zone}
-	$IPTABLES -I zone_${zone}_prerouting 1 -t nat -j prerouting_${zone}
-}
-
-fw_check_notrack() {
-	local zone="$1"
-	config_get name "$zone" name
-	[ -n "$NOTRACK_DISABLED" ] || \
-		find_item "$name" $CONNTRACK_ZONES || \
-		$IPTABLES -t raw -A zone_${name}_notrack -j NOTRACK
-}
-
-fw_init() {
-	DEFAULTS_APPLIED=
-
-	echo "Loading defaults"
-	config_foreach fw_defaults defaults
-	echo "Loading zones"
-	config_foreach fw_zone zone
-	echo "Loading forwarding"
-	config_foreach fw_forwarding forwarding
-	echo "Loading redirects"
-	config_foreach fw_redirect redirect
-	echo "Loading rules"
-	config_foreach fw_rule rule
-	echo "Loading includes"
-	config_foreach fw_include include
-	echo "Loading zone defaults"
-	config_foreach fw_zone_defaults zone
-	uci_set_state firewall core loaded 1
-	config_set core loaded 1
-	config_foreach fw_check_notrack zone
-	INTERFACES="$(sh -c '
-		. /etc/functions.sh; config_load network
-		echo_up() { local up; config_get_bool up "$1" up 0; [ $up = 1 ] && echo "$1"; }
-		config_foreach echo_up interface
-	')"
-	for interface in $INTERFACES; do
-		fw_event ifup "$interface"
-	done
-
-	uci_set_state firewall core zones "$ZONE_NAMES"
-}
-
-fw_stop() {
-	local z n i
-	config_get z core zones
-	for z in $z; do
-		config_get n core "${z}_networks"
-		for n in $n; do
-			config_get i core "${n}_ifname"
-			[ -n "$i" ] && env -i ACTION=remove ZONE="$z" INTERFACE="$n" DEVICE="$i" \
-				/sbin/hotplug-call firewall
-		done
-	done
-
-	fw_clear
-	$IPTABLES -P INPUT ACCEPT
-	$IPTABLES -P OUTPUT ACCEPT
-	$IPTABLES -P FORWARD ACCEPT
-	uci_revert_state firewall
-}