I modified nbd's qosfw-scripts v0.5 to allow loopback ("hairpin NAT") connections — reaching a port-forwarded internal host from the LAN via the router's WAN address — as discussed at http://forum.openwrt.org/viewtopic.php?id=4030
If you can, please check this for bugs/possible improvements and then I will put it on the wiki.
The following awk program replaces /usr/lib/qosfw/firewall.awk (it is run over the rule file and prints the shell commands that install the firewall):
# Runs once before any rule line is read. Everything printed here is the
# prologue of the generated shell script: bail out unless the WAN is
# configured and its interface exists, then (re)create the per-interface
# chains and hook them in front of the generic *_rule chains.
BEGIN {
	print "proto=\"$(nvram get wan_proto)\""
	print "[ -z \"$proto\" -o \"$proto\" = \"none\" ] && exit"
	print "ifname=\"$(nvram get wan_ifname)\""
	print "[ -z \"$ifname\" ] && exit"
	# NOTE(review): ">&-" closes the descriptor instead of sending output to
	# /dev/null; a tool that checks its write() results may then fail. Kept
	# as in the original.
	print "ifconfig \"$ifname\" 2>&- >&- || exit"
	print ""

	# chain name -> table option / parent chain it is inserted into
	_nchain = split("input forward prerouting", _chain, " ")
	_tbl["input"] = ""
	_tbl["forward"] = ""
	_tbl["prerouting"] = "-t nat "
	_parent["input"] = "input_rule"
	_parent["forward"] = "forwarding_rule"
	_parent["prerouting"] = "prerouting_rule"

	# -X only succeeds on an empty, unreferenced chain; the -N after it is a
	# no-op when the chain survived. Errors are silenced either way.
	for (_i = 1; _i <= _nchain; _i++) {
		_c = _chain[_i]
		print "iptables " _tbl[_c] "-X " _c "_$ifname 2>&- >&-"
		print "iptables " _tbl[_c] "-N " _c "_$ifname 2>&- >&-"
	}
	print ""

	# Jump to the per-interface chain first, for packets arriving on the WAN.
	# -I always adds a new jump; the caller is assumed to flush the *_rule
	# chains before running this script, otherwise jumps accumulate.
	for (_i = 1; _i <= _nchain; _i++) {
		_c = _chain[_i]
		print "iptables " _tbl[_c] "-I " _parent[_c] " 1 -i \"$ifname\" -j " _c "_$ifname"
	}
	print ""

	# Rule lines are "action:selector[:host[:port]]".
	FS = ":"
}
# accept:<selector>
# Let traffic matching the selector reach the router itself: ACCEPT in the
# per-interface nat PREROUTING chain (an ACCEPT there ends nat-table
# processing for the connection, so a later "forward" DNAT with an
# overlapping selector will not rewrite it) and in the filter INPUT chain.
($1 == "accept") {
	target = " -j ACCEPT"
	printf "iptables -t nat -A prerouting_$ifname%s%s\n", str2ipt($2), target
	printf "iptables -A input_$ifname %s%s\n", str2ipt($2), target
	print ""
}
# drop:<selector>
# Drop matching traffic arriving on the WAN interface. The rule sits in the
# nat PREROUTING chain, which only the first packet of a connection
# traverses; a dropped first packet never creates a connection, so this is
# effective, but newer netfilter discourages non-NAT targets in the nat table.
($1 == "drop") {
	printf "iptables -t nat -A prerouting_$ifname%s -j DROP\n", str2ipt($2)
	print ""
}
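# forward:<selector>:<internal host>[:<port>]
# Emits three rules per record: a DNAT on the current WAN address, the
# matching filter ACCEPT, and a hairpin MASQUERADE so LAN clients can reach
# the forwarded service through the public address (see
# http://forum.openwrt.org/viewtopic.php?id=4030).
# Tunables, settable with `awk -v` (defaults keep the old behaviour):
#   debugging=1  the generated shell also echoes each rule before running it
#   lan_net=...  source network for the hairpin MASQUERADE (192.168.1.0/24)
($1 == "forward") {
	target = " -j DNAT --to " $3
	# Reset per record: awk globals survive between records, so a forward
	# rule without a port would otherwise inherit the previous record's
	# --dport (the original only cleared fwopts when $4 was empty).
	fwopts = ""
	if ($4 != "") {
		str2data($2)
		if ((_l["proto"] == "tcp") || (_l["proto"] == "udp")) {
			fwopts = " -p " _l["proto"] " --dport " $4
			target = target ":" $4
		}
	}
	if (debugging == "") debugging = 0
	if (lan_net == "") lan_net = "192.168.1.0/24"
	# Resolve the WAN address once per generated script. The DNAT below keys
	# on it, so forwards are only installed correctly after wan_ipaddr is
	# set; the hotplug ifup handler re-runs the firewall for that reason.
	if (wan_ip_emitted != 1) {
		print "WAN_IP=\"$(nvram get wan_ipaddr)\""
		print "[ -n \"$WAN_IP\" ] || echo \"qosfw: wan_ipaddr is empty, port forwards will not match\" >&2"
		wan_ip_emitted = 1
	}
	# The DNAT lives in prerouting_rule (not prerouting_$ifname) on purpose:
	# hairpin packets from the LAN arrive on the LAN interface and must be
	# translated too. "-d $WAN_IP" keeps the rule from rewriting other
	# destinations. If str2ipt turns iface= into "-i", an iface=<wan>
	# selector in $2 would defeat the hairpin.
	_fw_emit("iptables -t nat -A prerouting_rule -d $WAN_IP" str2ipt($2) target)
	# Likewise the ACCEPT is in forwarding_rule rather than forward_$ifname,
	# so it admits traffic to $3:$4 from any interface, not only the WAN.
	# Selectors from $2 (source, layer7, ...) are enforced only by the DNAT.
	_fw_emit("iptables -A forwarding_rule -d " $3 fwopts " -j ACCEPT")
	# Hairpin: masquerade LAN sources so the internal host replies through
	# the router and the reverse translation applies. Side effect: for
	# hairpinned connections that host sees the router's LAN address, not
	# the real client, in its logs.
	_fw_emit("iptables -t nat -A postrouting_rule -s " lan_net str2post($2) " -d " $3 " -j MASQUERADE")
	print ""
}

# Print one line of the generated shell script; when debugging is "1", also
# make the generated script echo the command before running it.
function _fw_emit(cmd) {
	print cmd
	if (debugging == "1") print "echo \"" cmd "\""
}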
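# Match options for the hairpin MASQUERADE, built from the same selector
# string as the DNAT. Mirrors str2ipt (common.awk) with one difference:
# when the record carries an explicit forward port in $4, the destination
# port matched here is $4 (the port after DNAT), not the selector's dport.
# The selector's iface= is intentionally not emitted as "-i": this chain is
# reached from nat POSTROUTING, where the packet has no ingress interface,
# so such a match would never succeed and would silently leave the hairpin
# without its MASQUERADE rule.
# Reads the current record's $4; sets _l via str2data; may print the
# ipt_layer7 insmod line (once per run) as a side effect.
function str2post(str,    _opts) {
	str2data(str)
	_opts = ""
	if (_l["proto"] != "") {
		_opts = _opts " -p " _l["proto"]
		if ((_l["proto"] == "tcp") || (_l["proto"] == "udp")) {
			if (_l["sport"] != "") _opts = _opts portstr("src", _l["sport"])
			# Only add a dport match when the selector had one; $4 overrides its value.
			if (_l["dport"] != "") _opts = _opts portstr("dest", ($4 != "") ? $4 : _l["dport"])
		}
	}
	if (_l["layer7"] != "") {
		if (insmod_l7 != 1) {
			print "insmod ipt_layer7 >&- 2>&-"
			insmod_l7 = 1
		}
		_opts = _opts " -m layer7 --l7proto " _l["layer7"]
	}
	return _opts
}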
And in /usr/lib/qosfw/common.awk, in the function str2ipt, on the line `if (_l["dest"] != "") _cmd = _cmd " -i " _l["dest"]` change "dest" to "iface" (the original hands a destination address to -i, which can never match an interface).
That should allow you to firewall/QoS based on the ingress interface instead of the destination IP. Note that after this change a dest= selector is no longer turned into any iptables match (unless str2ipt handles it elsewhere), so check existing rule files.
Then create a file called /etc/hotplug.d/iface/S09-firewall with the following content, so the firewall is re-run every time the WAN interface gets a new IP address (the forward rules match on the current wan_ipaddr, so they must be regenerated when it changes):
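#!/bin/sh
# Hotplug hook: regenerate the firewall whenever the WAN interface comes up.
# The forward rules in /usr/lib/qosfw/firewall.awk match on the WAN address
# at generation time, so a new address (DHCP renewal, PPPoE reconnect) needs
# a fresh rule set. Hotplug sets ACTION (ifup/ifdown) and INTERFACE (the
# logical name, "wan"); nothing is done for other events.
# NOTE(review): hotplug may source this file rather than execute it, so the
# shebang is only for running it by hand. The init script is assumed to
# flush and rebuild the tables when re-run; confirm it tolerates that rather
# than adding duplicate rules.
if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
	/etc/init.d/S45firewall
fi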
NOTE: I have not tested the interface functionality, so I do not know whether rules based on iface= actually work yet. One known limitation: the hairpin MASQUERADE rule is appended to a chain reached from nat POSTROUTING, where no ingress interface is available, so an iface= selector cannot be honoured there.
Note to mbm: HAHA, NO GPIO!