bbfdm crash debug

Added library function that read teh uci file of firewallmngr.
convert it to generate firewall uci file.

bbfdm/Makefile

@@ -5,13 +5,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=bbfdm
-PKG_VERSION:=1.7.16
+PKG_VERSION:=1.7.17
 
 USE_LOCAL:=0
 ifneq ($(USE_LOCAL),1)
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/bbfdm.git
-PKG_SOURCE_VERSION:=7997de62b748f682dbfe0fd4c0c6c00f5628cebd
+PKG_SOURCE_VERSION:=8c998e886ce5345cfead5092ccf5447b8a8f7ee7
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
 PKG_MIRROR_HASH:=skip
 endif

bbfdm/files/etc/config/bbfdm

@@ -1,6 +1,6 @@
 config bbfdmd 'bbfdmd'
 	option enable '1'
 	option loglevel '1'
-	option refresh_time '10'
+	option refresh_time '300'
 	option transaction_timeout '30'
 	option subprocess_level '2'

firewallmngr/Makefile

@@ -0,0 +1,59 @@
+#
+# Copyright (C) 2022-2024 IOPSYS Software Solutions AB
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewallmngr
+PKG_VERSION:=1.0.0
+
+#LOCAL_DEV:=1
+#ifneq ($(LOCAL_DEV),1)
+#PKG_SOURCE_PROTO:=git
+#PKG_SOURCE_URL:=https://dev.iopsys.eu/bbf/firewallmngr.git
+#PKG_SOURCE_VERSION:=4f429e25c6e7a69c5171186731bc560befa5a660
+#PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+#PKG_MIRROR_HASH:=skip
+#endif
+
+PKG_LICENSE:=BSD-3-Clause
+PKG_LICENSE_FILES:=LICENSE
+
+include $(INCLUDE_DIR)/package.mk
+include ../bbfdm/bbfdm.mk
+
+#MAKE_PATH:=src
+
+define Package/firewallmngr
+  SECTION:=utils
+  CATEGORY:=Utilities
+  SUBMENU:=TRx69
+  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +firewall
+  TITLE:=Package to add Device.Firewall data model support.
+endef
+
+define Package/firewallmngr/description
+  Package to add Device.Firewall data model support.
+endef
+
+#ifeq ($(LOCAL_DEV),0)
+#define Build/Prepare
+#	$(CP) -rf ./src/* $(PKG_BUILD_DIR)/
+#endef
+#endif
+
+define Package/firewallmngr/install
+	$(INSTALL_DIR) $(1)/etc/firewallmngr
+	$(INSTALL_DIR) $(1)/etc/firewallmngr/plugins
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_DIR) $(1)/lib/fwmngr
+	$(INSTALL_DATA) ./files/etc/config/firewallmngr  $(1)/etc/config/
+	$(INSTALL_DATA) ./files/etc/init.d/firewallmngr  $(1)/etc/init.d/
+	$(INSTALL_DATA) ./files/lib/fwmngr/fwmngr.sh  $(1)/lib/fwmngr/
+	$(call BbfdmInstallPluginInMicroservice, $(1)/etc/firewallmngr,./files/etc/firewallmngr/nat.json)
+	$(call BbfdmInstallPluginInMicroservice, $(1)/etc/firewallmngr/plugins,$(PKG_BUILD_DIR)/libfirewallmngr.so)
+	$(call BbfdmInstallMicroServiceInputFile,$(1),./files/etc/bbfdm/micro_services/firewallmngr.json)
+endef
+
+$(eval $(call BuildPackage,firewallmngr))

firewallmngr/files/etc/bbfdm/micro_services/firewallmngr.json

@@ -0,0 +1,18 @@
+{
+	"daemon": {
+		"config": {
+			"loglevel": "4"
+		},
+		"input": {
+			"type": "JSON",
+			"name": "/etc/firewallmngr/nat.json",
+			"plugin_dir": "/etc/firewallmngr/plugins"
+		},
+		"output": {
+			"type": "UBUS",
+			"parent_dm": "Device.",
+			"root_obj": "bbfdm",
+			"multiple_objects": ["NAT","Firewall"]
+		}
+	}
+}

firewallmngr/files/etc/config/firewallmngr

@@ -0,0 +1,133 @@
+config firewall 'firewall'
+	option config 'Advanced'
+	option Advanced_level 'level1'
+
+config level 'level1'
+	option name 'level1'
+	option chain 'chain1'
+	option port_mapping_enabled '1'
+	option default_policy 'reject'
+	option default_log_policy '0'
+	option enable '1'
+
+config chain 'chain1'
+	option enable '1'
+	option name 'chain1'
+
+config rule 'rule1'
+	option chain 'chain1'
+	option enable '1'
+	option order '1'
+	option target 'accept'
+	option source_interface 'lan'
+
+config rule 'rule2'
+	option chain 'chain1'
+	option enable '1'
+	option order '2'
+	option description 'Allow-DHCP-Renew'
+	option target 'accept'
+	option source_interface 'wan'
+	option ip_version '4'
+	option protocol '17'
+	option dest_port '68'
+
+config rule 'rule3'
+	option chain 'chain1'
+	option enable '1'
+	option order '3'
+	option description 'Allow-Ping'
+	option target 'accept'
+	option source_interface 'wan'
+	option ip_version '4'
+	option protocol '1'
+
+config rule 'rule4'
+	option chain 'chain1'
+	option enable '1'
+	option order '4'
+	option description 'Allow-IGMP'
+	option target 'accept'
+	option source_interface 'wan'
+	option ip_version '4'
+	option protocol '2'
+
+config rule 'rule5'
+	option chain 'chain1'
+	option enable '1'
+	option order '5'
+	option description 'Allow-DHCPv6'
+	option target 'accept'
+	option source_interface 'wan'
+	option ip_version '6'
+	option protocol '17'
+	option dest_port '546'
+
+config rule 'rule6'
+	option chain 'chain1'
+	option enable '1'
+	option order '6'
+	option description 'Allow-MLD'
+	option target 'accept'
+	option source_interface 'wan'
+	option ip_version '6'
+	option source_ip 'fe80::'
+	option source_mask 'fe80::/10'
+	option protocol '1'
+
+config rule 'rule7'
+	option chain 'chain1'
+	option enable '1'
+	option order '7'
+	option description 'Allow-ICMPv6-Input'
+	option target 'accept'
+	option source_interface 'wan'
+	option ip_version '6'
+	option protocol '1'
+
+config rule 'rule8'
+	option chain 'chain1'
+	option enable '1'
+	option order '8'
+	option description 'Allow-ICMPv6-Forward'
+	option target 'accept'
+	option source_interface 'wan'
+	option dest_all_interface '1'
+	option ip_version '6'
+	option protocol '1'
+
+config rule 'rule9'
+	option chain 'chain1'
+	option enable '1'
+	option order '9'
+	option description 'Allow-IPSec-ESP'
+	option target 'accept'
+	option source_interface 'wan'
+	option dest_interface 'lan'
+	option protocol '50'
+
+config rule 'rule10'
+	option chain 'chain1'
+	option enable '1'
+	option order '10'
+	option description 'Allow-ISAKMP'
+	option target 'accept'
+	option source_interface 'wan'
+	option dest_interface 'lan'
+	option protocol '17'
+	option dest_port '500'
+
+config rule 'rule11'
+	option chain 'chain1'
+	option enable '1'
+	option order '11'
+	option description 'Support-UDP-Traceroute'
+	option target 'reject'
+	option source_interface 'wan'
+	option ip_version '4'
+	option protocol '17'
+	option dest_port '33434'
+	option dest_port_range_max '33689'
+
+
+

firewallmngr/files/etc/firewallmngr/nat.json

@@ -0,0 +1,566 @@
+{
+	"json_plugin_version": 2,
+	"Device.NAT.": {
+			"type": "object",
+			"protocols": [
+				"cwmp",
+				"usp"
+			],
+			"access": false,
+			"array": false,
+			"InterfaceSettingNumberOfEntries": {
+				"type": "unsignedInt",
+				"read": true,
+				"write": false,
+				"protocols": [
+					"cwmp",
+					"usp"
+				],
+				"datatype": "unsignedInt",
+				"mapping": [
+				{
+					"type": "uci",
+					"uci": {
+						"object": "firewallmngr",
+						"section": {
+							"type": "nat_interface_setting"
+						},
+						"option": {
+							"name": "@Count"
+						}
+					}
+				}
+				]
+			},
+			"PortMappingNumberOfEntries": {
+				"type": "unsignedInt",
+				"read": true,
+				"write": false,
+				"protocols": [
+					"cwmp",
+					"usp"
+				],
+				"datatype": "unsignedInt",
+				"mapping": [
+				{
+					"type": "uci",
+					"uci": {
+						"object": "firewallmngr",
+						"section": {
+							"type": "nat_portmapping"
+						},
+						"option": {
+							"name": "@Count"
+						}
+					}
+				}
+				]
+
+			},
+			"MaxNumberOfPortMappings": {
+				"type": "unsignedInt",
+				"read": true,
+				"write": false,
+				"protocols": [
+					"cwmp",
+					"usp"
+				],
+				"datatype": "unsignedInt",
+				"default": "32"
+			},
+			"Device.NAT.InterfaceSetting.{i}.": {
+				"type": "object",
+				"protocols": [
+					"cwmp",
+					"usp"
+				],
+				"uniqueKeys": [
+					"Alias",
+					"Interface"
+				],
+				"access": true,
+				"array": true,
+				"mapping": [
+				{
+					"type": "uci",
+					"uci": {
+						"file": "firewallmngr", 
+						"section": {
+							"type": "nat_interface_setting"
+						}, 
+						"dmmapfile": "dmmap_nat"
+					}
+				}
+				],
+				"Enable": {
+					"type": "boolean",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "false",
+					"datatype": "boolean",
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "enable"
+					}
+					]
+				},
+				"Status": {
+					"type": "string",
+					"read": true,
+					"write": false,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "Disabled",
+					"datatype": "string",
+					"enumerations": [
+						"Disabled",
+						"Enabled",
+						"Enabled_NATForcedDisabled",
+						"Enabled_PortMappingDisabled",
+						"Error_Misconfigured",
+						"Error"
+					]
+				},
+				"Alias": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "Alias",
+					"range": [
+						{
+							"max": 64
+						}
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "alias"
+					}
+					]
+
+				},
+				"Interface": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "string",
+					"range": [
+						{
+							"max": 256
+						}
+					],
+					"flags": [
+						"Reference"
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "interface",
+						"linker_obj": "Device.IP.Interface.[Name==@key]."
+					}
+					]
+				},
+				"SourceNetwork": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"list": {
+						"datatype": "string",
+						"range": [
+							{
+								"max": 256
+							}
+						]
+					}
+				},
+				"TCPTranslationTimeout": {
+					"type": "int",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "300",
+					"datatype": "int",
+					"range": [
+						{
+							"min": -1
+						}
+					],
+					"unit": "seconds"
+				},
+				"UDPTranslationTimeout": {
+					"type": "int",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "30",
+					"datatype": "int",
+					"range": [
+						{
+							"min": -1
+						}
+					],
+					"unit": "seconds"
+				}
+			},
+			"Device.NAT.PortMapping.{i}.": {
+				"type": "object",
+				"protocols": [
+					"cwmp",
+					"usp"
+				],
+				"uniqueKeys": [
+					"Alias",
+					"RemoteHost",
+					"ExternalPort",
+					"Protocol"
+				],
+				"access": true,
+				"array": true,
+				"mapping": [
+				{
+					"type": "uci",
+					"uci": {
+						"file": "firewallmngr", 
+						"section": {
+							"type": "nat_portmapping"
+						}, 
+						"dmmapfile": "dmmap_nat"
+					}
+				}
+				],
+				"Enable": {
+					"type": "boolean",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "false",
+					"datatype": "boolean",
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "enable"
+					}
+					]
+				},
+				"Status": {
+					"type": "string",
+					"read": true,
+					"write": false,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "Disabled",
+					"datatype": "string",
+					"enumerations": [
+						"Disabled",
+						"Enabled",
+						"Error_Misconfigured",
+						"Error"
+					]
+				},
+				"Origin": {
+					"type": "string",
+					"read": true,
+					"write": false,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "Controller",
+					"datatype": "string",
+					"enumerations": [
+						"User",
+						"System",
+						"UPnP",
+						"Controller"
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "origin"
+					}
+					]
+
+				},
+				"Alias": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "Alias",
+					"range": [
+						{
+							"max": 64
+						}
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "alias"
+					}
+					]
+
+				},
+				"Interface": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "string",
+					"range": [
+						{
+							"max": 256
+						}
+					],
+					"flags": [
+						"Reference"
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "interface",
+						"linker_obj": "Device.IP.Interface.*.Name"
+					}
+					]
+				},
+				"AllInterfaces": {
+					"type": "boolean",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "false",
+					"datatype": "boolean",
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "all_interfaces"
+					}
+					]
+
+				},
+				"LeaseDuration": {
+					"type": "unsignedInt",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "unsignedInt",
+					"unit": "seconds",
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "lease_duration"
+					}
+					]
+
+				},
+				"RemoteHost": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "string",
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "remote_host"
+					}
+					]
+
+				},
+				"ExternalPort": {
+					"type": "unsignedInt",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "unsignedInt",
+					"range": [
+						{
+							"min": 0,
+							"max": 65535
+						}
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "external_port"
+					}
+					]
+
+				},
+				"ExternalPortEndRange": {
+					"type": "unsignedInt",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"default": "0",
+					"datatype": "unsignedInt",
+					"range": [
+						{
+							"min": 0,
+							"max": 65535
+						}
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "external_port_end"
+					}
+					]
+
+				},
+				"InternalPort": {
+					"type": "unsignedInt",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "unsignedInt",
+					"range": [
+						{
+							"min": 0,
+							"max": 65535
+						}
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "internal_port"
+					}
+					]
+
+				},
+				"Protocol": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "string",
+					"enumerations": [
+						"TCP",
+						"UDP"
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "protocol"
+					}
+					]
+
+				},
+				"InternalClient": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "string",
+					"range": [
+						{
+							"max": 256
+						}
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "internal_client"
+					}
+					]
+
+				},
+				"Description": {
+					"type": "string",
+					"read": true,
+					"write": true,
+					"protocols": [
+						"cwmp",
+						"usp"
+					],
+					"datatype": "string",
+					"range": [
+						{
+							"max": 256
+						}
+					],
+					"mapping": [
+					{
+						"data": "@Parent",
+						"type": "uci_sec",
+						"key": "description"
+					}
+					]
+				}
+			}
+		}
+}

firewallmngr/files/etc/init.d/firewallmngr

@@ -0,0 +1,16 @@
+#!/bin/sh /etc/rc.common
+
+START=18
+USE_PROCD=1
+
+. /lib/fwmngr/fwmngr.sh
+. /etc/bbfdm/bbfdm_services.sh
+
+
+start_service() {
+	configure_firewall
+}
+
+service_triggers() {
+	procd_add_reload_trigger firewallmngr
+}

firewallmngr/files/lib/fwmngr/fwmngr.sh

@@ -0,0 +1,300 @@
+#!/bin/sh
+#set -x
+
+. /lib/functions.sh
+
+TEMP_UCI_PATH="/tmp/firewall"
+
+INPUT="REJECT"
+OUTPUT="ACCEPT"
+FORWARD="REJECT"
+
+zone_list=""
+
+get_rule_ip_family() {
+	if [ "$1" == "4" ]; then
+		echo "ipv4"
+	elif [ "$1" == "6" ]; then
+		echo "ipv6"
+	else
+		echo "-1"
+	fi
+}
+
+set_rule_target() {
+	local rule_sec="$1"
+	local target="$2"
+	local targetchain="$3"
+	if [ "$target" == "Accept" ] || [ "$target" == "accept" ] || [ "$target" == "Reject" ] || [ "$target" == "reject" ] || [ "$target" == "Drop" ] || [ "$target" == "drop" ]; then
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.target="$(echo $target | awk '{ print toupper($target) }')"
+	elif [ "$target" == "Retrun" ]; then
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.target="MARK"
+	elif [ "$target" == "TargetChain" ]; then
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.target="$targetchain"
+	else
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.target="DROP"
+	fi
+}
+
+set_rule_protocol() {
+	local rule_sec="$1"
+	local protocol="$protocol"
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.proto="$protocol"
+#TODO implementaton to configure icmpType
+}
+
+create_firewall_zone_config() {
+	local intf="$1"
+	local masq="$2"
+	local zone_exist="false"
+	local is_bridge="false"
+	local intf_dev=""
+	local dev=""
+	local zn=""
+
+	is_device_type_bridge() {
+		config_get dev $1 "name"
+		config_get dev_type $1 "type"
+		if [ "$dev" == "$intf_dev" ] &&  [ "$dev_type" == "bridge" ]; then
+			is_bridge="true"
+		fi
+	}
+
+	for zn in $zone_list; do
+		if [ "$zn" == "$intf" ]; then
+			zone_exist="true"
+		fi
+	done
+	if [ "$zone_exist" == "false" ]; then
+		zone_list="$zone_list $intf"
+
+		#default masq is set to 1 for zone wan
+		if [ "$intf" == "wan" ]; then
+			masq="1"
+		fi
+	
+		zone_sec=$(uci -p "$TEMP_UCI_PATH" add "firewall" "zone")
+		uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.enabled="1"
+		uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.name="$intf"
+
+		intf_dev=$(uci -q get network.$intf.device)
+		config_load network
+		config_foreach is_device_type_bridge device 
+
+		uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.output="$OUTPUT"
+		if [ "$is_bridge" == "true" ]; then
+			uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.input="ACCEPT"
+			uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.forward="ACCEPT"
+		else
+			uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.input="REJECT"
+			uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.forward="REJECT"
+		fi
+		uci -p "$TEMP_UCI_PATH" add_list firewall.$zone_sec.network="$intf"
+		[ "$masq" == "1" ] && uci -p "$TEMP_UCI_PATH" set firewall.$zone_sec.masq="1"
+		uci -p "$TEMP_UCI_PATH" rename firewall.$zone_sec="$intf"
+	else
+		[ "$masq" == "1" ] && uci -p "$TEMP_UCI_PATH" add_list firewall.${intf}.masq="1"
+	fi
+}
+
+#create_redirect_config() {
+
+#}
+
+handle_firewall_rule() {
+	local rule="$1"
+	local chain_name="$2"
+	local chain=""
+	local is_enable=""
+	local src_intf=""
+	local ip_version=""
+	local ip_famiexitproto=""
+	local protocol=""
+	local dest_intf=""
+	local target=""
+	local targetchain=""
+	local desc=""
+	local dest_port=""
+	local src_port=""
+	local src_port_range_max=""
+	local dest_port_range_max=""
+	local src_ip=""
+	local dest_ip=""
+
+	config_get is_enable "$rule" "enable" 0
+	[ "$is_enable" == "1" ] || return
+
+	config_get chain "$rule" "chain"
+	[ "$chain" == "$chain_name" ] || return
+
+	config_get src_intf "$rule" "source_interface"
+	config_get dest_intf "$rule" "dest_interface"
+
+	if [ -n "$src_intf" ]; then
+		create_firewall_zone_config "$src_intf" "0"
+	fi
+
+	if [ -n "$dest_intf" ]; then
+		create_firewall_zone_config "$dest_intf" "0"
+	fi
+
+	config_get ip_version "$rule" "ip_version"
+	ip_family="$(get_rule_ip_family $ip_version)"
+	config_get protocol "$rule" "protocol"
+	config_get src_port "$rule" "src_port"
+	config_get dest_port "$rule" "dest_port"
+	config_get src_ip "$rule" "src_ip"
+	config_get dest_ip "$rule" "dest_ip"
+	config_get dest_port_range_max "$rule" "dest_port_range_max"
+	config_get src_port_range_max "$rule" "src_port_range_max"
+	config_get target "$rule" "target"
+	config_get targetchain "$rule" "targetchain"
+	config_get desc "$rule" "description"
+
+	rule_sec=$(uci -p "$TEMP_UCI_PATH" add firewall rule)
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.enabled="1"
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.name="$desc"
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.src="$src_intf"
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.dst="$dst_intf"
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.family="$ip_family"
+	set_rule_target "$rule_sec" "$target" "$tagetchain"
+	set_rule_protocol "$rule_sec" "$protocol"
+	if [ -z "$dest_port_range_max" ]; then
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.dest_port="$dest_port"
+	else
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.dest_port="$dest_port:$dest_port_range_max"
+	fi
+
+	if [ -z "$src_port_range_max" ]; then
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.src_port="$src_port"
+	else
+		uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.src_port="$src_port:$src_port_range_max"
+	fi
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.src_ip="$src_ip"
+	uci -p "$TEMP_UCI_PATH" set firewall.$rule_sec.dest_ip="$dest_ip"
+        uci -p "$TEMP_UCI_PATH" rename firewall.$rule_sec="$rule"
+}
+
+handle_nat_interface_setting() {
+	local nat_intf_cfg="$1"
+	local interface=""
+	local enable=""
+
+	config_get enable $nat_intf_cfg "enable"
+	[ -z "$enable" ] && return
+	config_get interface $nat_intf_cfg "interface"
+	if [ "$enable" == "1" ] && [ -n "$interface" ]; then
+		create_firewall_zone_config "$interface" "1"
+	fi
+}
+
+handle_nat_port_mapping() {
+	local nat_port_cfg="$1"
+	local enable=""
+	local interface=""
+	local all_interface=""
+	local lease_duration=""
+	local remote_host=""
+	local external_port=""
+	local external_port_end=""
+	local internal_port=""
+	local protocol=""
+	local internal_client=""
+	local description=""
+	local redirect_sec=""
+	local epoch_sec=""
+	local stop_epoch=""
+	local stop_ymd=""
+	local stop_hms=""
+
+	config_get enable $nat_port_cfg "enable"
+	masq=$(uci -q get firewall.$interface.masq)
+	if [ -z "$enable" ] && ! [ "$masq" == "1" ]; then
+		return
+	fi
+	config_get interface $nat_port_cfg "interface"
+	config_get internal_client $nat_port_cfg "internal_client"
+	if [ -z "$interface" ] || [ -z "$internal_client" ]; then
+		return
+	fi
+	config_get all_interface $nat_port_cfg "all_interface"
+	config_get lease_duration $nat_port_cfg "lease_duration"
+	config_get remote_host $nat_port_cfg "remote_host"
+	config_get external_port $nat_port_cfg "external_port" "0"
+	config_get external_port_end $nat_port_cfg "external_port_end" "0"
+	config_get internal_port $nat_port_cfg "internal_port"
+	config_get protocol $nat_port_cfg "protocol"
+	protocol=$(echo $protocol | awk '{print tolower($0)}')
+	config_get description $nat_port_cfg "description"
+
+	redirect_sec=$(uci -p "$TEMP_UCI_PATH" add firewall redirect)
+	uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.src="$interface"
+	uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.enabled="1"
+	uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.dest_ip="$internal_client"
+	[ -z "$protocol" ] || uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.protocol="$protocol"
+	[ -z "$remote_host" ] || uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.src_ip="$remote_host"
+	if [ -n "$lease_duration" ] && ! [ "$lease_duration" == "0" ]; then
+		epoch_sec=$(date +%s)
+		stop_epoch=$(( epoch_sec + lease_duration ))
+		stop_ymd=$(date -d @${stop_epoch} +%Y-%m-%d)
+		stop_hms=$(date -d @${stop_epoch} +%H:%M:%S)
+		uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.stop_date="$stop_ymd"
+		uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.stop_time="$stop_hms"
+	fi
+	if [ "$external_port_end" == "0" ]; then
+		if ! [ "$external_port" == "0" ]; then
+			uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.src_dport="$external_port"
+		fi
+	else
+		uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.src_dport="$external_port-$external_port_end"
+	fi
+	[ -z "$internal_port" ] || uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.dest_port="$internal_port"
+	[ -z "$description" ] || uci -p "$TEMP_UCI_PATH" set firewall.$redirect_sec.description="$description"
+
+        uci -p "$TEMP_UCI_PATH" rename firewall.$redirect_sec="$nat_port_cfg"
+}
+
+configure_firewall() {
+	rm -rf "$TEMP_UCI_PATH"/firewall 2>/dev/null
+	mkdir -p "$TEMP_UCI_PATH"
+	touch "$TEMP_UCI_PATH"/firewall
+	zone_list=""
+
+	config_load firewallmngr
+	fw_config="$(uci -q get firewallmngr.firewall.config)"
+	[ -z "$fw_config" ] && return
+	[ "$fw_config" == "Advanced" ] || return
+
+	fw_level="$(uci -q get firewallmngr.firewall.${fw_config}_level)"
+	[ -z "$fw_level" ] && return
+	enabled="$(uci -q get firewallmngr.${fw_level}.enable)"
+
+	[ "$enabled" == "1" ] || exit
+
+	chain="$(uci -q get firewallmngr.${fw_level}.chain)"
+	[ -z "$chain" ] && exit
+
+	enabled="$(uci -q get firewallmngr.${chain}.enable)"
+	chain_name="$(uci -q get firewallmngr.${chain}.name)"
+
+#configure firewall global config
+	global_sec=$(uci -p "$TEMP_UCI_PATH" add firewall globals)
+        uci -p "$TEMP_UCI_PATH" set firewall.$global_sec.enabled="1"
+        uci -p "$TEMP_UCI_PATH" rename firewall.$global_sec="globals"
+
+#configure firewall default config
+	default_sec=$(uci -p "$TEMP_UCI_PATH" add firewall default)
+	uci -p "$TEMP_UCI_PATH" set firewall.$default_sec.syn_flood="1"
+	uci -p "$TEMP_UCI_PATH" set firewall.$default_sec.input="$INPUT"
+	uci -p "$TEMP_UCI_PATH" set firewall.$default_sec.output="$OUTPUT"
+	uci -p "$TEMP_UCI_PATH" set firewall.$default_sec.forward="$FORWARD"
+
+	config_foreach handle_firewall_rule rule "$chain_name"
+
+	config_load firewallmngr
+	config_foreach handle_nat_interface_setting nat_interface_setting
+	config_foreach handle_nat_port_mapping nat_portmapping
+
+	uci -c "$TEMP_UCI_PATH" commit firewall
+	cp "$TEMP_UCI_PATH"/firewall /etc/config/
+}

firewallmngr/src/Makefile

@@ -0,0 +1,17 @@
+LIB = libfirewallmngr.so
+
+LIB_OBJS = firewallmngr.o
+
+PROG_CFLAGS = $(CFLAGS) -Wall -Werror -fPIC
+LIB_LDFLAGS = $(LDFLAGS)
+
+%.o: %.c
+	$(CC) $(PROG_CFLAGS) -c -o $@ $<
+
+all: $(LIB)
+
+$(LIB): $(LIB_OBJS)
+	$(CC) $(PROG_CFLAGS) -shared -o $@ $^ $(LIB_LDFLAGS)
+
+clean:
+	rm -f *.o $(LIB)

firewallmngr/src/common.c

@@ -0,0 +1,12 @@
+char *Config[] = {"High", "Low", "Off", "Advanced", "Policy", NULL};
+char *DefaultPolicy[] = {"Drop", "Accept", "Reject", NULL};
+char *TargetChain[] = {"Drop", "Accept", "Reject", "Chain", NULL};
+char *ReverseTargetChain[] = {"Drop", "Accept", "Reject", "Chain", NULL};
+char *Target[] = {"Drop", "Accept", "Reject", "Return", "TargetChain", NULL};
+char *ConnectionState[] = {"INVALID", "NEW", "RELATED", "ESTABLISHED", NULL};
+char *MACAddress[] = {"^$", "^([0-9A-Fa-f][0-9A-Fa-f]:){5}([0-9A-Fa-f][0-9A-Fa-f])$", NULL};
+char *MACAddress[] = {"^$", "^([0-9A-Fa-f][0-9A-Fa-f]:){5}([0-9A-Fa-f][0-9A-Fa-f])$", NULL};
+char *Origin[] = {"User", "System", "Controller", NULL};
+char *IPv4Address[] = {"^$", "^((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])$", NULL};
+char *IPv4Prefix[] = {"^$", "^/(3[0-2]|[012]?[0-9])$", "^((25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9]?[0-9])/(3[0-2]|[012]?[0-9])$", NULL};
+char *Action[] = {"Drop", "Accept", "Reject", NULL};

firewallmngr/src/firewallmngr.h

@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2024 iopsys Software Solutions AB
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation
+ *
+ *	Author: Husaam Mehdi <husaam.mehdi@iopsys.eu>
+ */
+
+#ifndef __FIREWALLMNGR_H
+#define __FIREWALLMNGR_H
+
+#include <libbbfdm-api/dmcommon.h>
+#include <libbbfdm_api.h>
+
+extern DMOBJ tFirewallObj[];
+extern DMLEAF tFirewallParams[];
+extern DMLEAF tFirewallLevelParams[];
+extern DMOBJ tFirewallChainObj[];
+extern DMLEAF tFirewallChainParams[];
+extern DMLEAF tFirewallChainRuleParams[];
+extern DMLEAF tFirewallDMZParams[];
+extern DMLEAF tFirewallServiceParams[];
+
+#endif //__FIREWALLMNGR_H

port-trigger/Makefile

@@ -26,7 +26,7 @@ define Package/port-trigger
   SECTION:=utils
   CATEGORY:=Utilities
   TITLE:=Port Trigger Daemon
-  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +kmod-ipt-trigger +kmod-ip6t-trigger +iptables-mod-nfqueue
+  DEPENDS:=+libuci +libubox +libubus +libblobmsg-json +libjson-c +libbbfdm-api +kmod-ipt-trigger +kmod-ip6t-trigger +iptables-mod-nfqueue +firewallmngr
 endef
 
 define Package/port-trigger/description
@@ -43,13 +43,11 @@ define Package/port-trigger/install
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_DIR) $(1)/lib/port-trigger
-	$(CP) ./files/* $(1)/
-                                                                                
+	$(INSTALL_DIR) $(1)/etc/firewallmngr/plugins
 	$(INSTALL_BIN) ./files/etc/init.d/port-trigger $(1)/etc/init.d/
 	$(INSTALL_DATA) ./files/etc/config/port-trigger $(1)/etc/config/
 	$(INSTALL_DATA) ./files/lib/port-trigger/port_trigger.sh $(1)/lib/port-trigger/
-	$(call BbfdmInstallPluginInMicroservice, $(1)/etc/port-trigger,$(PKG_BUILD_DIR)/bbf_plugin/libporttrigger.so)
-	$(call BbfdmInstallMicroServiceInputFile,$(1),./files/etc/bbfdm/micro_services/port-trigger.json)
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/bbf_plugin/libporttrigger.so $(1)/etc/firewallmngr/plugins/
 endef
 
 $(eval $(call BuildPackage,port-trigger))