From 4476ee0dba7cfece304a4358797d5eac98f2ab68 Mon Sep 17 00:00:00 2001
From: Toastman <toastman@galactic_core>
Date: Fri, 23 Sep 2011 04:59:27 +0700
Subject: [PATCH] Changed default policy about LAN/bridge access: LAN bridges
 are no longer accessible from each other by default. Access between LANs can
 be granted/managed via a new/experimental GUI.

---
 release/src/router/httpd/tomato.c          |   3 +
 release/src/router/rc/firewall.c           |  73 ++++++---
 release/src/router/www/advanced-access.asp | 239 +++++++++++++++++++++++++++++
 release/src/router/www/tomato.js           |   3 +-
 4 files changed, 294 insertions(+), 24 deletions(-)
 create mode 100644 release/src/router/www/advanced-access.asp

diff --git a/release/src/router/httpd/tomato.c b/release/src/router/httpd/tomato.c
index b75891da4a..5a04fdbab1 100644
--- a/release/src/router/httpd/tomato.c
+++ b/release/src/router/httpd/tomato.c
@@ -767,6 +767,9 @@ static const nvset_t nvset_list[] = {
 	{ "dr_wan_rx",			V_LENGTH(0, 32)		},
 #endif
 
+// advanced-access
+	{ "lan_access",			V_LENGTH(0, 4096)	},
+
 // advanced-wireless
 	{ "wl_country",			V_LENGTH(0, 64)		},	// !!TB - Country code
 	{ "wl_country_code",		V_LENGTH(0, 4)		},	// !!TB - Country code
diff --git a/release/src/router/rc/firewall.c b/release/src/router/rc/firewall.c
index ba0aa29535..48e10f3b9d 100644
--- a/release/src/router/rc/firewall.c
+++ b/release/src/router/rc/firewall.c
@@ -38,13 +38,7 @@ char lan3face[IFNAMSIZ + 1];
 #ifdef TCONFIG_IPV6
 char wan6face[IFNAMSIZ + 1];
 #endif
-
-
 char lan_cclass[sizeof("xxx.xxx.xxx.") + 1];
-//char lan1_cclass[sizeof("xxx.xxx.xxx.") + 1];
-//char lan2_cclass[sizeof("xxx.xxx.xxx.") + 1];
-//char lan3_cclass[sizeof("xxx.xxx.xxx.") + 1];
-
 #ifdef LINUX26
 static int can_enable_fastnat;
 #endif
@@ -973,22 +967,20 @@ static void filter_forward(void)
 
 	ip46t_write(
 		"-A FORWARD -i %s -o %s -j ACCEPT\n",			// accept all lan to lan
-//		"-A FORWARD -m state --state INVALID -j DROP\n",	// drop if INVALID state
-
 		lanface, lanface);
 	if (strcmp(lan1face,"")!=0)
-		ipt_write(
+		ip46t_write(
 			"-A FORWARD -i %s -o %s -j ACCEPT\n",
 			lan1face, lan1face);
 	if (strcmp(lan2face,"")!=0)
-		ipt_write(
+		ip46t_write(
 			"-A FORWARD -i %s -o %s -j ACCEPT\n",
 			lan2face, lan2face);
 	if (strcmp(lan3face,"")!=0)
-		ipt_write(
+		ip46t_write(
 			"-A FORWARD -i %s -o %s -j ACCEPT\n",
 			lan3face, lan3face);
-	ipt_write(
+	ip46t_write(
 		"-A FORWARD -m state --state INVALID -j DROP\n");		// drop if INVALID state
 
 	// IPv4 only ?
@@ -1043,17 +1035,52 @@ static void filter_forward(void)
 		}
 	}
 
-	ip46t_write("-A FORWARD -i %s -j %s\n",					// from lan
-		lanface, chain_out_accept);
-	if (strcmp(lan1face,"")!=0)
-		ipt_write("-A FORWARD -i %s -j %s\n",					// from lan
-			lan1face, chain_out_accept);
-	if (strcmp(lan2face,"")!=0)
-		ipt_write("-A FORWARD -i %s -j %s\n",					// from lan
-			lan2face, chain_out_accept);
-	if (strcmp(lan3face,"")!=0)
-		ipt_write("-A FORWARD -i %s -j %s\n",					// from lan
-			lan3face, chain_out_accept);
+	for (i = 0; i < wanfaces.count; ++i) {
+		if (*(wanfaces.iface[i].name)) {
+			ip46t_write("-A FORWARD -i %s -o %s -j %s\n", lanface, wanfaces.iface[i].name, chain_out_accept);
+			if (strcmp(lan1face,"")!=0)
+				ip46t_write("-A FORWARD -i %s -o %s -j %s\n", lan1face, wanfaces.iface[i].name, chain_out_accept);
+			if (strcmp(lan2face,"")!=0)
+				ip46t_write("-A FORWARD -i %s -o %s -j %s\n", lan2face, wanfaces.iface[i].name, chain_out_accept);
+			if (strcmp(lan3face,"")!=0)
+				ip46t_write("-A FORWARD -i %s -o %s -j %s\n", lan3face, wanfaces.iface[i].name, chain_out_accept);
+		}
+	}
+
+	const char *d, *sbr, *saddr, *dbr, *daddr, *desc;
+	char *nv, *nvp, *b;
+	int n;
+	nvp = nv = strdup(nvram_safe_get("lan_access"));
+	if (nv) {
+		while ((b = strsep(&nvp, ">")) != NULL) {
+			/*
+				1<0<1.2.3.4<1<5.6.7.8<30,45-50<desc
+
+				1 = enabled
+				0 = src bridge
+				1.2.3.4 = src addr
+				1 = dst bridge
+				5.6.7.8 = dst addr
+				desc = desc
+			*/
+			n = vstrsep(b, "<", &d, &sbr, &saddr, &dbr, &daddr, &desc);
+			if (*d != '1')
+				continue;
+			if (!ipt_addr(src, sizeof(src), saddr, "src", IPT_V4|IPT_V6, 1, "LAN access IPv4", desc))
+				continue;
+			if (!ipt_addr(dst, sizeof(dst), daddr, "dst", IPT_V4|IPT_V6, 1, "LAN access IPv4", desc))
+				continue;
+
+			ip46t_write("-A FORWARD -i %s%s -o %s%s %s %s -j ACCEPT\n",
+				"br",
+				sbr,
+				"br",
+				dbr,
+				src,
+				dst);
+		}
+	}
+	free(nv);
 
 	// IPv4 only
 	if (nvram_get_int("upnp_enable") & 3) {
diff --git a/release/src/router/www/advanced-access.asp b/release/src/router/www/advanced-access.asp
new file mode 100644
index 0000000000..36b5fa5983
--- /dev/null
+++ b/release/src/router/www/advanced-access.asp
@@ -0,0 +1,239 @@
+<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.0//EN'>
+<!--
+	Tomato GUI
+	Copyright (C) 2006-2007 Jonathan Zarate
+	http://www.polarcloud.com/tomato/
+	For use with Tomato Firmware only.
+	No part of this file may be used without permission.
+	LAN Access admin module by Augusto Bott
+-->
+<html>
+<head>
+<meta http-equiv='content-type' content='text/html;charset=utf-8'>
+<meta name='robots' content='noindex,nofollow'>
+<title>[<% ident(); %>] Advanced: LAN Access</title>
+<link rel='stylesheet' type='text/css' href='tomato.css'>
+<% css(); %>
+<script type='text/javascript' src='tomato.js'></script>
+<style type='text/css'>
+#la-grid .co1 {
+  text-align: center;
+  width: 30px;
+}
+#la-grid .co3,
+#la-grid .co5 {
+  text-align: center;
+  width: 120px;
+}
+#la-grid .co6 {
+  text-align: center;
+  width: 250px;
+}
+#la-grid .co2,
+#la-grid .co4 {
+  text-align: center;
+}
+
+#la-grid .centered {
+  text-align: center;
+}
+</style>
+<script type='text/javascript' src='wireless.jsx?_http_id=<% nv(http_id); %>'></script>
+<script type='text/javascript'>
+<% nvram ("lan_ifname,lan1_ifname,lan2_ifname,lan3_ifname,lan_access");%> 
+
+var MAX_BRIDGE_ID = 3;
+
+var la = new TomatoGrid();
+la.setup = function() {
+	this.init('la-grid', 'sort', 50, [
+	{ type: 'checkbox', prefix: '<div class="centered">', suffix: '</div>' },
+	{ type: 'select', options: [[0, 'LAN (br0)'],[1, 'LAN1 (br1)'],[2, 'LAN2 (br2)'],[3, 'LAN3 (br3)']], prefix: '<div class="centered">', suffix: '</div>' },
+	{ type: 'text', maxlen: 32 },
+	{ type: 'select', options: [[0, 'LAN (br0)'],[1, 'LAN1 (br1)'],[2, 'LAN2 (br2)'],[3, 'LAN3 (br3)']], prefix: '<div class="centered">', suffix: '</div>' },
+	{ type: 'text', maxlen: 32 },
+	{ type: 'text', maxlen: 32 }]);
+	this.headerSet(['On', 'Src', 'Src Address', 'Dst', 'Dst Address', 'Description']);
+
+	var r = nvram.lan_access.split('>');
+	for (var i = 0; i < r.length; ++i) {
+		if(r[i].length) {
+			var l = r[i].split('<');
+			l[0] *= 1;
+			l[1] *= 1;
+			l[3] *= 1;
+			la.insertData(-1, [ l[0], l[1], l[2], l[3], l[4], l[5] ] );
+		}
+	}
+
+	la.recolor();
+	la.showNewEditor();
+	la.resetNewEditor();
+}
+
+la.sortCompare = function(a, b) {
+	var col = this.sortColumn;
+	var da = a.getRowData();
+	var db = b.getRowData();
+	var r;
+
+	switch (col) {
+	case 2:	// src
+	case 4:	// dst
+		r = cmpIP(da[col], db[col]);
+		break;
+	case 0:	// on
+	case 1: // src br
+	case 3:	// dst br
+		r = cmpInt(da[col], db[col]);
+		break;
+	default:
+		r = cmpText(da[col], db[col]);
+		break;
+	}
+
+	return this.sortAscending ? r : -r;
+}
+
+la.resetNewEditor = function() {
+	var f = fields.getAll(this.newEditor);
+	f[0].checked=true;
+	f[2].value='';
+	f[4].value='';
+	f[5].value='';
+	var total=0;
+	for (var i=0; i<= MAX_BRIDGE_ID; i++) {
+		var j = (i == 0) ? '' : i.toString();
+		if (nvram['lan' + j + '_ifname'].length < 1) {
+			f[1].options[i].disabled=true;
+			f[3].options[i].disabled=true;
+		} else {
+			++total;
+		}
+	}
+	if((f[1].selectedIndex == f[3].selectedIndex) && (total > 1)) {
+		while (f[1].selectedIndex == f[3].selectedIndex) {
+			f[3].selectedIndex = (f[3].selectedIndex%(MAX_BRIDGE_ID+1)+1);
+		}
+	}
+	ferror.clearAll(fields.getAll(this.newEditor));
+}
+
+la.verifyFields = function(row, quiet) {
+	var f = fields.getAll(row);
+
+	if(f[1].selectedIndex == f[3].selectedIndex) {
+		var m = 'Source and Destination interfaces must be different';
+		ferror.set(f[1], m, quiet);
+		ferror.set(f[3], m, quiet);
+		return 0;
+	}
+	ferror.clear(f[1]);
+	ferror.clear(f[3]);
+
+	f[2].value = f[2].value.trim();
+	f[4].value = f[4].value.trim();
+
+	if ((f[2].value.length) && (!v_iptaddr(f[2], quiet))) return 0;
+	if ((f[4].value.length) && (!v_iptaddr(f[4], quiet))) return 0;
+
+	ferror.clear(f[2]);
+	ferror.clear(f[4]);
+
+	f[5].value = f[5].value.replace(/>/g, '_');
+	if (!v_nodelim(f[5], quiet, 'Description')) return 0;
+
+	return 1;
+}
+
+la.dataToView = function(data) {
+	return [(data[0] != 0) ? 'On' : '',
+			['LAN', 'LAN1', 'LAN2', 'LAN3'][data[1]],
+			data[2],
+			['LAN', 'LAN1', 'LAN2', 'LAN3'][data[3]],
+			data[4],
+			data[5] ];
+}
+
+la.dataToFieldValues = function (data) {
+	return [(data[0] != 0) ? 'checked' : '',
+			data[1],
+			data[2],
+			data[3],
+			data[4],
+			data[5] ];
+}
+
+la.fieldValuesToData = function(row) {
+	var f = fields.getAll(row);
+	return [f[0].checked ? 1 : 0,
+			f[1].selectedIndex,
+			f[2].value,
+			f[3].selectedIndex,
+			f[4].value,
+			f[5].value ];
+}
+
+function save()
+{
+	if (la.isEditing()) return;
+	la.resetNewEditor();
+
+	var fom = E('_fom');
+	var ladata = la.getAllData();
+
+	var s = '';
+	for (var i = 0; i < ladata.length; ++i) {
+		s += ladata[i].join('<') + '>';
+	}
+	fom.lan_access.value = s;
+
+	form.submit(fom, 0);
+}
+
+function init() {
+	la.setup();
+}
+
+</script>
+</head>
+<body onload='init()'>
+<form id='_fom' method='post' action='tomato.cgi'>
+<table id='container' cellspacing=0>
+<tr><td colspan=2 id='header'>
+  <div class='title'>Tomato</div>
+  <div class='version'>Version <% version(); %></div>
+</td></tr>
+<tr id='body'><td id='navi'><script type='text/javascript'>navi()</script></td>
+<td id='content'>
+<div id='ident'><% ident(); %></div>
+<input type='hidden' name='_nextpage' value='advanced-access.asp'>
+<input type='hidden' name='_nextwait' value='10'>
+<input type='hidden' name='_service' value='firewall-restart'>
+<input type='hidden' name='lan_access'>
+
+<div class='section-title'>LAN Access</div>
+<div class='section'>
+  <table class='tomato-grid' cellspacing=1 id='la-grid'></table>
+</div>
+</div>
+
+<div>
+<ul>
+<li><b>Src</b> - Source LAN bridge.</li>
+<li><b>Src Address</b> <i>(optional)</i> - Source address allowed. Ex: "1.2.3.4", "1.2.3.4 - 2.3.4.5", "1.2.3.0/24".</li>
+<li><b>Dst</b> - Destination LAN bridge.</li>
+<li><b>Dst Address</b> <i>(optional)</i> - Destination address inside the LAN.</li>
+</ul>
+</div>
+
+</td></tr>
+<tr><td id='footer' colspan=2>
+ <span id='footer-msg'></span>
+ <input type='button' value='Save' id='save-button' onclick='save()'>
+ <input type='button' value='Cancel' id='cancel-button' onclick='javascript:reloadPage();'>
+</td></tr>
+</table>
+</form>
+</body>
+</html>
diff --git a/release/src/router/www/tomato.js b/release/src/router/www/tomato.js
index 0f71a971e5..eaea8bd915 100644
--- a/release/src/router/www/tomato.js
+++ b/release/src/router/www/tomato.js
@@ -2373,6 +2373,7 @@ function navi()
 			['Miscellaneous',	'misc.asp'],
 			['Routing',			'routing.asp'],
 			['VLAN',			'vlan.asp'],
+			['LAN Access',			'access.asp'],
 			['Wireless',		'wireless.asp'] ] ],
 		['Port Forwarding', 	'forward', 0, [
 			['Basic',			'basic.asp'],
@@ -2426,7 +2427,7 @@ REMOVE-END */
 		['Administration',		'admin', 0, [
 			['Admin Access',	'access.asp'],
 			['Bandwidth Monitoring','bwm.asp'],
-			['Buttons / LED',	'buttons.asp'],
+			['Buttons/LED',	'buttons.asp'],
 /* CIFS-BEGIN */
 			['CIFS Client',		'cifs.asp'],
 /* CIFS-END */
-- 
2.11.4.GIT