firewall: various enhancements

	- reduce mssfix related log spam (#10681)
	- separate src and dest terminal chains (#11453, #12945)
	- disable per-zone custom chains by default, they're rarely used

Additionally introduce options "device", "subnet", "extra", "extra_src" and "extra_dest"
to allow defining zones not related to uci interfaces, e.g. to match "ppp+" or any tcp
traffic to and from a specific port.

SVN-Revision: 35484

1 files changed, 12 insertions, 5 deletions

diff --git a/package/network/config/firewall/files/lib/core_rule.sh b/package/network/config/firewall/files/lib/core_rule.sh
index f49c42af55..0ce2122be4 100644
--- a/package/network/config/firewall/files/lib/core_rule.sh
+++ b/package/network/config/firewall/files/lib/core_rule.sh
@@ -34,7 +34,7 @@ fw_load_rule() {
 	fw_callback pre rule
 
 	local table=f
-	local chain=input
+	local chain=delegate_output
 	local target="${rule_target:-REJECT}"
 	if [ "$target" == "NOTRACK" ]; then
 		table=r
@@ -42,16 +42,23 @@ fw_load_rule() {
 	else
 		if [ -n "$rule_src" ]; then
 			if [ "$rule_src" != "*" ]; then
-				chain="zone_${rule_src}${rule_dest:+_forward}"
+				if [ -n "$rule_dest" ]; then
+					chain="zone_${rule_src}_forward"
+				else
+					chain="zone_${rule_src}_input"
+				fi
 			else
-				chain="${rule_dest:+forward}"
-				chain="${chain:-input}"
+				chain="${rule_dest:+delegate_forward}"
+				chain="${chain:-delegate_input}"
 			fi
 		fi
 
 		if [ -n "$rule_dest" ]; then
 			if [ "$rule_dest" != "*" ]; then
-				target="zone_${rule_dest}_${target}"
+				target="zone_${rule_dest}_dest_${target}"
+				if [ -z "$rule_src" ]; then
+					chain="zone_${rule_dest}_output"
+				fi
 			elif [ "$target" = REJECT ]; then
 				target=reject
 			fi