From 3ffd27f90558a7df28b983b7b635b62e0480f509 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 19 May 2010 01:55:46 +0000 Subject: firewall: implement disable_ipv6 uci option SVN-Revision: 21503 --- package/firewall/files/lib/core_init.sh | 8 +++++++- package/firewall/files/lib/fw.sh | 8 ++++---- 2 files changed, 11 insertions(+), 5 deletions(-) (limited to 'package/firewall/files') diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh index 82939b9416..2dd989e494 100644 --- a/package/firewall/files/lib/core_init.sh +++ b/package/firewall/files/lib/core_init.sh @@ -16,6 +16,9 @@ FW_DEFAULT_INPUT_POLICY=REJECT FW_DEFAULT_OUTPUT_POLICY=REJECT FW_DEFAULT_FORWARD_POLICY=REJECT +FW_DISABLE_IPV4=0 +FW_DISABLE_IPV6=0 + fw_load_defaults() { fw_config_get_section "$1" defaults { \ @@ -34,6 +37,7 @@ fw_load_defaults() { boolean accept_redirects 0 \ boolean accept_source_route 0 \ boolean custom_chains 1 \ + boolean disable_ipv6 0 \ } || return [ -n "$FW_DEFAULTS_APPLIED" ] && { echo "Error: multiple defaults sections detected" @@ -50,6 +54,8 @@ fw_load_defaults() { FW_ACCEPT_REDIRECTS=$defaults_accept_redirects FW_ACCEPT_SRC_ROUTE=$defaults_accept_source_route + FW_DISABLE_IPV6=$defaults_disable_ipv6 + fw_callback pre defaults # Seems like there are only one sysctl for both IP versions. @@ -96,7 +102,7 @@ fw_load_defaults() { fw add i f forwarding_rule fw add i n prerouting_rule fw add i n postrouting_rule - + fw add i f INPUT input_rule fw add i f OUTPUT output_rule fw add i f FORWARD forwarding_rule diff --git a/package/firewall/files/lib/fw.sh b/package/firewall/files/lib/fw.sh index 72aa37c5bf..1dd5227c16 100644 --- a/package/firewall/files/lib/fw.sh +++ b/package/firewall/files/lib/fw.sh @@ -72,7 +72,7 @@ fw__exec() { # { } if [ $tab == '-' ]; then type $app > /dev/null 2> /dev/null fw__rc $(($? & 1)) - return + return fi local mod eval "mod=\$FW_${fam}_${tab}" @@ -85,7 +85,7 @@ fw__exec() { #
{ } 6) mod=ip6table_${tab} ;; *) mod=. ;; esac - grep "^${mod} " /proc/modules > /dev/null + grep -q "^${mod} " /proc/modules mod=$? export FW_${fam}_${tab}=$mod fw__rc $mod @@ -100,8 +100,8 @@ fw__exec() { #
{ } local app= local pol= case "$fam" in - 4) app=iptables ;; - 6) app=ip6tables ;; + 4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables || return ;; + 6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;; i) fw__dualip "$@"; return ;; I) fw__autoip "$@"; return ;; e) app=ebtables ;; -- cgit v1.2.3