firewall: - introduce per-section "option enabled" which defaults to "1" - useful to disable rules or zones without having to delete them - annotate default traffic rules with names - bump version
SVN-Revision: 29577
parent
0cd03df3b1
commit
77dda8d67a
3 changed files with 11 additions and 2 deletions
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||||
PKG_NAME:=firewall
|
PKG_NAME:=firewall
|
||||||
|
|
||||||
PKG_VERSION:=2
|
PKG_VERSION:=2
|
||||||
PKG_RELEASE:=42
|
PKG_RELEASE:=43
|
||||||
|
|
||||||
include $(INCLUDE_DIR)/package.mk
|
include $(INCLUDE_DIR)/package.mk
|
||||||
|
|
||||||
|
|
|
@ -29,6 +29,7 @@ config forwarding
|
||||||
# We need to accept udp packets on port 68,
|
# We need to accept udp packets on port 68,
|
||||||
# see https://dev.openwrt.org/ticket/4108
|
# see https://dev.openwrt.org/ticket/4108
|
||||||
config rule
|
config rule
|
||||||
|
option name Allow-DHCP-Renew
|
||||||
option src wan
|
option src wan
|
||||||
option proto udp
|
option proto udp
|
||||||
option dest_port 68
|
option dest_port 68
|
||||||
|
@ -37,6 +38,7 @@ config rule
|
||||||
|
|
||||||
# Allow IPv4 ping
|
# Allow IPv4 ping
|
||||||
config rule
|
config rule
|
||||||
|
option name Allow-Ping
|
||||||
option src wan
|
option src wan
|
||||||
option proto icmp
|
option proto icmp
|
||||||
option icmp_type echo-request
|
option icmp_type echo-request
|
||||||
|
@ -46,6 +48,7 @@ config rule
|
||||||
# Allow DHCPv6 replies
|
# Allow DHCPv6 replies
|
||||||
# see https://dev.openwrt.org/ticket/10381
|
# see https://dev.openwrt.org/ticket/10381
|
||||||
config rule
|
config rule
|
||||||
|
option name Allow-DHCPv6
|
||||||
option src wan
|
option src wan
|
||||||
option proto udp
|
option proto udp
|
||||||
option src_ip fe80::/10
|
option src_ip fe80::/10
|
||||||
|
@ -57,6 +60,7 @@ config rule
|
||||||
|
|
||||||
# Allow essential incoming IPv6 ICMP traffic
|
# Allow essential incoming IPv6 ICMP traffic
|
||||||
config rule
|
config rule
|
||||||
|
option name Allow-ICMPv6-Input
|
||||||
option src wan
|
option src wan
|
||||||
option proto icmp
|
option proto icmp
|
||||||
list icmp_type echo-request
|
list icmp_type echo-request
|
||||||
|
@ -73,6 +77,7 @@ config rule
|
||||||
|
|
||||||
# Allow essential forwarded IPv6 ICMP traffic
|
# Allow essential forwarded IPv6 ICMP traffic
|
||||||
config rule
|
config rule
|
||||||
|
option name Allow-ICMPv6-Forward
|
||||||
option src wan
|
option src wan
|
||||||
option dest *
|
option dest *
|
||||||
option proto icmp
|
option proto icmp
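Review bot: The default rules get names in these five hunks (Allow-DHCP-Renew through Allow-ICMPv6-Forward), but the file never mentions the `enabled` option that this commit introduces. As far as the visible lines show, an administrator reading this config would still conclude that the only way to turn off a WAN-facing default such as Allow-Ping is to delete the section. A one-line comment above the first named rule would make it discoverable, for example `# add "option enabled 0" to a section to disable it without deleting it`.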
|
||||||
|
|
|
@ -35,6 +35,10 @@ fw_config_get_section() { # <config> <prefix> <type> <name> <default> ...
|
||||||
config_get "${prefix}TYPE" "$config" TYPE
|
config_get "${prefix}TYPE" "$config" TYPE
|
||||||
}
|
}
|
||||||
|
|
||||||
|
local enabled
|
||||||
|
config_get_bool enabled "$config" enabled 1
|
||||||
|
[ $enabled -eq 1 ] || return 1
|
||||||
|
|
||||||
[ "$1" == '{' ] && shift
|
[ "$1" == '{' ] && shift
|
||||||
while [ $# -ge 3 ]; do
|
while [ $# -ge 3 ]; do
|
||||||
local type=$1
|
local type=$1
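Review bot: The new early return `[ $enabled -eq 1 ] || return 1` runs before any option is read, so a disabled section is only skipped if every caller checks the exit status of fw_config_get_section. A caller that ignores it would continue with option variables that are unset or left over from an earlier section, which for a firewall rule can mean a broader match than the administrator intended. The callers are outside this page, so each section loader should be checked. I would also quote the test, `[ "$enabled" -eq 1 ] || return 1`, and add a comment such as `# sections with "option enabled 0" are skipped; callers must honour the non-zero return`. The function body starts before this hunk and continues past it.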
|
||||||
|
|