-# Copyright (C) 2009-2010 OpenWrt.org
+# Copyright (C) 2009-2012 OpenWrt.org
fw__uci_state_add() {
local var="$1"
local item="$2"
local val="$(uci_get_state firewall core $var)"
- uci_set_state firewall core $var "${val:+$val }$item"
+ local e1; for e1 in $item; do
+ local e2; for e2 in $val; do
+ [ "$e1" = "$e2" ] && e1=""
+ done
+ val="${val:+$val${e1:+ }}$e1"
+ done
+
+ uci_toggle_state firewall core $var "$val"
}
fw__uci_state_del() {
local var="$1"
local item="$2"
- local val=" $(uci_get_state firewall core $var) "
- val="${val// $item / }"
- val="${val# }"
- val="${val% }"
- uci_set_state firewall core $var "$val"
+ local rest=""
+ local val="$(uci_get_state firewall core $var)"
+ local e1; for e1 in $val; do
+ local e2; for e2 in $item; do
+ [ "$e1" = "$e2" ] && e1=""
+ done
+ rest="${rest:+$rest${e1:+ }}$e1"
+ done
+
+ uci_toggle_state firewall core $var "$rest"
}
fw_configure_interface() {
# Need v4 while zone is v6
*/*.*) fw_log info "zone $zone does not support IPv4 address family, skipping"; return ;;
+
+ # Strip prefix
+ *) mode="${mode#G}" ;;
esac
+ lock /var/run/firewall-interface.lock
+
fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -o "$ifname" $onet }
fw $action $mode f ${chain}_ACCEPT ACCEPT $ { -i "$ifname" $inet }
fw $action $mode f ${chain}_DROP DROP $ { -o "$ifname" $onet }
fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
- fw $action $mode f ${chain}_MSSFIX TCPMSS $ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
+ [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
+ fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
+ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
fw $action $mode f input ${chain} $ { -i "$ifname" $inet }
fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
fw $action $mode n PREROUTING ${chain}_prerouting $ { -i "$ifname" $inet }
fw $action $mode r PREROUTING ${chain}_notrack $ { -i "$ifname" $inet }
fw $action $mode n POSTROUTING ${chain}_nat $ { -o "$ifname" $onet }
+
+ lock -u /var/run/firewall-interface.lock
}
local old_zones old_ifname old_subnets
fw_sysctl_interface $ifname
fw_callback post interface
- uci_set_state firewall core "${iface}_aliases" "$aliases"
+ uci_toggle_state firewall core "${iface}_aliases" "$aliases"
} || {
local subnets=
config_get subnets core "${iface}_subnets"
append subnets "$aliasnet"
config_set core "${iface}_subnets" "$subnets"
- uci_set_state firewall core "${iface}_subnets" "$subnets"
+ uci_toggle_state firewall core "${iface}_subnets" "$subnets"
}
local new_zones=
}
config_foreach load_zone zone
- uci_set_state firewall core "${iface}_zone" "$new_zones"
- uci_set_state firewall core "${iface}_ifname" "$ifname"
+ uci_toggle_state firewall core "${iface}_zone" "$new_zones"
+ uci_toggle_state firewall core "${iface}_ifname" "$ifname"
}
fw_sysctl_interface() {