package/dnsmasq: add support for bogus-nxdomain (thanks to Mickey Knox), bump release...

[openwrt.git] / package / firewall / files / lib / fw.sh

diff --git a/package/firewall/files/lib/fw.sh b/package/firewall/files/lib/fw.sh
index c06e864..86e8171 100644 (file)
--- a/package/firewall/files/lib/fw.sh
+++ b/package/firewall/files/lib/fw.sh
@@ -51,8 +51,8 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
                shift
                while [ "$1" != '}' ]; do
                        case "$1" in
-                               *.*.*.*) ip4=1 ;;
                                *:*) ip6=1 ;;
+                               *.*.*.*) ip4=1 ;;
                        esac
                        shift
                done
@@ -72,7 +72,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
                if [ $tab == '-' ]; then
                        type $app > /dev/null 2> /dev/null
                        fw__rc $(($? & 1))
-                       return 
+                       return
                fi
                local mod
                eval "mod=\$FW_${fam}_${tab}"
@@ -85,7 +85,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
                        6) mod=ip6table_${tab} ;;
                        *) mod=. ;;
                esac
-               grep "^${mod} " /proc/modules > /dev/null
+               grep -q "^${mod} " /proc/modules
                mod=$?
                export FW_${fam}_${tab}=$mod
                fw__rc $mod
@@ -100,8 +100,8 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
        local app=
        local pol=
        case "$fam" in
-               4) app=iptables ;;
-               6) app=ip6tables ;;
+               4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables  || return ;;
+               6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
                i) fw__dualip "$@"; return ;;
                I) fw__autoip "$@"; return ;;
                e) app=ebtables ;;
@@ -150,12 +150,19 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 
        if [ $# -gt 0 ]; then
                shift
-               if [ $cmd == del ]; then
-                       pos=-
+               if [ $cmd == delete ]; then
+                       pos=
                fi
        fi
        while [ $# -gt 1 ]; do
-               echo -n  "$1"
+               case "$app:$1" in
+                       ip6tables:--icmp-type) echo -n "--icmpv6-type" ;;
+                       ip6tables:icmp|ip6tables:ICMP) echo -n "icmpv6" ;;
+                       iptables:--icmpv6-type) echo -n "--icmp-type" ;;
+                       iptables:icmpv6) echo -n "icmp" ;;
+                       *:}|*:{) shift; continue ;;
+                       *) echo -n "$1" ;;
+               esac
                echo -ne "\0"
                shift
        done | xargs -0 ${FW_TRACE:+-t} \
@@ -180,3 +187,24 @@ fw_get_port_range() {
        fi
 }
 
+fw_get_family_mode() {
+       local hint="$1"
+       local zone="$2"
+       local mode="$3"
+
+       local ipv4 ipv6
+       [ -n "$FW_ZONES4$FW_ZONES6" ] && {
+               list_contains FW_ZONES4 $zone && ipv4=1 || ipv4=0
+               list_contains FW_ZONES6 $zone && ipv6=1 || ipv6=0
+       } || {
+               ipv4=$(uci_get_state firewall core ${zone}_ipv4 0)
+               ipv6=$(uci_get_state firewall core ${zone}_ipv6 0)
+       }
+
+       case "$hint:$ipv4:$ipv6" in
+               *4:1:*|*:1:0) echo 4 ;;
+               *6:*:1|*:0:1) echo 6 ;;
+               *) echo $mode ;;
+       esac
+}
+