X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/6b2e482b317dd94119a2a8f0b101ebd4c1c07753..7a1551ae774b1b323b055197fe8fe30913b28a79:/package/firewall/files/uci_firewall.sh
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index 21485cb5d..8d7538201 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -294,8 +294,11 @@ fw_rule() {
 [ -n "$src" -a -z "$dest" ] && ZONE=zone_$src
 [ -n "$src" -a -n "$dest" ] && ZONE=zone_${src}_forward
 [ -n "$dest" ] && TARGET=zone_${dest}_$target
+
+ eval 'RULE_COUNT=$((++RULE_COUNT_'$ZONE'))'
+
 add_rule() {
- $IPTABLES -A $ZONE \
+ $IPTABLES -I $ZONE $RULE_COUNT \
 ${proto:+-p $proto} \
 ${icmp_type:+--icmp-type $icmp_type} \
 ${src_ip:+-s $src_ip} \
@@ -343,6 +346,7 @@ fw_redirect() {
 config_get src $1 src
 config_get src_ip $1 src_ip
+ config_get src_dip $1 src_dip
 config_get src_port $1 src_port
 config_get src_dport $1 src_dport
 config_get src_mac $1 src_mac
@@ -354,24 +358,25 @@ fw_redirect() {
 src_port_first=${src_port%-*}
 src_port_last=${src_port#*-}
- [ "$src_port_first" -ne "$src_port_last" ] && { \
+ [ "$src_port_first" != "$src_port_last" ] && { \
 src_port="$src_port_first:$src_port_last"; }
 src_dport_first=${src_dport%-*}
 src_dport_last=${src_dport#*-}
- [ "$src_dport_first" -ne "$src_dport_last" ] && { \
+ [ "$src_dport_first" != "$src_dport_last" ] && { \
 src_dport="$src_dport_first:$src_dport_last"; }
 dest_port2=${dest_port:-$src_dport}
 dest_port_first=${dest_port2%-*}
 dest_port_last=${dest_port2#*-}
- [ "$dest_port_first" -ne "$dest_port_last" ] && { \
+ [ "$dest_port_first" != "$dest_port_last" ] && { \
 dest_port2="$dest_port_first:$dest_port_last"; }
 add_rule() {
 $IPTABLES -A zone_${src}_prerouting -t nat \
 ${proto:+-p $proto} \
 ${src_ip:+-s $src_ip} \
+ ${src_dip:+-d $src_dip} \
 ${src_port:+--sport $src_port} \
 ${src_dport:+--dport $src_dport} \
 ${src_mac:+-m mac --mac-source $src_mac} \
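Review bot: The added `eval 'RULE_COUNT=$((++RULE_COUNT_'$ZONE'))'` splices $ZONE, which the lines just above build from the configured src/dest zone names, straight into shell program text; a zone name containing any character outside [A-Za-z0-9_] turns the arithmetic into an invalid identifier (and a shell metacharacter would be evaluated as code), after which RULE_COUNT is left unset or stale and the following `$IPTABLES -I $ZONE $RULE_COUNT` inserts at the wrong position instead of in config order. A one-line guard before the eval rejects such names: `case "$ZONE" in *[!A-Za-z0-9_]*) echo "fw_rule: invalid zone name '$ZONE'" >&2; return 1 ;; esac`. If zone names are already validated elsewhere in the file, a comment at the eval saying so would do instead. fw_rule starts before and continues after this hunk.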
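Review bot: The new `src_dip` option is read here with nothing saying what it matches, and its name invites confusion with `src_ip` on the line above; the later fw_redirect hunk passes it as `-d` in the source zone's nat prerouting chain, i.e. it is the address the incoming packet was sent to, not where it came from. Suggest a trailing comment on this line: `# src_dip: destination address of the packet as it enters the src zone (-d in PREROUTING)`. fw_redirect starts before this hunk.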
@@ -417,7 +422,8 @@ get_interface_zones() {
 fw_event() {
 local action="$1"
 local interface="$2"
- local ifname="$(sh -c ". /etc/functions.sh; config_load network; config_get "$interface" ifname")"
+ local ifname="$(sh -c ". /etc/functions.sh; include /lib/network; scan_interfaces; config_get "$interface" ifname")"
+ add_zone=
 local up
 
 [ -z "$ifname" ] && return 0
@@ -503,10 +509,15 @@ fw_init() {
 echo "Loading zone defaults"
 config_foreach fw_zone_defaults zone
 uci_set_state firewall core loaded 1
+ config_set core loaded 1
 config_foreach fw_check_notrack zone
- INTERFACES="$(sh -c '. /etc/functions.sh; config_load network; config_foreach echo interface')"
+ INTERFACES="$(sh -c '
+ . /etc/functions.sh; config_load network
+ echo_up() { local up; config_get_bool up "$1" up 0; [ $up = 1 ] && echo "$1"; }
+ config_foreach echo_up interface
+ ')"
 for interface in $INTERFACES; do
- fw_addif "$interface"
+ fw_event ifup "$interface"
 done
 }
 
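Review bot: The rewritten `local ifname=...` line in fw_event still builds the child shell's program text by string splicing: inside `$( )` the inner double quotes close and reopen the outer string, so `$interface` is expanded by the parent and then re-parsed as shell by `sh -c`, with the name unquoted in that program text. Passing the name as a positional argument keeps it out of the code entirely: `local ifname="$(sh -c '. /etc/functions.sh; include /lib/network; scan_interfaces; config_get "$1" ifname' sh "$interface")"`. The new `add_zone=` is also the only assignment in this prologue without `local`; if it deliberately resets a global that helpers later in fw_event (outside this hunk) set, a comment such as `# global, reset per event; set by the zone helpers below` would make that explicit, otherwise it should read `local add_zone=`. fw_event continues past the end of this hunk.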
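Review bot: The embedded `echo_up` helper in fw_init ends with `[ $up = 1 ] && echo "$1"`, so its exit status is 1 for every interface that is not up; that is harmless only because nothing in the child shell inspects it, and the filtering rule deserves a comment above the `INTERFACES=` line, e.g. `# replay ifup only for interfaces whose config/state already reports up=1 -- presumably state merged in by config_load, confirm`. The loop then calls `fw_event ifup` per interface, and fw_event (earlier hunk) spawns its own `sh -c` to resolve ifname, so the network config is loaded once here plus once per interface; if that matters on small devices, echo_up could print the ifname next to the section name so fw_event's lookup can be skipped, but that is a larger change than this commit needs. fw_init starts before this hunk.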