[package] firewall:

	- introduce per-section "option enabled" which defaults to "1" - useful to disable rules or zones without having to delete them
	- annotate default traffic rules with names
	- bump version

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@29577 3c298f89-4303-0410-b956-a3cf2f4a3e73

diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index 6106348..3c5e10f 100644 (file)
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 
 PKG_VERSION:=2
 PKG_NAME:=firewall
 
 PKG_VERSION:=2

-PKG_RELEASE:=42
+PKG_RELEASE:=43

 
 include $(INCLUDE_DIR)/package.mk
 
 
 include $(INCLUDE_DIR)/package.mk
 

diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index 4ba165f..77832ff 100644 (file)
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -29,6 +29,7 @@ config forwarding
 # We need to accept udp packets on port 68,
 # see https://dev.openwrt.org/ticket/4108
 config rule
 # We need to accept udp packets on port 68,
 # see https://dev.openwrt.org/ticket/4108
 config rule

+       option name             Allow-DHCP-Renew

        option src              wan
        option proto            udp
        option dest_port        68
        option src              wan
        option proto            udp
        option dest_port        68


@@ -37,6 +38,7 @@ config rule
 
 # Allow IPv4 ping
 config rule
 
 # Allow IPv4 ping
 config rule

+       option name             Allow-Ping

        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option src              wan
        option proto            icmp
        option icmp_type        echo-request


@@ -46,6 +48,7 @@ config rule
 # Allow DHCPv6 replies
 # see https://dev.openwrt.org/ticket/10381
 config rule
 # Allow DHCPv6 replies
 # see https://dev.openwrt.org/ticket/10381
 config rule

+       option name             Allow-DHCPv6

        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src              wan
        option proto            udp
        option src_ip           fe80::/10


@@ -57,6 +60,7 @@ config rule
 
 # Allow essential incoming IPv6 ICMP traffic
 config rule
 
 # Allow essential incoming IPv6 ICMP traffic
 config rule

+       option name             Allow-ICMPv6-Input

        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        option src              wan
        option proto    icmp
        list icmp_type          echo-request


@@ -73,6 +77,7 @@ config rule
 
 # Allow essential forwarded IPv6 ICMP traffic
 config rule                                   
 
 # Allow essential forwarded IPv6 ICMP traffic
 config rule                                   

+       option name             Allow-ICMPv6-Forward

        option src              wan
        option dest             *
        option proto            icmp
        option src              wan
        option dest             *
        option proto            icmp

diff --git a/package/firewall/files/lib/config.sh b/package/firewall/files/lib/config.sh
index 996cef8..8b2399f 100644 (file)
--- a/package/firewall/files/lib/config.sh
+++ b/package/firewall/files/lib/config.sh
@@ -34,7 +34,11 @@ fw_config_get_section() { # <config> <prefix> <type> <name> <default> ...
                export ${NO_EXPORT:+-n} -- "${prefix}NAME"="${config}"
                config_get "${prefix}TYPE" "$config" TYPE
        }
                export ${NO_EXPORT:+-n} -- "${prefix}NAME"="${config}"
                config_get "${prefix}TYPE" "$config" TYPE
        }

-       
+
+       local enabled
+       config_get_bool enabled "$config" enabled 1
+       [ $enabled -eq 1 ] || return 1
+

        [ "$1" == '{' ] && shift
        while [ $# -ge 3 ]; do
                local type=$1
        [ "$1" == '{' ] && shift
        while [ $# -ge 3 ]; do
                local type=$1