firewall: - fix ip6tables rules when icmp_type option is set - add "family" option...

[openwrt/.git] / package / firewall / files / lib / fw.sh

diff --git a/package/firewall/files/lib/fw.sh b/package/firewall/files/lib/fw.sh
index 1dd5227c164f6147f03b8e523ce283ed8ebfb01d..553642070ca34745dc9e65187cf7393bd0e115e7 100644 (file)
--- a/package/firewall/files/lib/fw.sh
+++ b/package/firewall/files/lib/fw.sh
@@ -155,7 +155,14 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
                fi
        fi
        while [ $# -gt 1 ]; do
-               echo -n  "$1"
+               case "$app:$1" in
+                       ip6tables:--icmp-type) echo -n "--icmpv6-type" ;;
+                       ip6tables:icmp|ip6tables:ICMP) echo -n "icmpv6" ;;
+                       iptables:--icmpv6-type) echo -n "--icmp-type" ;;
+                       iptables:icmpv6) echo -n "icmp" ;;
+                       *:}|*:{) shift; continue ;;
+                       *) echo -n "$1" ;;
+               esac
                echo -ne "\0"
                shift
        done | xargs -0 ${FW_TRACE:+-t} \
@@ -180,3 +187,24 @@ fw_get_port_range() {
        fi
 }
 
+fw_get_family_mode() {
+       local hint="$1"
+       local zone="$2"
+       local mode="$3"
+
+       local ipv4 ipv6
+       [ -n "$FW_ZONES4$FW_ZONES6" ] && {
+               list_contains FW_ZONES4 $zone && ipv4=1 || ipv4=0
+               list_contains FW_ZONES6 $zone && ipv6=1 || ipv6=0
+       } || {
+               ipv4=$(uci_get_state firewall core ${zone}_ipv4 0)
+               ipv6=$(uci_get_state firewall core ${zone}_ipv6 0)
+       }
+
+       case "$hint:$ipv4:$ipv6" in
+               *4:1:*|*:1:0) echo 4 ;;
+               *6:*:1|*:0:1) echo 6 ;;
+               *) echo $mode ;;
+       esac
+}
+