mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-09-12 19:32:06 +03:00
5acb7ec58a
- defer firewall start until the first interface is brought up by hotplug, fixes race conditions on slow devices - create a file lock during firewall start and wait for it in hotplug events, prevents race conditions between start and addif - start firewall actions in background from hotplug handler since the firewall itself fires further hotplug events which results in a deadlock if not forked off - get loaded state direcly from the uci binary since updated value is not recognized by config_get after uci_set_state - bump package revision to r2 git-svn-id: svn://svn.openwrt.org/openwrt/trunk@21486 3c298f89-4303-0410-b956-a3cf2f4a3e73
140 lines
2.2 KiB
Bash
140 lines
2.2 KiB
Bash
# Copyright (C) 2009-2010 OpenWrt.org
|
|
|
|
FW_LIBDIR=${FW_LIBDIR:-/lib/firewall}
|
|
|
|
. $FW_LIBDIR/fw.sh
|
|
include /lib/network
|
|
|
|
fw_start() {
|
|
fw_init
|
|
|
|
lock /var/lock/firewall.start
|
|
|
|
FW_DEFAULTS_APPLIED=
|
|
|
|
fw_is_loaded && {
|
|
echo "firewall already loaded" >&2
|
|
exit 1
|
|
}
|
|
uci_set_state firewall core "" firewall_state
|
|
|
|
fw_clear DROP
|
|
|
|
fw_callback pre core
|
|
|
|
echo "Loading defaults"
|
|
fw_config_once fw_load_defaults defaults
|
|
|
|
echo "Loading zones"
|
|
config_foreach fw_load_zone zone
|
|
|
|
echo "Loading forwardings"
|
|
config_foreach fw_load_forwarding forwarding
|
|
|
|
echo "Loading redirects"
|
|
config_foreach fw_load_redirect redirect
|
|
|
|
echo "Loading rules"
|
|
config_foreach fw_load_rule rule
|
|
|
|
echo "Loading includes"
|
|
config_foreach fw_load_include include
|
|
|
|
[ -n "$FW_NOTRACK_DISABLED" ] && {
|
|
echo "Optimizing conntrack"
|
|
config_foreach fw_load_notrack_zone zone
|
|
}
|
|
|
|
echo "Loading interfaces"
|
|
config_foreach fw_configure_interface interface add
|
|
|
|
fw_callback post core
|
|
|
|
uci_set_state firewall core loaded 1
|
|
|
|
lock -u /var/lock/firewall.start
|
|
}
|
|
|
|
fw_stop() {
|
|
fw_init
|
|
|
|
fw_callback pre stop
|
|
|
|
fw_clear ACCEPT
|
|
|
|
fw_callback post stop
|
|
|
|
uci_revert_state firewall
|
|
config_clear
|
|
unset FW_INITIALIZED
|
|
}
|
|
|
|
fw_restart() {
|
|
fw_stop
|
|
fw_start
|
|
}
|
|
|
|
fw_reload() {
|
|
fw_restart
|
|
}
|
|
|
|
fw_is_loaded() {
|
|
local bool=$(uci -q -P /var/state get firewall.core.loaded)
|
|
return $((! ${bool:-0}))
|
|
}
|
|
|
|
|
|
fw_die() {
|
|
echo "Error:" "$@" >&2
|
|
fw_log error "$@"
|
|
fw_stop
|
|
exit 1
|
|
}
|
|
|
|
fw_log() {
|
|
local level="$1"
|
|
[ -n "$2" ] || {
|
|
shift
|
|
level=notice
|
|
}
|
|
logger -t firewall -p user.$level "$@"
|
|
}
|
|
|
|
|
|
fw_init() {
|
|
[ -z "$FW_INITIALIZED" ] || return 0
|
|
|
|
. $FW_LIBDIR/config.sh
|
|
|
|
scan_interfaces
|
|
fw_config_append firewall
|
|
|
|
local hooks="core stop defaults zone notrack synflood"
|
|
local file lib hk pp
|
|
for file in $FW_LIBDIR/core_*.sh; do
|
|
. $file
|
|
hk=$(basename $file .sh)
|
|
hk=${hk#core_}
|
|
append hooks $hk
|
|
done
|
|
for file in $FW_LIBDIR/*.sh; do
|
|
lib=$(basename $file .sh)
|
|
lib=${lib##[0-9][0-9]_}
|
|
case $lib in
|
|
core*|fw|config|uci_firewall) continue ;;
|
|
esac
|
|
. $file
|
|
for hk in $hooks; do
|
|
for pp in pre post; do
|
|
type ${lib}_${pp}_${hk}_cb >/dev/null &&
|
|
append FW_CB_${pp}_${hk} ${lib}
|
|
done
|
|
done
|
|
done
|
|
|
|
fw_callback post init
|
|
|
|
FW_INITIALIZED=1
|
|
return 0
|
|
}
|