firewall: implement disable_ipv6 uci option

SVN-Revision: 21503
14 years ago · 3ffd27f905
parent c6fdffd932
commit 3ffd27f905
2 changed files with 11 additions and 5 deletions
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@ -16,6 +16,9 @@ FW_DEFAULT_INPUT_POLICY=REJECT
 FW_DEFAULT_OUTPUT_POLICY=REJECT
 FW_DEFAULT_FORWARD_POLICY=REJECT

+FW_DISABLE_IPV4=0
+FW_DISABLE_IPV6=0
+

 fw_load_defaults() {
 	fw_config_get_section "$1" defaults { \
@ -34,6 +37,7 @@ fw_load_defaults() {
 		boolean accept_redirects 0 \
 		boolean accept_source_route 0 \
 		boolean custom_chains 1 \
+		boolean disable_ipv6 0 \
 	} || return
 	[ -n "$FW_DEFAULTS_APPLIED" ] && {
 		echo "Error: multiple defaults sections detected"
@ -50,6 +54,8 @@ fw_load_defaults() {
 	FW_ACCEPT_REDIRECTS=$defaults_accept_redirects
 	FW_ACCEPT_SRC_ROUTE=$defaults_accept_source_route

+	FW_DISABLE_IPV6=$defaults_disable_ipv6
+
 	fw_callback pre defaults

 	# Seems like there are only one sysctl for both IP versions.
@ -96,7 +102,7 @@ fw_load_defaults() {
 		fw add i f forwarding_rule
 		fw add i n prerouting_rule
 		fw add i n postrouting_rule
-			
+
 		fw add i f INPUT       input_rule
 		fw add i f OUTPUT      output_rule
 		fw add i f FORWARD     forwarding_rule
--- a/package/firewall/files/lib/fw.sh
+++ b/package/firewall/files/lib/fw.sh
@ -72,7 +72,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 		if [ $tab == '-' ]; then
 			type $app > /dev/null 2> /dev/null
 			fw__rc $(($? & 1))
-			return 
+			return
 		fi
 		local mod
 		eval "mod=\$FW_${fam}_${tab}"
@ -85,7 +85,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 			6) mod=ip6table_${tab} ;;
 			*) mod=. ;;
 		esac
-		grep "^${mod} " /proc/modules > /dev/null
+		grep -q "^${mod} " /proc/modules
 		mod=$?
 		export FW_${fam}_${tab}=$mod
 		fw__rc $mod
@ -100,8 +100,8 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
 	local app=
 	local pol=
 	case "$fam" in
-		4) app=iptables ;;
-		6) app=ip6tables ;;
+		4) [ $FW_DISABLE_IPV4 == 0 ] && app=iptables  || return ;;
+		6) [ $FW_DISABLE_IPV6 == 0 ] && app=ip6tables || return ;;
 		i) fw__dualip "$@"; return ;;
 		I) fw__autoip "$@"; return ;;
 		e) app=ebtables ;;