Shorewall: start and enable interfaces all in hotplug

Using shorewall-lite {en|dis}able instead of completely restarting
Shorewall is much more efficient.

But it also makes sense to move the starting of Shorewall from init
to an interface hotplug event.  The "lan" interface should be a good
indicator that networking it ready.  Besides, Shorewall won't start
until br-lan is available.

Signed-off-by: Brian J. Murrell <redacted>

diff --git a/net/shorewall-lite/files/hotplug_iface b/net/shorewall-lite/files/hotplug_iface
index 90ed80c8c5c2c8b2370db055f3934c2754a88cff..367cea6f48e000e96fb4624825b52b9d34980bd1 100644 (file)
--- a/net/shorewall-lite/files/hotplug_iface
+++ b/net/shorewall-lite/files/hotplug_iface
@@ -1,13 +1,19 @@
 #!/bin/sh
 
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 
 case "$ACTION" in
     ifup)
-        /etc/init.d/shorewall-lite restart
+        if [ "$INTERFACE" = "lan" ]; then
+            /usr/sbin/shorewall -l start
+       elif [ "${INTERFACE:0:3}" = "wan" ] &&
+             [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+           /etc/shorewall-lite/state/firewall enable "$DEVICE"
+       fi
         ;;
     ifdown)
-        # might need to restore some routing
-        /etc/init.d/shorewall-lite restart
+       if [ "${INTERFACE:0:3}" = "wan" ]; then
+           /etc/shorewall-lite/state/firewall disable "$DEVICE"
+       fi
         ;;
-esac
\ No newline at end of file
+esac

diff --git a/net/shorewall/files/hotplug_iface b/net/shorewall/files/hotplug_iface
index f787424c1946b4e45e62baf0447818082a2bb8f7..0071e4ff4074404c1765da40a6ce857944c9bd84 100644 (file)
--- a/net/shorewall/files/hotplug_iface
+++ b/net/shorewall/files/hotplug_iface
@@ -1,13 +1,19 @@
 #!/bin/sh
 
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 
 case "$ACTION" in
     ifup)
-        /etc/init.d/shorewall restart
+        if [ "$INTERFACE" = "lan" ]; then
+            /usr/sbin/shorewall start
+       elif [ "${INTERFACE:0:3}" = "wan" ] &&
+             [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+           /etc/shorewall/state/firewall enable "$DEVICE"
+       fi
         ;;
     ifdown)
-        # might need to restore some routing
-        /etc/init.d/shorewall restart
+       if [ "${INTERFACE:0:3}" = "wan" ]; then
+           /etc/shorewall/state/firewall disable "$DEVICE"
+       fi
         ;;
 esac

diff --git a/net/shorewall6-lite/files/hotplug_iface b/net/shorewall6-lite/files/hotplug_iface
index bb8973b7bfb0b8c48b6c36f7b90634793d2582d0..410266aae5808bb187e702fc30201f7fd3d1d4ea 100644 (file)
--- a/net/shorewall6-lite/files/hotplug_iface
+++ b/net/shorewall6-lite/files/hotplug_iface
@@ -1,13 +1,19 @@
 #!/bin/sh
 
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 
 case "$ACTION" in
     ifup)
-        /etc/init.d/shorewall6-lite restart
+        if [ "$INTERFACE" = "lan" ]; then
+            /usr/sbin/shorewall -6 -l start
+       elif [ "${INTERFACE:0:3}" = "wan" ] &&
+             [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+           /etc/shorewall6-lite/state/firewall enable "$DEVICE"
+       fi
         ;;
     ifdown)
-        # might need to restore some routing
-        /etc/init.d/shorewall6-lite restart
+       if [ "${INTERFACE:0:3}" = "wan" ]; then
+           /etc/shorewall6-lite/state/firewall disable "$DEVICE"
+       fi
         ;;
-esac
\ No newline at end of file
+esac

diff --git a/net/shorewall6/files/hotplug_iface b/net/shorewall6/files/hotplug_iface
index aaa03e8a92588ef93564e6725ef416fc2bb3556b..bfe2bf7b1a876d08cd988fe8b4be6dce45d8ae9b 100644 (file)
--- a/net/shorewall6/files/hotplug_iface
+++ b/net/shorewall6/files/hotplug_iface
@@ -1,13 +1,19 @@
 #!/bin/sh
 
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 
 case "$ACTION" in
     ifup)
-        /etc/init.d/shorewall6 restart
+        if [ "$INTERFACE" = "lan" ]; then
+            /usr/sbin/shorewall -6 start
+       elif [ "${INTERFACE:0:3}" = "wan" ] &&
+             [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+           /etc/shorewall6/state/firewall enable "$DEVICE"
+       fi
         ;;
     ifdown)
-        # might need to restore some routing
-        /etc/init.d/shorewall6 restart
+       if [ "${INTERFACE:0:3}" = "wan" ]; then
+           /etc/shorewall6/state/firewall disable "$DEVICE"
+       fi
         ;;
 esac