refactor lime/rc.d/apply-eb-ip-rules... into a /etc/init.d/firewall-lime

while at it, also stop mangling /etc/firewall.user:
create instead /etc/firewall.lime, and "include" it from /etc/config/firewall
in addition to standard /etc/firewall.user

packages/lime-proto-anygw/src/anygw.lua

@@ -52,9 +52,9 @@ function anygw.configure(args)
 
 	uci:save("network")
 
-	fs.mkdir("/etc/firewall.user.d")
+	fs.mkdir("/etc/firewall.lime.d")
 	fs.writefile(
-		"/etc/firewall.user.d/20-anygw-ebtables",
+		"/etc/firewall.lime.d/20-anygw-ebtables",
 		"\n" ..
 		"ebtables -D FORWARD -j DROP -d " .. anygw_mac .. "\n" ..
 		"ebtables -A FORWARD -j DROP -d " .. anygw_mac .. "\n" ..

packages/lime-proto-bmx6/src/bmx6.lua

@@ -96,10 +96,12 @@ function bmx6.configure(args)
 		uci:set("firewall", "bmxtun", "family", "ipv4")
 
 		uci:save("firewall")
+
+		fs.remove("/etc/firewall.lime.d/20-bmxtun-mtu_fix")
 	else
-		fs.mkdir("/etc/firewall.user.d")
+		fs.mkdir("/etc/firewall.lime.d")
 		fs.writefile(
-			"/etc/firewall.user.d/20-bmxtun-mtu_fix",
+			"/etc/firewall.lime.d/20-bmxtun-mtu_fix",
 			"\n" ..
 			"iptables -t mangle -D FORWARD -o bmx+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" ..
 			"iptables -t mangle -A FORWARD -o bmx+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n"

packages/lime-proto-bmx7/src/bmx7.lua

@@ -96,10 +96,12 @@ function bmx7.configure(args)
 		uci:set("firewall", "bmxtun", "family", "ipv4")
 
 		uci:save("firewall")
+
+		fs.remove("/etc/firewall.lime.d/20-bmxtun-mtu_fix")
 	else
-		fs.mkdir("/etc/firewall.user.d")
+		fs.mkdir("/etc/firewall.lime.d")
 		fs.writefile(
-			"/etc/firewall.user.d/20-bmxtun-mtu_fix",
+			"/etc/firewall.lime.d/20-bmxtun-mtu_fix",
 			"\n" ..
 			"iptables -t mangle -D FORWARD -o bmx+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n" ..
 			"iptables -t mangle -A FORWARD -o bmx+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n"

packages/lime-system/Makefile

@@ -58,4 +58,9 @@ define Package/$(PKG_NAME)/install
 		$(1)/etc/uci-defaults/90_lime-banner
 endef
 
+define Package/$(PKG_NAME)/postinst
+#!/bin/sh
+[ -n "$${IPKG_INSTROOT}" ] || /etc/init.d/firewall-lime enable || true
+endef
+
 $(eval $(call BuildPackage,$(PKG_NAME)))

packages/lime-system/files/etc/firewall.lime

@@ -0,0 +1,7 @@
+# Essential LiMe eb/iptables rules are placed in /etc/firewall.lime.d/
+# they will be executed during each firewall (re-)start
+# or, if firewall package is not installed, just during boot.
+# They are interpreted as shell script.
+for hook in /etc/firewall.lime.d/* ; do
+        [ -s "$hook" ] && /bin/sh "$hook"
+done

packages/lime-system/files/etc/init.d/firewall-lime

@@ -0,0 +1,12 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2013-2014 OpenWrt.org
+
+START=99
+
+boot() {
+        if ! /etc/init.d/firewall enabled 2> /dev/null ; then
+          echo "$0: Firewall is not enabled. Executing /etc/firewall.lime script."
+          /bin/sh /etc/firewall.lime
+        fi
+}
+

packages/lime-system/files/usr/lib/lua/lime/firewall.lua

@@ -10,16 +10,6 @@ function firewall.clean()
 end
 
 function firewall.configure()
-	fs.writefile(
-		"/etc/firewall.user",
-		"# Put your custom iptables rules in a new file in /etc/firewall.user.d/\n" ..
-		"# they will be executed with each firewall (re-)start.\n" ..
-		"# They are interpreted as shell script.\n" ..
-		"for hook in /etc/firewall.user.d/* ; do\n" ..
-		"\t[ -s \"$hook\" ] && /bin/sh \"$hook\"\n" ..
-		"done\n"
-	)
-
     if opkg.installed("firewall") then
         local uci = libuci:cursor()
         uci:foreach("firewall", "defaults",
@@ -39,10 +29,10 @@ function firewall.configure()
                 end
             end
         )
+	uci:set("firewall", "include_firewall_lime", "include")
+	uci:set("firewall", "include_firewall_lime", "path", "/etc/firewall.lime")
+
         uci:save("firewall")
-    else
-        os.execute("ln -s /etc/firewall.user /etc/lime-rc.d/50-firewall.user 2>/dev/null")
-        os.execute("chmod +x /etc/firewall.user")
     end
 
 end