
map: don't set default firewall zone to wan

Don't set the default firewall zone to wan if not specified to keep the
behavior aligned with other tunnel protocols like gre and 6rd.
If the interface zone is not specified, try to get it from the firewall config
when constructing the procd firewall rule.
While at it, only add procd inbound/outbound firewall rules if a zone is specified.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
dedeckeh committed Apr 29, 2019
1 parent 470f5b3 commit f54611b06d8867e4f17a0759b8c47f67cb3bc02c
Showing with 27 additions and 23 deletions.
  1. +1 −1 package/network/ipv6/map/Makefile
  2. +26 −22 package/network/ipv6/map/files/map.sh
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

PKG_NAME:=map
PKG_VERSION:=4
PKG_RELEASE:=12
PKG_RELEASE:=13
PKG_LICENSE:=GPL-2.0

include $(INCLUDE_DIR)/package.mk
@@ -33,7 +33,7 @@ proto_map_setup() {
json_get_vars type mtu ttl tunlink zone encaplimit
json_get_vars rule ipaddr ip4prefixlen ip6prefix ip6prefixlen peeraddr ealen psidlen psid offset

[ -z "$zone" ] && zone="wan"
[ "$zone" = "-" ] && zone=""
[ -z "$type" ] && type="map-e"
[ -z "$ip4prefixlen" ] && ip4prefixlen=32

@@ -129,7 +129,7 @@ proto_map_setup() {

proto_add_ipv4_route "0.0.0.0" 0
proto_add_data
[ "$zone" != "-" ] && json_add_string zone "$zone"
[ -n "$zone" ] && json_add_string zone "$zone"

json_add_array firewall
if [ -z "$(eval "echo \$RULE_${k}_PORTSETS")" ]; then
@@ -155,26 +155,30 @@ proto_map_setup() {
done
fi
if [ "$type" = "map-t" ]; then
json_add_object ""
json_add_string type rule
json_add_string family inet6
json_add_string proto all
json_add_string direction in
json_add_string dest "$zone"
json_add_string src "$zone"
json_add_string src_ip $(eval "echo \$RULE_${k}_IPV6ADDR")
json_add_string target ACCEPT
json_close_object
json_add_object ""
json_add_string type rule
json_add_string family inet6
json_add_string proto all
json_add_string direction out
json_add_string dest "$zone"
json_add_string src "$zone"
json_add_string dest_ip $(eval "echo \$RULE_${k}_IPV6ADDR")
json_add_string target ACCEPT
json_close_object
[ -z "$zone" ] && zone=$(fw3 -q network $iface 2>/dev/null)

[ -n "$zone" ] && {
json_add_object ""
json_add_string type rule
json_add_string family inet6
json_add_string proto all
json_add_string direction in
json_add_string dest "$zone"
json_add_string src "$zone"
json_add_string src_ip $(eval "echo \$RULE_${k}_IPV6ADDR")
json_add_string target ACCEPT
json_close_object
json_add_object ""
json_add_string type rule
json_add_string family inet6
json_add_string proto all
json_add_string direction out
json_add_string dest "$zone"
json_add_string src "$zone"
json_add_string dest_ip $(eval "echo \$RULE_${k}_IPV6ADDR")
json_add_string target ACCEPT
json_close_object
}
proto_add_ipv6_route $(eval "echo \$RULE_${k}_IPV6ADDR") 128
fi
json_close_array
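Review bot: With the `zone="wan"` default dropped in the first map.sh hunk, a MAP interface configured without a `zone` option no longer gets a zone from this script, so unless the firewall config lists the network in a zone its traffic presumably falls under the firewall's default policies rather than the wan zone's; that upgrade effect deserves a comment above `[ "$zone" = "-" ] && zone=""`, for example `# no implicit wan zone: an unset zone leaves the interface unzoned unless the firewall config assigns one`. In the map-t branch the fallback `zone=$(fw3 -q network $iface 2>/dev/null)` runs only after `[ -n "$zone" ] && json_add_string zone "$zone"` in the second hunk, so a zone found there reaches the two ACCEPT rules but not the zone entry written to the proto data. The lookup also discards errors, so an empty result silently skips both rules, and a log message on that path would make a missing zone diagnosable. `$iface` is unquoted in that call and would be safer as `"$iface"`. proto_map_setup starts and ends outside the hunks shown.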
