| author | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2006-10-04 20:05:48 +0000 | 
|---|---|---|
| committer | nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2006-10-04 20:05:48 +0000 | 
| commit | cf123d2a166d297712ab7b7221af999a62643f98 (patch) | |
| tree | 424632c445fabddd7254926f9689e2353d7c5dd6 /package/iptables | |
| parent | 3cf72ac0abc8f9867cc374a63994358786b073a5 (diff) | |
add new rc.common for standardized init scripts, convert existing init scripts
git-svn-id: svn://svn.openwrt.org/openwrt/branches/buildroot-ng/openwrt@4915 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/iptables')
| -rwxr-xr-x | package/iptables/files/firewall.init | 206 | 
1 files changed, 109 insertions, 97 deletions
|
diff --git a/package/iptables/files/firewall.init b/package/iptables/files/firewall.init
index 4acd325a9..731485bcd 100755
--- a/package/iptables/files/firewall.init
+++ b/package/iptables/files/firewall.init
@@ -1,103 +1,115 @@
-#!/bin/sh
+#!/bin/sh /etc/rc.common
 # Copyright (C) 2006 OpenWrt.org
 ## Please make changes in /etc/firewall.user
-. /etc/functions.sh
-include /lib/network
-
-scan_interfaces
-config_get WAN wan ifname
-config_get LAN lan ifname
-
-## CLEAR TABLES
-for T in filter nat; do
-  iptables -t $T -F
-  iptables -t $T -X
-done
-
-iptables -N input_rule
-iptables -N output_rule
-iptables -N forwarding_rule
-
-iptables -t nat -N prerouting_rule
-iptables -t nat -N postrouting_rule
-
-iptables -N LAN_ACCEPT
-[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
-iptables -A LAN_ACCEPT -j ACCEPT
-
-### INPUT
-###  (connections with the router as destination)
-
-  # base case
-  iptables -P INPUT DROP
-  iptables -A INPUT -m state --state INVALID -j DROP
-  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
-
-  #
-  # insert accept rule or to jump to new accept-check table here
-  #
-  iptables -A INPUT -j input_rule
-
-  # allow
-  iptables -A INPUT -j LAN_ACCEPT	# allow from lan/wifi interfaces 
-  iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
-  iptables -A INPUT -p gre	-j ACCEPT	# allow GRE
-
-  # reject (what to do with anything not allowed earlier)
-  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
-  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
-
-### OUTPUT
-### (connections with the router as source)
-
-  # base case
-  iptables -P OUTPUT DROP
-  iptables -A OUTPUT -m state --state INVALID -j DROP
-  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-  #
-  # insert accept rule or to jump to new accept-check table here
-  #
-  iptables -A OUTPUT -j output_rule
-
-  # allow
-  iptables -A OUTPUT -j ACCEPT		#allow everything out
-
-  # reject (what to do with anything not allowed earlier)
-  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-
-### FORWARDING
-### (connections routed through the router)
-
-  # base case
-  iptables -P FORWARD DROP 
-  iptables -A FORWARD -m state --state INVALID -j DROP
-  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-  #
-  # insert accept rule or to jump to new accept-check table here
-  #
-  iptables -A FORWARD -j forwarding_rule
-
-  # allow
-  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
-  [ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
-
-  # reject (what to do with anything not allowed earlier)
-  # uses the default -P DROP
-
-### MASQ
-  iptables -t nat -A PREROUTING -j prerouting_rule
-  iptables -t nat -A POSTROUTING -j postrouting_rule
-  [ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+start() {
+	include /lib/network
+	scan_interfaces
+	
+	config_get WAN wan ifname
+	config_get LAN lan ifname
+	
+	## CLEAR TABLES
+	for T in filter nat; do
+		iptables -t $T -F
+		iptables -t $T -X
+	done
+	
+	iptables -N input_rule
+	iptables -N output_rule
+	iptables -N forwarding_rule
+	
+	iptables -t nat -N prerouting_rule
+	iptables -t nat -N postrouting_rule
+	
+	iptables -N LAN_ACCEPT
+	[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
+	iptables -A LAN_ACCEPT -j ACCEPT
+	
+	### INPUT
+	###  (connections with the router as destination)
+	
+	# base case
+	iptables -P INPUT DROP
+	iptables -A INPUT -m state --state INVALID -j DROP
+	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+	iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
+	
+	#
+	# insert accept rule or to jump to new accept-check table here
+	#
+	iptables -A INPUT -j input_rule
+	
+	# allow
+	iptables -A INPUT -j LAN_ACCEPT	# allow from lan/wifi interfaces 
+	iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
+	iptables -A INPUT -p gre	-j ACCEPT	# allow GRE
+	
+	# reject (what to do with anything not allowed earlier)
+	iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+	iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+	
+	### OUTPUT
+	### (connections with the router as source)
+	
+	# base case
+	iptables -P OUTPUT DROP
+	iptables -A OUTPUT -m state --state INVALID -j DROP
+	iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+	
+	#
+	# insert accept rule or to jump to new accept-check table here
+	#
+	iptables -A OUTPUT -j output_rule
+	
+	# allow
+	iptables -A OUTPUT -j ACCEPT		#allow everything out
+	
+	# reject (what to do with anything not allowed earlier)
+	iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
+	iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+	
+	### FORWARDING
+	### (connections routed through the router)
+	
+	# base case
+	iptables -P FORWARD DROP 
+	iptables -A FORWARD -m state --state INVALID -j DROP
+	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+	
+	#
+	# insert accept rule or to jump to new accept-check table here
+	#
+	iptables -A FORWARD -j forwarding_rule
+	
+	# allow
+	iptables -A FORWARD -i br0 -o br0 -j ACCEPT
+	[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+	
+	# reject (what to do with anything not allowed earlier)
+	# uses the default -P DROP
+	
+	### MASQ
+	iptables -t nat -A PREROUTING -j prerouting_rule
+	iptables -t nat -A POSTROUTING -j postrouting_rule
+	[ -z "$WAN" ] || iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
+	
+	## USER RULES
+	[ -f /etc/firewall.user ] && . /etc/firewall.user
+	[ -n "$WAN" -a -e /etc/config/firewall ] && {
+		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
+	}
+}
-## USER RULES
-[ -f /etc/firewall.user ] && . /etc/firewall.user
-[ -n "$WAN" -a -e /etc/config/firewall ] && {
-	awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
+stop() {
+	iptables -P INPUT ACCEPT
+	iptables -P OUTPUT ACCEPT
+	iptables -P FORWARD ACCEPT
+	iptables -F
+	iptables -t nat -P PREROUTING ACCEPT
+	iptables -t nat -P POSTROUTING ACCEPT
+	iptables -t nat -P OUTPUT ACCEPT
+	iptables -t nat -F
 }
|
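Review bot: The new `stop()` sets every filter policy to ACCEPT before flushing, and `start()` flushes all rules in the `for T in filter nat` loop long before it reaches `iptables -P INPUT DROP` and `iptables -P FORWARD DROP`, so if rc.common implements restart as stop followed by start (not visible here) the router spends the whole rule rebuild with empty chains and ACCEPT policies on INPUT and FORWARD. Moving the three policy lines `iptables -P INPUT DROP`, `iptables -P OUTPUT DROP`, `iptables -P FORWARD DROP` to the top of `start()`, ahead of the flush loop, makes that window fail-closed at the cost of briefly dropping established flows; the later copies then become harmless repeats. Separately, `[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT` guards only WAN and leaves both variables unquoted, so an empty `$LAN` makes the rule fail silently (no iptables exit status is checked anywhere in the script); `[ -z "$WAN" ] || [ -z "$LAN" ] || iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT` would match the quoting already used in the LAN_ACCEPT rule and keep FORWARD at its DROP default rather than misconfigured without notice.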
