bugfix: On firewall reload some tunnel rules were not being inserted into the default chains which are flushed on both reload and restart of firewall by OpenWRT fw scripts.

2016-01-16 20:22:53 -08:00 · 2016-01-16 20:22:53 -08:00 · 5663741cb1
parent 2be20cbde2
commit 5663741cb1
1 changed files with 9 additions and 3 deletions
--- a/files/etc/local/mesh-firewall/01-tunnels
+++ b/files/etc/local/mesh-firewall/01-tunnels
@ -63,9 +63,6 @@ if [ $rules_exist -eq 0  ] ; then
        iptables -A zone_vpn_input -p tcp -m tcp --dport 1978 -j ACCEPT
        iptables -A zone_vpn_input -p tcp -m tcp --dport 23 -j ACCEPT
        iptables -A zone_vpn_input -p tcp -m tcp --dport 9090 -j ACCEPT
-        iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
-        iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
-        iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT
        iptables -I zone_vpn_forward 1 -j zone_vpn_ACCEPT
 	if [ "$MESHFW_MESHGW" -eq 1 ] ; then
        	iptables -I zone_vpn_forward -j zone_wan_dest_ACCEPT
@ -84,3 +81,12 @@ if [ $rules_exist -eq 0  ] ; then
        iptables -A zone_vpn_forward -j zone_wifi_dest_ACCEPT
        iptables -A zone_vpn_forward -j forwarding_vpn
 fi
+
+
+# Rules that modify core tables and as such always need to be executed as they are flushed on reload/restart
+iptables -I delegate_forward 3 -i tun+ -j zone_vpn_forward
+iptables -I delegate_input 3 -i tun+ -j zone_vpn_input
+iptables -I delegate_output 3 -j zone_vpn_ACCEPT
+iptables -I zone_dtdlink_forward 1 -j zone_vpn_ACCEPT
+iptables -I zone_lan_forward 1 -j zone_vpn_ACCEPT
+iptables -I zone_wifi_forward 1 -j zone_vpn_ACCEPT