gluon-ebtables: use Lua instead of sh for the rule DSL to increase flexibility

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/100-mcast-chain

-chain MULTICAST_OUT DROP
+chain('MULTICAST_OUT', 'DROP')

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-arp

-rule MULTICAST_OUT -p ARP -j RETURN
+rule 'MULTICAST_OUT -p ARP -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-babel

-rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 6696 -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-btlpd

-rule MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN
+rule 'MULTICAST_OUT -p IPv4 --ip-destination 239.192.152.143 --ip-protocol udp --ip-destination-port 6771 -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv4

-rule MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN
+rule 'MULTICAST_OUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-dhcpv6

-rule MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmp

-rule MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN
+rule 'MULTICAST_OUT -p IPv4 --ip-protocol icmp -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-icmpv6

-rule MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ipv6-icmp -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-igmp

-rule MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN
+rule 'MULTICAST_OUT -p IPv4 --ip-protocol igmp -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/110-mcast-allow-ospf

-rule MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN
-rule MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN
+rule 'MULTICAST_OUT -p IPv4 --ip-protocol ospf -j RETURN'
+rule 'MULTICAST_OUT -p IPv6 --ip6-protocol ospf -j RETURN'

package/gluon-ebtables-filter-multicast/files/lib/gluon/ebtables/300-mcast

-rule FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT
-rule OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT
+rule 'FORWARD --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'
+rule 'OUTPUT --logical-out br-client -o bat0 -d Multicast -j MULTICAST_OUT'

package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv4

-rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
-rule OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY
+rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
+rule 'OUTPUT -p IPv4 --ip-protocol udp --ip-destination-port 67 -j OUT_ONLY'
 
-rule FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
-rule INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY
+rule 'FORWARD -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'
+rule 'INPUT -p IPv4 --ip-protocol udp --ip-destination-port 68 -j IN_ONLY'

package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-dhcpv6

-rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
-rule OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY
+rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY'
+rule 'OUTPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 546 -j OUT_ONLY'
 
-rule FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
-rule INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY
+rule 'FORWARD -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY'
+rule 'INPUT -p IPv6 --ip6-protocol udp --ip6-destination-port 547 -j IN_ONLY'

package/gluon-ebtables-filter-ra-dhcp/files/lib/gluon/ebtables/200-dir-radv

-rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
-rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY
+rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
+rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -j OUT_ONLY'
 
-rule FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
-rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY
+rule 'FORWARD -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'
+rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -j IN_ONLY'

package/gluon-ebtables/files/etc/init.d/gluon-ebtables

@@ -23,15 +23,14 @@ STOP=91
 exec_file() {
 	local file="$1"
 
-	sh -c "
-		eval 'rule() {
-			$EBTABLES_RULE
-		}'
-		eval 'chain() {
-			$EBTABLES_CHAIN
-		}'
-		source \"$1\"
-	" - "$file"
+	/usr/bin/lua -e "
+		function rule(command)
+			os.execute($EBTABLES_RULE)
+		end
+		function chain(name, policy)
+			os.execute($EBTABLES_CHAIN)
+		end
+	" "$file"
 }
 
 exec_all() {
@@ -49,8 +48,8 @@ exec_all() {
 
 start() {
 	(
-		export EBTABLES_RULE='ebtables -A "$@"'
-		export EBTABLES_CHAIN='ebtables -N "$1" -P "$2"'
+		export EBTABLES_RULE='"ebtables -A " .. command'
+		export EBTABLES_CHAIN='"ebtables -N " .. name .. " -P " .. policy'
 
 		if [ -z "$1" ]; then
 			exec_all ''
@@ -62,8 +61,8 @@ start() {
 
 stop() {
 	(
-		export EBTABLES_RULE='ebtables -D "$@"'
-		export EBTABLES_CHAIN='ebtables -X "$1"'
+		export EBTABLES_RULE='"ebtables -D " .. command'
+		export EBTABLES_CHAIN='"ebtables -X " .. name'
 
 		if [ -z "$1" ]; then
 			exec_all '-r'

package/gluon-ebtables/files/lib/gluon/ebtables/100-dir-chain

-chain IN_ONLY RETURN
-chain OUT_ONLY RETURN
+chain('IN_ONLY', 'RETURN')
+chain('OUT_ONLY', 'RETURN')

package/gluon-ebtables/files/lib/gluon/ebtables/101-dir-rules

-rule IN_ONLY --logical-in br-client -i ! bat0 -j DROP
-rule OUT_ONLY --logical-out br-client -o ! bat0 -j DROP
+rule 'IN_ONLY --logical-in br-client -i ! bat0 -j DROP'
+rule 'OUT_ONLY --logical-out br-client -o ! bat0 -j DROP'

package/gluon-next-node/generate/lib/gluon/ebtables/250-next-node

-rule FORWARD --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP
-rule OUTPUT --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP
-rule FORWARD --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP
-rule OUTPUT --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP
+rule 'FORWARD --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP'
+rule 'OUTPUT --logical-out br-client -o bat0 -d @next_node.mac@ -j DROP'
+rule 'FORWARD --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP'
+rule 'OUTPUT --logical-out br-client -o bat0 -s @next_node.mac@ -j DROP'
 
-rule FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP
-rule OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP
-rule FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP
-rule OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP
+rule 'FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP'
+rule 'OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-destination @next_node.ip4@ -j DROP'
+rule 'FORWARD --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP'
+rule 'OUTPUT --logical-out br-client -o bat0 -p IPv4 --ip-source @next_node.ip4@ -j DROP'
 
-rule FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP
-rule OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP
-rule FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP
-rule OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP
+rule 'FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP'
+rule 'OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-destination @next_node.ip6@ -j DROP'
+rule 'FORWARD --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP'
+rule 'OUTPUT --logical-out br-client -o bat0 -p IPv6 --ip6-source @next_node.ip6@ -j DROP'

package/gluon-radvd/files/lib/gluon/ebtables/300-radv-input-output

-rule INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -i bat0 -j DROP
-rule OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -o bat0 -j DROP
+rule 'INPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-solicitation -i bat0 -j DROP'
+rule 'OUTPUT -p IPv6 --ip6-protocol ipv6-icmp --ip6-icmp-type router-advertisement -o bat0 -j DROP'