gluon-core, gluon-client-bridge: create local_client zone in core

As core defines basic rules for this zone, it makes sense to create it there.

gluon-core, gluon-client-bridge: create local_client zone in core
2b1ffb30 · Matthias Schiffer · 8ea5810b · 2b1ffb30 · 2b1ffb30
Unverified Commit 2b1ffb30 authored 7 years ago by Matthias Schiffer
--- a/package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network
+++ b/package/gluon-client-bridge/luasrc/lib/gluon/upgrade/300-gluon-client-bridge-network
@@ -51,14 +51,9 @@ uci:section('firewall', 'zone', 'drop', {
 	forward = 'DROP',
 })

-uci:section('firewall', 'zone', 'local_client', {
-	name = 'local_client',
-	network = {'local_node'},
-	input = 'REJECT',
-	output = 'ACCEPT',
-	forward = 'REJECT',
-})
-
+local networks = uci:get_list('firewall', 'local_client', 'network')
+util.add_to_set(networks, 'local_node')
+uci:set_list('firewall', 'local_client', 'network', networks)


 local dnsmasq = uci:get_first('dhcp', 'dnsmasq')

--- a/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules
+++ b/package/gluon-core/luasrc/lib/gluon/upgrade/140-firewall-rules
@@ -14,40 +14,16 @@ end

 uci:foreach('firewall', 'zone', reject_input_on_wan)

-- the client zone is set up by gluon-client-bridge
--
-uci:section('firewall', 'zone', 'mesh', {
-	name = 'mesh',
-	network = {},
-	input = 'REJECT',
-	output = 'ACCEPT',
-	forward = 'REJECT',
-})
-
-- allow inbound ssh from anywhere
-for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
-	uci:section('firewall', 'rule', zone .. '_ssh', {
-		name =  zone .. '_ssh',
-		src = zone,
-		dest_port = '22',
-		proto = 'tcp',
-		target = 'ACCEPT',
+for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
+	-- Other packages assign interfaces to these zones
+	uci:section('firewall', 'zone', zone, {
+		name = zone,
+		network = {},
+		input = 'REJECT',
+		output = 'ACCEPT',
+		forward = 'REJECT',
 	})
-end
-

-- allow icmp in/out on all relevant zones
-uci:section('firewall', 'rule',  'local_client_ICMPv4_in', {
-	src = 'local_client',
-	proto = 'icmp',
-	icmp_type = {
-		'echo-request',
-	},
-	family = 'ipv4',
-	target = 'ACCEPT',
-})
-
 	uci:section('firewall', 'rule',  zone .. '_ICMPv6_in', {
 		src = zone,
 		proto = 'icmp',
@@ -77,4 +53,27 @@ for _, zone in ipairs ({ 'mesh', 'local_client' } ) do
 	uci:delete('firewall', zone .. '_ICMPv6_out')
 end

+uci:section('firewall', 'rule',  'local_client_ICMPv4_in', {
+	src = 'local_client',
+	proto = 'icmp',
+	icmp_type = {
+		'echo-request',
+	},
+	family = 'ipv4',
+	target = 'ACCEPT',
+})
+
+
+-- allow inbound SSH from anywhere
+for _, zone in ipairs({ 'wan', 'local_client', 'mesh' }) do
+	uci:section('firewall', 'rule', zone .. '_ssh', {
+		name =  zone .. '_ssh',
+		src = zone,
+		dest_port = '22',
+		proto = 'tcp',
+		target = 'ACCEPT',
+	})
+end
+
+
 uci:save('firewall')