Diffstat (limited to 'inventory/host_vars/ele-router.yml')
-rw-r--r--inventory/host_vars/ele-router.yml54
1 files changed, 28 insertions, 26 deletions
diff --git a/inventory/host_vars/ele-router.yml b/inventory/host_vars/ele-router.yml
index da10e73c..2d5cb1b3 100644
--- a/inventory/host_vars/ele-router.yml
+++ b/inventory/host_vars/ele-router.yml
@@ -148,43 +148,45 @@ openwrt_mixin:
/etc/htoprc:
file: "{{ global_files_dir }}/common/htoprc"
- ## TODO: this script needs to be activated ... probably using a symlink file?
+ /etc/rc.d/S22network-fw:
+ link: "../init.d/network-fw"
+
+ /etc/rc.d/K91network-fw:
+ link: "../init.d/network-fw"
+
/etc/init.d/network-fw:
mode: "0755"
content: |
#!/bin/sh /etc/rc.common
START=22
- STOP=90
+ STOP=91
- source /lib/functions/network.sh
-
- network_get_device WAN_IF "wan"
- network_get_device MGMT_IF "mgmt"
+ WAN_IF=$(uci get network.wan.ifname)
+ MGMT_IF=$(uci get network.mgmt.ifname)
+ MGMT_IPADDR=$(uci get network.mgmt.ipaddr)
+ MGMT_NETMASK=$(uci get network.mgmt.netmask)
start() {
+ iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
- iptables -A INPUT -i $MGMT_IF -j ACCEPT
- iptables -A INPUT -i $WAN_IF -p icmp -j ACCEPT
- iptables -A INPUT -i $WAN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A INPUT -i $WAN_IF -p tcp --dport 22000 -j ACCEPT
+ iptables -A INPUT -i "$MGMT_IF" -s "$MGMT_IPADDR/$MGMT_NETMASK" -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -p tcp --dport 22000 -j ACCEPT
+ iptables -A INPUT -i "$WAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -i lo -j ACCEPT
for zone in "{{ network_internal_zone_names | join('" "') }}"; do
- network_get_device interface "$zone"
- network_get_subnets subnets "$zone"
+ interface=$(uci get "network.$zone.ifname")
+ ipaddr=$(uci get "network.$zone.ipaddr")
+ netmask=$(uci get "network.$zone.netmask")
### todo: only do this if dhcp is defined in network_zone
- iptables -A INPUT -i $interface -p udp --dport 67 --sport 68 -j ACCEPT
- iptables -A INPUT -i $interface -p udp --dport 53 -j ACCEPT
- iptables -A INPUT -i $interface -p tcp --dport 53 -j ACCEPT
-
- iptables -A FORWARD -i $WAN_IF -o $interface -p icmp -j ACCEPT
- iptables -A FORWARD -i $WAN_IF -o $interface -m state --state RELATED,ESTABLISHED -j ACCEPT
- for subnet in $subnets; do
- iptables -A FORWARD -i $interface -o $WAN_IF -s $subnet -j ACCEPT
- iptables -t nat -A POSTROUTING -o $WAN_IF -s $subnet -j MASQUERADE
- done
+ iptables -A INPUT -i "$interface" -p udp --dport 67 --sport 68 -j ACCEPT
+ iptables -A INPUT -i "$interface" -p udp --dport 53 -j ACCEPT
+ iptables -A INPUT -i "$interface" -p tcp --dport 53 -j ACCEPT
+
+ iptables -A FORWARD -i "$interface" -o "$WAN_IF" -s "$ipaddr/$netmask" -j ACCEPT
+ iptables -A FORWARD -i "$WAN_IF" -o "$interface" -m state --state RELATED,ESTABLISHED -j ACCEPT
+ iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$ipaddr/$netmask" -j MASQUERADE
done
iptables -P INPUT DROP
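Review bot: The `uci get` results assigned to WAN_IF, MGMT_IF, MGMT_IPADDR and MGMT_NETMASK are never checked, so a missing or renamed option leaves the variable empty, the affected `iptables -A` call fails, nothing aborts start() (there is no `set -e`), and `iptables -P INPUT DROP` at the end of the hunk is still applied — with the management accept rule gone that is a lockout, and with a zone's rules gone it silently drops that zone's forwarding. Add a guard before the first rule, e.g. `[ -n "$WAN_IF" ] && [ -n "$MGMT_IF" ] && [ -n "$MGMT_IPADDR" ] && [ -n "$MGMT_NETMASK" ] || { echo "network-fw: incomplete uci config, not applying rules" >&2; return 1; }`, and the same check on `$interface`/`$ipaddr`/`$netmask` inside the zone loop. Two further caveats: the configured `ifname` is not the device packets arrive on if the wan interface uses a protocol that creates its own device (pppoe and similar), which is what the removed `network_get_device` call resolved, and the new unqualified `iptables -A INPUT -p icmp -j ACCEPT` now accepts ICMP from every interface rather than only WAN, which may be intended but is a widening worth a comment. This hunk is IPv4 only; if the router carries IPv6, the equivalent ip6tables policies are presumably set elsewhere — worth confirming, since nothing here restricts v6. start() continues past the end of the hunk.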
@@ -193,10 +195,10 @@ openwrt_mixin:
stop() {
iptables -P INPUT ACCEPT
- iptables INPUT -F
+ iptables -F INPUT
iptables -P FORWARD ACCEPT
- iptables FORWARD -F
- iptables -t nat POSTROUTING -F
+ iptables -F FORWARD
+ iptables -t nat -F POSTROUTING
}