From c4b18c8e96e2a41196610600735d3cda7fbc44a0 Mon Sep 17 00:00:00 2001
From: "Brian J. Murrell"
Date: Fri, 1 Mar 2019 06:27:44 -0500
Subject: [PATCH 1/2] Shorewall: start and enable interfaces all in hotplug
Using shorewall-lite {en|dis}able instead of completely restarting Shorewall is much more efficient. But it also makes sense to move the starting of Shorewall from init to an interface hotplug event. The "lan" interface should be a good indicator that networking it ready. Besides, Shorewall won't start until br-lan is available.
Signed-off-by: Brian J. Murrell
---
 net/shorewall-lite/files/hotplug_iface | 16 +++++++++++-----
 net/shorewall/files/hotplug_iface | 14 ++++++++++----
 net/shorewall6-lite/files/hotplug_iface | 16 +++++++++++-----
 net/shorewall6/files/hotplug_iface | 14 ++++++++++----
 4 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/net/shorewall-lite/files/hotplug_iface b/net/shorewall-lite/files/hotplug_iface
index 90ed80c8c..367cea6f4 100644
--- a/net/shorewall-lite/files/hotplug_iface
+++ b/net/shorewall-lite/files/hotplug_iface
@@ -1,13 +1,19 @@
 #!/bin/sh
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 case "$ACTION" in
 ifup)
- /etc/init.d/shorewall-lite restart
+ if [ "$INTERFACE" = "lan" ]; then
+ /usr/sbin/shorewall -l start
+ elif [ "${INTERFACE:0:3}" = "wan" ] &&
+ [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+ /etc/shorewall-lite/state/firewall enable "$DEVICE"
+ fi
 ;;
 ifdown)
- # might need to restore some routing
- /etc/init.d/shorewall-lite restart
+ if [ "${INTERFACE:0:3}" = "wan" ]; then
+ /etc/shorewall-lite/state/firewall disable "$DEVICE"
+ fi
 ;;
-esac
\ No newline at end of file
+esac
diff --git a/net/shorewall/files/hotplug_iface b/net/shorewall/files/hotplug_iface
index f787424c1..0071e4ff4 100644
--- a/net/shorewall/files/hotplug_iface
+++ b/net/shorewall/files/hotplug_iface
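Review bot: In net/shorewall-lite/files/hotplug_iface the `ifup` branch starts the firewall only when `$INTERFACE` is exactly `lan` and discards the exit status of `/usr/sbin/shorewall -l start`, so a start that fails or is never triggered leaves no trace. The commit message says startup moves from init to this hook; the init script is not part of this patch, but if it no longer starts Shorewall, a device whose LAN network has a different name would presumably come up with no ruleset loaded. At minimum record the failure, e.g. `/usr/sbin/shorewall -l start || logger -t shorewall-lite "start failed on $INTERFACE ifup"`, and add a comment saying that a network named `lan` is required. The `start` lines in the other three `hotplug_iface` hunks have the same gap.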
@@ -1,13 +1,19 @@
 #!/bin/sh
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 case "$ACTION" in
 ifup)
- /etc/init.d/shorewall restart
+ if [ "$INTERFACE" = "lan" ]; then
+ /usr/sbin/shorewall start
+ elif [ "${INTERFACE:0:3}" = "wan" ] &&
+ [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+ /etc/shorewall/state/firewall enable "$DEVICE"
+ fi
 ;;
 ifdown)
- # might need to restore some routing
- /etc/init.d/shorewall restart
+ if [ "${INTERFACE:0:3}" = "wan" ]; then
+ /etc/shorewall/state/firewall disable "$DEVICE"
+ fi
 ;;
 esac
diff --git a/net/shorewall6-lite/files/hotplug_iface b/net/shorewall6-lite/files/hotplug_iface
index bb8973b7b..410266aae 100644
--- a/net/shorewall6-lite/files/hotplug_iface
+++ b/net/shorewall6-lite/files/hotplug_iface
@@ -1,13 +1,19 @@
 #!/bin/sh
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 case "$ACTION" in
 ifup)
- /etc/init.d/shorewall6-lite restart
+ if [ "$INTERFACE" = "lan" ]; then
+ /usr/sbin/shorewall -6 -l start
+ elif [ "${INTERFACE:0:3}" = "wan" ] &&
+ [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+ /etc/shorewall6-lite/state/firewall enable "$DEVICE"
+ fi
 ;;
 ifdown)
- # might need to restore some routing
- /etc/init.d/shorewall6-lite restart
+ if [ "${INTERFACE:0:3}" = "wan" ]; then
+ /etc/shorewall6-lite/state/firewall disable "$DEVICE"
+ fi
 ;;
-esac
\ No newline at end of file
+esac
diff --git a/net/shorewall6/files/hotplug_iface b/net/shorewall6/files/hotplug_iface
index aaa03e8a9..bfe2bf7b1 100644
--- a/net/shorewall6/files/hotplug_iface
+++ b/net/shorewall6/files/hotplug_iface
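Review bot: In net/shorewall/files/hotplug_iface the `ifdown` branch matches every interface whose name starts with `wan`, while the `ifup` branch skips names ending in `_6`, so an `ifdown` for a `wan*_6` interface runs `firewall disable "$DEVICE"` and no later `ifup` for it runs the matching `enable`. If that interface shares its device with `wan`, which this patch does not show, the device would stay disabled in Shorewall while `wan` is still up. Repeating the suffix test keeps the two branches symmetric: `if [ "${INTERFACE:0:3}" = "wan" ] && [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then`. A `case "$INTERFACE" in` with `wan*_6)` and `wan*)` arms would express the same test without substring expansion, which `#!/bin/sh` does not guarantee. The shorewall-lite, shorewall6-lite and shorewall6 hunks have the same asymmetry.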
@@ -1,13 +1,19 @@
 #!/bin/sh
-# should restart shorewall when an interface comes up
+DEVICE=${DEVICE:-$(/sbin/uci -p /var/state get network."$INTERFACE".ifname)}
 case "$ACTION" in
 ifup)
- /etc/init.d/shorewall6 restart
+ if [ "$INTERFACE" = "lan" ]; then
+ /usr/sbin/shorewall -6 start
+ elif [ "${INTERFACE:0:3}" = "wan" ] &&
+ [ "${INTERFACE:$((${#INTERFACE}-2)):2}" != "_6" ]; then
+ /etc/shorewall6/state/firewall enable "$DEVICE"
+ fi
 ;;
 ifdown)
- # might need to restore some routing
- /etc/init.d/shorewall6 restart
+ if [ "${INTERFACE:0:3}" = "wan" ]; then
+ /etc/shorewall6/state/firewall disable "$DEVICE"
+ fi
 ;;
 esac
From 7646712f393210532e4de5d9ba10a66559284ba4 Mon Sep 17 00:00:00 2001
From: "Brian J. Murrell"
Date: Wed, 20 Mar 2019 12:04:16 -0400
Subject: [PATCH 2/2] shorewall: Update PKG_RELEASE
Signed-off-by: Brian J. Murrell
---
 net/shorewall-lite/Makefile | 2 +-
 net/shorewall/Makefile | 2 +-
 net/shorewall6-lite/Makefile | 2 +-
 net/shorewall6/Makefile | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/shorewall-lite/Makefile b/net/shorewall-lite/Makefile
index e75e2803f..d5b2c83f8 100644
--- a/net/shorewall-lite/Makefile
+++ b/net/shorewall-lite/Makefile
@@ -14,7 +14,7 @@ PKG_BUGFIX_MAJOR_VERSION:=3
 PKG_BUGFIX_MINOR_VERSION:=.1
 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION)
 PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \
 http://www1.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \
diff --git a/net/shorewall/Makefile b/net/shorewall/Makefile
index 51e2cb4f1..c4d90567a 100644
--- a/net/shorewall/Makefile
+++ b/net/shorewall/Makefile
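Review bot: `DEVICE` can be empty when the `wan` branches of net/shorewall6/files/hotplug_iface run: if the hotplug environment does not set it, the fallback `uci -p /var/state get network."$INTERFACE".ifname` may print nothing (for example when the state entry is absent or `$INTERFACE` is unset), and the script then calls `firewall enable ""` or `firewall disable ""`. Test it inside the two `wan` branches, e.g. `[ -n "$DEVICE" ] || exit 0` as their first line, so the `lan` start is unaffected. A one-line comment above the assignment explaining when the fallback is expected to be needed would also help the next reader. The other three `hotplug_iface` hunks use the same fallback.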
@@ -14,7 +14,7 @@ PKG_BUGFIX_MAJOR_VERSION:=3
 PKG_BUGFIX_MINOR_VERSION:=.1
 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION)
 PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \
 http://www1.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \
diff --git a/net/shorewall6-lite/Makefile b/net/shorewall6-lite/Makefile
index a95b969c8..bb2d2865e 100644
--- a/net/shorewall6-lite/Makefile
+++ b/net/shorewall6-lite/Makefile
@@ -14,7 +14,7 @@ PKG_BUGFIX_MAJOR_VERSION:=3
 PKG_BUGFIX_MINOR_VERSION:=.1
 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION)
 PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \
 http://www1.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \
diff --git a/net/shorewall6/Makefile b/net/shorewall6/Makefile
index 1b3fdd348..da6cbd57e 100644
--- a/net/shorewall6/Makefile
+++ b/net/shorewall6/Makefile
@@ -14,7 +14,7 @@ PKG_BUGFIX_MAJOR_VERSION:=3
 PKG_BUGFIX_MINOR_VERSION:=.1
 PKG_VERSION:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)$(PKG_BUGFIX_MINOR_VERSION)
 PKG_DIRECTORY:=$(PKG_MAJOR_MINOR_VERSION).$(PKG_BUGFIX_MAJOR_VERSION)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE_URL:=http://www.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \
 http://www1.shorewall.net/pub/shorewall/$(PKG_MAJOR_MINOR_VERSION)/shorewall-$(PKG_DIRECTORY)/ \