authorJo-Philipp Wich2022-05-20 10:12:38 +0000
committerJo-Philipp Wich2022-05-20 10:12:38 +0000
commit628d7917ea03a24de43a35fd90894cf8d5d62dc0 (patch)
tree5531ea144e1734fa463944a2b3618458d076240d
parentd00529356b58fbf6f754e85dcc34ed53ab5d3387 (diff)
downloadfirewall4-628d7917ea03a24de43a35fd90894cf8d5d62dc0.tar.gz
hotplug: reliably handle interfaces with ubus zone hints
So far, the firewall hotplug did not initiate a reload for interfaces which are not covered in the firewall configuration but provide a zone hint in their ubus data section. Extend the hotplug script to handle this case: if the direct zone lookup fails, check whether a zone hint is present and whether the requested zone exists in the configuration. Fixes: #9611 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--root/etc/hotplug.d/iface/20-firewall8
1 files changed, 7 insertions, 1 deletions
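--- a/root/etc/hotplug.d/iface/20-firewall
+++ b/root/etc/hotplug.d/iface/20-firewall
@@ -1,11 +1,17 @@
 #!/bin/sh
+has_zone() {
+ fw4 -q network "$INTERFACE" >/dev/null && return 0
+ eval $(ubus call "network.interface.$INTERFACE" status | jsonfilter -e 'ZONE=@.data.zone')
+ fw4 -q zone "$ZONE" >/dev/null
+}
+
 [ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
 [ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
 /etc/init.d/firewall enabled || exit 0
-fw4 -q network "$INTERFACE" >/dev/null || exit 0
+has_zone || exit 0
 logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)"
 fw4 -q reload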
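Review bot: The `eval $(ubus call … | jsonfilter -e 'ZONE=@.data.zone')` line in has_zone is not needed and leaves ZONE unset (or inheriting whatever the hotplug environment already held) when the interface carries no zone hint, so the fallback then runs `fw4 -q zone ""` instead of failing cleanly. jsonfilter's NAME=expr export form quotes its output for eval as far as I recall, which limits the injection risk, but the same lookup works without eval and with an explicit empty-hint guard: `zone=$(ubus call "network.interface.$INTERFACE" status | jsonfilter -e '@.data.zone')` followed by `[ -n "$zone" ] && fw4 -q zone "$zone" >/dev/null`. If eval is kept, at least quote the substitution, `eval "$(…)"`, and set `ZONE=` before it so a stale value cannot be reused. A short comment above the function, "Reload if the interface is referenced by a zone, or if its ubus data names an existing zone (hint)", would also document why the second lookup exists.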