firewall.d: Check for unset IF_WAN

In some cases (mostly for one-port devices) IF_WAN was used
although not set, resulting in not obviously iptables error
messages like

- Bad argument `conntrack'

- Bad argument `REJECT'

Thus, check whether IF_WAN is set to something before using it.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reviewed-by: Robert Langhammer <rlanghammer@web.de>

src/packages/fff/fff-firewall/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-firewall
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
 

src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh

@@ -1,6 +1,8 @@
 # If an router has a direct internet connection simple attack act as DOS attack
-iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -i $IF_WAN -j REJECT
+if [ -n "$IF_WAN" ]; then
+	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+	iptables -A INPUT -i $IF_WAN -j REJECT
+fi
 
 # Limit ssh to 6 new connections per 60 seconds
 /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear

src/packages/fff/fff-gateway/Makefile

@@ -1,7 +1,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=fff-gateway
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
 

src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan

@@ -1,3 +1,5 @@
 # Ensure nothing is forwarded onto WAN interface
-iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
-ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+if [ -n "$IF_WAN" ]; then
+	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
+	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
+fi