From cb07f325835f81f786f4e50813e9345afe22724a Mon Sep 17 00:00:00 2001 From: Vincent Li Date: Sat, 12 Apr 2025 15:42:44 -0700 Subject: [PATCH] firewall: add firewall bridge IP for UI access when firewall switched to bridge mode, we want to have WebUI access to manage the firewall, allow user setup IP address on the firewall bridge interface through the UI. Signed-off-by: Vincent Li --- config/cfgroot/optionsfw-settings | 2 ++ html/cgi-bin/optionsfw.cgi | 18 ++++++++++++++++++ langs/en/cgi-bin/en.pl | 2 ++ src/initscripts/system/firewall | 2 ++ 4 files changed, 24 insertions(+) diff --git a/config/cfgroot/optionsfw-settings b/config/cfgroot/optionsfw-settings index 418dd58d3..a22eaeda6 100644 --- a/config/cfgroot/optionsfw-settings +++ b/config/cfgroot/optionsfw-settings @@ -1,4 +1,6 @@ FWBRIDGEMODE=off +FWBRIDGEIP=0.0.0.0 +FWBRIDGEMASK=0.0.0.0 BRIDGENETFILTER=off DROPNEWNOTSYN=on DROPINPUT=on diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 13cd182c7..36e592929 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -82,6 +82,12 @@ if ($errormessage) { if (!$settings{'FWBRIDGEMODE'}) { $settings{'FWBRIDGEMODE'} = 'off'; } +if (!$settings{'FWBRIDGEIP'}) { + $settings{'FWBRIDGEIP'} = '0.0.0.0'; +} +if (!$settings{'FWBRIDGEMASK'}) { + $settings{'FWBRIDGEMASK'} = '0.0.0.0'; +} if (!$settings{'MASQUERADE_GREEN'}) { $settings{'MASQUERADE_GREEN'} = 'on'; } @@ -195,6 +201,18 @@ print < + + $Lang::tr{'fw bridge ip'} + + + + + + $Lang::tr{'fw bridge mask'} + + + +
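Review bot: Neither optionsfw.cgi hunk validates FWBRIDGEIP or FWBRIDGEMASK; the first only fills in `0.0.0.0` when the value is empty, and the second adds the two form fields. The firewall initscript hunk in this same patch then expands both values unquoted in `ip a add $FWBRIDGEIP/$FWBRIDGEMASK dev $FWBRIDGE`, which runs as part of firewall setup. The save handler is outside these hunks, so a check may already exist there. If it does not, the POST path should reject anything that is not a dotted-quad address and netmask before the settings file is written, for example by setting `$errormessage` unless `&General::validip($settings{'FWBRIDGEIP'})` and `&General::validmask($settings{'FWBRIDGEMASK'})` both pass (assuming this tree carries those helpers). The form markup in the second hunk was lost in this rendering, so how the stored values are echoed back into the inputs cannot be reviewed here.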
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 5d67c808d..c932c7414 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1164,6 +1164,8 @@ 'from warn email bad' => 'From e-mail address is not valid', 'fw mode' => 'Firewall Mode', 'fw bridge mode' => 'Firewall Bridge Mode', +'fw bridge ip' => 'Firewall Bridge IP', +'fw bridge mask' => 'Firewall Bridge Netmask', 'fw bridge mode disabled' => 'disabled', 'fw bridge mode enabled' => 'enabled', 'fw blue' => 'Firewall options for BLUE interface', diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 7832501e1..faa19e492 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -456,6 +456,8 @@ iptables_init() { ip link set $RED_DEV master $FWBRIDGE ip link set $GREEN_DEV master $FWBRIDGE ip link set $FWBRIDGE up + ip a add $FWBRIDGEIP/$FWBRIDGEMASK dev $FWBRIDGE + iptables -t filter -A GUIINPUT -i $FWBRIDGE -p tcp -m tcp --dport 444 -j ACCEPT fi }
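Review bot: The added `iptables -t filter -A GUIINPUT -i $FWBRIDGE ... --dport 444 -j ACCEPT` has no source restriction, and `$RED_DEV` is enslaved to that bridge a few lines earlier, so the management UI appears to become reachable from the RED segment as well as GREEN. Limiting it with `-s` to a management subnet, or documenting why any bridged host may connect, would make the exposure explicit. The `ip a add` line also runs with the shipped default `0.0.0.0/0.0.0.0` and with unquoted variables. A guard such as `[ "$FWBRIDGEIP" != "0.0.0.0" ] && ip addr add "$FWBRIDGEIP/$FWBRIDGEMASK" dev "$FWBRIDGE"` avoids assigning a wildcard address and stops a malformed setting from being word-split, and the ACCEPT rule should sit behind the same condition. The enclosing `if` and the start of `iptables_init` are outside the hunk, so it is not visible whether GUIINPUT is flushed before this `-A` on a firewall restart.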