(Resend of a previous patch affected by gmail's editor line wrapping)

This is a git patch for the firewall3 git repo at git://nbd.name/firewall3.git.

Basically it prevents zone_wan_prerouting rules from affecting traffic towards IP
addresses that are not used for masquerading the LAN private IP space. It does that
by setting the destination IP address of the delegate_prerouting rules, for zones
with masq enabled, to whatever address(es) that particular network interface has.

The typical scenario this patch fixes involves 2 LAN network prefixes:
  - the usual 192.168.1.0/24 which is masqueraded by the public IP address 
configured on the WAN interface
  - a public IP network prefix for those LAN devices that are supposed to be 
excluded from NAT
Without this patch, port forwarding rules introduced for 192.168.1.x LAN 
devices will also affect traffic
towards the 2nd prefix.

From 56820e2e3e09f68e4f9a74e6aff832fbcf2c5729 Mon Sep 17 00:00:00 2001
From: Alin Nastac<alin.nas...@gmail.com>
Date: Fri, 4 Sep 2015 13:54:10 +0200
Subject: [PATCH] Redirect incoming WAN traffic only when
 destination IP address matches the IP address configured on the incoming 
interface

---
 zones.c | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/zones.c b/zones.c
index 2ddd7b4..8bd6673 100644
--- a/zones.c
+++ b/zones.c
@@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, 
struct fw3_state *state,
        {
                if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
                {
-                       r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, 
NULL);
-                       fw3_ipt_rule_target(r, "zone_%s_prerouting", 
zone->name);
-                       fw3_ipt_rule_extra(r, zone->extra_src);
-                       fw3_ipt_rule_replace(r, "delegate_prerouting");
+                       struct list_head *addrs;
+                       struct fw3_address *addr;
+
+                       addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;
+                       if (addrs)
+                       {
+                               /* redirect only the traffic towards a locally 
configured address */
+                               INIT_LIST_HEAD(addrs);
+                               fw3_ubus_address(addrs, dev->network);
+
+                               list_for_each_entry(addr, addrs, list)
+                               {
+                                       if (!fw3_is_family(addr, 
handle->family))
+                                               continue;
+                                       /* reset mask to its maximum value */
+                                       memset(&addr->mask.v6, 0xFF, 
sizeof(addr->mask.v6));
+
+                                       r = fw3_ipt_rule_create(handle, NULL, 
dev, NULL, sub, addr);
+                                       fw3_ipt_rule_target(r, 
"zone_%s_prerouting", zone->name);
+                                       fw3_ipt_rule_extra(r, zone->extra_src);
+                                       fw3_ipt_rule_replace(r, 
"delegate_prerouting");
+                               }
+
+                               fw3_free_list(addrs);
+                       }
+                       else
+                       {
+                               r = fw3_ipt_rule_create(handle, NULL, dev, 
NULL, sub, NULL);
+                               fw3_ipt_rule_target(r, "zone_%s_prerouting", 
zone->name);
+                               fw3_ipt_rule_extra(r, zone->extra_src);
+                               fw3_ipt_rule_replace(r, "delegate_prerouting");
+                       }
                }

                if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
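Review bot: The `else` branch at the end of the hunk is reached both when `zone->masq` is unset and when `calloc()` fails, so an allocation failure silently reinstates the unrestricted `delegate_prerouting` redirect this patch is meant to remove for masquerading zones; I would separate the two cases, e.g. `if (zone->masq && !addrs) { /* log the failure; do not fall back to the broad rule */ }`, before the existing `else`. Conversely, when masq is on but `fw3_ubus_address()` returns no address of `handle->family` (interface not yet configured, or a v4-only WAN seen by the IPv6 handle), the loop emits no rule at all and DNAT for that family is silently disabled; if that is intended, a comment such as `/* no local address of this family: nothing to redirect to */` above the loop would make it explicit, and if a later ifup reload is relied on to repair it, say so. The `memset` of `addr->mask.v6` presumably also resets the v4 mask through the union — a one-line comment confirming that would help the next reader. `print_interface_rule` begins before and continues after the hunk.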
--
1.7.12.4