This patch fixes an issue when two LAN network prefixes are in use:
- the usual 192.168.0.0/24, which is masqueraded by the public IP address on the WAN interface
- a public IP network prefix for those LAN devices that are excluded from NAT
Port forwarding rules introduced for 192.168.1.x devices will currently also translate traffic addressed to the public network addresses in use on the LAN as the destination address in the delegate prerouting rule(s) is unset. The patch sets the destination IP address(es) in the delegate prerouting rules equal to the IP address(es) that particular network interface has as extra descriminator
Signed-off-by: Hans Dedecker <dedec...@gmail.com>
Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 zones.c | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/zones.c b/zones.c
index 2ddd7b4..8bd6673 100644
--- a/zones.c
+++ b/zones.c
@@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 {
 if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
 {
- r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
- fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
- fw3_ipt_rule_extra(r, zone->extra_src);
- fw3_ipt_rule_replace(r, "delegate_prerouting");
+ struct list_head *addrs;
+ struct fw3_address *addr;
+
+ addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;
+ if (addrs)
+ {
+ /* redirect only the traffic towards a locally configured address */
+ INIT_LIST_HEAD(addrs);
+ fw3_ubus_address(addrs, dev->network);
+
+ list_for_each_entry(addr, addrs, list)
+ {
+ if (!fw3_is_family(addr, handle->family))
+ continue;
+ /* reset mask to its maximum value */
+ memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6));
+
+ r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr);
+ fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
+ fw3_ipt_rule_extra(r, zone->extra_src);
+ fw3_ipt_rule_replace(r, "delegate_prerouting");
+ }
+
+ fw3_free_list(addrs);
+ }
+ else
+ {
+ r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
+ fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
+ fw3_ipt_rule_extra(r, zone->extra_src);
+ fw3_ipt_rule_replace(r, "delegate_prerouting");
+ }
 }
 if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
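Review bot: In the new `addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;` / `if (addrs)` pair, a failed calloc is indistinguishable from "masquerading is off": on allocation failure control falls into the `else` branch and installs the same unrestricted delegate_prerouting jump this patch is removing, so the overly broad DNAT match silently returns under memory pressure. I would test `zone->masq` explicitly and treat a NULL from calloc as an error rather than as the non-masq case, e.g. `if (zone->masq && !(addrs = calloc(1, sizeof(*addrs)))) { /* out of memory: do not fall back to the unrestricted rule */ return; }` (or whatever allocation-failure helper the rest of firewall3 uses), with a comment on the `else` branch stating it is only the non-masq path. Related, when masq is on but `fw3_ubus_address()` yields no address of `handle->family` (or `dev->network` is unset for a bare device, if that helper tolerates NULL), the loop emits no prerouting rule at all, so DNAT is silently disabled for that zone and family; a one-line comment confirming this is intended, or a warning, would help the next reader. The four `fw3_ipt_rule_create`/`_target`/`_extra`/`_replace` lines now appear twice and could move into a small static helper taking the destination address. `print_interface_rule` starts and ends outside this hunk.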