Hi, wouldn't this break port forwards to hosts not being within the range of the on-link lan subnet?
I also read the patch description three times and still am not sure what that change attempts to achieve. Can you further explain the problem please and provide a before/after "fw3 print" diff so that I better understand your proposed solution?

~ Jow

On 01.10.2015 at 18:38, Hans Dedecker wrote:
> This patch fixes an issue when 2 LAN network prefixes are in use:
> - the usual 192.168.0.0/24 which is masqueraded by the public IP address on the WAN interface
> - a public IP network prefix for those LAN devices that are excluded from NAT
>
> Port forwarding rules introduced for 192.168.1.x devices will currently also
> translate traffic addressed to the public network addresses in use on the LAN
> as the destination address in the delegate prerouting rule(s) is unset.
> The patch sets the destination IP address(es) in the delegate prerouting rules
> equal to the IP address(es) that particular network interface has as extra
> discriminator
>
> Signed-off-by: Hans Dedecker <dedec...@gmail.com>
> Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
> --- > zones.c | 36 ++++++++++++++++++++++++++++++++---- > 1 file changed, 32 insertions(+), 4 deletions(-) > > diff --git a/zones.c b/zones.c > index 2ddd7b4..8bd6673 100644 > --- a/zones.c > +++ b/zones.c 
> @@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, > struct fw3_state *state, > { > if (has(zone->flags, handle->family, FW3_FLAG_DNAT)) > { > - r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, > NULL); > - fw3_ipt_rule_target(r, "zone_%s_prerouting", > zone->name); > - fw3_ipt_rule_extra(r, zone->extra_src); > - fw3_ipt_rule_replace(r, "delegate_prerouting"); > + struct list_head *addrs; > + struct fw3_address *addr; > + > + addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL; > + if (addrs) > + { > + /* redirect only the traffic towards a locally > configured address */ > + INIT_LIST_HEAD(addrs); > + fw3_ubus_address(addrs, dev->network); > + > + list_for_each_entry(addr, addrs, list) > + { > + if (!fw3_is_family(addr, > handle->family)) > + continue; > + /* reset mask to its maximum value */ > + memset(&addr->mask.v6, 0xFF, > sizeof(addr->mask.v6)); > + > + r = fw3_ipt_rule_create(handle, NULL, > dev, NULL, sub, addr); > + fw3_ipt_rule_target(r, > "zone_%s_prerouting", zone->name); > + fw3_ipt_rule_extra(r, zone->extra_src); > + fw3_ipt_rule_replace(r, > "delegate_prerouting"); > + } > + > + fw3_free_list(addrs); > + } > + else > + { > + r = fw3_ipt_rule_create(handle, NULL, dev, > NULL, sub, NULL); > + fw3_ipt_rule_target(r, "zone_%s_prerouting", > zone->name); > + fw3_ipt_rule_extra(r, zone->extra_src); > + fw3_ipt_rule_replace(r, "delegate_prerouting"); > + } > } > > if (has(zone->flags, handle->family, FW3_FLAG_SNAT)) >
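Review bot: In the `zone->masq` branch, when `fw3_ubus_address(addrs, dev->network)` returns no address matching `handle->family` (for example because the interface has no address yet, or only addresses of the other family), the `list_for_each_entry` loop emits no `delegate_prerouting` rule at all, so traffic arriving on that device never reaches `zone_%s_prerouting`; track whether the loop created a rule and fall back to the unrestricted rule, or document that dropping the jump is intended. The test `addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL; if (addrs)` also treats an allocation failure exactly like a non-masqueraded zone and silently installs the unrestricted rule, which is the behaviour the patch is meant to remove; check `zone->masq` and the `calloc` result separately and report the failure. The `memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6))` is applied to IPv4 entries as well, so either set the mask per family or extend the comment to say why writing the v6 member is safe for both. The four rule-building lines are now duplicated in both branches and could move into a small helper that takes the optional `addr`.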