[OpenWrt-Devel] [PATCH firewall] zones : Redirect incoming WAN traffic only when the destination IP address matches the IP masquerading address

Hans Dedecker dedeckeh at gmail.com
Thu Oct 1 12:38:32 EDT 2015


This patch fixes an issue when 2 LAN network prefixes are in use:
 - the usual 192.168.0.0/24 which is masqueraded by the public IP address on the
   WAN interface
 - a public IP network prefix for those LAN devices that are excluded from NAT

Port forwarding rules introduced for 192.168.1.x devices will currently also
translate traffic addressed to the public network addresses in use on the LAN,
as the destination address in the delegate prerouting rule(s) is unset.
The patch sets the destination IP address(es) in the delegate prerouting rules
equal to the IP address(es) that particular network interface has, as an extra discriminator.

Signed-off-by: Hans Dedecker <dedeckeh at gmail.com>
Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
---
 zones.c | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/zones.c b/zones.c
index 2ddd7b4..8bd6673 100644
--- a/zones.c
+++ b/zones.c
@@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 	{
 		if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
 		{
-			r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
-			fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
-			fw3_ipt_rule_extra(r, zone->extra_src);
-			fw3_ipt_rule_replace(r, "delegate_prerouting");
+			struct list_head *addrs;
+			struct fw3_address *addr;
+
+			addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;
+			if (addrs)
+			{
+				/* redirect only the traffic towards a locally configured address */
+				INIT_LIST_HEAD(addrs);
+				fw3_ubus_address(addrs, dev->network);
+
+				list_for_each_entry(addr, addrs, list)
+				{
+					if (!fw3_is_family(addr, handle->family))
+						continue;
+					/* reset mask to its maximum value */
+					memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6));
+
+					r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr);
+					fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
+					fw3_ipt_rule_extra(r, zone->extra_src);
+					fw3_ipt_rule_replace(r, "delegate_prerouting");
+				}
+
+				fw3_free_list(addrs);
+			}
+			else
+			{
+				r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
+				fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
+				fw3_ipt_rule_extra(r, zone->extra_src);
+				fw3_ipt_rule_replace(r, "delegate_prerouting");
+			}
 		}
 
 		if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
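Review bot: the masquerading branch can end up installing no delegate_prerouting rule at all for a family. The loop only creates a rule for addresses where `fw3_is_family(addr, handle->family)` holds, so if `fw3_ubus_address(addrs, dev->network)` returns no address of the handle's family (for example an IPv6 pass where the interface only carries an IPv4 address, or an interface whose address is not yet assigned), the `list_for_each_entry` body never runs and the DNAT redirect for that family silently disappears on that interface, whereas the previous code always installed one. Consider either falling back to the unrestricted rule when no matching address was found, or documenting that behaviour change. Two smaller points in the same region: a failed `calloc` silently degrades to the old unrestricted rule via the else branch, which is a reasonable fallback but worth a comment; and the three-line rule creation block (`fw3_ipt_rule_create` / `fw3_ipt_rule_target` / `fw3_ipt_rule_extra` / `fw3_ipt_rule_replace`) is now duplicated verbatim in both branches and could be factored into a small helper taking the optional destination address. Finally, since the destination addresses are read at rule generation time, the rules are only as current as the last firewall reload; that is fine if interface address changes already trigger a reload, but it should be confirmed rather than assumed.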
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel