[OpenWrt-Devel] [PATCH firewall] zones : Redirect incoming WAN traffic only when the destination IP address matches the IP masquerading address
Jo-Philipp Wich
jow at openwrt.org
Thu Oct 1 16:05:54 EDT 2015
Hi,
wouldn't this break port forwards to hosts not being within the range of
the on-link lan subnet?
I also read the patch description three times and still am not sure what
that change attempts to achieve.
Can you further explain the problem please and provide a before/after
"fw3 print" diff so that I better understand your proposed solution?
~ Jow
Am 01.10.2015 um 18:38 schrieb Hans Dedecker:
> This patch fixes an issue when 2 LAN network prefixes are in use :
> - the usual 192.168.0.0/24 which is masqueraded by the public IP address on the
> WAN interface
> - a public IP network prefix for those LAN devices that are excluded from NAT
>
> Port forwarding rules introduced for 192.168.1.x devices will currently also
> translate traffic addressed to the public network addresses in use on the LAN
> as the destination address in the delegate prerouting rule(s) is unset.
> The patch sets the destination IP address(es) in the delegate prerouting rules
> equal to the IP address(es) that particular network interface has as extra discriminator.
>
> Signed-off-by: Hans Dedecker <dedeckeh at gmail.com>
> Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
> ---
> zones.c | 36 ++++++++++++++++++++++++++++++++----
> 1 file changed, 32 insertions(+), 4 deletions(-)
>
> diff --git a/zones.c b/zones.c
> index 2ddd7b4..8bd6673 100644
> --- a/zones.c
> +++ b/zones.c
> @@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
> {
> if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
> {
> - r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
> - fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
> - fw3_ipt_rule_extra(r, zone->extra_src);
> - fw3_ipt_rule_replace(r, "delegate_prerouting");
> + struct list_head *addrs;
> + struct fw3_address *addr;
> +
> + addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;
> + if (addrs)
> + {
> + /* redirect only the traffic towards a locally configured address */
> + INIT_LIST_HEAD(addrs);
> + fw3_ubus_address(addrs, dev->network);
> +
> + list_for_each_entry(addr, addrs, list)
> + {
> + if (!fw3_is_family(addr, handle->family))
> + continue;
> + /* reset mask to its maximum value */
> + memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6));
> +
> + r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr);
> + fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
> + fw3_ipt_rule_extra(r, zone->extra_src);
> + fw3_ipt_rule_replace(r, "delegate_prerouting");
> + }
> +
> + fw3_free_list(addrs);
> + }
> + else
> + {
> + r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
> + fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
> + fw3_ipt_rule_extra(r, zone->extra_src);
> + fw3_ipt_rule_replace(r, "delegate_prerouting");
> + }
> }
>
> if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
>
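Review bot: if fw3_ubus_address() returns no address of the handle's family for dev->network (for example the IPv6 pass over a network that only carries IPv4 addresses, or an interface that has not obtained an address yet when the firewall is loaded), the list_for_each_entry loop in the masq branch emits no delegate_prerouting rule at all, so DNAT for that zone is silently lost for that family; consider counting the rules emitted and falling back to the unrestricted `fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL)` form when none were. Two smaller points in the same hunk: the `else` branch is also reached when calloc() fails for a masq zone, which silently keeps the old unrestricted behaviour rather than reporting the allocation failure, so the NULL check should be separate from the `zone->masq` test; and `memset(&addr->mask.v6, 0xFF, ...)` only yields a /32 for IPv4 entries if `mask` is a union whose v6 member covers v4, which deserves a comment (or a per-family mask assignment) so the intent is obvious to the next reader. Finally, the four-line create/target/extra/replace sequence now appears twice; a small static helper taking the address pointer would remove the duplication.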