[OpenWrt-Devel] [PATCH firewall] zones : Redirect incoming WAN traffic only when the destination IP address matches the IP masquerading address

Alin Năstac alin.nastac at gmail.com
Mon Oct 5 03:52:55 EDT 2015


Here is the original description I gave to my patch (see
http://patchwork.ozlabs.org/patch/516167/):

Basically it prevents zone_wan_prerouting rules to affect traffic towards
IP addresses that are not used
for masquerading LAN private IP space and it does that by setting
destination IP address of the
delegate_prerouting rules for zone with masq enabled to whatever
address(es) that particular network
interface has.

The typical scenario this patch fixes involves 2 LAN network prefixes:
  - the usual 192.168.1.0/24 which is masqueraded by the public IP address
configured on the WAN interface
  - a public IP network prefix for those LAN devices that are supposed to
be excluded from NAT
Without this patch, port forwarding rules introduced for 192.168.1.x LAN
devices will also affect traffic
towards the 2nd prefix.


On Thu, Oct 1, 2015 at 10:05 PM, Jo-Philipp Wich <jow at openwrt.org> wrote:

> Hi,
>
> wouldn't this break port forwards to hosts not being within the range of
> the on-link lan subnet?
>
> I also read the patch description three times and still am not sure what
> that change attempts to achive.
>
> Can you further explain the problem please and provide a before/after
> "fw3 print" diff so that I better understand your proposed solution?
>
> ~ Jow
>
>
> Am 01.10.2015 um 18:38 schrieb Hans Dedecker:
> > This patch fixes an issue when 2 LAN network prefixes are in use :
> >  - the usual 192.168.0.0/24 which is masqueraded by the public IP
> address on the
> >    WAN interface
> >  - a public IP network prefix for those LAN devices that are excluded
> from NAT
> >
> > Port forwarding rules introduced for 192.168.1.x devices will currently
> also
> > translate traffic addressed to the public network addresses in use on
> the LAN
> > as the destination address in the delegate prerouting rule(s) is unset.
> > The patch sets the destination IP address(es) in the delegate prerouting
> rules
> > equal to the IP address(es) that particular network interface has as
> extra descriminator
> >
> > Signed-off-by: Hans Dedecker <dedeckeh at gmail.com>
> > Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
> > ---
> >  zones.c | 36 ++++++++++++++++++++++++++++++++----
> >  1 file changed, 32 insertions(+), 4 deletions(-)
> >
> > diff --git a/zones.c b/zones.c
> > index 2ddd7b4..8bd6673 100644
> > --- a/zones.c
> > +++ b/zones.c
> > @@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle
> *handle, struct fw3_state *state,
> >       {
> >               if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
> >               {
> > -                     r = fw3_ipt_rule_create(handle, NULL, dev, NULL,
> sub, NULL);
> > -                     fw3_ipt_rule_target(r, "zone_%s_prerouting",
> zone->name);
> > -                     fw3_ipt_rule_extra(r, zone->extra_src);
> > -                     fw3_ipt_rule_replace(r, "delegate_prerouting");
> > +                     struct list_head *addrs;
> > +                     struct fw3_address *addr;
> > +
> > +                     addrs = zone->masq ? calloc(1, sizeof(*addrs)) :
> NULL;
> > +                     if (addrs)
> > +                     {
> > +                             /* redirect only the traffic towards a
> locally configured address */
> > +                             INIT_LIST_HEAD(addrs);
> > +                             fw3_ubus_address(addrs, dev->network);
> > +
> > +                             list_for_each_entry(addr, addrs, list)
> > +                             {
> > +                                     if (!fw3_is_family(addr,
> handle->family))
> > +                                             continue;
> > +                                     /* reset mask to its maximum value
> */
> > +                                     memset(&addr->mask.v6, 0xFF,
> sizeof(addr->mask.v6));
> > +
> > +                                     r = fw3_ipt_rule_create(handle,
> NULL, dev, NULL, sub, addr);
> > +                                     fw3_ipt_rule_target(r,
> "zone_%s_prerouting", zone->name);
> > +                                     fw3_ipt_rule_extra(r,
> zone->extra_src);
> > +                                     fw3_ipt_rule_replace(r,
> "delegate_prerouting");
> > +                             }
> > +
> > +                             fw3_free_list(addrs);
> > +                     }
> > +                     else
> > +                     {
> > +                             r = fw3_ipt_rule_create(handle, NULL, dev,
> NULL, sub, NULL);
> > +                             fw3_ipt_rule_target(r,
> "zone_%s_prerouting", zone->name);
> > +                             fw3_ipt_rule_extra(r, zone->extra_src);
> > +                             fw3_ipt_rule_replace(r,
> "delegate_prerouting");
> > +                     }
> >               }
> >
> >               if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20151005/0f8a2a2e/attachment.htm>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel


More information about the openwrt-devel mailing list