[OpenWrt-Devel] [PATCH] [package] firewall: Redirect incoming WAN traffic only when destination IP address matches the IP address used for masquerading

Alin Nastac alin.nastac at gmail.com
Thu Sep 10 04:22:31 EDT 2015


(Resend of a previous patch affected by gmail's editor line wrapping)

This is a git patch for the firewall3 git repo at git://nbd.name/firewall3.git.

Basically it prevents zone_wan_prerouting rules from affecting traffic towards IP addresses that are not used
for masquerading the LAN private IP space, and it does that by setting the destination IP address of the
delegate_prerouting rules for zones with masq enabled to whatever address(es) that particular network
interface has.

The typical scenario this patch fixes involves 2 LAN network prefixes:
   - the usual 192.168.1.0/24 which is masqueraded by the public IP address configured on the WAN interface
   - a public IP network prefix for those LAN devices that are supposed to be excluded from NAT
Without this patch, port forwarding rules introduced for 192.168.1.x LAN devices will also affect traffic
towards the 2nd prefix.

From 56820e2e3e09f68e4f9a74e6aff832fbcf2c5729 Mon Sep 17 00:00:00 2001
From: Alin Nastac <alin.nastac at gmail.com>
Date: Fri, 4 Sep 2015 13:54:10 +0200
Subject: [PATCH] Redirect incoming WAN traffic only when
  destination IP address matches the IP address configured on the incoming interface

---
  zones.c | 36 ++++++++++++++++++++++++++++++++----
  1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/zones.c b/zones.c
index 2ddd7b4..8bd6673 100644
--- a/zones.c
+++ b/zones.c
@@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
         {
                 if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
                 {
-                       r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
-                       fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
-                       fw3_ipt_rule_extra(r, zone->extra_src);
-                       fw3_ipt_rule_replace(r, "delegate_prerouting");
+                       struct list_head *addrs;
+                       struct fw3_address *addr;
+
+                       addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;
+                       if (addrs)
+                       {
+                               /* redirect only the traffic towards a locally configured address */
+                               INIT_LIST_HEAD(addrs);
+                               fw3_ubus_address(addrs, dev->network);
+
+                               list_for_each_entry(addr, addrs, list)
+                               {
+                                       if (!fw3_is_family(addr, handle->family))
+                                               continue;
+                                       /* reset mask to its maximum value */
+                                       memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6));
+
+                                       r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr);
+                                       fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
+                                       fw3_ipt_rule_extra(r, zone->extra_src);
+                                       fw3_ipt_rule_replace(r, "delegate_prerouting");
+                               }
+
+                               fw3_free_list(addrs);
+                       }
+                       else
+                       {
+                               r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
+                               fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
+                               fw3_ipt_rule_extra(r, zone->extra_src);
+                               fw3_ipt_rule_replace(r, "delegate_prerouting");
+                       }
                 }

                 if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
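Review bot: The masq branch installs no prerouting rule at all when fw3_ubus_address() returns no address of the handle's family (interface not yet up when the firewall is loaded, or a v4-only WAN while the v6 handle runs), so DNAT for that family silently stops working instead of degrading to the old unconstrained rule; consider counting the rules emitted in the list_for_each_entry loop and falling back to the `fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL)` form when the count is zero, or at least logging a warning. The four-line create/target/extra/replace sequence now appears twice (once with `addr`, once with `NULL`); a small static helper taking the address pointer would remove the duplication and keep the two paths from drifting. The `memset(&addr->mask.v6, 0xFF, ...)` relies on the v6 member of the mask union overlaying the v4 one; a short comment saying so would help the next reader. Finally, `addrs` is calloc'd here but only `fw3_free_list(addrs)` is called, so please confirm that helper also frees the list head itself, otherwise one allocation leaks per zone on every reload.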
--
1.7.12.4
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel