[OpenWrt-Devel] [PATCH] zones: enforce forward policy with zone_NAME_src_POLICY
Yousong Zhou
yszhou4tech at gmail.com
Fri Dec 13 02:05:59 EST 2019
E.g. traffic entering zone_lan_forward must match "-i br-lan". That is,
forward policy of zone X applies to those traffics from zone X and to be
forwarded to other zones The iptables target for zone policy enforcement
should be zone_NAME_src_POLICY to match "-i br-lan", not
zone_NAME_dest_POLICY that matches "-o br-lan"
Fixes FS#2525
Signed-off-by: Yousong Zhou <yszhou4tech at gmail.com>
---
zones.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/zones.c b/zones.c
index 310583d..f268615 100644
--- a/zones.c
+++ b/zones.c
@@ -317,11 +317,11 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
resolve_cthelpers(state, e, zone);
fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_input));
- fw3_setbit(zone->flags[0], zone->policy_forward);
+ fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_forward));
fw3_setbit(zone->flags[0], zone->policy_output);
fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_input));
- fw3_setbit(zone->flags[1], zone->policy_forward);
+ fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_forward));
fw3_setbit(zone->flags[1], zone->policy_output);
list_add_tail(&zone->list, &state->zones);
@@ -659,7 +659,7 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name,
+ fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name,
fw3_flag_names[zone->policy_forward]);
fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list