1
0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2024-11-17 21:57:10 +02:00

firewall: extend nat reflection support

- use comment match to keep track of per-network rules
	- setup reflection for any interface which is part of a masqueraded zone, not just "wan"
	- delete per-network reflection rules if network is brought down

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@34472 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
jow 2012-12-04 15:24:21 +00:00
parent c4a99b6ef6
commit 8e0547608f
2 changed files with 106 additions and 69 deletions

View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=firewall PKG_NAME:=firewall
PKG_VERSION:=2 PKG_VERSION:=2
PKG_RELEASE:=53 PKG_RELEASE:=54
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk

View File

@ -3,34 +3,59 @@
. /lib/functions.sh . /lib/functions.sh
. /lib/functions/network.sh . /lib/functions/network.sh
if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then if [ "$ACTION" = "remove" ]; then
local wanip
network_get_ipaddr wanip wan || return
iptables -t nat -F nat_reflection_in 2>/dev/null || { delete_rules_by_comment() {
iptables -t nat -N nat_reflection_in local table="$1"
local chain="$2"
local comment="$3"
iptables -t "$table" --line-numbers -nL "$chain" 2>/dev/null | \
sed -e '
1d;
1! {
\#^[0-9]\+ .* /\* '"$comment"' \*/.*$# {
s/ .*$//;
G; h;
}
};
$!d;
' | xargs -n1 iptables -t "$table" -D "$chain" 2>/dev/null
}
delete_rules_by_comment nat nat_reflection_in "$INTERFACE"
delete_rules_by_comment nat nat_reflection_out "$INTERFACE"
delete_rules_by_comment filter nat_reflection_fwd "$INTERFACE"
elif [ "$ACTION" = "add" ]; then
prepare_chains() {
iptables -t nat -N nat_reflection_in 2>/dev/null && {
iptables -t nat -A prerouting_rule -j nat_reflection_in iptables -t nat -A prerouting_rule -j nat_reflection_in
} }
iptables -t nat -F nat_reflection_out 2>/dev/null || { iptables -t nat -N nat_reflection_out 2>/dev/null && {
iptables -t nat -N nat_reflection_out
iptables -t nat -A postrouting_rule -j nat_reflection_out iptables -t nat -A postrouting_rule -j nat_reflection_out
} }
iptables -t filter -F nat_reflection_fwd 2>/dev/null || { iptables -t filter -N nat_reflection_fwd 2>/dev/null && {
iptables -t filter -N nat_reflection_fwd
iptables -t filter -A forwarding_rule -j nat_reflection_fwd iptables -t filter -A forwarding_rule -j nat_reflection_fwd
} }
}
find_networks() { find_networks() {
find_networks_cb() { find_networks_cb() {
local cfg="$1" local cfg="$1"
local zone="$2" local zone="$2"
local need_masq="${3:-0}"
local name local name
config_get name "$cfg" name config_get name "$cfg" name
[ "$name" = "$zone" ] && { local masq
config_get_bool masq "$cfg" masq 0
[ "$name" = "$zone" ] && [ "$masq" -ge "$need_masq" ] && {
local network local network
config_get network "$cfg" network config_get network "$cfg" network
@ -51,19 +76,22 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
local src local src
config_get src "$cfg" src config_get src "$cfg" src
[ "$src" == "$ZONE" ] || return
local dest
config_get dest "$cfg" dest
[ "$dest" != "*" ] || return
local target local target
config_get target "$cfg" target DNAT config_get target "$cfg" target DNAT
[ "$target" = DNAT ] || return
[ "$src" = wan ] && [ "$target" = DNAT ] && { prepare_chains
local dest
config_get dest "$cfg" dest "lan"
[ "$dest" != "*" ] || return
local net local net
for net in $(find_networks "$dest"); do for net in $(find_networks "$dest" 0); do
local lannet local intnet
network_get_subnet lannet "$net" || return network_get_subnet intnet "$net" || continue
local proto local proto
config_get proto "$cfg" proto config_get proto "$cfg" proto
@ -82,7 +110,7 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
[ "${ipmin#!}" != "$ipmax" ] || ipmax="" [ "${ipmin#!}" != "$ipmax" ] || ipmax=""
local exthost local exthost
config_get exthost "$cfg" src_dip "$wanip" config_get exthost "$cfg" src_dip "$extip"
local inthost local inthost
config_get inthost "$cfg" dest_ip config_get inthost "$cfg" dest_ip
@ -107,26 +135,35 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
case "$p" in case "$p" in
tcp|udp|6|17) tcp|udp|6|17)
iptables -t nat -A nat_reflection_in \ iptables -t nat -A nat_reflection_in \
-s $lannet -d $exthost \ -s $intnet -d $exthost \
-p $p $extport \ -p $p $extport \
-m comment --comment "$INTERFACE" \
-j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}
iptables -t nat -A nat_reflection_out \ iptables -t nat -A nat_reflection_out \
-s $lannet -d $inthost \ -s $intnet -d $inthost \
-p $p $intport \ -p $p $intport \
-j SNAT --to-source ${lannet%%/*} -m comment --comment "$INTERFACE" \
-j SNAT --to-source ${intnet%%/*}
iptables -t filter -A nat_reflection_fwd \ iptables -t filter -A nat_reflection_fwd \
-s $lannet -d $inthost \ -s $intnet -d $inthost \
-p $p $intport \ -p $p $intport \
-m comment --comment "$INTERFACE" \
-j ACCEPT -j ACCEPT
;; ;;
esac esac
done done
done done
} }
}
config_load firewall config_load firewall
local is_masq_zone="$(find_networks "$ZONE" 1)"
[ -n "$is_masq_zone" ] || exit 0
local extip
network_get_ipaddr extip "$INTERFACE" || exit 0
config_foreach setup_fwd redirect config_foreach setup_fwd redirect
fi fi