mirror of
git://projects.qi-hardware.com/openwrt-xburst.git
synced 2024-11-23 22:34:04 +02:00
[backfire] firewall: backport SNAT support from trunk
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22939 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
jow
parent
45660167ee
commit
b8178fe409
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||
PKG_NAME:=firewall
|
||||
|
||||
PKG_VERSION:=1
|
||||
PKG_RELEASE:=14
|
||||
PKG_RELEASE:=15
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
|
||||
@ -41,7 +41,10 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
|
||||
local src
|
||||
config_get src "$cfg" src
|
||||
|
||||
[ "$src" = wan ] && {
|
||||
local target
|
||||
config_get target "$cfg" target
|
||||
|
||||
[ "$src" = wan ] && [ "${target:-DNAT}" = DNAT ] && {
|
||||
local dest
|
||||
config_get dest "$cfg" dest "lan"
|
||||
|
||||
|
||||
@ -372,6 +372,7 @@ fw_redirect() {
|
||||
local dest_ip
|
||||
local dest_port dest_port2
|
||||
local proto
|
||||
local target
|
||||
|
||||
config_get src $1 src
|
||||
config_get src_ip $1 src_ip
|
||||
@ -382,9 +383,25 @@ fw_redirect() {
|
||||
config_get dest_ip $1 dest_ip
|
||||
config_get dest_port $1 dest_port
|
||||
config_get proto $1 proto
|
||||
config_get target $1 target
|
||||
|
||||
[ -z "$src" -o -z "$dest_ip$dest_port" ] && { \
|
||||
echo "redirect needs src and dest_ip or dest_port"; return ; }
|
||||
|
||||
local chain destopt destaddr
|
||||
if [ "${target:-DNAT}" == "DNAT" ]; then
|
||||
chain="zone_${src}_prerouting"
|
||||
destopt="--to-destination"
|
||||
destaddr="$dest_ip"
|
||||
elif [ "$target" == "SNAT" ]; then
|
||||
chain="zone_${src}_nat"
|
||||
destopt="--to-source"
|
||||
destaddr="$src_dip"
|
||||
else
|
||||
echo "redirect target must be either DNAT or SNAT"
|
||||
return
|
||||
fi
|
||||
|
||||
find_item "$src" $CONNTRACK_ZONES || \
|
||||
append CONNTRACK_ZONES "$src"
|
||||
|
||||
@ -405,19 +422,19 @@ fw_redirect() {
|
||||
dest_port2="$dest_port_first:$dest_port_last"; }
|
||||
|
||||
add_rule() {
|
||||
$IPTABLES -A zone_${src}_prerouting -t nat \
|
||||
$IPTABLES -A $chain -t nat \
|
||||
${proto:+-p $proto} \
|
||||
${src_ip:+-s $src_ip} \
|
||||
${src_dip:+-d $src_dip} \
|
||||
${src_port:+--sport $src_port} \
|
||||
${src_dport:+--dport $src_dport} \
|
||||
${src_mac:+-m mac --mac-source $src_mac} \
|
||||
-j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
|
||||
-j ${target:-DNAT} $destopt $dest_ip${dest_port:+:$dest_port}
|
||||
|
||||
[ -n "$dest_ip" ] && \
|
||||
[ -n "$destaddr" ] && \
|
||||
$IPTABLES -I zone_${src}_forward 1 \
|
||||
${proto:+-p $proto} \
|
||||
-d $dest_ip \
|
||||
-d $destaddr \
|
||||
${src_ip:+-s $src_ip} \
|
||||
${src_port:+--sport $src_port} \
|
||||
${dest_port2:+--dport $dest_port2} \
|
||||
|
||||
Loading…
Reference in New Issue
Block a user