qi-hardware/openwrt-xburst
1
0
Fork 0
mirror of git://projects.qi-hardware.com/openwrt-xburst.git synced 2025-02-17 16:24:43 +02:00
Code

[backfire] firewall: backport SNAT support from trunk

Browse Source 
git-svn-id: svn://svn.openwrt.org/openwrt/branches/backfire@22939 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
jow 2010-09-05 20:37:44 +00:00
parent 45660167ee
commit b8178fe409
3 changed files with 26 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
package/firewall/Makefile
View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=firewall PKG_NAME:=firewall
PKG_VERSION:=1 PKG_VERSION:=1
PKG_RELEASE:=14 PKG_RELEASE:=15
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk

5
package/firewall/files/reflection.hotplug
View File

@ -41,7 +41,10 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
local src local src
config_get src "$cfg" src config_get src "$cfg" src
[ "$src" = wan ] && { local target
config_get target "$cfg" target
[ "$src" = wan ] && [ "${target:-DNAT}" = DNAT ] && {
local dest local dest
config_get dest "$cfg" dest "lan" config_get dest "$cfg" dest "lan"

25
package/firewall/files/uci_firewall.sh
View File

@ -372,6 +372,7 @@ fw_redirect() {
local dest_ip local dest_ip
local dest_port dest_port2 local dest_port dest_port2
local proto local proto
local target
config_get src $1 src config_get src $1 src
config_get src_ip $1 src_ip config_get src_ip $1 src_ip
@ -382,9 +383,25 @@ fw_redirect() {
config_get dest_ip $1 dest_ip config_get dest_ip $1 dest_ip
config_get dest_port $1 dest_port config_get dest_port $1 dest_port
config_get proto $1 proto config_get proto $1 proto
config_get target $1 target
[ -z "$src" -o -z "$dest_ip$dest_port" ] && { \ [ -z "$src" -o -z "$dest_ip$dest_port" ] && { \
echo "redirect needs src and dest_ip or dest_port"; return ; } echo "redirect needs src and dest_ip or dest_port"; return ; }
local chain destopt destaddr
if [ "${target:-DNAT}" == "DNAT" ]; then
chain="zone_${src}_prerouting"
destopt="--to-destination"
destaddr="$dest_ip"
elif [ "$target" == "SNAT" ]; then
chain="zone_${src}_nat"
destopt="--to-source"
destaddr="$src_dip"
else
echo "redirect target must be either DNAT or SNAT"
return
fi
find_item "$src" $CONNTRACK_ZONES || \ find_item "$src" $CONNTRACK_ZONES || \
append CONNTRACK_ZONES "$src" append CONNTRACK_ZONES "$src"
@ -405,19 +422,19 @@ fw_redirect() {
dest_port2="$dest_port_first:$dest_port_last"; } dest_port2="$dest_port_first:$dest_port_last"; }
add_rule() { add_rule() {
$IPTABLES -A zone_${src}_prerouting -t nat \ $IPTABLES -A $chain -t nat \
${proto:+-p $proto} \ ${proto:+-p $proto} \
${src_ip:+-s $src_ip} \ ${src_ip:+-s $src_ip} \
${src_dip:+-d $src_dip} \ ${src_dip:+-d $src_dip} \
${src_port:+--sport $src_port} \ ${src_port:+--sport $src_port} \
${src_dport:+--dport $src_dport} \ ${src_dport:+--dport $src_dport} \
${src_mac:+-m mac --mac-source $src_mac} \ ${src_mac:+-m mac --mac-source $src_mac} \
-j DNAT --to-destination $dest_ip${dest_port:+:$dest_port} -j ${target:-DNAT} $destopt $dest_ip${dest_port:+:$dest_port}
[ -n "$dest_ip" ] && \ [ -n "$destaddr" ] && \
$IPTABLES -I zone_${src}_forward 1 \ $IPTABLES -I zone_${src}_forward 1 \
${proto:+-p $proto} \ ${proto:+-p $proto} \
-d $dest_ip \ -d $destaddr \
${src_ip:+-s $src_ip} \ ${src_ip:+-s $src_ip} \
${src_port:+--sport $src_port} \ ${src_port:+--sport $src_port} \
${dest_port2:+--dport $dest_port2} \ ${dest_port2:+--dport $dest_port2} \