[package] firewall:

- simplify masquerade rule setup - remove various subshell invocations - speedup fw() by not relying on xargs and pipes - rework SNAT support - attach to dest zone, use src_dip/src_dport as snat source git-svn-id: svn://svn.openwrt.org/openwrt/trunk@23024 3c298f89-4303-0410-b956-a3cf2f4a3e73
2025-04-21 12:27:27 +03:00 · 2010-09-11 20:04:34 +00:00
parent 7b3bd12cf8
commit c653713313
7 changed files with 114 additions and 94 deletions
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@@ -212,9 +212,6 @@ fw_load_zone() {

 	fw add $mode r ${chain}_notrack

-	[ $zone_masq == 1 ] && \
-		fw add $mode n POSTROUTING ${chain}_nat $
-
 	[ $zone_mtu_fix == 1 ] && \
 		fw add $mode f FORWARD ${chain}_MSSFIX ^

@@ -243,6 +240,18 @@ fw_load_zone() {
 		done
 	}

+	# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
+	if [ "$zone_masq" == 1 ]; then
+		local msrc mdst
+		for msrc in ${zone_masq_src:-0.0.0.0/0}; do
+			[ "${msrc#!}" != "$msrc" ] && msrc="! -s ${msrc#!}" || msrc="-s $msrc"
+			for mdst in ${zone_masq_dest:-0.0.0.0/0}; do
+				[ "${mdst#!}" != "$mdst" ] && mdst="! -d ${mdst#!}" || mdst="-d $mdst"
+				fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst }
+			done
+		done
+	fi
+
 	fw_callback post zone
 }