
[packages] firewall: fix nat reflection after netifd status format change

- use /lib/functions/network.sh
 - simplify nat reflection code

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@31936 3c298f89-4303-0410-b956-a3cf2f4a3e73
This commit is contained in:
jow 2012-05-28 03:15:05 +00:00
parent 41d413b29c
commit e1df4ecd68
2 changed files with 10 additions and 48 deletions


@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=firewall PKG_NAME:=firewall
PKG_VERSION:=2 PKG_VERSION:=2
PKG_RELEASE:=50 PKG_RELEASE:=51
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk


@ -1,48 +1,11 @@
#!/bin/sh #!/bin/sh
. /etc/functions.sh . /lib/functions.sh
. /usr/share/libubox/jshn.sh . /lib/functions/network.sh
find_iface_address()
{
local iface="$1"
local ipaddr="$2"
local prefix="$3"
local idx=1
local tmp="$(ubus call network.interface."$iface" status 2>/dev/null)"
json_load "${tmp:-{}}"
json_get_type tmp address
if [ "$tmp" = array ]; then
json_select address
while true; do
json_get_type tmp $idx
[ "$tmp" = object ] || break
json_select $((idx++))
json_get_var tmp address
case "$tmp" in
*:*) json_select .. ;;
*)
[ -n "$ipaddr" ] && json_get_var $ipaddr address
[ -n "$prefix" ] && json_get_var $prefix mask
return 0
;;
esac
done
fi
return 1
}
if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
local wanip local wanip
find_iface_address wan wanip network_get_ipaddr wanip wan || return
[ -n "$wanip" ] || return
iptables -t nat -F nat_reflection_in 2>/dev/null || { iptables -t nat -F nat_reflection_in 2>/dev/null || {
iptables -t nat -N nat_reflection_in iptables -t nat -N nat_reflection_in
@ -99,9 +62,8 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
local net local net
for net in $(find_networks "$dest"); do for net in $(find_networks "$dest"); do
local lanip lanmk local lannet
find_iface_address "$net" lanip lanmk network_get_subnet lannet "$net" || return
[ -n "$lanip" ] || return
local proto local proto
config_get proto "$cfg" proto config_get proto "$cfg" proto
@ -144,17 +106,17 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
case "$p" in case "$p" in
tcp|udp|6|17) tcp|udp|6|17)
iptables -t nat -A nat_reflection_in \ iptables -t nat -A nat_reflection_in \
-s $lanip/$lanmk -d $exthost \ -s $lannet -d $exthost \
-p $p $extport \ -p $p $extport \
-j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}
iptables -t nat -A nat_reflection_out \ iptables -t nat -A nat_reflection_out \
-s $lanip/$lanmk -d $inthost \ -s $lannet -d $inthost \
-p $p $intport \ -p $p $intport \
-j SNAT --to-source $lanip -j SNAT --to-source ${lannet%%/*}
iptables -t filter -A nat_reflection_fwd \ iptables -t filter -A nat_reflection_fwd \
-s $lanip/$lanmk -d $inthost \ -s $lannet -d $inthost \
-p $p $intport \ -p $p $intport \
-j ACCEPT -j ACCEPT
;; ;;
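Review bot: The explicit emptiness guards `[ -n "$wanip" ] || return` and `[ -n "$lanip" ] || return` are dropped in the first two hunks of this file, so the rewritten code relies entirely on the exit status of `network_get_ipaddr` and `network_get_subnet`. If either helper can exit 0 while leaving its output variable unset or empty (for example an interface that is up but carries no IPv4 address — not verifiable from this page), `$wanip` and `$lannet` are then expanded unquoted into the `iptables ... -s $lannet -d $exthost` and `--to-source ${lannet%%/*}` rules of the third hunk, producing an invocation with a missing argument rather than the previous clean early exit. Re-adding a one-line guard after each call, `[ -n "$lannet" ] || return` (and likewise for `wanip`), keeps the fail-closed behaviour at no cost. The enclosing `if [ "$ACTION" = "add" ] ...` block and the `for net` loop begin and end outside the later hunks.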