#!/bin/sh . /etc/functions.sh if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then local wanip=$(uci -P/var/state get network.wan.ipaddr) iptables -t nat -F nat_reflection_in 2>/dev/null || { iptables -t nat -N nat_reflection_in iptables -t nat -A prerouting_rule -j nat_reflection_in } iptables -t nat -F nat_reflection_out 2>/dev/null || { iptables -t nat -N nat_reflection_out iptables -t nat -A postrouting_rule -j nat_reflection_out } iptables -t filter -F nat_reflection_fwd 2>/dev/null || { iptables -t filter -N nat_reflection_fwd iptables -t filter -A forwarding_rule -j nat_reflection_fwd } find_networks() { find_networks_cb() { local cfg="$1" local zone="$2" local name config_get name "$cfg" name [ "$name" = "$zone" ] && { local network config_get network "$cfg" network echo ${network:-$zone} return 1 } } config_foreach find_networks_cb zone "$1" } setup_fwd() { local cfg="$1" local reflection config_get_bool reflection "$cfg" reflection 1 [ "$reflection" == 1 ] || return local src config_get src "$cfg" src local target config_get target "$cfg" target [ "$src" = wan ] && [ "${target:-DNAT}" = DNAT ] && { local dest config_get dest "$cfg" dest "lan" local net for net in $(find_networks "$dest"); do local lanip=$(uci -P/var/state get network.$net.ipaddr) local lanmk=$(uci -P/var/state get network.$net.netmask) local proto config_get proto "$cfg" proto local epmin epmax extport config_get extport "$cfg" src_dport [ -n "$extport" ] || return epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" [ "$epmin" != "$epmax" ] || epmax="" local ipmin ipmax intport config_get intport "$cfg" dest_port "$extport" ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" [ "$ipmin" != "$ipmax" ] || ipmax="" local exthost config_get exthost "$cfg" src_dip "$wanip" local inthost config_get inthost "$cfg" dest_ip [ -n "$inthost" ] || return [ "$proto" = tcpudp ] && proto="tcp udp" [ "${inthost#!}" = "$inthost" ] || return 0 [ "${exthost#!}" = "$exthost" ] || return 0 local p for p in ${proto:-tcp udp}; do case "$p" in tcp|udp) iptables -t nat -A nat_reflection_in \ -s $lanip/$lanmk -d $exthost \ -p $p --dport $epmin${epmax:+:$epmax} \ -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} iptables -t nat -A nat_reflection_out \ -s $lanip/$lanmk -d $inthost \ -p $p --dport $ipmin${ipmax:+:$ipmax} \ -j SNAT --to-source $lanip iptables -t filter -A nat_reflection_fwd \ -s $lanip/$lanmk -d $inthost \ -p $p --dport $ipmin${ipmax:+:$ipmax} \ -j ACCEPT ;; esac done done } } config_load firewall config_foreach setup_fwd redirect fi