authorJo-Philipp Wich <jow@openwrt.org>2010-07-15 22:01:48 +0000
committerJo-Philipp Wich <jow@openwrt.org>2010-07-15 22:01:48 +0000
commitf8fa598bf461ccdbd0fc6ddb5a61561b9197fed9 (patch)
tree95d659c7a91a27f078c3377ced629ccfb13965ff
parent1ca67cba7f84855f06b41541c21ff6ab8eaf5246 (diff)
firewall: - notrack support was broken in multiple ways, fix it - also consider a zone conntracked if any redirect references it (#7196)
SVN-Revision: 22215
-rw-r--r--package/firewall/Makefile2
-rw-r--r--package/firewall/files/lib/core.sh2
-rw-r--r--package/firewall/files/lib/core_forwarding.sh8
-rw-r--r--package/firewall/files/lib/core_init.sh5
-rw-r--r--package/firewall/files/lib/core_redirect.sh3
5 files changed, 11 insertions, 9 deletions
diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index b81531bdf2..b1969d9abd 100644
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
PKG_VERSION:=2
-PKG_RELEASE:=6
+PKG_RELEASE:=7
include $(INCLUDE_DIR)/package.mk
diff --git a/package/firewall/files/lib/core.sh b/package/firewall/files/lib/core.sh
index 5880cd3acc..03a80c6f6c 100644
--- a/package/firewall/files/lib/core.sh
+++ b/package/firewall/files/lib/core.sh
@@ -39,7 +39,7 @@ fw_start() {
echo "Loading includes"
config_foreach fw_load_include include
- [ -n "$FW_NOTRACK_DISABLED" ] && {
+ [ -z "$FW_NOTRACK_DISABLED" ] && {
echo "Optimizing conntrack"
config_foreach fw_load_notrack_zone zone
}
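Review bot: The new test `[ -z "$FW_NOTRACK_DISABLED" ]` treats every non-empty value as "disabled", so a value of `0` would also switch the notrack pass off, and nothing in the hunk documents that. Where the variable is set is outside the hunk, so this may already be guaranteed there. The pass also depends on `FW_CONNTRACK_ZONES` being complete when it runs, because any zone missing from the list ends up untracked and stateful matches on its traffic stop working. I would put a comment above the test, for example `# run last: FW_CONNTRACK_ZONES must be final; any non-empty FW_NOTRACK_DISABLED skips this`. fw_start's body continues outside the hunk.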
diff --git a/package/firewall/files/lib/core_forwarding.sh b/package/firewall/files/lib/core_forwarding.sh
index 689e2628c2..b62e18a76e 100644
--- a/package/firewall/files/lib/core_forwarding.sh
+++ b/package/firewall/files/lib/core_forwarding.sh
@@ -32,11 +32,11 @@ fw_load_forwarding() {
fw add $mode f $chain $target ^
# propagate masq zone flag
- [ -n "$forwarding_src" ] && list_contains CONNTRACK_ZONES $forwarding_src && {
- append CONNTRACK_ZONES $forwarding_dest
+ [ -n "$forwarding_src" ] && list_contains FW_CONNTRACK_ZONES $forwarding_src && {
+ append FW_CONNTRACK_ZONES $forwarding_dest
}
- [ -n "$forwarding_dest" ] && list_contains CONNTRACK_ZONES $forwarding_dest && {
- append CONNTRACK_ZONES $forwarding_src
+ [ -n "$forwarding_dest" ] && list_contains FW_CONNTRACK_ZONES $forwarding_dest && {
+ append FW_CONNTRACK_ZONES $forwarding_src
}
fw_callback post forwarding
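Review bot: The propagation at the two `list_contains FW_CONNTRACK_ZONES` lines is a single pass, so the result depends on the order in which zones get flagged. A zone added to the list later, by a later forwarding or by the new code in core_redirect.sh if redirects load after forwardings, is not propagated to partners that were already processed. Such a partner could then still receive a NOTRACK rule, though the load order is not visible here, so this is worth confirming against fw_start. Both `append` calls are also unguarded and unquoted, unlike the redirect hunk, so the list collects duplicates. A guarded form would be `list_contains FW_CONNTRACK_ZONES "$forwarding_dest" || append FW_CONNTRACK_ZONES "$forwarding_dest"`, and the same for `$forwarding_src`. fw_load_forwarding starts and ends outside the hunk.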
diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh
index 92d117160f..a55ace17c1 100644
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@@ -228,13 +228,12 @@ fw_load_zone() {
}
fw_load_notrack_zone() {
- list_contains FW_CONNTRACK_ZONES "$1" && return
-
fw_config_get_zone "$1"
+ list_contains FW_CONNTRACK_ZONES "${zone_name}" && return
fw_callback pre notrack
- fw add i f zone_${zone_name}_notrack NOTRACK $
+ fw add i r zone_${zone_name}_notrack NOTRACK $
fw_callback post notrack
}
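Review bot: fw_load_notrack_zone has no comment recording why the lookup now comes after `fw_config_get_zone` or why the rule moved from `f` to `r`, and both are easy to regress. Presumably `$1` is the config section rather than the zone name, which would explain why the old check never matched. I would add `# $1 is the section id; resolve zone_name before consulting FW_CONNTRACK_ZONES` above the lookup. Above the `fw add` line I would add `# NOTRACK is only valid in the raw table`. The early `return` also skips both notrack callbacks for conntracked zones, which looks intended but is worth stating in the same comment.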
diff --git a/package/firewall/files/lib/core_redirect.sh b/package/firewall/files/lib/core_redirect.sh
index 87f584e37b..b51f79390a 100644
--- a/package/firewall/files/lib/core_redirect.sh
+++ b/package/firewall/files/lib/core_redirect.sh
@@ -30,6 +30,9 @@ fw_load_redirect() {
fw_die "redirect ${redirect_name}: needs src and dest_ip"
}
+ list_contains FW_CONNTRACK_ZONES $redirect_src || \
+ append FW_CONNTRACK_ZONES $redirect_src
+
local mode=$(fw_get_family_mode ${redirect_family:-x} $redirect_src I)
local nat_dest_port=$redirect_dest_port
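Review bot: Only `$redirect_src` is added to `FW_CONNTRACK_ZONES` on the new lines, and the zone on the destination side of the redirect is not considered. Replies from the redirected host arrive through that zone and need connection tracking for the address rewrite to be reversed, so if it is not flagged by some other path it can still get a NOTRACK rule. The hunk does not show whether the destination zone is known at this point, so this needs checking against the rest of fw_load_redirect, which continues outside the hunk. The expansions should also be quoted: `list_contains FW_CONNTRACK_ZONES "$redirect_src" || append FW_CONNTRACK_ZONES "$redirect_src"`.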