diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2013-02-04 14:38:33 +0000 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2013-02-04 14:38:33 +0000 |
commit | e106f25ee74804478470a075cf7181bd995b9c33 (patch) | |
tree | d9160d4a882b4eae2cc6533f5ff0b5727942c450 /package/network/config/firewall/files/lib/core_redirect.sh | |
parent | 8506964e6d6f89ae67951d0eafe4717b63b1f610 (diff) | |
download | upstream-e106f25ee74804478470a075cf7181bd995b9c33.tar.gz upstream-e106f25ee74804478470a075cf7181bd995b9c33.tar.bz2 upstream-e106f25ee74804478470a075cf7181bd995b9c33.zip |
firewall: various enhancements
- reduce mssfix related log spam (#10681)
- separate src and dest terminal chains (#11453, #12945)
- disable per-zone custom chains by default, they're rarely used
Additionally introduce options "device", "subnet", "extra", "extra_src" and "extra_dest"
to allow defining zones not related to uci interfaces, e.g. to match "ppp+" or any tcp
traffic to and from a specific port.
SVN-Revision: 35484
Diffstat (limited to 'package/network/config/firewall/files/lib/core_redirect.sh')
-rw-r--r-- | package/network/config/firewall/files/lib/core_redirect.sh | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/package/network/config/firewall/files/lib/core_redirect.sh b/package/network/config/firewall/files/lib/core_redirect.sh index fe396c1c12..9493bc6ae0 100644 --- a/package/network/config/firewall/files/lib/core_redirect.sh +++ b/package/network/config/firewall/files/lib/core_redirect.sh @@ -41,7 +41,7 @@ fw_load_redirect() { # in this case match only DNATed traffic and allow it on input, not forward if [ -z "$redirect_dest_ip" ] || /sbin/ifconfig | grep -qE "addr:${redirect_dest_ip//./\\.}\b"; then fwdopt="-m conntrack --ctstate DNAT" - fwdchain="zone_${redirect_src}" + fwdchain="zone_${redirect_src}_input" else fwdchain="zone_${redirect_src}_forward" fi @@ -114,7 +114,7 @@ fw_load_redirect() { $redirect_options \ } - fw add $mode f ${fwdchain:-forward} ACCEPT + \ + fw add $mode f ${fwdchain:-delegate_forward} ACCEPT + \ { $redirect_src_ip $redirect_dest_ip } { \ $srcaddr $destaddr \ $pr \ |