firewall: various enhancements

	- reduce mssfix related log spam (#10681)
	- separate src and dest terminal chains (#11453, #12945)
	- disable per-zone custom chains by default, they're rarely used

Additionally introduce options "device", "subnet", "extra", "extra_src" and "extra_dest"
to allow defining zones not related to uci interfaces, e.g. to match "ppp+" or any tcp
traffic to and from a specific port.

SVN-Revision: 35484

1 files changed, 2 insertions, 2 deletions

diff --git a/package/network/config/firewall/files/lib/core_redirect.sh b/package/network/config/firewall/files/lib/core_redirect.sh
index fe396c1c12..9493bc6ae0 100644
--- a/package/network/config/firewall/files/lib/core_redirect.sh
+++ b/package/network/config/firewall/files/lib/core_redirect.sh
@@ -41,7 +41,7 @@ fw_load_redirect() {
 		# in this case match only DNATed traffic and allow it on input, not forward
 		if [ -z "$redirect_dest_ip" ] || /sbin/ifconfig | grep -qE "addr:${redirect_dest_ip//./\\.}\b"; then
 			fwdopt="-m conntrack --ctstate DNAT"
-			fwdchain="zone_${redirect_src}"
+			fwdchain="zone_${redirect_src}_input"
 		else
 			fwdchain="zone_${redirect_src}_forward"
 		fi
@@ -114,7 +114,7 @@ fw_load_redirect() {
 				$redirect_options \
 			}
 
-			fw add $mode f ${fwdchain:-forward} ACCEPT + \
+			fw add $mode f ${fwdchain:-delegate_forward} ACCEPT + \
 				{ $redirect_src_ip $redirect_dest_ip } { \
 				$srcaddr $destaddr \
 				$pr \