diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2010-07-31 13:25:56 +0000 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2010-07-31 13:25:56 +0000 |
commit | e6131cac2b9459e99bc324e6036c5b26db1b6ee3 (patch) | |
tree | 4f758605bc1d87dfdc33bf4e08bed2d20fb18b88 /package/firewall/files/reflection.hotplug | |
parent | abf8fea6c902f6760722c17337b915547734108e (diff) | |
download | master-187ad058-e6131cac2b9459e99bc324e6036c5b26db1b6ee3.tar.gz master-187ad058-e6131cac2b9459e99bc324e6036c5b26db1b6ee3.tar.bz2 master-187ad058-e6131cac2b9459e99bc324e6036c5b26db1b6ee3.zip |
[package] firwall: fix nat reflection for zones covering multiple networks
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22442 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/firewall/files/reflection.hotplug')
-rw-r--r-- | package/firewall/files/reflection.hotplug | 90 |
1 files changed, 56 insertions, 34 deletions
diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug index 605ac7c991..af88fe0243 100644 --- a/package/firewall/files/reflection.hotplug +++ b/package/firewall/files/reflection.hotplug @@ -1,5 +1,4 @@ #!/bin/sh -# Setup NAT reflection rules . /etc/functions.sh @@ -16,6 +15,26 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then iptables -t nat -A postrouting_rule -j nat_reflection_out } + find_networks() { + find_networks_cb() { + local cfg="$1" + local zone="$2" + + local name + config_get name "$cfg" name + + [ "$name" = "$zone" ] && { + local network + config_get network "$cfg" network + + echo ${network:-$zone} + return 1 + } + } + + config_foreach find_networks_cb zone "$1" + } + setup_fwd() { local cfg="$1" @@ -26,49 +45,52 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then local dest config_get dest "$cfg" dest "lan" - local lanip=$(uci -P/var/state get network.$dest.ipaddr) - local lanmk=$(uci -P/var/state get network.$dest.netmask) + local net + for net in $(find_networks "$dest"); do + local lanip=$(uci -P/var/state get network.$net.ipaddr) + local lanmk=$(uci -P/var/state get network.$net.netmask) - local proto - config_get proto "$cfg" proto + local proto + config_get proto "$cfg" proto - local epmin epmax extport - config_get extport "$cfg" src_dport - [ -n "$extport" ] || return + local epmin epmax extport + config_get extport "$cfg" src_dport + [ -n "$extport" ] || return - epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" - [ "$epmin" != "$epmax" ] || epmax="" + epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" + [ "$epmin" != "$epmax" ] || epmax="" - local ipmin ipmax intport - config_get intport "$cfg" dest_port "$extport" + local ipmin ipmax intport + config_get intport "$cfg" dest_port "$extport" - ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" - [ "$ipmin" != "$ipmax" ] || ipmax="" + ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" + [ "$ipmin" != "$ipmax" ] || ipmax="" - local exthost - config_get exthost "$cfg" src_dip "$wanip" + local exthost + config_get exthost "$cfg" src_dip "$wanip" - local inthost - config_get inthost "$cfg" dest_ip - [ -n "$inthost" ] || return + local inthost + config_get inthost "$cfg" dest_ip + [ -n "$inthost" ] || return - [ "$proto" = tcpudp ] && proto="tcp udp" + [ "$proto" = tcpudp ] && proto="tcp udp" - local p - for p in ${proto:-tcp udp}; do - case "$p" in - tcp|udp) - iptables -t nat -A nat_reflection_in \ - -s $lanip/$lanmk -d $exthost \ - -p $p --dport $epmin${epmax:+:$epmax} \ - -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} + local p + for p in ${proto:-tcp udp}; do + case "$p" in + tcp|udp) + iptables -t nat -A nat_reflection_in \ + -s $lanip/$lanmk -d $exthost \ + -p $p --dport $epmin${epmax:+:$epmax} \ + -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} - iptables -t nat -A nat_reflection_out \ - -s $lanip/$lanmk -d $inthost \ - -p $p --dport $ipmin${ipmax:+:$ipmax} \ - -j SNAT --to-source $lanip - ;; - esac + iptables -t nat -A nat_reflection_out \ + -s $lanip/$lanmk -d $inthost \ + -p $p --dport $ipmin${ipmax:+:$ipmax} \ + -j SNAT --to-source $lanip + ;; + esac + done done } } |