| author | jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2010-07-31 13:06:14 +0000 | 
|---|---|---|
| committer | jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73> | 2010-07-31 13:06:14 +0000 | 
| commit | da83ad5b95688ad117be7f41618ed247030ca5c0 (patch) | |
| tree | 77122678e589e38e8a3129b735912574631f4926 | |
| parent | cfbe1dd522ba4bb8d4272a8f1ea28feb8108ce6d (diff) | |
[package] firewall: add basic NAT reflection/NAT loopback support
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22441 3c298f89-4303-0410-b956-a3cf2f4a3e73
| -rw-r--r-- | package/firewall/Makefile | 3 | ||||
| -rw-r--r-- | package/firewall/files/reflection.hotplug | 79 | 
2 files changed, 81 insertions, 1 deletions
diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index c1f3f6eb2..b489d9387 100644
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 PKG_VERSION:=2
-PKG_RELEASE:=8
+PKG_RELEASE:=9
 include $(INCLUDE_DIR)/package.mk
@@ -45,6 +45,7 @@ define Package/firewall/install
 	$(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
 	$(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
+	$(INSTALL_DATA) ./files/reflection.hotplug $(1)/etc/hotplug.d/iface/30-nat-reflection
 	$(INSTALL_DIR) $(1)/etc
 	$(INSTALL_DATA) ./files/firewall.user $(1)/etc
 endef
diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug
new file mode 100644
index 000000000..605ac7c99
--- /dev/null
+++ b/package/firewall/files/reflection.hotplug
@@ -0,0 +1,79 @@
+#!/bin/sh
+# Setup NAT reflection rules
+
+. /etc/functions.sh
+
+if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
+	local wanip=$(uci -P/var/state get network.wan.ipaddr)
+
+	iptables -t nat -F nat_reflection_in 2>/dev/null || {
+		iptables -t nat -N nat_reflection_in
+		iptables -t nat -A prerouting_rule -j nat_reflection_in
+	}
+
+	iptables -t nat -F nat_reflection_out 2>/dev/null || {
+		iptables -t nat -N nat_reflection_out
+		iptables -t nat -A postrouting_rule -j nat_reflection_out
+	}
+
+	setup_fwd() {
+		local cfg="$1"
+
+		local src
+		config_get src "$cfg" src
+
+		[ "$src" = wan ] && {
+			local dest
+			config_get dest "$cfg" dest "lan"
+
+			local lanip=$(uci -P/var/state get network.$dest.ipaddr)
+			local lanmk=$(uci -P/var/state get network.$dest.netmask)
+
+			local proto
+			config_get proto "$cfg" proto
+
+			local epmin epmax extport
+			config_get extport "$cfg" src_dport
+			[ -n "$extport" ] || return
+
+			epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
+			[ "$epmin" != "$epmax" ] || epmax=""
+
+			local ipmin ipmax intport
+			config_get intport "$cfg" dest_port "$extport"
+
+			ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
+			[ "$ipmin" != "$ipmax" ] || ipmax=""
+
+			local exthost
+			config_get exthost "$cfg" src_dip "$wanip"
+
+			local inthost
+			config_get inthost "$cfg" dest_ip
+			[ -n "$inthost" ] || return
+
+			[ "$proto" = tcpudp ] && proto="tcp udp"
+
+			local p
+			for p in ${proto:-tcp udp}; do
+				case "$p" in
+					tcp|udp)
+						iptables -t nat -A nat_reflection_in \
+							-s $lanip/$lanmk -d $exthost \
+							-p $p --dport $epmin${epmax:+:$epmax} \
+							-j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
+
+						iptables -t nat -A nat_reflection_out \
+							-s $lanip/$lanmk -d $inthost \
+							-p $p --dport $ipmin${ipmax:+:$ipmax} \
+							-j SNAT --to-source $lanip
+					;;
+				esac
+			done
+		}
+	}
+
+	config_load firewall
+	config_foreach setup_fwd redirect
+fi
+
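Review bot: The `nat_reflection_out` SNAT rule near the end of the hunk matches every LAN-to-`$inthost` connection on the forwarded port, not only reflected ones, so the internal host sees the router's LAN address for all such clients and any source-based ACL or logging on that host is blinded. Restricting the rule to connections that went through the reflection DNAT, by adding `-m conntrack --ctstate DNAT \` before `-j SNAT --to-source $lanip`, leaves direct LAN traffic untouched (provided the conntrack match is available in the target kernel). Separately, `$lanip`, `$lanmk`, `$exthost` and `$inthost` are passed unquoted and unvalidated; if the `dest` zone has no network of the same name, `uci` returns nothing and the rule degrades to `-s /`, which iptables rejects without the script noticing since no exit status is checked — quoting them and bailing early with `[ -n "$lanip" ] || return` before the loop would make that failure explicit. The first `local wanip=...` also sits outside any function, which some shells reject; a plain assignment is sufficient there.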
