From 4fbc2d59b99ae0f94ee595c209fb157e7425f7e8 Mon Sep 17 00:00:00 2001
From: jow <jow@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Sat, 31 Jul 2010 13:25:56 +0000
Subject: [package] firwall: fix nat reflection for zones covering multiple
 networks

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22442 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 package/firewall/files/reflection.hotplug | 90 +++++++++++++++++++------------
 1 file changed, 56 insertions(+), 34 deletions(-)

diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug
index 605ac7c99..af88fe024 100644
--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -1,5 +1,4 @@
 #!/bin/sh
-# Setup NAT reflection rules
 
 . /etc/functions.sh
 
@@ -16,6 +15,26 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
 		iptables -t nat -A postrouting_rule -j nat_reflection_out
 	}
 
+	find_networks() {
+		find_networks_cb() {
+			local cfg="$1"
+			local zone="$2"
+
+			local name
+			config_get name "$cfg" name
+
+			[ "$name" = "$zone" ] && {
+				local network
+				config_get network "$cfg" network
+
+				echo ${network:-$zone}
+				return 1
+			}
+		}
+
+		config_foreach find_networks_cb zone "$1"
+	}
+	
 	setup_fwd() {
 		local cfg="$1"
 
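Review bot: The `return 1` after the `echo` in `find_networks_cb` reads as an attempt to stop the iteration once the matching zone is found, but `config_foreach` from `/etc/functions.sh` (not shown here) does not, as far as I recall, stop on a non-zero callback status — it runs the callback for every `zone` section. If that is the case, two `zone` sections with the same `name` would both be echoed and their networks processed twice by the caller, appending duplicate iptables rules, and the status is in any case also 1 for the non-matching branch because `[ "$name" = "$zone" ]` fails. If an early exit is not actually available, I'd drop the misleading `return 1` and add a comment above the function such as `# Print the networks covered by zone $1 (its 'network' option, or the zone name); every matching zone section contributes, so zone names are expected to be unique.` The `if [ "$ACTION" = "ifup" ]` block enclosing these functions starts before this hunk.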
@@ -26,49 +45,52 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
 			local dest
 			config_get dest "$cfg" dest "lan"
 
-			local lanip=$(uci -P/var/state get network.$dest.ipaddr)
-			local lanmk=$(uci -P/var/state get network.$dest.netmask)
+			local net
+			for net in $(find_networks "$dest"); do
+				local lanip=$(uci -P/var/state get network.$net.ipaddr)
+				local lanmk=$(uci -P/var/state get network.$net.netmask)
 
-			local proto
-			config_get proto "$cfg" proto
+				local proto
+				config_get proto "$cfg" proto
 
-			local epmin epmax extport
-			config_get extport "$cfg" src_dport
-			[ -n "$extport" ] || return
+				local epmin epmax extport
+				config_get extport "$cfg" src_dport
+				[ -n "$extport" ] || return
 
-			epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
-			[ "$epmin" != "$epmax" ] || epmax=""
+				epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
+				[ "$epmin" != "$epmax" ] || epmax=""
 
-			local ipmin ipmax intport
-			config_get intport "$cfg" dest_port "$extport"
+				local ipmin ipmax intport
+				config_get intport "$cfg" dest_port "$extport"
 
-			ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
-			[ "$ipmin" != "$ipmax" ] || ipmax=""
+				ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
+				[ "$ipmin" != "$ipmax" ] || ipmax=""
 
-			local exthost
-			config_get exthost "$cfg" src_dip "$wanip"
+				local exthost
+				config_get exthost "$cfg" src_dip "$wanip"
 
-			local inthost
-			config_get inthost "$cfg" dest_ip
-			[ -n "$inthost" ] || return
+				local inthost
+				config_get inthost "$cfg" dest_ip
+				[ -n "$inthost" ] || return
 
-			[ "$proto" = tcpudp ] && proto="tcp udp"
+				[ "$proto" = tcpudp ] && proto="tcp udp"
 
-			local p
-			for p in ${proto:-tcp udp}; do
-				case "$p" in
-					tcp|udp)
-						iptables -t nat -A nat_reflection_in \
-							-s $lanip/$lanmk -d $exthost \
-							-p $p --dport $epmin${epmax:+:$epmax} \
-							-j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
+				local p
+				for p in ${proto:-tcp udp}; do
+					case "$p" in
+						tcp|udp)
+							iptables -t nat -A nat_reflection_in \
+								-s $lanip/$lanmk -d $exthost \
+								-p $p --dport $epmin${epmax:+:$epmax} \
+								-j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
 
-						iptables -t nat -A nat_reflection_out \
-							-s $lanip/$lanmk -d $inthost \
-							-p $p --dport $ipmin${ipmax:+:$ipmax} \
-							-j SNAT --to-source $lanip
-					;;
-				esac
+							iptables -t nat -A nat_reflection_out \
+								-s $lanip/$lanmk -d $inthost \
+								-p $p --dport $ipmin${ipmax:+:$ipmax} \
+								-j SNAT --to-source $lanip
+						;;
+					esac
+				done
 			done
 		}
 	}
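Review bot: `lanip` and `lanmk` are now read from `/var/state` once per network without checking that either value is set, so for a zone member that has no address recorded at `ifup wan` time (an interface that is down or has no `ipaddr` state), `-s $lanip/$lanmk` expands to `-s /` and `--to-source $lanip` to nothing, and both iptables calls fail for that network while the loop silently moves on; this was already latent in the single-network version but becomes a per-network condition here. I'd add `[ -n "$lanip" ] && [ -n "$lanmk" ] || continue` right after the two `uci` reads, with a comment like `# skip zone members without an address in state rather than passing an empty -s/--to-source`. Separately, the `return`s on a missing `src_dport` or `dest_ip` now sit inside the `for net` loop; they are correct only because those redirect options do not vary per network, so hoisting `extport`, `intport`, `exthost`, `inthost` and `proto` above the loop would make that intent explicit and avoid re-reading the same config for every network. The `setup_fwd` function that encloses this loop starts before this hunk, and the outer `if` block is closed after it.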
-- 