openwrtv3/package
Jo-Philipp Wich a9977eca91 firewall: allow local redirection of ports
Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:

(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted
    connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:

(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but
    still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26617
2011-04-12 20:03:59 +00:00
6in4 6in4: re-establish tunnel also if no credentials are used (static setup) 2011-02-20 18:27:19 +00:00
6to4 6to4: support multiple internal networks, use state vars for radvd config 2010-12-02 22:41:03 +00:00
acx acx: Major rework of acx.sh script 2011-03-17 07:23:28 +00:00
acx-mac80211 acx-mac80211 needs some header files from compat-wireless to build 2011-04-09 23:44:03 +00:00
admswconfig admswconfig: reset interface after applying config 2011-01-27 21:49:50 +00:00
apex only support EABI on ARM targets 2011-03-07 12:59:19 +00:00
ar7-atm add support for 2.6.37, thanks Wipster! 2011-02-18 12:52:04 +00:00
arptables arptables ebtables iptables: Moved *tables to Firewall submenu of the Network package group because that's where all the feeds packages for firewalls now are. 2011-03-12 01:24:18 +00:00
avila-wdt massive: replace occurrences of .$(LINUX_KMOD_SUFFIX) with .ko after r21950 2010-07-12 14:06:13 +00:00
base-files base-files: Use -h instead of deprecated -L for symlink check 2011-04-05 15:09:43 +00:00
block-mount block-mount: Reverting 26503. Was already fixed in a better way in commit 26474. 2011-04-07 01:00:14 +00:00
bridge-utils remove linux 2.4 support from several packages 2010-06-26 20:43:41 +00:00
broadcom-diag brcm47xx: add Netgear WNR834BV1 2011-04-08 19:22:09 +00:00
broadcom-wl broadcom-wl: remove pcmcia support 2010-11-06 18:28:45 +00:00
busybox busybox: get rid of the useless extra menu 2011-04-05 19:04:02 +00:00
button-hotplug package/button-hotplug: use brodcast_uevent 2010-08-31 20:06:30 +00:00
comgt comgt: handle ttyHS* devices in usb hotplug, fix typo (#9046) 2011-03-15 09:09:05 +00:00
compcache package/compcache: revert r22458 as there are some issues with the mainline code 2010-08-06 15:46:13 +00:00
crda crda: update to version 1.1.1 and update regulatory database to most recent official version. 2011-01-01 16:10:15 +00:00
cyassl package/cyassl: sync with latest libtool2 changes 2010-12-08 12:59:16 +00:00
dnsmasq dnsmasq: use -ffunction-sections, -fdata-sections and --gc-sections, saves 8k uncompressed 2011-03-02 12:47:57 +00:00
dropbear r25831 reduced the size of the dropbear executable by, among other things, 2011-04-01 10:55:23 +00:00
e2fsprogs e2fsprogs: revert r24848 as well 2011-01-01 16:03:53 +00:00
ead ead: fixup some AC_DEFINE() invocations that will make recent automake bail 2010-12-13 01:47:35 +00:00
ebtables arptables ebtables iptables: Moved *tables to Firewall submenu of the Network package group because that's where all the feeds packages for firewalls now are. 2011-03-12 01:24:18 +00:00
ep80579-drivers ep80579 depend on their corresponding subtarget 2010-10-30 22:35:46 +00:00
fconfig Various Makefile cleanup. 2009-06-13 16:47:22 +00:00
firewall firewall: allow local redirection of ports 2011-04-12 20:03:59 +00:00
fuse package/fuse: update to version 2.8.5, refresh patches 2010-12-08 20:15:10 +00:00
gdb gdb: There are dep issues with cconfig.h. Disable parallel build for now. 2010-10-26 22:45:41 +00:00
goldfish-qemu cleanup Makefiles (#7212) 2010-04-23 11:27:29 +00:00
gpioctl get rid of $Id$ - it has never helped us and it has broken too many patches ;) 2009-04-17 14:09:46 +00:00
grub add ext4 support 2010-11-22 11:27:47 +00:00
hostap-driver hostap-driver: Remove newline at start of config (cosmetic) 2011-03-17 07:23:32 +00:00
hostap-utils get rid of $Id$ - it has never helped us and it has broken too many patches ;) 2009-04-17 14:09:46 +00:00
hostapd hostapd: properly mark random data as ready if initialization succeeds without reassociation (#9222) 2011-04-12 17:30:16 +00:00
hotplug2 hotplug2: Added zaptel subsystem to /etc/hotplugs2.rules so that the zaptel kernel module package only needs to had a script to create the correct device nodes (default names differ from what all apps that use zaptel actually use, so a script is necessary). 2011-03-21 05:53:17 +00:00
i2c-gpio-custom massive: replace occurrences of .$(LINUX_KMOD_SUFFIX) with .ko after r21950 2010-07-12 14:06:13 +00:00
ifenslave remove obsolete kernel dependencies and version checks 2010-06-26 20:44:28 +00:00
iproute2 iproute2 relayd: Moved iproute2 and relayd to Routing and Redirection submenu of the Network package group so that they appear with the packages feed packages that are related. 2011-03-12 07:27:57 +00:00
ipset ipset: do not use -static-libgcc 2011-03-01 15:41:28 +00:00
iptables iptables: libiptc.so is only a compatibility stub, split the package into libip4tc and libip6tc and adjust dependencies 2011-03-25 18:02:51 +00:00
iw iw: add support for showing the rx bitrate 2011-02-10 03:37:35 +00:00
ixp4xx-microcode Various Makefile cleanup. 2009-06-13 16:47:22 +00:00
jshn jshn: add build dependency on libubox, it needs the list.h header from it 2011-02-21 19:49:48 +00:00
kernel package/kernel: add module for the gpio_keys_polled driver 2011-04-12 09:29:14 +00:00
kexec-tools change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
libipfix ipfix: sync changes from openimp 2009-12-19 22:19:42 +00:00
libjson-c change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
libnl libnl: update to version 2.0 (patch by Philip Prindeville) 2011-02-13 03:56:12 +00:00
libnl-tiny libnl-tiny: remove some more functions to reduce binary size 2011-02-13 17:05:34 +00:00
libpcap package/libpcap: move configuration to submenu 2010-04-16 10:03:53 +00:00
libreadline libreadline: install *.so symlinks as well (#4872) 2010-08-27 20:13:17 +00:00
librpc librpc: use MDEPENDS instead of DEPENDS for @USE_UCLIBC to fix recursive busybox dependencies 2011-04-05 19:03:55 +00:00
libtool libtool: remove patches, they don't apply to libltdl 2010-12-18 18:13:12 +00:00
libubox libubox: update to 2011-03-27 (includes some minor fixes), add PKG_MIRROR_MD5SUM 2011-03-27 18:21:40 +00:00
linux-atm linux-atm: package atm-diagnostics with atmdump, atmdiag, etc. 2011-04-09 13:05:48 +00:00
lqtapi should depend on lantiq and not ifxmips 2011-02-01 14:33:40 +00:00
ltq-dsl * fixes .unlocked_ioctl functions 2011-03-14 07:34:08 +00:00
ltq-dsl-app * rename lqdsl packages to ltq-dsl * small rework of packages * make it work with latest kernel 2011-02-01 14:30:38 +00:00
ltq-ifxos ltq-ifxos: only attempt to build if the lantiq target is selected (fixes #9035) 2011-03-13 18:45:27 +00:00
ltq-kpi2udp * adds in-kernel udp redirect plugin for lantiq voice optimisation 2011-02-07 21:48:55 +00:00
ltq-tapi * several updates to the voice packages 2011-03-29 05:17:10 +00:00
ltq-tapidemo * rename voice package * sync with lantiqs release * make it work on lantiq kernel 2011-02-01 14:32:25 +00:00
ltq-vmmc The makefile was missing the coef source filename, so it would install a directory instead of the coefficients file, breaking voice applications. 2011-04-04 07:37:32 +00:00
lua lua: switch to double precision for floats 2010-10-07 11:03:18 +00:00
mac80211 mac80211: fix WPA auth on WDS station interfaces (#9227) 2011-04-12 17:17:56 +00:00
madwifi madwifi: typo(s) in /lib/wifi/madwifi.sh 2011-04-06 20:50:14 +00:00
mmc_over_gpio mmc_over_gpio: mark /etc/config/mmc_over_gpio as conffile 2010-10-05 17:21:03 +00:00
mountd mountd: Rename uci_add_history to uci_add_delta (#8084) 2010-10-16 13:57:55 +00:00
mtd package/mtd: make fixtrx available on ar71xx as well 2011-01-05 19:27:55 +00:00
ncurses ncurses: install ncurses5-config and ncursesw5-config (#9044) 2011-03-21 06:45:20 +00:00
nvram add maintainer information 2010-09-30 10:48:37 +00:00
ocf-crypto-headers cleanup Makefiles (#7212) 2010-04-23 11:27:29 +00:00
openssl openssl: update to 1.0.0d - includes important bug and security fixes (patch by tripolar) 2011-02-08 22:52:21 +00:00
opkg opkg: update to r618 2011-04-11 22:08:43 +00:00
pjsip pjsip: make pjsip-ltq-tapi dependencies conditional to make the build dependencies conditional as well 2011-03-13 23:02:52 +00:00
ppp pppd: support the nomp option if multilink support is disabled 2011-04-12 18:29:28 +00:00
pptp pptp: mark /etc/ppp/options.pptp as conffile 2010-10-05 17:27:21 +00:00
ps3-utils change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
pwm-gpio-custom pwm-gpio-custom: fix compile on linux 2.6.31 2010-08-19 12:49:42 +00:00
px5g add maintainer information 2010-09-30 10:48:37 +00:00
qos-scripts qos-scripts: remove the layer7 based classifiers from the default configuration - they are unreliable and prone to memory leaks 2011-03-30 10:44:27 +00:00
redboot-ar231x redboot-ar231x: mark as broken, the ecos host tool crap needs some rework for tcl on some systems 2011-03-25 00:55:25 +00:00
relayd iproute2 relayd: Moved iproute2 and relayd to Routing and Redirection submenu of the Network package group so that they appear with the packages feed packages that are related. 2011-03-12 07:27:57 +00:00
robocfg get rid of $Id$ - it has never helped us and it has broken too many patches ;) 2009-04-17 14:09:46 +00:00
rotary-gpio-custom Add package rotary-gpio-custom 2010-07-22 11:32:27 +00:00
rtc-rv5c386a rtc-rv5c386a: make driver compile with kernel 2.6.36. 2010-11-10 19:02:09 +00:00
siit massive: replace occurrences of .$(LINUX_KMOD_SUFFIX) with .ko after r21950 2010-07-12 14:06:13 +00:00
soloscli soloscli: allow user to apply settings to solos h/w before bringing up network (patch by Philip Prindeville) 2011-02-13 02:52:49 +00:00
spi-ks8995 massive: replace occurrences of .$(LINUX_KMOD_SUFFIX) with .ko after r21950 2010-07-12 14:06:13 +00:00
spidev_test remove obsolete kernel dependencies and version checks 2010-06-26 20:44:28 +00:00
swconfig swconfig: add -lnl-genl (patch by Philip Prindeville) - purely cosmetic, swconfig uses libnl-tiny anyway 2011-02-13 02:52:44 +00:00
switch switch: fix switch-robo device reference counting 2011-02-20 17:24:15 +00:00
uboot-ar71xx uboot-ar71xx: fix compilation on FreeBSD 2011-04-02 13:20:11 +00:00
uboot-envtools remove obsolete kernel dependencies and version checks 2010-06-26 20:44:28 +00:00
uboot-kirkwood Fixed support for Iomega 2010-10-27 21:24:06 +00:00
uboot-lantiq * add some compile flags 2011-03-11 08:22:47 +00:00
uboot-omap35xx Modify environment variables for altered filesystem layout 2011-04-12 14:24:20 +00:00
uboot-xburst uboot-{kirkwood,xburst}: Fix typo in U-Boot image name, thanks framer99 (#8112) 2010-10-21 08:54:36 +00:00
ubsec_ssb ubsec_ssb: fix build of ubsec_ssb with new ssb patches 2010-07-22 18:50:32 +00:00
ubus ubus: update to 2011-03-27 (includes an API simplification for object signatures), use PKG_MIRROR_MD5SUM 2011-03-27 18:21:45 +00:00
uci uci: mark uci as unsafe for parallel building 2011-04-04 12:06:37 +00:00
udev udev: install development libraries in staging dir (#8370) 2011-01-29 22:06:26 +00:00
uhttpd uhttpd: Moved uhttpd to Network|Web Servers/Proxies submenu, just like all the other web servers and proxies from the packages feed 2011-03-12 04:47:02 +00:00
util-linux-ng util-linux-ng: make build depend on libncurses, cfdisk is compiled unconditionally and will fail with missing input files if ncurses was not detected during configure 2010-09-08 06:35:23 +00:00
vsc73x5-ucode vsc73x5-ucode: use the mirrored ucode files from my server to replace a 127 MB download with a 14k one 2010-04-30 16:11:31 +00:00
w1-gpio-custom massive: replace occurrences of .$(LINUX_KMOD_SUFFIX) with .ko after r21950 2010-07-12 14:06:13 +00:00
wireless-tools wireless-tools: remove some more unnecessary stuff from iwconfig 2011-03-18 03:41:22 +00:00
wprobe package/wprobe: fix for kernels >= 2.6.38 2011-02-24 15:51:28 +00:00
wrt55agv2-spidevs massive: replace occurrences of .$(LINUX_KMOD_SUFFIX) with .ko after r21950 2010-07-12 14:06:13 +00:00
xfsprogs change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
yamonenv package/yamonenv: refresh patches 2010-03-26 14:29:32 +00:00
zlib package/zlib: fix Darwin compile failure (closes #7963) 2010-09-19 05:33:18 +00:00
Makefile remove postinst files for preinstalled packages 2011-03-25 23:47:08 +00:00