firewall: fix nat reflection after netifd status format change - use /lib/functions/network.sh - simplify nat reflection code
SVN-Revision: 31936
parent
f1d04190c5
commit
963a0cd98b
2 changed files with 10 additions and 48 deletions
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
PKG_NAME:=firewall
|
||||
|
||||
PKG_VERSION:=2
|
||||
PKG_RELEASE:=50
|
||||
PKG_RELEASE:=51
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
|
|
|
@ -1,48 +1,11 @@
|
|||
#!/bin/sh
|
||||
|
||||
. /etc/functions.sh
|
||||
. /usr/share/libubox/jshn.sh
|
||||
|
||||
find_iface_address()
|
||||
{
|
||||
local iface="$1"
|
||||
local ipaddr="$2"
|
||||
local prefix="$3"
|
||||
|
||||
local idx=1
|
||||
local tmp="$(ubus call network.interface."$iface" status 2>/dev/null)"
|
||||
|
||||
json_load "${tmp:-{}}"
|
||||
json_get_type tmp address
|
||||
|
||||
if [ "$tmp" = array ]; then
|
||||
json_select address
|
||||
|
||||
while true; do
|
||||
json_get_type tmp $idx
|
||||
[ "$tmp" = object ] || break
|
||||
|
||||
json_select $((idx++))
|
||||
json_get_var tmp address
|
||||
|
||||
case "$tmp" in
|
||||
*:*) json_select .. ;;
|
||||
*)
|
||||
[ -n "$ipaddr" ] && json_get_var $ipaddr address
|
||||
[ -n "$prefix" ] && json_get_var $prefix mask
|
||||
return 0
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
|
||||
return 1
|
||||
}
|
||||
. /lib/functions.sh
|
||||
. /lib/functions/network.sh
|
||||
|
||||
if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
|
||||
local wanip
|
||||
find_iface_address wan wanip
|
||||
[ -n "$wanip" ] || return
|
||||
network_get_ipaddr wanip wan || return
|
||||
|
||||
iptables -t nat -F nat_reflection_in 2>/dev/null || {
|
||||
iptables -t nat -N nat_reflection_in
|
||||
|
@ -99,9 +62,8 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
|
|||
|
||||
local net
|
||||
for net in $(find_networks "$dest"); do
|
||||
local lanip lanmk
|
||||
find_iface_address "$net" lanip lanmk
|
||||
[ -n "$lanip" ] || return
|
||||
local lannet
|
||||
network_get_subnet lannet "$net" || return
|
||||
|
||||
local proto
|
||||
config_get proto "$cfg" proto
|
||||
|
@ -144,17 +106,17 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
|
|||
case "$p" in
|
||||
tcp|udp|6|17)
|
||||
iptables -t nat -A nat_reflection_in \
|
||||
-s $lanip/$lanmk -d $exthost \
|
||||
-s $lannet -d $exthost \
|
||||
-p $p $extport \
|
||||
-j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}
|
||||
|
||||
iptables -t nat -A nat_reflection_out \
|
||||
-s $lanip/$lanmk -d $inthost \
|
||||
-s $lannet -d $inthost \
|
||||
-p $p $intport \
|
||||
-j SNAT --to-source $lanip
|
||||
-j SNAT --to-source ${lannet%%/*}
|
||||
|
||||
iptables -t filter -A nat_reflection_fwd \
|
||||
-s $lanip/$lanmk -d $inthost \
|
||||
-s $lannet -d $inthost \
|
||||
-p $p $intport \
|
||||
-j ACCEPT
|
||||
;;
|
||||
|
|
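Review bot: `network_get_subnet lannet "$net" || return` in the `for net in $(find_networks "$dest")` loop aborts the whole hotplug script as soon as one network of the zone has no IPv4 subnet, so the remaining networks and every later redirect section get no reflection rules, even though `nat_reflection_in` has already been flushed further up. The old `[ -n "$lanip" ] || return` had the same shape, but since the line is being rewritten, skipping just that network is the better fit: `network_get_subnet lannet "$net" || continue`. The loop body and whatever encloses it continue outside the hunk, so anything after the loop that relied on the early return should be checked before making that change. Separately, the first hunk drops `local wanip` while this one adds `local lannet`; one convention for variables set by the network.sh helpers would read more consistently.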