Changeset 34472
- Timestamp:
- 2012-12-04T16:24:21+01:00 (5 years ago)
- Location:
- trunk/package/network/config/firewall
- Files:
-
- 2 edited
trunk/package/network/config/firewall/Makefile
r32652 r34472 10 10 11 11 PKG_VERSION:=2 12 PKG_RELEASE:=5 312 PKG_RELEASE:=54 13 13 14 14 include $(INCLUDE_DIR)/package.mk -
trunk/package/network/config/firewall/files/reflection.hotplug
r32652 r34472 4 4 . /lib/functions/network.sh 5 5 6 if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then 7 local wanip 8 network_get_ipaddr wanip wan || return 6 if [ "$ACTION" = "remove" ]; then 9 7 10 iptables -t nat -F nat_reflection_in 2>/dev/null || { 11 iptables -t nat -N nat_reflection_in 12 iptables -t nat -A prerouting_rule -j nat_reflection_in 8 delete_rules_by_comment() { 9 local table="$1" 10 local chain="$2" 11 local comment="$3" 12 13 iptables -t "$table" --line-numbers -nL "$chain" 2>/dev/null | \ 14 sed -e ' 15 1d; 16 1! { 17 \#^[0-9]\+ .* /\* '"$comment"' \*/.*$# { 18 s/ .*$//; 19 G; h; 20 } 21 }; 22 $!d; 23 ' | xargs -n1 iptables -t "$table" -D "$chain" 2>/dev/null 13 24 } 14 25 15 iptables -t nat -F nat_reflection_out 2>/dev/null || { 16 iptables -t nat -N nat_reflection_out 17 iptables -t nat -A postrouting_rule -j nat_reflection_out 18 } 26 delete_rules_by_comment nat nat_reflection_in "$INTERFACE" 27 delete_rules_by_comment nat nat_reflection_out "$INTERFACE" 28 delete_rules_by_comment filter nat_reflection_fwd "$INTERFACE" 19 29 20 iptables -t filter -F nat_reflection_fwd 2>/dev/null || { 21 iptables -t filter -N nat_reflection_fwd 22 iptables -t filter -A forwarding_rule -j nat_reflection_fwd 30 elif [ "$ACTION" = "add" ]; then 31 32 prepare_chains() { 33 iptables -t nat -N nat_reflection_in 2>/dev/null && { 34 iptables -t nat -A prerouting_rule -j nat_reflection_in 35 } 36 37 iptables -t nat -N nat_reflection_out 2>/dev/null && { 38 iptables -t nat -A postrouting_rule -j nat_reflection_out 39 } 40 41 iptables -t filter -N nat_reflection_fwd 2>/dev/null && { 42 iptables -t filter -A forwarding_rule -j nat_reflection_fwd 43 } 23 44 } 24 45 … … 27 48 local cfg="$1" 28 49 local zone="$2" 50 local need_masq="${3:-0}" 29 51 30 52 local name 31 53 config_get name "$cfg" name 32 54 33 [ "$name" = "$zone" ] && { 55 local masq 56 config_get_bool masq "$cfg" masq 0 57 58 [ "$name" = "$zone" ] && [ "$masq" -ge "$need_masq" ] && { 34 59 local 
network 35 60 config_get network "$cfg" network … … 52 77 local src 53 78 config_get src "$cfg" src 79 [ "$src" == "$ZONE" ] || return 80 81 local dest 82 config_get dest "$cfg" dest 83 [ "$dest" != "*" ] || return 54 84 55 85 local target 56 86 config_get target "$cfg" target DNAT 87 [ "$target" = DNAT ] || return 57 88 58 [ "$src" = wan ] && [ "$target" = DNAT ] && { 59 local dest 60 config_get dest "$cfg" dest "lan" 61 [ "$dest" != "*" ] || return 89 prepare_chains 62 90 63 64 for net in $(find_networks "$dest"); do65 local lannet66 network_get_subnet lannet "$net" || return91 local net 92 for net in $(find_networks "$dest" 0); do 93 local intnet 94 network_get_subnet intnet "$net" || continue 67 95 68 69 96 local proto 97 config_get proto "$cfg" proto 70 98 71 72 73 99 local epmin epmax extport 100 config_get extport "$cfg" src_dport "1-65535" 101 [ -n "$extport" ] || return 74 102 75 76 103 epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" 104 [ "${epmin#!}" != "$epmax" ] || epmax="" 77 105 78 79 106 local ipmin ipmax intport 107 config_get intport "$cfg" dest_port "$extport" 80 108 81 82 109 ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" 110 [ "${ipmin#!}" != "$ipmax" ] || ipmax="" 83 111 84 85 config_get exthost "$cfg" src_dip "$wanip"112 local exthost 113 config_get exthost "$cfg" src_dip "$extip" 86 114 87 88 89 115 local inthost 116 config_get inthost "$cfg" dest_ip 117 [ -n "$inthost" ] || return 90 118 91 92 119 [ "$proto" = all ] && proto="tcp udp" 120 [ "$proto" = tcpudp ] && proto="tcp udp" 93 121 94 95 122 [ "${inthost#!}" = "$inthost" ] || return 0 123 [ "${exthost#!}" = "$exthost" ] || return 0 96 124 97 98 99 125 [ "${epmin#!}" != "$epmin" ] && \ 126 extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \ 127 extport="--dport $epmin${epmax:+:$epmax}" 100 128 101 102 103 129 [ "${ipmin#!}" != "$ipmin" ] && \ 130 intport="! 
--dport ${ipmin#!}${ipmax:+:$ipmax}" || \ 131 intport="--dport $ipmin${ipmax:+:$ipmax}" 104 132 105 local p 106 for p in ${proto:-tcp udp}; do 107 case "$p" in 108 tcp|udp|6|17) 109 iptables -t nat -A nat_reflection_in \ 110 -s $lannet -d $exthost \ 111 -p $p $extport \ 112 -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} 133 local p 134 for p in ${proto:-tcp udp}; do 135 case "$p" in 136 tcp|udp|6|17) 137 iptables -t nat -A nat_reflection_in \ 138 -s $intnet -d $exthost \ 139 -p $p $extport \ 140 -m comment --comment "$INTERFACE" \ 141 -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} 113 142 114 iptables -t nat -A nat_reflection_out \ 115 -s $lannet -d $inthost \ 116 -p $p $intport \ 117 -j SNAT --to-source ${lannet%%/*} 143 iptables -t nat -A nat_reflection_out \ 144 -s $intnet -d $inthost \ 145 -p $p $intport \ 146 -m comment --comment "$INTERFACE" \ 147 -j SNAT --to-source ${intnet%%/*} 118 148 119 120 -s $lannet -d $inthost \121 122 -j ACCEPT123 ;;124 esac125 done149 iptables -t filter -A nat_reflection_fwd \ 150 -s $intnet -d $inthost \ 151 -p $p $intport \ 152 -m comment --comment "$INTERFACE" \ 153 -j ACCEPT 154 ;; 155 esac 126 156 done 127 }157 done 128 158 } 129 159 130 160 config_load firewall 161 162 local is_masq_zone="$(find_networks "$ZONE" 1)" 163 [ -n "$is_masq_zone" ] || exit 0 164 165 local extip 166 network_get_ipaddr extip "$INTERFACE" || exit 0 167 131 168 config_foreach setup_fwd redirect 132 169 fi
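Review bot: In delete_rules_by_comment (remove branch of the hotplug, second file section) the sed script prints the collected rule numbers only when the chain's last listed rule itself matches the comment: on a non-matching last line `$!d` leaves that raw iptables line in the pattern space, `xargs -n1` then hands its first token — the rule number of a rule tagged with a different interface — to `iptables -D`, and the rules tagged with `$INTERFACE` are left in place. Swapping in the hold space on the last line covers both cases, change `$!d;` to `$!d; x;` (after a match `h` has already made hold and pattern identical, so the exchange is a no-op there). The interface name is also spliced unescaped into the `\#…#` sed address, so a `#` or regex metacharacter in `$INTERFACE` would alter the match; if names are limited to UCI section characters this is harmless, but a comment stating that assumption would help. Separately, `[ "$src" == "$ZONE" ]` uses `==` where the rest of the file compares with `=`, which is the POSIX form.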