Opened 7 years ago

Closed 7 years ago

#7909 closed defect (fixed)

Bug chains SNAT with uci_firewall.sh

Reported by: rpc@…
Owned by: developers
Priority: high
Milestone: Backfire 10.03.1
Component: packages
Version: Trunk
Keywords:
Cc:

Description

The chains break badly with MASQUERADE if we use the SNAT target.
The problem is described in this post:

https://forum.openwrt.org/viewtopic.php?pid=116806#p11680606

Take for example:

config 'redirect'
        option 'src' 'lan'
        option 'src_ip' '192.168.1.104'
        option 'dest' 'wan'
        option 'dest_ip' '178.36.7.175'
        option 'target' 'SNAT'

In this context, it looks like the following:

Chain zone_lan_nat (0 references)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
SNAT       tcp  --  192.168.1.104        anywhere            to:178.36.7.175
SNAT       udp  --  192.168.1.104        anywhere            to:178.36.7.175

So the SNAT rules are placed after MASQUERADE,
so these two SNAT entries will never be executed.

It is proposed to modify the file
/lib/firewall/uci_firewall.sh
on the MASQUERADE line. Patch: uci_firewall.sh.diff

Index: package/firewall/files/uci_firewall.sh
===================================================================
--- package/firewall/files/uci_firewall.sh    (wersja 22996)
+++ package/firewall/files/uci_firewall.sh    (kopia robocza)
@@ -101,7 +101,7 @@
         [ "${msrc#!}" != "$msrc" ] && msrc="! -s ${msrc#!}" || msrc="-s $msrc"
         for mdst in ${masq_dest:-0.0.0.0/0}; do
             [ "${mdst#!}" != "$mdst" ] && mdst="! -d ${mdst#!}" || mdst="-d $mdst"
-            $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" $msrc $mdst -j MASQUERADE
+            $IPTABLES -A zone_${zone}_nat -t nat -o "$ifname" $msrc $mdst -j MASQUERADE
         done
     done
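Review bot: Replacing `-I zone_${zone}_nat 1` with `-A zone_${zone}_nat` makes the position of the MASQUERADE rule depend on when this loop runs relative to the code that adds the SNAT rules to the same chain; it only fixes the ordering if every SNAT rule for zone_${zone}_nat is already present (or is itself inserted with -I) by the time this loop appends. Please confirm that ordering in the script and add a comment above the `for mdst` loop stating that MASQUERADE must remain the last rule in zone_${zone}_nat, so a later change does not reintroduce the shadowing described in this ticket.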

After this change, everything looks correct:

Chain zone_lan_nat (1 references)
target     prot opt source               destination
SNAT       tcp  --  192.168.1.0/24       192.168.1.1         tcp dpt:5555 to:192.168.1.10
SNAT       udp  --  192.168.1.0/24       192.168.1.1         udp dpt:5555 to:192.168.1.10
SNAT       tcp  --  192.168.1.104        anywhere            to:178.36.7.175
SNAT       udp  --  192.168.1.104        anywhere            to:178.36.7.175
MASQUERADE  all  --  anywhere             anywhere
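As an added check, not part of the ticket or of the OpenWrt firewall package, the shell function below reads NAT rules in `iptables -t nat -S` format and flags any SNAT rule that sits after a MASQUERADE rule in the same chain, which is exactly the ordering shown in the first listing above. The sample rule lines are constructed from that listing; the interface name eth0 is assumed.

```shell
#!/bin/sh
# Added check (not part of the OpenWrt firewall package): read rules in
# `iptables -t nat -S` / `iptables-save` format from stdin and report any
# chain in which a MASQUERADE rule precedes an SNAT rule. SNAT rules placed
# after MASQUERADE can never match, which is the bug this ticket describes.
#
# Returns 0 when every chain lists its SNAT rules before MASQUERADE,
# 1 otherwise, printing each shadowed rule.
check_nat_order() {
    awk '
        $1 == "-A" {
            chain = $2
            # Remember the first MASQUERADE rule seen in each chain.
            if ($0 ~ /-j MASQUERADE/ && !(chain in masq))
                masq[chain] = NR
            # Any SNAT rule after that point is shadowed by MASQUERADE.
            if ($0 ~ /-j SNAT/ && (chain in masq)) {
                printf "shadowed in %s (MASQUERADE at line %d): %s\n", chain, masq[chain], $0
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample: the zone_lan_nat chain before the patch (eth0 assumed).
BROKEN_RULES='-A zone_lan_nat -o eth0 -j MASQUERADE
-A zone_lan_nat -s 192.168.1.104/32 -p tcp -j SNAT --to-source 178.36.7.175
-A zone_lan_nat -s 192.168.1.104/32 -p udp -j SNAT --to-source 178.36.7.175'

# Constructed sample: the same chain after the patch, MASQUERADE appended last.
FIXED_RULES='-A zone_lan_nat -s 192.168.1.104/32 -p tcp -j SNAT --to-source 178.36.7.175
-A zone_lan_nat -s 192.168.1.104/32 -p udp -j SNAT --to-source 178.36.7.175
-A zone_lan_nat -o eth0 -j MASQUERADE'

# Wrapper returning the check result for a rule set passed as a string.
nat_order_ok() {
    printf '%s\n' "$1" | check_nat_order >/dev/null
}

# On a live router the same check runs against the real table:
#   iptables -t nat -S | check_nat_order
```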

Attachments (1)

uci_firewall.sh.diff (621 bytes) - added by rpc@… 7 years ago.
Patch correcting the insertion of rows SNAT before MASQUERADE

Change History (3)

Changed 7 years ago by rpc@…

Patch correcting the insertion of rows SNAT before MASQUERADE

comment:1 Changed 7 years ago by rpc@…

Bug fixed by jow:

/changeset/23025.html

comment:2 Changed 7 years ago by jow

  • Resolution set to fixed
  • Status changed from new to closed

See r23025.
