projects / openwrt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
[package] libpcap: explicitely disable libnl support to prevent different build resul...
[openwrt.git] / package / firewall / files / reflection.hotplug
1 #!/bin/sh
2
3 . /etc/functions.sh
4
5 if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
6 local wanip=$(uci -P/var/state get network.wan.ipaddr)
7
8 iptables -t nat -F nat_reflection_in 2>/dev/null || {
9 iptables -t nat -N nat_reflection_in
10 iptables -t nat -A prerouting_rule -j nat_reflection_in
11 }
12
13 iptables -t nat -F nat_reflection_out 2>/dev/null || {
14 iptables -t nat -N nat_reflection_out
15 iptables -t nat -A postrouting_rule -j nat_reflection_out
16 }
17
18 iptables -t filter -F nat_reflection_fwd 2>/dev/null || {
19 iptables -t filter -N nat_reflection_fwd
20 iptables -t filter -A forwarding_rule -j nat_reflection_fwd
21 }
22
23 find_networks() {
24 find_networks_cb() {
25 local cfg="$1"
26 local zone="$2"
27
28 local name
29 config_get name "$cfg" name
30
31 [ "$name" = "$zone" ] && {
32 local network
33 config_get network "$cfg" network
34
35 echo ${network:-$zone}
36 return 1
37 }
38 }
39
40 config_foreach find_networks_cb zone "$1"
41 }
42
43 setup_fwd() {
44 local cfg="$1"
45
46 local reflection
47 config_get_bool reflection "$cfg" reflection 1
48 [ "$reflection" == 1 ] || return
49
50 local src
51 config_get src "$cfg" src
52
53 local target
54 config_get target "$cfg" target DNAT
55
56 [ "$src" = wan ] && [ "$target" = DNAT ] && {
57 local dest
58 config_get dest "$cfg" dest "lan"
59 [ "$dest" != "*" ] || return
60
61 local net
62 for net in $(find_networks "$dest"); do
63 local lanip=$(uci -P/var/state get network.$net.ipaddr)
64 local lanmk=$(uci -P/var/state get network.$net.netmask)
65
66 local proto
67 config_get proto "$cfg" proto
68
69 local epmin epmax extport
70 config_get extport "$cfg" src_dport
71 [ -n "$extport" ] || return
72
73 epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
74 [ "${epmin#!}" != "$epmax" ] || epmax=""
75
76 local ipmin ipmax intport
77 config_get intport "$cfg" dest_port "$extport"
78
79 ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
80 [ "${ipmin#!}" != "$ipmax" ] || ipmax=""
81
82 local exthost
83 config_get exthost "$cfg" src_dip "$wanip"
84
85 local inthost
86 config_get inthost "$cfg" dest_ip
87 [ -n "$inthost" ] || return
88
89 [ "$proto" = tcpudp ] && proto="tcp udp"
90
91 [ "${inthost#!}" = "$inthost" ] || return 0
92 [ "${exthost#!}" = "$exthost" ] || return 0
93
94 [ "${epmin#!}" != "$epmin" ] && \
95 extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \
96 extport="--dport $epmin${epmax:+:$epmax}"
97
98 [ "${ipmin#!}" != "$ipmin" ] && \
99 intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \
100 intport="--dport $ipmin${ipmax:+:$ipmax}"
101
102 local p
103 for p in ${proto:-tcp udp}; do
104 case "$p" in
105 tcp|udp|6|17)
106 iptables -t nat -A nat_reflection_in \
107 -s $lanip/$lanmk -d $exthost \
108 -p $p $extport \
109 -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}
110
111 iptables -t nat -A nat_reflection_out \
112 -s $lanip/$lanmk -d $inthost \
113 -p $p $intport \
114 -j SNAT --to-source $lanip
115
116 iptables -t filter -A nat_reflection_fwd \
117 -s $lanip/$lanmk -d $inthost \
118 -p $p $intport \
119 -j ACCEPT
120 ;;
121 esac
122 done
123 done
124 }
125 }
126
127 config_load firewall
128 config_foreach setup_fwd redirect
129 fi
Personal OpenWRT clone
This page took 0.054678 seconds and 5 git commands to generate.