X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/291f78f21ab699d2650a7f308ac8c58ccf85275e..6c0f1d31579139732e9cf5cfb59da1e8ecacd683:/package/firewall/files/lib/core_init.sh

diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh
index bce94afe0..185fffb98 100644
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@@ -42,7 +42,7 @@ fw_load_defaults() {
 		boolean disable_ipv6 0 \
 	} || return
 	[ -n "$FW_DEFAULTS_APPLIED" ] && {
-		echo "Error: multiple defaults sections detected"
+		fw_log error "duplicate defaults section detected, skipping"
 		return 1
 	}
 	FW_DEFAULTS_APPLIED=1
@@ -159,7 +159,8 @@ fw_load_zone() {
 	fw_config_get_zone "$1"
 
 	list_contains FW_ZONES $zone_name && {
-		fw_die "zone ${zone_name}: duplicated zone"
+		fw_log error "zone ${zone_name}: duplicated zone, skipping"
+		return 0
 	}
 	append FW_ZONES $zone_name
 
@@ -212,9 +213,6 @@ fw_load_zone() {
 
 	fw add $mode r ${chain}_notrack
 
-	[ $zone_masq == 1 ] && \
-		fw add $mode n POSTROUTING ${chain}_nat $
-
 	[ $zone_mtu_fix == 1 ] && \
 		fw add $mode f FORWARD ${chain}_MSSFIX ^
 
@@ -243,6 +241,26 @@ fw_load_zone() {
 		done
 	}
 
+	# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
+	if [ "$zone_masq" == 1 ]; then
+		local msrc mdst
+		for msrc in ${zone_masq_src:-0.0.0.0/0}; do
+			case "$msrc" in
+				*.*) fw_get_negation msrc '-s' "$msrc" ;;
+				*)   fw_get_subnet4 msrc '-s' "$msrc" ;;
+			esac
+
+			for mdst in ${zone_masq_dest:-0.0.0.0/0}; do
+				case "$mdst" in
+					*.*) fw_get_negation mdst '-d' "$mdst" ;;
+					*)   fw_get_subnet4 mdst '-d' "$mdst" ;;
+				esac
+
+				fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst }
+			done
+		done
+	fi
+
 	fw_callback post zone
 }
 
@@ -261,8 +279,10 @@ fw_load_notrack_zone() {
 fw_load_include() {
 	local name="$1"
 
-	local path; config_get path ${name} path
-	[ -e $path ] && . $path
+	local path
+	config_get path ${name} path
+
+	[ -e $path ] && ( . $path )
 }