X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/da83ad5b95688ad117be7f41618ed247030ca5c0..9179216cd8776544534ef866e221e575a5a2c8c1:/package/firewall/files/reflection.hotplug diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug index 605ac7c99..7ab4c5fe8 100644 --- a/package/firewall/files/reflection.hotplug +++ b/package/firewall/files/reflection.hotplug @@ -1,9 +1,8 @@ #!/bin/sh -# Setup NAT reflection rules . /etc/functions.sh -if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then +if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then local wanip=$(uci -P/var/state get network.wan.ipaddr) iptables -t nat -F nat_reflection_in 2>/dev/null || { @@ -16,59 +15,111 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then iptables -t nat -A postrouting_rule -j nat_reflection_out } - setup_fwd() { - local cfg="$1" - - local src - config_get src "$cfg" src - - [ "$src" = wan ] && { - local dest - config_get dest "$cfg" dest "lan" - - local lanip=$(uci -P/var/state get network.$dest.ipaddr) - local lanmk=$(uci -P/var/state get network.$dest.netmask) + iptables -t filter -F nat_reflection_fwd 2>/dev/null || { + iptables -t filter -N nat_reflection_fwd + iptables -t filter -A forwarding_rule -j nat_reflection_fwd + } - local proto - config_get proto "$cfg" proto + find_networks() { + find_networks_cb() { + local cfg="$1" + local zone="$2" - local epmin epmax extport - config_get extport "$cfg" src_dport - [ -n "$extport" ] || return + local name + config_get name "$cfg" name - epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" - [ "$epmin" != "$epmax" ] || epmax="" + [ "$name" = "$zone" ] && { + local network + config_get network "$cfg" network - local ipmin ipmax intport - config_get intport "$cfg" dest_port "$extport" + echo ${network:-$zone} + return 1 + } + } - ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" - [ "$ipmin" != "$ipmax" ] || ipmax="" + config_foreach find_networks_cb zone "$1" + } - local exthost - config_get exthost "$cfg" src_dip "$wanip" + setup_fwd() { + local cfg="$1" - local inthost - config_get inthost "$cfg" dest_ip - [ -n "$inthost" ] || return + local reflection + config_get_bool reflection "$cfg" reflection 1 + [ "$reflection" == 1 ] || return - [ "$proto" = tcpudp ] && proto="tcp udp" + local src + config_get src "$cfg" src - local p - for p in ${proto:-tcp udp}; do - case "$p" in - tcp|udp) - iptables -t nat -A nat_reflection_in \ - -s $lanip/$lanmk -d $exthost \ - -p $p --dport $epmin${epmax:+:$epmax} \ - -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} + local target + config_get target "$cfg" target DNAT - iptables -t nat -A nat_reflection_out \ - -s $lanip/$lanmk -d $inthost \ - -p $p --dport $ipmin${ipmax:+:$ipmax} \ - -j SNAT --to-source $lanip - ;; - esac + [ "$src" = wan ] && [ "$target" = DNAT ] && { + local dest + config_get dest "$cfg" dest "lan" + [ "$dest" != "*" ] || return + + local net + for net in $(find_networks "$dest"); do + local lanip=$(uci -P/var/state get network.$net.ipaddr) + local lanmk=$(uci -P/var/state get network.$net.netmask) + + local proto + config_get proto "$cfg" proto + + local epmin epmax extport + config_get extport "$cfg" src_dport + [ -n "$extport" ] || return + + epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" + [ "$epmin" != "$epmax" ] || epmax="" + + local ipmin ipmax intport + config_get intport "$cfg" dest_port "$extport" + + ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" + [ "$ipmin" != "$ipmax" ] || ipmax="" + + local exthost + config_get exthost "$cfg" src_dip "$wanip" + + local inthost + config_get inthost "$cfg" dest_ip + [ -n "$inthost" ] || return + + [ "$proto" = tcpudp ] && proto="tcp udp" + + [ "${inthost#!}" = "$inthost" ] || return 0 + [ "${exthost#!}" = "$exthost" ] || return 0 + + [ "${epmin#!}" != "$epmin" ] && \ + extport="! --dport ${epmin#!}${epmax:+:$epmax}" || \ + extport="--dport $epmin${epmax:+:$epmax}" + + [ "${ipmin#!}" != "$ipmin" ] && \ + intport="! --dport ${ipmin#!}${ipmax:+:$ipmax}" || \ + intport="--dport $ipmin${ipmax:+:$ipmax}" + + local p + for p in ${proto:-tcp udp}; do + case "$p" in + tcp|udp) + iptables -t nat -A nat_reflection_in \ + -s $lanip/$lanmk -d $exthost \ + -p $p $extport \ + -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax} + + iptables -t nat -A nat_reflection_out \ + -s $lanip/$lanmk -d $inthost \ + -p $p $intport \ + -j SNAT --to-source $lanip + + iptables -t filter -A nat_reflection_fwd \ + -s $lanip/$lanmk -d $inthost \ + -p $p $intport \ + -j ACCEPT + ;; + esac + done done } } @@ -76,4 +127,3 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then config_load firewall config_foreach setup_fwd redirect fi -