X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/da83ad5b95688ad117be7f41618ed247030ca5c0..cbe52027620c51cb36475fb042069862a35c95c3:/package/firewall/files/reflection.hotplug diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug index 605ac7c99..33d121cec 100644 --- a/package/firewall/files/reflection.hotplug +++ b/package/firewall/files/reflection.hotplug @@ -1,9 +1,8 @@ #!/bin/sh -# Setup NAT reflection rules . /etc/functions.sh -if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then +if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then local wanip=$(uci -P/var/state get network.wan.ipaddr) iptables -t nat -F nat_reflection_in 2>/dev/null || { @@ -16,59 +15,102 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then iptables -t nat -A postrouting_rule -j nat_reflection_out } + iptables -t filter -F nat_reflection_fwd 2>/dev/null || { + iptables -t filter -N nat_reflection_fwd + iptables -t filter -A forwarding_rule -j nat_reflection_fwd + } + + find_networks() { + find_networks_cb() { + local cfg="$1" + local zone="$2" + + local name + config_get name "$cfg" name + + [ "$name" = "$zone" ] && { + local network + config_get network "$cfg" network + + echo ${network:-$zone} + return 1 + } + } + + config_foreach find_networks_cb zone "$1" + } + setup_fwd() { local cfg="$1" + local reflection + config_get_bool reflection "$cfg" reflection 1 + [ "$reflection" == 1 ] || return + local src config_get src "$cfg" src - [ "$src" = wan ] && { + local target + config_get target "$cfg" target DNAT + + [ "$src" = wan ] && [ "$target" = DNAT ] && { local dest config_get dest "$cfg" dest "lan" - local lanip=$(uci -P/var/state get network.$dest.ipaddr) - local lanmk=$(uci -P/var/state get network.$dest.netmask) + local net + for net in $(find_networks "$dest"); do + local lanip=$(uci -P/var/state get network.$net.ipaddr) + local lanmk=$(uci -P/var/state get network.$net.netmask) - local proto - config_get proto "$cfg" proto + local proto + config_get proto "$cfg" proto - local epmin epmax extport - config_get extport "$cfg" src_dport - [ -n "$extport" ] || return + local epmin epmax extport + config_get extport "$cfg" src_dport + [ -n "$extport" ] || return - epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" - [ "$epmin" != "$epmax" ] || epmax="" + epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" + [ "$epmin" != "$epmax" ] || epmax="" - local ipmin ipmax intport - config_get intport "$cfg" dest_port "$extport" + local ipmin ipmax intport + config_get intport "$cfg" dest_port "$extport" - ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" - [ "$ipmin" != "$ipmax" ] || ipmax="" + ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" + [ "$ipmin" != "$ipmax" ] || ipmax="" - local exthost - config_get exthost "$cfg" src_dip "$wanip" + local exthost + config_get exthost "$cfg" src_dip "$wanip" - local inthost - config_get inthost "$cfg" dest_ip - [ -n "$inthost" ] || return + local inthost + config_get inthost "$cfg" dest_ip + [ -n "$inthost" ] || return - [ "$proto" = tcpudp ] && proto="tcp udp" + [ "$proto" = tcpudp ] && proto="tcp udp" - local p - for p in ${proto:-tcp udp}; do - case "$p" in - tcp|udp) - iptables -t nat -A nat_reflection_in \ - -s $lanip/$lanmk -d $exthost \ - -p $p --dport $epmin${epmax:+:$epmax} \ - -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} + [ "${inthost#!}" = "$inthost" ] || return 0 + [ "${exthost#!}" = "$exthost" ] || return 0 - iptables -t nat -A nat_reflection_out \ - -s $lanip/$lanmk -d $inthost \ - -p $p --dport $ipmin${ipmax:+:$ipmax} \ - -j SNAT --to-source $lanip - ;; - esac + local p + for p in ${proto:-tcp udp}; do + case "$p" in + tcp|udp) + iptables -t nat -A nat_reflection_in \ + -s $lanip/$lanmk -d $exthost \ + -p $p --dport $epmin${epmax:+:$epmax} \ + -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} + + iptables -t nat -A nat_reflection_out \ + -s $lanip/$lanmk -d $inthost \ + -p $p --dport $ipmin${ipmax:+:$ipmax} \ + -j SNAT --to-source $lanip + + iptables -t filter -A nat_reflection_fwd \ + -s $lanip/$lanmk -d $inthost \ + -p $p --dport $ipmin${ipmax:+:$ipmax} \ + -j ACCEPT + ;; + esac + done done } } @@ -76,4 +118,3 @@ if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then config_load firewall config_foreach setup_fwd redirect fi -