aboutsummaryrefslogtreecommitdiffstats
path: root/package/firewall/files
diff options
context:
space:
mode:
authorJo-Philipp Wich <jow@openwrt.org>2010-09-05 19:03:17 +0000
committerJo-Philipp Wich <jow@openwrt.org>2010-09-05 19:03:17 +0000
commiteb79296cc10f6168892278b4aa921566178b1f20 (patch)
treed0c316a221006e53285d7abc638e848e263febbb /package/firewall/files
parent0c6653c6e2f5c122afee186d69cef106bae69d66 (diff)
downloadupstream-eb79296cc10f6168892278b4aa921566178b1f20.tar.gz
upstream-eb79296cc10f6168892278b4aa921566178b1f20.tar.bz2
upstream-eb79296cc10f6168892278b4aa921566178b1f20.zip
firewall: introduce SNAT support for redirect sections
SVN-Revision: 22937
Diffstat (limited to 'package/firewall/files')
-rw-r--r--package/firewall/files/lib/core_redirect.sh16
-rw-r--r--package/firewall/files/reflection.hotplug5
2 files changed, 18 insertions, 3 deletions
diff --git a/package/firewall/files/lib/core_redirect.sh b/package/firewall/files/lib/core_redirect.sh
index 15d01b0a75..913f963562 100644
--- a/package/firewall/files/lib/core_redirect.sh
+++ b/package/firewall/files/lib/core_redirect.sh
@@ -17,6 +17,7 @@ fw_config_get_redirect() {
string dest_port "" \
string proto "tcpudp" \
string family "" \
+ string target "DNAT" \
} || return
[ -n "$redirect_name" ] || redirect_name=$redirect__name
}
@@ -30,6 +31,17 @@ fw_load_redirect() {
fw_die "redirect ${redirect_name}: needs src and dest_ip or dest_port"
}
+ local chain destopt
+ if [ "$redirect_target" == "DNAT" ]; then
+ chain="zone_${redirect_src}_prerouting"
+ destopt="--to-destination"
+ elif [ "$redirect_target" == "SNAT" ]; then
+ chain="zone_${redirect_src}_nat"
+ destopt="--to-source"
+ else
+ fw_die "redirect ${redirect_name}: target must be either DNAT or SNAT"
+ fi
+
list_contains FW_CONNTRACK_ZONES $redirect_src || \
append FW_CONNTRACK_ZONES $redirect_src
@@ -43,14 +55,14 @@ fw_load_redirect() {
[ "$redirect_proto" == "tcpudp" ] && redirect_proto="tcp udp"
for redirect_proto in $redirect_proto; do
- fw add $mode n zone_${redirect_src}_prerouting DNAT $ { $redirect_src_ip $redirect_dest_ip } { \
+ fw add $mode n $chain $redirect_target $ { $redirect_src_ip $redirect_dest_ip } { \
${redirect_proto:+-p $redirect_proto} \
${redirect_src_ip:+-s $redirect_src_ip/$redirect_src_ip_prefixlen} \
${redirect_src_dip:+-d $redirect_src_dip/$redirect_src_dip_prefixlen} \
${redirect_src_port:+--sport $redirect_src_port} \
${redirect_src_dport:+--dport $redirect_src_dport} \
${redirect_src_mac:+-m mac --mac-source $redirect_src_mac} \
- --to-destination ${redirect_dest_ip}${redirect_dest_port:+:$nat_dest_port} \
+ $destopt ${redirect_dest_ip}${redirect_dest_port:+:$nat_dest_port} \
}
[ -n "$redirect_dest_ip" ] && \
diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug
index 6b1cd60f28..027d2ed8b1 100644
--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -41,7 +41,10 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
local src
config_get src "$cfg" src
- [ "$src" = wan ] && {
+ local target
+ config_get target "$cfg" target DNAT
+
+ [ "$src" = wan ] && [ "$target" = DNAT ] && {
local dest
config_get dest "$cfg" dest "lan"