[OpenWrt-Devel,firewall3] redirects: properly handle src_dport in SNAT rules

Message ID 20181206170306.19060-1-dedeckeh@gmail.com
State Accepted

Commit Message

Hans Dedecker Dec. 6, 2018, 5:03 p.m. UTC
In case of SNAT rules the src_dport parameter is used both as a rewrite
parameter as well as a matching parameter which is not the expected
behavior.
The latter is caused by port_redir being set to src_dport in case dest_port
parameter is not.
As this logic is in place to mimic the old shell script based firewall
behavior for DNAT only set port_redir in case the redirect rule is
a DNAT rule.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
---
 redirects.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jo-Philipp Wich Dec. 6, 2018, 6:59 p.m. UTC | #1
Hi,

On 12/6/18 6:03 PM, Hans Dedecker wrote:
> In case of SNAT rules the src_dport parameter is used both as a rewrite
> parameter as well as a matching parameter which is not the expected
> behavior.
> The latter is caused by port_redir being set to src_dport in case dest_port
> parameter is not.
> As this logic is in place to mimic the old shell script based firewall
> behavior for DNAT only set port_redir in case the redirect rule is
> a DNAT rule.
> 
> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Acked-by: Jo-Philipp Wich <jo@mein.io>

> ---
>  redirects.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/redirects.c b/redirects.c
> index 6cd09f1..ab95395 100644
> --- a/redirects.c
> +++ b/redirects.c
> @@ -350,7 +350,7 @@ check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_e
>  	if (!valid)
>  		return false;
>  
> -	if (!redir->port_redir.set)
> +	if (redir->target == FW3_FLAG_DNAT && !redir->port_redir.set)
>  		redir->port_redir = redir->port_dest;
>  
>  	return true;
>
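
Review bot: the new condition on the `if` line carries no comment saying why the fallback is limited to DNAT. The commit message has the reason (the fallback exists to mimic the old shell-script firewall for DNAT, and for SNAT it made src_dport act as a match as well as a rewrite); a short comment above `if (redir->target == FW3_FLAG_DNAT && !redir->port_redir.set)` stating that would keep a later cleanup from widening the check again.
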
Patch

diff --git a/redirects.c b/redirects.c
index 6cd09f1..ab95395 100644
--- a/redirects.c
+++ b/redirects.c
@@ -350,7 +350,7 @@  check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_e
 	if (!valid)
 		return false;
 
-	if (!redir->port_redir.set)
+	if (redir->target == FW3_FLAG_DNAT && !redir->port_redir.set)
 		redir->port_redir = redir->port_dest;
 
 	return true;
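
Review bot: with the added `redir->target == FW3_FLAG_DNAT` test, an SNAT redirect that sets no dest_port now leaves `check_redirect()` with `port_redir.set` still false, and nothing in this hunk shows how the SNAT rule-building code treats an unset `port_redir`. It is worth confirming that path emits no port match when the field is unset, and saying in the commit message that this was checked, since the hunk changes only the validation step and not the consumer of the field.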