From patchwork Thu Oct 1 16:38:32 2015
X-Patchwork-Submitter: Hans Dedecker
X-Patchwork-Id: 525180
From: Hans Dedecker
To: openwrt-devel@lists.openwrt.org
Cc: Hans Dedecker, Alin Nastac, cyrus@openwrt.org
Date: Thu, 1 Oct 2015 18:38:32 +0200
Message-Id: <1443717512-15116-1-git-send-email-dedeckeh@gmail.com>
X-Mailer: git-send-email 1.9.1
Subject: [OpenWrt-Devel] [PATCH firewall] zones : Redirect incoming WAN traffic only when the destination IP address matches the IP masquerading address
List-Id: OpenWrt Development List

This patch fixes an issue when 2 LAN network prefixes are in use:
- the usual 192.168.0.0/24 which is masqueraded by the public IP address on the WAN interface
- a public IP network prefix for those LAN devices that are excluded from NAT

Port forwarding rules introduced for 192.168.1.x devices will currently also translate traffic addressed to the public network addresses in use on the LAN, as the destination address in the delegate prerouting rule(s) is unset.

The patch sets the destination IP address(es) in the delegate prerouting rules equal to the IP address(es) that particular network interface has, as extra discriminator.

Signed-off-by: Hans Dedecker
Signed-off-by: Alin Nastac
---
 zones.c | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/zones.c b/zones.c index 2ddd7b4..8bd6673 100644 --- a/zones.c +++ b/zones.c @@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, { if (has(zone->flags, handle->family, FW3_FLAG_DNAT)) { - r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL); - fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name); - fw3_ipt_rule_extra(r, zone->extra_src); - fw3_ipt_rule_replace(r, "delegate_prerouting"); + struct list_head *addrs; + struct fw3_address *addr; + + addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL; + if (addrs) + { + /* redirect only the traffic towards a locally configured address */ + INIT_LIST_HEAD(addrs); + fw3_ubus_address(addrs, dev->network); + + list_for_each_entry(addr, addrs, list) + { + if (!fw3_is_family(addr, handle->family)) + continue; + /* reset mask to its maximum value */ + memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6)); + + r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr); + fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name); + fw3_ipt_rule_extra(r, zone->extra_src); + fw3_ipt_rule_replace(r, "delegate_prerouting"); + } + + fw3_free_list(addrs); + } + else + { + r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL); + fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name); + fw3_ipt_rule_extra(r, zone->extra_src); + fw3_ipt_rule_replace(r, "delegate_prerouting"); + } } if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
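Review bot: In the `zone->masq` branch, when `fw3_ubus_address(addrs, dev->network)` yields no address of the handle's family (an interface that has not yet obtained one, or an IPv6 handle on an interface that only carries IPv4), the `list_for_each_entry()` loop emits no `delegate_prerouting` jump at all, so the zone's DNAT rules silently stop applying for that family; a failed `calloc()`, on the other hand, drops into the `else` branch and reinstalls the unrestricted device-only rule, so the two failure modes go in opposite directions. Consider counting the rules emitted in the loop and either falling back to the unrestricted `fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL)` rule or warning when the count is zero, and treating `calloc()` failure as an error rather than as the pre-patch behaviour. A smaller point: the four `fw3_ipt_rule_*` calls are duplicated verbatim in both branches; a static helper taking an optional `struct fw3_address *` would keep them in one place. The commit message should also say that the destination restriction only applies to zones with `masq` set, since non-masquerading zones keep the old device-only match.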
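The problem the commit message describes, modelled in C as an added example: this is not firewall3 code, and the struct layouts, the `eth0.2` device name and the 203.0.113.10 / 198.51.100.0/24 addresses are constructed for illustration. `old_dispatch()` is the pre-patch jump (ingress device only); `new_dispatch()` is the patched jump (ingress device plus an exact match on one of the interface's own addresses of the handle's family, with the mask forced to all ones as the hunk's `memset()` does).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Address families as the firewall distinguishes them (numbering is this example's own). */
enum family { FAM_V4 = 4, FAM_V6 = 6 };

/* A locally configured interface address, in the spirit of struct fw3_address. */
struct address {
	enum family family;
	uint8_t addr[16];	/* IPv4 uses the first 4 bytes */
	uint8_t mask[16];	/* prefix mask as reported; the patch overrides it with all ones */
};

/* Minimal packet: ingress device, family and destination address. */
struct packet {
	const char *in_dev;
	enum family family;
	uint8_t dst[16];
};

/* Parse a dotted quad into the first 4 bytes of a 16-byte buffer (rest zeroed). */
static bool parse_v4(const char *s, uint8_t out[16])
{
	unsigned a, b, c, d;
	if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return false;
	memset(out, 0, 16);
	out[0] = a; out[1] = b; out[2] = c; out[3] = d;
	return true;
}

/* Constructed IPv4 packet arriving on the given device. */
static struct packet mk_packet(const char *dev, const char *dst_v4)
{
	struct packet p = { .in_dev = dev, .family = FAM_V4 };
	parse_v4(dst_v4, p.dst);
	return p;
}

/* Constructed WAN address list: one masqueraded public IPv4 address, /24 as ubus
 * would report it.  A real list would come from fw3_ubus_address(). */
static size_t wan_addresses(struct address *out, size_t cap)
{
	if (cap < 1)
		return 0;
	memset(&out[0], 0, sizeof(out[0]));
	out[0].family = FAM_V4;
	parse_v4("203.0.113.10", out[0].addr);
	parse_v4("255.255.255.0", out[0].mask);
	return 1;
}

/* Before the patch: the jump into zone_<name>_prerouting matched the ingress device
 * only, so every packet entering on the WAN device reached the zone's DNAT rules,
 * including packets for a public prefix that is merely routed through to the LAN. */
static bool old_dispatch(const struct packet *p, const char *zone_dev)
{
	return strcmp(p->in_dev, zone_dev) == 0;
}

/* After the patch (masquerading zones): one jump per configured address of the
 * handle's family, each pinning the destination to that address under a full mask. */
static bool new_dispatch(const struct packet *p, const char *zone_dev,
			 const struct address *addrs, size_t n, enum family handle_family)
{
	if (strcmp(p->in_dev, zone_dev) != 0 || p->family != handle_family)
		return false;

	size_t len = handle_family == FAM_V4 ? 4 : 16;
	for (size_t i = 0; i < n; i++) {
		uint8_t mask[16];
		bool eq = true;
		if (addrs[i].family != handle_family)	/* fw3_is_family() */
			continue;
		memset(mask, 0xFF, sizeof(mask));	/* /32 or /128: exact host match */
		for (size_t j = 0; j < len && eq; j++)
			eq = (p->dst[j] & mask[j]) == (addrs[i].addr[j] & mask[j]);
		if (eq)
			return true;
	}
	return false;	/* no matching address of this family: nothing is redirected */
}

int main(void)
{
	struct address wan[4];
	size_t n = wan_addresses(wan, 4);
	const char *dsts[] = { "203.0.113.10", "198.51.100.7" };

	for (size_t i = 0; i < 2; i++) {
		struct packet p = mk_packet("eth0.2", dsts[i]);
		printf("dst %-14s old: %s  new: %s\n", dsts[i],
		       old_dispatch(&p, "eth0.2") ? "DNAT" : "pass",
		       new_dispatch(&p, "eth0.2", wan, n, FAM_V4) ? "DNAT" : "pass");
	}
	return 0;
}
```

The second packet is the case from the commit message: it enters on the WAN device but is addressed to a host in the routed public prefix, so under the old jump it is handed to the zone's port-forwarding rules and rewritten, while under the new jump it passes through untouched. The last two checks in the model also make the fail-closed edge visible: with no address of the handle's family the new dispatch redirects nothing.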