From patchwork Thu Sep 10 08:22:31 2015
X-Patchwork-Submitter: Alin Năstac
X-Patchwork-Id: 516167
Message-ID: <55F13DC7.6030305@gmail.com>
Date: Thu, 10 Sep 2015 10:22:31 +0200
From: Alin Nastac
To: Jo-Philipp Wich
Cc: openwrt-devel@lists.openwrt.org
Subject: [OpenWrt-Devel] [PATCH] [package] firewall: Redirect incoming WAN traffic only when destination IP address matches the IP address used for masquerading
List-Id: OpenWrt Development List

(Resend of a previous patch affected by gmail's editor line wrapping)

This is a git patch for the firewall3 git repo at git://nbd.name/firewall3.git.

Basically it prevents zone_wan_prerouting rules from affecting traffic towards IP addresses that are not used for masquerading the LAN private IP space, and it does that by setting the destination IP address of the delegate_prerouting rules for zones with masq enabled to whatever address(es) that particular network interface has.

The typical scenario this patch fixes involves 2 LAN network prefixes:
- the usual 192.168.1.0/24, which is masqueraded by the public IP address configured on the WAN interface
- a public IP network prefix for those LAN devices that are supposed to be excluded from NAT

Without this patch, port forwarding rules introduced for 192.168.1.x LAN devices will also affect traffic towards the 2nd prefix.

From 56820e2e3e09f68e4f9a74e6aff832fbcf2c5729 Mon Sep 17 00:00:00 2001
From: Alin Nastac
Date: Fri, 4 Sep 2015 13:54:10 +0200
Subject: [PATCH] Redirect incoming WAN traffic only when destination IP address matches the IP address configured on the incoming interface

---
 zones.c | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

-- 
1.7.12.4

diff --git a/zones.c b/zones.c
index 2ddd7b4..8bd6673 100644
--- a/zones.c
+++ b/zones.c
@@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, { if (has(zone->flags, handle->family, FW3_FLAG_DNAT)) { - r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL); - fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name); - fw3_ipt_rule_extra(r, zone->extra_src); - fw3_ipt_rule_replace(r, "delegate_prerouting"); + struct list_head *addrs; + struct fw3_address *addr; + + addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL; + if (addrs) + { + /* redirect only the traffic towards a locally configured address */ + INIT_LIST_HEAD(addrs); + fw3_ubus_address(addrs, dev->network); + + list_for_each_entry(addr, addrs, list) + { + if (!fw3_is_family(addr, handle->family)) + continue; + /* reset mask to its maximum value */ + memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6)); + + r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr); + fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name); + fw3_ipt_rule_extra(r, zone->extra_src); + fw3_ipt_rule_replace(r, "delegate_prerouting"); + } + + fw3_free_list(addrs); + } + else + { + r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL); + fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name); + fw3_ipt_rule_extra(r, zone->extra_src); + fw3_ipt_rule_replace(r, "delegate_prerouting"); + } } if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
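Review bot: in the `if (addrs)` branch, when `fw3_ubus_address(addrs, dev->network)` returns no address of `handle->family` (interface not yet up when the rules are generated, or a network that only carries the other family), the `list_for_each_entry` loop installs no jump to `zone_%s_prerouting` at all, so DNAT for that family is silently disabled rather than falling back to anything; at least a warning there would help, and the destination list is evaluated only once here, so a masquerading zone whose interface address changes later keeps matching the old address until the rules are regenerated. Also, `addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL` folds "masq disabled" and "allocation failed" into one NULL, so a failed `calloc` drops into the `else` branch and quietly reinstalls the unrestricted rule this patch is meant to remove; test `zone->masq` and the allocation separately. Minor: the four `fw3_ipt_rule_create` / `fw3_ipt_rule_target` / `fw3_ipt_rule_extra` / `fw3_ipt_rule_replace` lines are duplicated in both branches and could be a single path that passes either `addr` or `NULL` as the destination.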
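The destination-match change above, as an added example that is neither firewall3 code nor part of the patch: a small C model of the `-d` match on the delegate_prerouting rule, using constructed addresses, showing why the unrestricted rule also catches traffic to a non-NATed public prefix, why the mask reset in the hunk matters (an interface address reported with its subnet prefix length would otherwise turn into a network match that covers neighbouring hosts), and that an empty address list delegates nothing. The `ifaddr` struct, `delegated_to_zone()`, the `dst_match` modes and the 203.0.113.x / 198.51.100.x addresses are assumptions made for this example.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not firewall3 code: one interface address as the
 * patch's fw3_ubus_address() call would report it, the address plus the
 * prefix length of the subnet it was configured with. */
struct ifaddr {
    const char *addr;
    int prefix;
};

/* How the delegate_prerouting rule matches the packet's destination. */
enum dst_match {
    MATCH_NONE,    /* old rule: "-i wan -j zone_wan_prerouting", any destination */
    MATCH_PREFIX,  /* "-d addr/prefix": what you would get if the mask were not reset */
    MATCH_HOST     /* "-d addr/32": what the hunk builds after the memset to 0xFF */
};

/* Constructed WAN configuration for the example: a /29 from the ISP. */
static const struct ifaddr wan_addrs[] = {
    { "203.0.113.10", 29 },
};
#define WAN_N (sizeof wan_addrs / sizeof wan_addrs[0])

static uint32_t ipv4_to_u32(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;                      /* unparsable input maps to 0.0.0.0 */
    return ntohl(a.s_addr);
}

static uint32_t prefix_to_mask(int prefix)
{
    if (prefix <= 0) return 0;
    if (prefix >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix);
}

/* Returns 1 if a packet arriving on the zone's interface with destination
 * dst would be sent to zone_wan_prerouting (and so be subject to the
 * zone's DNAT / port-forward rules), 0 otherwise. */
static int delegated_to_zone(const char *dst, const struct ifaddr *ifa,
                             size_t n, enum dst_match mode)
{
    uint32_t d = ipv4_to_u32(dst);

    if (mode == MATCH_NONE)
        return 1;                      /* no -d at all: every destination */

    /* One rule per configured address, as the hunk's loop does; with an
     * empty address list no rule exists and nothing is delegated. */
    for (size_t i = 0; i < n; i++) {
        uint32_t a = ipv4_to_u32(ifa[i].addr);
        uint32_t m = (mode == MATCH_HOST) ? 0xFFFFFFFFu
                                          : prefix_to_mask(ifa[i].prefix);
        if ((d & m) == (a & m))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed destinations: the WAN address itself, a neighbour in the
     * same /29, and a host in the non-NATed public LAN prefix. */
    static const char *dsts[] = { "203.0.113.10", "203.0.113.12", "198.51.100.5" };
    static const char *names[] = { "none", "prefix", "host" };

    printf("%-14s %-6s %-6s %-6s\n", "destination", names[0], names[1], names[2]);
    for (size_t i = 0; i < 3; i++) {
        printf("%-14s", dsts[i]);
        for (enum dst_match m = MATCH_NONE; m <= MATCH_HOST; m++)
            printf(" %-6d", delegated_to_zone(dsts[i], wan_addrs, WAN_N, m));
        printf("\n");
    }
    return 0;
}
```

Only the host match (the patch's behaviour) limits the zone's DNAT rules to traffic actually addressed to the masquerading address; the prefix match would still pull in the neighbouring 203.0.113.12, and the old unrestricted rule pulls in the public LAN host 198.51.100.5 as well.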