
[OpenWrt-Devel,package] firewall: Redirect incoming WAN traffic only when destination IP address matches the IP address used for masquerading

Message ID CAF1oqRCWqHovjDByoOm9G=9rz5cQkxFwRmHT3rsCYjg54VFkmA@mail.gmail.com
State Superseded

Commit Message

Alin Năstac Sept. 9, 2015, 9:18 a.m. UTC
This is a git patch for the firewall3 git repo at git://nbd.name/firewall3.git

Basically it prevents zone_wan_prerouting rules from affecting traffic
towards IP addresses that are not used for masquerading the LAN private IP
space; it does that by setting the destination IP address of the
delegate_prerouting rules for a zone with masq enabled to whatever
address(es) that particular network interface has.

The typical scenario this patch fixes involves 2 LAN network prefixes:
  - the usual 192.168.1.0/24 which is masqueraded by the public IP
address configured on the WAN interface
  - a public IP network prefix for those LAN devices that are supposed
to be excluded from NAT
Without this patch, port forwarding rules introduced for 192.168.1.x
LAN devices will also affect traffic towards the 2nd prefix.

From 56820e2e3e09f68e4f9a74e6aff832fbcf2c5729 Mon Sep 17 00:00:00 2001
From: Alin Nastac <alin.nastac@gmail.com>
Date: Fri, 4 Sep 2015 13:54:10 +0200
Subject: [PATCH] Redirect incoming WAN traffic only when
 destination IP address matches the IP address configured on the
incoming interface

---
 zones.c | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

+                       {
+                               r = fw3_ipt_rule_create(handle, NULL,
dev, NULL, sub, NULL);
+                               fw3_ipt_rule_target(r,
"zone_%s_prerouting", zone->name);
+                               fw3_ipt_rule_extra(r, zone->extra_src);
+                               fw3_ipt_rule_replace(r, "delegate_prerouting");
+                       }
                }

                if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
--
1.7.12.4

Patch

diff --git a/zones.c b/zones.c
index 2ddd7b4..8bd6673 100644
--- a/zones.c
+++ b/zones.c
@@ -383,10 +383,38 @@  print_interface_rule(struct fw3_ipt_handle
*handle, struct fw3_state *state,
        {
                if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
                {
-                       r = fw3_ipt_rule_create(handle, NULL, dev,
NULL, sub, NULL);
-                       fw3_ipt_rule_target(r, "zone_%s_prerouting",
zone->name);
-                       fw3_ipt_rule_extra(r, zone->extra_src);
-                       fw3_ipt_rule_replace(r, "delegate_prerouting");
+                       struct list_head *addrs;
+                       struct fw3_address *addr;
+
+                       addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;
+                       if (addrs)
+                       {
+                               /* redirect only the traffic towards a
locally configured address */
+                               INIT_LIST_HEAD(addrs);
+                               fw3_ubus_address(addrs, dev->network);
+
+                               list_for_each_entry(addr, addrs, list)
+                               {
+                                       if (!fw3_is_family(addr,
handle->family))
+                                               continue;
+                                       /* reset mask to its maximum value */
+                                       memset(&addr->mask.v6, 0xFF,
sizeof(addr->mask.v6));
+
+                                       r =
fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr);
+                                       fw3_ipt_rule_target(r,
"zone_%s_prerouting", zone->name);
+                                       fw3_ipt_rule_extra(r, zone->extra_src);
+                                       fw3_ipt_rule_replace(r,
"delegate_prerouting");
+                               }
+
+                               fw3_free_list(addrs);
+                       }
+                       else