Date:2010-07-31 15:06:14 (13 years 7 months ago)
Author:jow
Commit:da83ad5b95688ad117be7f41618ed247030ca5c0
Message:[package] firewall: add basic NAT reflection/NAT loopback support

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22441 3c298f89-4303-0410-b956-a3cf2f4a3e73
Files: package/firewall/Makefile (2 diffs)
package/firewall/files/reflection.hotplug (1 diff)


package/firewall/Makefile
99PKG_NAME:=firewall
1010
1111PKG_VERSION:=2
12PKG_RELEASE:=8
12PKG_RELEASE:=9
1313
1414include $(INCLUDE_DIR)/package.mk
1515
...... 
4545    $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
4646    $(INSTALL_DIR) $(1)/etc/hotplug.d/iface
4747    $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
48    $(INSTALL_DATA) ./files/reflection.hotplug $(1)/etc/hotplug.d/iface/30-nat-reflection
4849    $(INSTALL_DIR) $(1)/etc
4950    $(INSTALL_DATA) ./files/firewall.user $(1)/etc
5051endef
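--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -0,0 +1,79 @@
+#!/bin/sh
+# Setup NAT reflection rules
+
+. /etc/functions.sh
+
+if [ "$ACTION" = "ifup" ] && [ "$INTERFACE" = "wan" ]; then
+    local wanip=$(uci -P/var/state get network.wan.ipaddr)
+
+    iptables -t nat -F nat_reflection_in 2>/dev/null || {
+        iptables -t nat -N nat_reflection_in
+        iptables -t nat -A prerouting_rule -j nat_reflection_in
+    }
+
+    iptables -t nat -F nat_reflection_out 2>/dev/null || {
+        iptables -t nat -N nat_reflection_out
+        iptables -t nat -A postrouting_rule -j nat_reflection_out
+    }
+
+    setup_fwd() {
+        local cfg="$1"
+
+        local src
+        config_get src "$cfg" src
+
+        [ "$src" = wan ] && {
+            local dest
+            config_get dest "$cfg" dest "lan"
+
+            local lanip=$(uci -P/var/state get network.$dest.ipaddr)
+            local lanmk=$(uci -P/var/state get network.$dest.netmask)
+
+            local proto
+            config_get proto "$cfg" proto
+
+            local epmin epmax extport
+            config_get extport "$cfg" src_dport
+            [ -n "$extport" ] || return
+
+            epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}"
+            [ "$epmin" != "$epmax" ] || epmax=""
+
+            local ipmin ipmax intport
+            config_get intport "$cfg" dest_port "$extport"
+
+            ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}"
+            [ "$ipmin" != "$ipmax" ] || ipmax=""
+
+            local exthost
+            config_get exthost "$cfg" src_dip "$wanip"
+
+            local inthost
+            config_get inthost "$cfg" dest_ip
+            [ -n "$inthost" ] || return
+
+            [ "$proto" = tcpudp ] && proto="tcp udp"
+
+            local p
+            for p in ${proto:-tcp udp}; do
+                case "$p" in
+                    tcp|udp)
+                        iptables -t nat -A nat_reflection_in \
+                            -s $lanip/$lanmk -d $exthost \
+                            -p $p --dport $epmin${epmax:+:$epmax} \
+                            -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax}
+
+                        iptables -t nat -A nat_reflection_out \
+                            -s $lanip/$lanmk -d $inthost \
+                            -p $p --dport $ipmin${ipmax:+:$ipmax} \
+                            -j SNAT --to-source $lanip
+                    ;;
+                esac
+            done
+        }
+    }
+
+    config_load firewall
+    config_foreach setup_fwd redirect
+fi
+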
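Review bot: Nothing guards against an empty interface address before the rules are built (new lines 7, 29–30 and 61–69): `wanip`, `lanip` and `lanmk` are read from `uci -P/var/state` and expanded unquoted into the iptables arguments, so an empty value collapses `-s $lanip/$lanmk` or `-d $exthost` into a malformed argument list that iptables presumably rejects with an error on every redirect section rather than an explicit skip. Adding `[ -n "$wanip" ] || exit 0` after line 7 and `[ -n "$lanip" ] && [ -n "$lanmk" ] || return` after line 30 makes the skip deliberate and keeps the hotplug run free of per-rule iptables failures. Separately, line 7 uses `local` outside any function, which the ash/dash `/bin/sh` named in the shebang may refuse; a plain assignment `wanip=$(uci -P/var/state get network.wan.ipaddr)` is sufficient at script scope.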



