| package/firewall/files/reflection.hotplug |
|---|
| 1 | 1 | #!/bin/sh |
| 2 | | # Setup NAT reflection rules |
| 3 | 2 | |
| 4 | 3 | . /etc/functions.sh |
| 5 | 4 | |
| ... | ... | |
| 16 | 15 | iptables -t nat -A postrouting_rule -j nat_reflection_out |
| 17 | 16 | } |
| 18 | 17 | |
| 18 | find_networks() { |
| 19 | find_networks_cb() { |
| 20 | local cfg="$1" |
| 21 | local zone="$2" |
| 22 | |
| 23 | local name |
| 24 | config_get name "$cfg" name |
| 25 | |
| 26 | [ "$name" = "$zone" ] && { |
| 27 | local network |
| 28 | config_get network "$cfg" network |
| 29 | |
| 30 | echo ${network:-$zone} |
| 31 | return 1 |
| 32 | } |
| 33 | } |
| 34 | |
| 35 | config_foreach find_networks_cb zone "$1" |
| 36 | } |
| 37 | |
| 19 | 38 | setup_fwd() { |
| 20 | 39 | local cfg="$1" |
| 21 | 40 | |
| ... | ... | |
| 26 | 45 | local dest |
| 27 | 46 | config_get dest "$cfg" dest "lan" |
| 28 | 47 | |
| 29 | | local lanip=$(uci -P/var/state get network.$dest.ipaddr) |
| 30 | | local lanmk=$(uci -P/var/state get network.$dest.netmask) |
| 48 | local net |
| 49 | for net in $(find_networks "$dest"); do |
| 50 | local lanip=$(uci -P/var/state get network.$net.ipaddr) |
| 51 | local lanmk=$(uci -P/var/state get network.$net.netmask) |
| 31 | 52 | |
| 32 | | local proto |
| 33 | | config_get proto "$cfg" proto |
| 53 | local proto |
| 54 | config_get proto "$cfg" proto |
| 34 | 55 | |
| 35 | | local epmin epmax extport |
| 36 | | config_get extport "$cfg" src_dport |
| 37 | | [ -n "$extport" ] || return |
| 56 | local epmin epmax extport |
| 57 | config_get extport "$cfg" src_dport |
| 58 | [ -n "$extport" ] || return |
| 38 | 59 | |
| 39 | | epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" |
| 40 | | [ "$epmin" != "$epmax" ] || epmax="" |
| 60 | epmin="${extport%[-:]*}"; epmax="${extport#*[-:]}" |
| 61 | [ "$epmin" != "$epmax" ] || epmax="" |
| 41 | 62 | |
| 42 | | local ipmin ipmax intport |
| 43 | | config_get intport "$cfg" dest_port "$extport" |
| 63 | local ipmin ipmax intport |
| 64 | config_get intport "$cfg" dest_port "$extport" |
| 44 | 65 | |
| 45 | | ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" |
| 46 | | [ "$ipmin" != "$ipmax" ] || ipmax="" |
| 66 | ipmin="${intport%[-:]*}"; ipmax="${intport#*[-:]}" |
| 67 | [ "$ipmin" != "$ipmax" ] || ipmax="" |
| 47 | 68 | |
| 48 | | local exthost |
| 49 | | config_get exthost "$cfg" src_dip "$wanip" |
| 69 | local exthost |
| 70 | config_get exthost "$cfg" src_dip "$wanip" |
| 50 | 71 | |
| 51 | | local inthost |
| 52 | | config_get inthost "$cfg" dest_ip |
| 53 | | [ -n "$inthost" ] || return |
| 72 | local inthost |
| 73 | config_get inthost "$cfg" dest_ip |
| 74 | [ -n "$inthost" ] || return |
| 54 | 75 | |
| 55 | | [ "$proto" = tcpudp ] && proto="tcp udp" |
| 76 | [ "$proto" = tcpudp ] && proto="tcp udp" |
| 56 | 77 | |
| 57 | | local p |
| 58 | | for p in ${proto:-tcp udp}; do |
| 59 | | case "$p" in |
| 60 | | tcp|udp) |
| 61 | | iptables -t nat -A nat_reflection_in \ |
| 62 | | -s $lanip/$lanmk -d $exthost \ |
| 63 | | -p $p --dport $epmin${epmax:+:$epmax} \ |
| 64 | | -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} |
| 78 | local p |
| 79 | for p in ${proto:-tcp udp}; do |
| 80 | case "$p" in |
| 81 | tcp|udp) |
| 82 | iptables -t nat -A nat_reflection_in \ |
| 83 | -s $lanip/$lanmk -d $exthost \ |
| 84 | -p $p --dport $epmin${epmax:+:$epmax} \ |
| 85 | -j DNAT --to $inthost:$ipmin${ipmax:+-$ipmax} |
| 65 | 86 | |
| 66 | | iptables -t nat -A nat_reflection_out \ |
| 67 | | -s $lanip/$lanmk -d $inthost \ |
| 68 | | -p $p --dport $ipmin${ipmax:+:$ipmax} \ |
| 69 | | -j SNAT --to-source $lanip |
| 70 | | ;; |
| 71 | | esac |
| 87 | iptables -t nat -A nat_reflection_out \ |
| 88 | -s $lanip/$lanmk -d $inthost \ |
| 89 | -p $p --dport $ipmin${ipmax:+:$ipmax} \ |
| 90 | -j SNAT --to-source $lanip |
| 91 | ;; |
| 92 | esac |
| 93 | done |
| 72 | 94 | done |
| 73 | 95 | } |
| 74 | 96 | } |
