miniupnpd: De-maintainering myself.

[feed/routing.git] / miniupnpd / files / firewall.include

diff --git a/miniupnpd/files/firewall.include b/miniupnpd/files/firewall.include
index 9a42e0613f4ce11a11bca468fc5247af306c463f..0eb96d7cce31edc05a53a7916cad46085935edc9 100644 (file)
--- a/miniupnpd/files/firewall.include
+++ b/miniupnpd/files/firewall.include
@@ -5,6 +5,7 @@ IP6TABLES=/usr/sbin/ip6tables
 
 iptables -t filter -N MINIUPNPD 2>/dev/null
 iptables -t nat -N MINIUPNPD 2>/dev/null
+iptables -t nat -N MINIUPNPD-POSTROUTING 2>/dev/null
 
 [ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
 
@@ -20,6 +21,7 @@ add_extzone_rules() {
     # IPv4 - due to NAT, need to add both to nat and filter table
     iptables -t filter -I zone_${ext_zone}_forward -j MINIUPNPD
     iptables -t nat -I zone_${ext_zone}_prerouting -j MINIUPNPD
+    iptables -t nat -I zone_${ext_zone}_postrouting -j MINIUPNPD-POSTROUTING
 
     # IPv6 if available - filter only
     [ -x $IP6TABLES ] && {
@@ -34,11 +36,17 @@ for ext_iface in $(uci -q get upnpd.config.external_iface); do
     add_extzone_rules $(fw3 -q network "$ext_iface")
 done
 
+add_extzone_rules $(uci -q get upnpd.config.external_zone)
+
 [ ! $ADDED = 0 ] && exit 0
 
-# If it's not available, resort to network_find_wan{,6} and
+
+# If really nothing is available, resort to network_find_wan{,6} and
 # assume external interfaces all have same firewall zone.
 
+# (This heuristic may fail horribly, in case of e.g. multihoming, so
+# please set external_zone in that case!)
+
 network_find_wan wan_iface
 network_find_wan6 wan6_iface