From 963a0cd98beabbf748ec766939696f82221af044 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Mon, 28 May 2012 03:15:05 +0000
Subject: [PATCH] firewall: fix nat reflection after netifd status format change

- use /lib/functions/network.sh
- simplify nat reflection code

SVN-Revision: 31936
---
 package/firewall/Makefile | 2 +-
 package/firewall/files/reflection.hotplug | 56 ++++------------------
 2 files changed, 10 insertions(+), 48 deletions(-)

diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index e7a308f3c5..6d1e2950a1 100644
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=firewall
 PKG_VERSION:=2
-PKG_RELEASE:=50
+PKG_RELEASE:=51
 
 include $(INCLUDE_DIR)/package.mk
 
diff --git a/package/firewall/files/reflection.hotplug b/package/firewall/files/reflection.hotplug
index 62f5097291..2da0be9a05 100644
--- a/package/firewall/files/reflection.hotplug
+++ b/package/firewall/files/reflection.hotplug
@@ -1,48 +1,11 @@
 #!/bin/sh
 
-. /etc/functions.sh
-. /usr/share/libubox/jshn.sh
-
-find_iface_address()
-{
- local iface="$1"
- local ipaddr="$2"
- local prefix="$3"
-
- local idx=1
- local tmp="$(ubus call network.interface."$iface" status 2>/dev/null)"
-
- json_load "${tmp:-{}}"
- json_get_type tmp address
-
- if [ "$tmp" = array ]; then
- json_select address
-
- while true; do
- json_get_type tmp $idx
- [ "$tmp" = object ] || break
-
- json_select $((idx++))
- json_get_var tmp address
-
- case "$tmp" in
- *:*) json_select .. ;;
- *)
- [ -n "$ipaddr" ] && json_get_var $ipaddr address
- [ -n "$prefix" ] && json_get_var $prefix mask
- return 0
- ;;
- esac
- done
- fi
-
- return 1
-}
+. /lib/functions.sh
+. /lib/functions/network.sh
 
 if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
 local wanip
- find_iface_address wan wanip
- [ -n "$wanip" ] || return
+ network_get_ipaddr wanip wan || return
 
 iptables -t nat -F nat_reflection_in 2>/dev/null || {
 iptables -t nat -N nat_reflection_in
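Review bot: The new `network_get_ipaddr wanip wan || return` drops the explicit empty-value guard that the removed `[ -n "$wanip" ] || return` provided, so the reflection rules built further down are only safe if the helper reliably returns non-zero whenever it leaves `wanip` unset; if it can ever succeed with an empty value, the unquoted WAN-address arguments (the same pattern as `-d $exthost` in the third hunk) would silently vanish from the iptables command line and the rules would match far more traffic than intended. Keeping the one-line guard after the call, `[ -n "$wanip" ] || return`, costs nothing and makes the script correct independent of the helper's contract. The `if` block opened here continues past the end of the hunk.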
@@ -99,9 +62,8 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
 
 local net
 for net in $(find_networks "$dest"); do
- local lanip lanmk
- find_iface_address "$net" lanip lanmk
- [ -n "$lanip" ] || return
+ local lannet
+ network_get_subnet lannet "$net" || return
 
 local proto
 config_get proto "$cfg" proto
@@ -144,17 +106,17 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
 case "$p" in
 tcp|udp|6|17)
 iptables -t nat -A nat_reflection_in \
- -s $lanip/$lanmk -d $exthost \
+ -s $lannet -d $exthost \
 -p $p $extport \
 -j DNAT --to $inthost:${ipmin#!}${ipmax:+-$ipmax}
 
 iptables -t nat -A nat_reflection_out \
- -s $lanip/$lanmk -d $inthost \
+ -s $lannet -d $inthost \
 -p $p $intport \
- -j SNAT --to-source $lanip
+ -j SNAT --to-source ${lannet%%/*}
 
 iptables -t filter -A nat_reflection_fwd \
- -s $lanip/$lanmk -d $inthost \
+ -s $lannet -d $inthost \
 -p $p $intport \
 -j ACCEPT
 ;;
-- 
2.30.2
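Review bot: `network_get_subnet lannet "$net" || return` bails out of the whole hotplug script as soon as one destination network has no subnet, which leaves the `nat_reflection_*` chains (flushed earlier in the script, see the first hunk) repopulated only for the networks processed before it; the removed code had the same `return`, but since this line is being rewritten anyway it is the natural place to skip just that network instead, `network_get_subnet lannet "$net" || continue`, so one interface that is not up yet does not disable reflection for every other network. Whether `return` ends the script here depends on the file being sourced rather than executed, which I infer from the existing top-level `return` and `local` usage rather than from the hunk itself. The enclosing `for net in $(find_networks "$dest")` loop and the `if` block around it continue past the hunk.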
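Review bot: The SNAT source `${lannet%%/*}` only reproduces the old `--to-source $lanip` if `network_get_subnet` yields the interface's own address followed by the prefix length rather than the network address, and that assumption is invisible at this line; a comment above the `nat_reflection_out` rule would help the next reader, e.g. `# lannet is "<interface address>/<prefix>"; strip the prefix so SNAT uses the interface address itself`. If the helper ever returned a network address instead, reflected LAN-to-LAN traffic would be rewritten to a non-host source and replies would never come back. The `case` arm sits inside a loop whose start and end are outside the hunk.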