[backfire] firewall: backport SNAT support from trunk
authorJo-Philipp Wich <jow@openwrt.org>
Sun, 5 Sep 2010 20:37:44 +0000 (20:37 +0000)
committerJo-Philipp Wich <jow@openwrt.org>
Sun, 5 Sep 2010 20:37:44 +0000 (20:37 +0000)
SVN-Revision: 22939

package/firewall/Makefile
package/firewall/files/reflection.hotplug
package/firewall/files/uci_firewall.sh

index b0255556a6f5136b03548c595b672e1863e9c6a8..1c063048b0799e900119e714b53bc4115143004c 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 
 PKG_VERSION:=1
-PKG_RELEASE:=14
+PKG_RELEASE:=15
 
 include $(INCLUDE_DIR)/package.mk
 
index 6b1cd60f2857b6f97ff9b32c6d8dc9b5e6fc1082..76ef6e7a99ffbe8dcd4cc28d62d593610755eef9 100644 (file)
@@ -41,7 +41,10 @@ if [ "$ACTION" = "add" ] && [ "$INTERFACE" = "wan" ]; then
                local src
                config_get src "$cfg" src
 
-               [ "$src" = wan ] && {
+               local target
+               config_get target "$cfg" target
+
+               [ "$src" = wan ] && [ "${target:-DNAT}" = DNAT ] && {
                        local dest
                        config_get dest "$cfg" dest "lan"
 
index b9f61bca8533cb4f6476a0a189dc147952528b8f..35f743401ce6781a108643c1952ed640e96149e9 100755 (executable)
@@ -372,6 +372,7 @@ fw_redirect() {
        local dest_ip
        local dest_port dest_port2
        local proto
+       local target
 
        config_get src $1 src
        config_get src_ip $1 src_ip
@@ -382,9 +383,25 @@ fw_redirect() {
        config_get dest_ip $1 dest_ip
        config_get dest_port $1 dest_port
        config_get proto $1 proto
+       config_get target $1 target
+
        [ -z "$src" -o -z "$dest_ip$dest_port" ] && { \
                echo "redirect needs src and dest_ip or dest_port"; return ; }
 
+       local chain destopt destaddr
+       if [ "${target:-DNAT}" == "DNAT" ]; then
+               chain="zone_${src}_prerouting"
+               destopt="--to-destination"
+               destaddr="$dest_ip"
+       elif [ "$target" == "SNAT" ]; then
+               chain="zone_${src}_nat"
+               destopt="--to-source"
+               destaddr="$src_dip"
+       else
+               echo "redirect target must be either DNAT or SNAT"
+               return
+       fi
+
        find_item "$src" $CONNTRACK_ZONES || \
                append CONNTRACK_ZONES "$src"
 
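Review bot: The SNAT branch accepts a configuration with an empty dest_ip, because the only validation that runs before it is `[ -z "$src" -o -z "$dest_ip$dest_port" ]`, which permits a port-only redirect; that is fine for DNAT (`--to-destination :port` is legal) but `--to-source` needs an address, so I expect the SNAT rule assembled in add_rule in the last hunk to be rejected by iptables with an unhelpful message at load time. A branch-local guard after `destaddr="$src_dip"`, `[ -n "$dest_ip" ] || { echo "redirect target SNAT needs dest_ip"; return; }`, turns that into a clear configuration error. The same block compares with `==` inside `[ … ]`, which is not POSIX test syntax and differs from the `=` used elsewhere in these scripts (see the reflection.hotplug hunk); `[ "${target:-DNAT}" = "DNAT" ]` and `[ "$target" = "SNAT" ]` would keep the style uniform and avoid a shell-dependent construct. fw_redirect continues outside the hunk.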
@@ -405,19 +422,19 @@ fw_redirect() {
                dest_port2="$dest_port_first:$dest_port_last"; }
 
        add_rule() {
-               $IPTABLES -A zone_${src}_prerouting -t nat \
+               $IPTABLES -A $chain -t nat \
                        ${proto:+-p $proto} \
                        ${src_ip:+-s $src_ip} \
                        ${src_dip:+-d $src_dip} \
                        ${src_port:+--sport $src_port} \
                        ${src_dport:+--dport $src_dport} \
                        ${src_mac:+-m mac --mac-source $src_mac} \
-                       -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
+                       -j ${target:-DNAT} $destopt $dest_ip${dest_port:+:$dest_port}
 
-               [ -n "$dest_ip" ] && \
+               [ -n "$destaddr" ] && \
                $IPTABLES -I zone_${src}_forward 1 \
                        ${proto:+-p $proto} \
-                       -d $dest_ip \
+                       -d $destaddr \
                        ${src_ip:+-s $src_ip} \
                        ${src_port:+--sport $src_port} \
                        ${dest_port2:+--dport $dest_port2} \
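Review bot: `-j ${target:-DNAT}` on the nat rule re-applies a default that the DNAT/SNAT validation earlier in fw_redirect has already settled, so the two places can drift if that default is ever changed in one of them. Normalizing once before the chain selection, `target="${target:-DNAT}"`, would let this line and the if/elif read `$target` directly. A one-line comment above the forward-accept rule would also help, since `-d $destaddr` now means dest_ip for DNAT but src_dip for SNAT: `# accept forwarded traffic to the NATed address (dest_ip for DNAT, src_dip for SNAT)`. add_rule is defined inside fw_redirect and its body runs past the end of the hunk.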