webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 19:23:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'amarx/firewall-dnat' into next

Browse Source 
Conflicts:
	config/firewall/rules.pl
This commit is contained in:
Michael Tremer
2014-09-26 12:55:55 +02:00
parent b30890aa06 48f07c1957
commit df6649b0fe
4 changed files with 61 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
config/firewall/rules.pl
View File

@@ -295,22 +295,26 @@ sub buildrules {
next unless ($src);
# Sanitize source.
my $source = $src;
my $source = @$src[0];
if ($source ~~ @ANY_ADDRESSES) {
$source = "";
}
my $source_intf = @$src[1];
foreach my $dst (@destinations) {
# Skip invalid rules.
next unless (defined $dst);
next if (!$dst || ($dst eq "none"));
# Sanitize destination.
my $destination = $dst;
my $destination = @$dst[0];
if ($destination ~~ @ANY_ADDRESSES) {
$destination = "";
}
my $destination_intf = @$dst[1];
# Array with iptables arguments.
my @options = ();
@@ -327,12 +331,20 @@ sub buildrules {
push(@source_options, ("-s", $source));
}
if ($source_intf) {
push(@source_options, ("-i", $source_intf));
}
# Prepare destination options.
my @destination_options = ();
if ($destination) {
push(@destination_options, ("-d", $destination));
}
if ($destination_intf) {
push(@destination_options, ("-o", $destination_intf));
}
# Add time constraint options.
push(@options, @time_options);
@@ -366,7 +378,7 @@ sub buildrules {
# Make port-forwardings useable from the internal networks.
my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
unless ($nat_address ~~ @internal_addresses) {
&add_dnat_mangle_rules($nat_address, @nat_options);
&add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
}
push(@nat_options, @source_options);
@@ -683,6 +695,7 @@ sub get_dnat_target_port {
sub add_dnat_mangle_rules {
my $nat_address = shift;
my $interface = shift;
my @options = @_;
my $mark = 0;
@@ -693,6 +706,8 @@ sub add_dnat_mangle_rules {
next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
next unless (exists $defaultNetworks{$zone . "_NETMASK"});
next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
my @mangle_options = @options;
my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};