firewall4: restrict fullcone nat with masquerade

arimitx 2023-03-19 02:34:14 +08:00 committed by ZiMing Mo
parent be533b0db9
commit 19bc0c3fc3


@ -16,8 +16,8 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org>
root/etc/config/firewall | 2 ++
root/usr/share/firewall4/templates/ruleset.uc | 16 ++++++++++++++--
.../firewall4/templates/zone-fullcone.uc | 4 ++++
root/usr/share/ucode/fw4.uc | 70 ++++++++++++++++++-
4 files changed, 89 insertions(+), 3 deletions(-)
root/usr/share/ucode/fw4.uc | 69 ++++++++++++++++++-
4 files changed, 89 insertions(+), 4 deletions(-)
create mode 100644 root/usr/share/firewall4/templates/zone-fullcone.uc
--- a/root/etc/config/firewall
@ -38,10 +38,10 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org>
{% for (let redirect in fw4.redirects(`dstnat_${zone.name}`)): %}
{%+ include("redirect.uc", { fw4, redirect }) %}
{% endfor %}
+{% if (fw4.default_option("fullcone")): %}
+{% if (zone.masq && fw4.default_option("fullcone")): %}
+ {%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "dstnat" }) %}
+{% endif %}
+{% if (fw4.default_option("fullcone6")): %}
+{% if (zone.masq6 && fw4.default_option("fullcone6")): %}
+ {%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "dstnat" }) %}
+{% endif %}
{% fw4.includes('chain-append', `dstnat_${zone.name}`) %}
@ -67,10 +67,10 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org>
{% endfor %}
{% endfor %}
{% endif %}
+{% if (fw4.default_option("fullcone")): %}
+{% if (zone.masq && fw4.default_option("fullcone")): %}
+ {%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "srcnat" }) %}
+{% endif %}
+{% if (fw4.default_option("fullcone6")): %}
+{% if (zone.masq6 && fw4.default_option("fullcone6")): %}
+ {%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "srcnat" }) %}
+{% endif %}
{% fw4.includes('chain-append', `srcnat_${zone.name}`) %}
@ -201,17 +201,17 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org>
if (zone.mtu_fix && this.kernel < 0x040a0000) {
this.warn_section(data, "option 'mtu_fix' requires kernel 4.10 or later");
return;
@@ -2124,10 +2187,15 @@ return {
@@ -2124,10 +2187,14 @@ return {
zone.related_subnets = related_subnets;
zone.related_physdevs = related_physdevs;
+ if (this.state.defaults.fullcone || this.state.defaults.fullcone6) {
+ zone.dflags.snat = true;
+ zone.dflags.dnat = true;
+ }
+
if (zone.masq || zone.masq6)
zone.dflags.snat = true;
- zone.dflags.snat = true;
+ if (this.state.defaults.fullcone || this.state.defaults.fullcone6) {
+ zone.dflags.snat = true;
+ zone.dflags.dnat = true;
+ } else
+ zone.dflags.snat = true;
- if ((zone.auto_helper && !(zone.masq || zone.masq6)) || length(zone.helper)) {
+ if ((zone.auto_helper && !(zone.masq || zone.masq6 || this.state.defaults.fullcone || this.state.defaults.fullcone6)) || length(zone.helper)) {