From 19bc0c3fc31380f015cdc3cfcc47ec1a66a4229c Mon Sep 17 00:00:00 2001
From: arimitx
Date: Sun, 19 Mar 2023 02:34:14 +0800
Subject: [PATCH] firewall4: restrict fullcone nat with masquerade

---
...rewall4-add-support-for-fullcone-nat.patch | 26 +++++++++----------
1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch b/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch
index cc3c6403bc..eac06f5583 100644
--- a/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch
+++ b/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch
@@ -16,8 +16,8 @@ Renew: ZiMing Mo
root/etc/config/firewall | 2 ++
root/usr/share/firewall4/templates/ruleset.uc | 16 ++++++++++++++--
.../firewall4/templates/zone-fullcone.uc | 4 ++++
- root/usr/share/ucode/fw4.uc | 70 ++++++++++++++++++-
- 4 files changed, 89 insertions(+), 3 deletions(-)
+ root/usr/share/ucode/fw4.uc | 69 ++++++++++++++++++-
+ 4 files changed, 89 insertions(+), 4 deletions(-)
create mode 100644 root/usr/share/firewall4/templates/zone-fullcone.uc
--- a/root/etc/config/firewall
@@ -38,10 +38,10 @@ Renew: ZiMing Mo
{% for (let redirect in fw4.redirects(`dstnat_${zone.name}`)): %}
{%+ include("redirect.uc", { fw4, redirect }) %}
{% endfor %}
-+{% if (fw4.default_option("fullcone")): %}
++{% if (zone.masq && fw4.default_option("fullcone")): %}
+ {%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "dstnat" }) %}
+{% endif %}
-+{% if (fw4.default_option("fullcone6")): %}
++{% if (zone.masq6 && fw4.default_option("fullcone6")): %}
+ {%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "dstnat" }) %}
+{% endif %}
{% fw4.includes('chain-append', `dstnat_${zone.name}`) %}
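Review bot: The new `zone.masq` / `zone.masq6` gate on the dstnat fullcone include still applies endpoint-independent DNAT to every masquerading zone rather than only the upstream one, because `fullcone` remains a single global default with no per-zone override; any zone that sets `masq` (a guest or VPN zone, for instance) now accepts inbound traffic from arbitrary external sources to mapped ports. The gate is the right direction, but the template should state that consequence; I would add `{# fullcone is a global option: every masquerading zone gets endpoint-independent DNAT via zone-fullcone.uc, which widens inbound exposure of mapped ports #}` directly above the new `{% if (zone.masq && fw4.default_option("fullcone")): %}` line. A per-zone `fullcone` option, read by the zone parser outside this hunk, would let operators confine it to the WAN zone. zone-fullcone.uc itself is not in this diff, so what the included rules match on is inferred from its name and arguments only.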
@@ -67,10 +67,10 @@ Renew: ZiMing Mo {% endfor %} {% endfor %} {% endif %} -+{% if (fw4.default_option("fullcone")): %} ++{% if (zone.masq && fw4.default_option("fullcone")): %} + {%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "srcnat" }) %} +{% endif %} -+{% if (fw4.default_option("fullcone6")): %} ++{% if (zone.masq6 && fw4.default_option("fullcone6")): %} + {%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "srcnat" }) %} +{% endif %} {% fw4.includes('chain-append', `srcnat_${zone.name}`) %} @@ -201,17 +201,17 @@ Renew: ZiMing Mo if (zone.mtu_fix && this.kernel < 0x040a0000) { this.warn_section(data, "option 'mtu_fix' requires kernel 4.10 or later"); return; -@@ -2124,10 +2187,15 @@ return { +@@ -2124,10 +2187,14 @@ return { zone.related_subnets = related_subnets; zone.related_physdevs = related_physdevs; -+ if (this.state.defaults.fullcone || this.state.defaults.fullcone6) { -+ zone.dflags.snat = true; -+ zone.dflags.dnat = true; -+ } -+ if (zone.masq || zone.masq6) - zone.dflags.snat = true; +- zone.dflags.snat = true; ++ if (this.state.defaults.fullcone || this.state.defaults.fullcone6) { ++ zone.dflags.snat = true; ++ zone.dflags.dnat = true; ++ } else ++ zone.dflags.snat = true; - if ((zone.auto_helper && !(zone.masq || zone.masq6)) || length(zone.helper)) { + if ((zone.auto_helper && !(zone.masq || zone.masq6 || this.state.defaults.fullcone || this.state.defaults.fullcone6)) || length(zone.helper)) {
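Review bot: The last line of the `@@ -201` hunk still disables `auto_helper` whenever the global `fullcone`/`fullcone6` default is set, even though after this change fullcone rules are emitted only for zones with `masq`/`masq6`, so a non-masquerading zone with `auto_helper` silently loses its conntrack helper assignment for no reason. Since the rewritten `dflags` block already nests the fullcone check under `zone.masq || zone.masq6`, the helper condition can return to `if ((zone.auto_helper && !(zone.masq || zone.masq6)) || length(zone.helper)) {`. Separately, `dflags.dnat` is now set from `(masq || masq6) && (fullcone || fullcone6)` while the templates gate per family (`masq && fullcone`, `masq6 && fullcone6`), so a zone with only `masq` and only `fullcone6` appears to get the dnat flag with no fullcone rule behind it; likely harmless, but a short comment on the `} else` branch explaining the intended coupling would help. The enclosing zone-parsing function begins and ends outside the hunk.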