firewall: - fix possible endless loop when the family option is used for forwardings - only generate forwarding rules in SNAT redirect sections if src_dip is specified
SVN-Revision: 22938
parent
eb79296cc1
commit
5ab58aa39c
@ -31,13 +31,15 @@ fw_load_redirect() {
|
|||||||
fw_die "redirect ${redirect_name}: needs src and dest_ip or dest_port"
|
fw_die "redirect ${redirect_name}: needs src and dest_ip or dest_port"
|
||||||
}
|
}
|
||||||
|
|
||||||
local chain destopt
|
local chain destopt destaddr
|
||||||
if [ "$redirect_target" == "DNAT" ]; then
|
if [ "$redirect_target" == "DNAT" ]; then
|
||||||
chain="zone_${redirect_src}_prerouting"
|
chain="zone_${redirect_src}_prerouting"
|
||||||
destopt="--to-destination"
|
destopt="--to-destination"
|
||||||
|
destaddr="$redirect_dest_ip"
|
||||||
elif [ "$redirect_target" == "SNAT" ]; then
|
elif [ "$redirect_target" == "SNAT" ]; then
|
||||||
chain="zone_${redirect_src}_nat"
|
chain="zone_${redirect_src}_nat"
|
||||||
destopt="--to-source"
|
destopt="--to-source"
|
||||||
|
destaddr="$redirect_src_dip"
|
||||||
else
|
else
|
||||||
fw_die "redirect ${redirect_name}: target must be either DNAT or SNAT"
|
fw_die "redirect ${redirect_name}: target must be either DNAT or SNAT"
|
||||||
fi
|
fi
|
||||||
@ -65,9 +67,9 @@ fw_load_redirect() {
|
|||||||
$destopt ${redirect_dest_ip}${redirect_dest_port:+:$nat_dest_port} \
|
$destopt ${redirect_dest_ip}${redirect_dest_port:+:$nat_dest_port} \
|
||||||
}
|
}
|
||||||
|
|
||||||
[ -n "$redirect_dest_ip" ] && \
|
[ -n "$destaddr" ] && \
|
||||||
fw add $mode f zone_${redirect_src}_forward ACCEPT ^ { $redirect_src_ip $redirect_dest_ip } { \
|
fw add $mode f zone_${redirect_src}_forward ACCEPT ^ { $redirect_src_ip $redirect_dest_ip } { \
|
||||||
-d $redirect_dest_ip \
|
-d $destaddr \
|
||||||
${redirect_proto:+-p $redirect_proto} \
|
${redirect_proto:+-p $redirect_proto} \
|
||||||
${redirect_src_ip:+-s $redirect_src_ip/$redirect_src_ip_prefixlen} \
|
${redirect_src_ip:+-s $redirect_src_ip/$redirect_src_ip_prefixlen} \
|
||||||
${redirect_src_port:+--sport $redirect_src_port} \
|
${redirect_src_port:+--sport $redirect_src_port} \
|
||||||
|
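Review bot: The address list on the forward rule, `{ $redirect_src_ip $redirect_dest_ip }`, still names `$redirect_dest_ip` although the guard and the `-d` match were both switched to `$destaddr`. For an SNAT section the rule is then pinned to `$redirect_src_dip` while the family appears to be derived from a different address, which may be empty or of the other family. `{ $redirect_src_ip $destaddr }` would keep the two in step, assuming that brace list is what `fw add` uses to choose the family. A comment at the `local chain destopt destaddr` line would also help the next reader, e.g. `# destaddr: address the forward ACCEPT is pinned to (dest_ip for DNAT, src_dip for SNAT)`. fw_load_redirect starts and ends outside these hunks.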
@ -149,7 +149,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
case "$fam" in
|
case "$fam" in
|
||||||
G*) shift; while [ "$1" != "{" ]; do shift; done ;;
|
G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
if [ $# -gt 0 ]; then
|
if [ $# -gt 0 ]; then
|
||||||
|
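Review bot: When the arguments run out before a `{` is seen, the bounded loop in the `G*)` branch now falls through with `$#` at 0 and nothing reports the malformed call. The `if [ $# -gt 0 ]` that follows skips the rule parsing, and what is executed after that is outside the hunk. If a command is still issued there, the rule would carry no match criteria, which for an ACCEPT target is wider than the caller intended. Consider failing loudly inside the branch, e.g. `[ $# -gt 0 ] || fw_die "fw__exec: rule list is missing '{'"` (if `fw_die` is in scope in this file), or add a comment stating that an exhausted list is expected and harmless here. fw__exec begins before and continues past the hunk.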