Openwrt/package
Jo-Philipp Wich a9977eca91 firewall: allow local redirection of ports
Allow a redirect like:

config redirect
        option src 'wan'
        option dest 'lan'
        option src_dport '22001'
        option dest_port '22'
        option proto 'tcp'

Note the absence of the "dest_ip" field, meaning to terminate the connection on the firewall itself.

This patch makes three changes:

(1) moves the conntrack module into the conntrack package (but not any of the conntrack_* helpers).
(2) fixes a bug where the wrong table is used when the "dest_ip" field is absent.
(3) accepts incoming connections on the destination port on the input_ZONE table, but only for DNATted
    connections.

In the above example,

ssh -p 22 root@myrouter

would fail from the outside, but:

ssh -p 22001 root@myrouter

would succeed.  This is handy if:

(1) you want to avoid ssh probes on your router, or
(2) you want to redirect incoming connections on port 22 to some machine inside your firewall, but
    still want to allow firewall access from outside.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

SVN-Revision: 26617
2011-04-12 20:03:59 +00:00
6in4 6in4: re-establish tunnel also if no credentials are used (static setup) 2011-02-20 18:27:19 +00:00
6to4 6to4: support multiple internal networks, use state vars for radvd config 2010-12-02 22:41:03 +00:00
acx acx: Major rework of acx.sh script 2011-03-17 07:23:28 +00:00
acx-mac80211 acx-mac80211 needs some header files from compat-wireless to build 2011-04-09 23:44:03 +00:00
admswconfig admswconfig: reset interface after applying config 2011-01-27 21:49:50 +00:00
apex only support EABI on ARM targets 2011-03-07 12:59:19 +00:00
ar7-atm add support for 2.6.37, thanks Wipster! 2011-02-18 12:52:04 +00:00
arptables arptables ebtables iptables: Moved *tables to Firewall submenu of the Network package group because that's where all the feeds packages for firewalls now are. 2011-03-12 01:24:18 +00:00
avila-wdt
base-files base-files: Use -h instead of deprecated -L for symlink check 2011-04-05 15:09:43 +00:00
block-mount block-mount: Reverting 26503. Was already fixed in a better way in commit 26474. 2011-04-07 01:00:14 +00:00
bridge-utils
broadcom-diag brcm47xx: add Netgear WNR834BV1 2011-04-08 19:22:09 +00:00
broadcom-wl
busybox busybox: get rid of the useless extra menu 2011-04-05 19:04:02 +00:00
button-hotplug
comgt comgt: handle ttyHS* devices in usb hotplug, fix typo (#9046) 2011-03-15 09:09:05 +00:00
compcache
crda crda: update to version 1.1.1 and update regulatory database to most recent official version. 2011-01-01 16:10:15 +00:00
cyassl package/cyassl: sync with latest libtool2 changes 2010-12-08 12:59:16 +00:00
dnsmasq dnsmasq: use -ffunction-sections, -fdata-sections and --gc-sections, saves 8k uncompressed 2011-03-02 12:47:57 +00:00
dropbear r25831 reduced the size of the dropbear executable by, among other things, 2011-04-01 10:55:23 +00:00
e2fsprogs e2fsprogs: revert r24848 as well 2011-01-01 16:03:53 +00:00
ead ead: fixup some AC_DEFINE() invocations that will make recent automake bail 2010-12-13 01:47:35 +00:00
ebtables arptables ebtables iptables: Moved *tables to Firewall submenu of the Network package group because that's where all the feeds packages for firewalls now are. 2011-03-12 01:24:18 +00:00
ep80579-drivers
fconfig
firewall firewall: allow local redirection of ports 2011-04-12 20:03:59 +00:00
fuse package/fuse: update to version 2.8.5, refresh patches 2010-12-08 20:15:10 +00:00
gdb
goldfish-qemu
gpioctl
grub add ext4 support 2010-11-22 11:27:47 +00:00
hostap-driver hostap-driver: Remove newline at start of config (cosmetic) 2011-03-17 07:23:32 +00:00
hostap-utils
hostapd hostapd: properly mark random data as ready if initialization succeeds without reassociation (#9222) 2011-04-12 17:30:16 +00:00
hotplug2 hotplug2: Added zaptel subsystem to /etc/hotplugs2.rules so that the zaptel kernel module package only needs to had a script to create the correct device nodes (default names differ from what all apps that use zaptel actually use, so a script is necessary). 2011-03-21 05:53:17 +00:00
i2c-gpio-custom
ifenslave
iproute2 iproute2 relayd: Moved iproute2 and relayd to Routing and Redirection submenu of the Network package group so that they appear with the packages feed packages that are related. 2011-03-12 07:27:57 +00:00
ipset ipset: do not use -static-libgcc 2011-03-01 15:41:28 +00:00
iptables iptables: libiptc.so is only a compatibility stub, split the package into libip4tc and libip6tc and adjust dependencies 2011-03-25 18:02:51 +00:00
iw iw: add support for showing the rx bitrate 2011-02-10 03:37:35 +00:00
ixp4xx-microcode
jshn jshn: add build dependency on libubox, it needs the list.h header from it 2011-02-21 19:49:48 +00:00
kernel package/kernel: add module for the gpio_keys_polled driver 2011-04-12 09:29:14 +00:00
kexec-tools change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
libipfix
libjson-c change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
libnl libnl: update to version 2.0 (patch by Philip Prindeville) 2011-02-13 03:56:12 +00:00
libnl-tiny libnl-tiny: remove some more functions to reduce binary size 2011-02-13 17:05:34 +00:00
libpcap
libreadline
librpc librpc: use MDEPENDS instead of DEPENDS for @USE_UCLIBC to fix recursive busybox dependencies 2011-04-05 19:03:55 +00:00
libtool libtool: remove patches, they don't apply to libltdl 2010-12-18 18:13:12 +00:00
libubox libubox: update to 2011-03-27 (includes some minor fixes), add PKG_MIRROR_MD5SUM 2011-03-27 18:21:40 +00:00
linux-atm linux-atm: package atm-diagnostics with atmdump, atmdiag, etc. 2011-04-09 13:05:48 +00:00
lqtapi should depend on lantiq and not ifxmips 2011-02-01 14:33:40 +00:00
ltq-dsl * fixes .unlocked_ioctl functions 2011-03-14 07:34:08 +00:00
ltq-dsl-app * rename lqdsl packages to ltq-dsl * small rework of packages * make it work with latest kernel 2011-02-01 14:30:38 +00:00
ltq-ifxos ltq-ifxos: only attempt to build if the lantiq target is selected (fixes #9035) 2011-03-13 18:45:27 +00:00
ltq-kpi2udp * adds in-kernel udp redirect plugin for lantiq voice optimisation 2011-02-07 21:48:55 +00:00
ltq-tapi * several updates to the voice packages 2011-03-29 05:17:10 +00:00
ltq-tapidemo * rename voice package * sync with lantiqs release * make it work on lantiq kernel 2011-02-01 14:32:25 +00:00
ltq-vmmc The makefile was missing the coef source filename, so it would install a directory instead of the coefficients file, breaking voice applications. 2011-04-04 07:37:32 +00:00
lua
mac80211 mac80211: fix WPA auth on WDS station interfaces (#9227) 2011-04-12 17:17:56 +00:00
madwifi madwifi: typo(s) in /lib/wifi/madwifi.sh 2011-04-06 20:50:14 +00:00
mmc_over_gpio
mountd
mtd package/mtd: make fixtrx available on ar71xx as well 2011-01-05 19:27:55 +00:00
ncurses ncurses: install ncurses5-config and ncursesw5-config (#9044) 2011-03-21 06:45:20 +00:00
nvram
ocf-crypto-headers
openssl openssl: update to 1.0.0d - includes important bug and security fixes (patch by tripolar) 2011-02-08 22:52:21 +00:00
opkg opkg: update to r618 2011-04-11 22:08:43 +00:00
pjsip pjsip: make pjsip-ltq-tapi dependencies conditional to make the build dependencies conditional as well 2011-03-13 23:02:52 +00:00
ppp pppd: support the nomp option if multilink support is disabled 2011-04-12 18:29:28 +00:00
pptp
ps3-utils change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
pwm-gpio-custom
px5g
qos-scripts qos-scripts: remove the layer7 based classifiers from the default configuration - they are unreliable and prone to memory leaks 2011-03-30 10:44:27 +00:00
redboot-ar231x redboot-ar231x: mark as broken, the ecos host tool crap needs some rework for tcl on some systems 2011-03-25 00:55:25 +00:00
relayd iproute2 relayd: Moved iproute2 and relayd to Routing and Redirection submenu of the Network package group so that they appear with the packages feed packages that are related. 2011-03-12 07:27:57 +00:00
robocfg
rotary-gpio-custom
rtc-rv5c386a
siit
soloscli soloscli: allow user to apply settings to solos h/w before bringing up network (patch by Philip Prindeville) 2011-02-13 02:52:49 +00:00
spi-ks8995
spidev_test
swconfig swconfig: add -lnl-genl (patch by Philip Prindeville) - purely cosmetic, swconfig uses libnl-tiny anyway 2011-02-13 02:52:44 +00:00
switch switch: fix switch-robo device reference counting 2011-02-20 17:24:15 +00:00
uboot-ar71xx uboot-ar71xx: fix compilation on FreeBSD 2011-04-02 13:20:11 +00:00
uboot-envtools
uboot-kirkwood
uboot-lantiq * add some compile flags 2011-03-11 08:22:47 +00:00
uboot-omap35xx Modify environment variables for altered filesystem layout 2011-04-12 14:24:20 +00:00
uboot-xburst
ubsec_ssb
ubus ubus: update to 2011-03-27 (includes an API simplification for object signatures), use PKG_MIRROR_MD5SUM 2011-03-27 18:21:45 +00:00
uci uci: mark uci as unsafe for parallel building 2011-04-04 12:06:37 +00:00
udev udev: install development libraries in staging dir (#8370) 2011-01-29 22:06:26 +00:00
uhttpd uhttpd: Moved uhttpd to Network|Web Servers/Proxies submenu, just like all the other web servers and proxies from the packages feed 2011-03-12 04:47:02 +00:00
util-linux-ng
vsc73x5-ucode
w1-gpio-custom
wireless-tools wireless-tools: remove some more unnecessary stuff from iwconfig 2011-03-18 03:41:22 +00:00
wprobe package/wprobe: fix for kernels >= 2.6.38 2011-02-24 15:51:28 +00:00
wrt55agv2-spidevs
xfsprogs change PKG_FIXUP:=libtool to PKG_FIXUP:=autoreconf 2011-03-06 21:42:48 +00:00
yamonenv
zlib
Makefile remove postinst files for preinstalled packages 2011-03-25 23:47:08 +00:00