firewall: - fix possible endless loop when the family option is used for forwardings - only generate forwarding rules in SNAT redirect sections if src_dip is specified

SVN-Revision: 22938
owl
Jo-Philipp Wich 2010-09-05 20:17:23 +00:00
parent eb79296cc1
commit 5ab58aa39c
2 changed files with 6 additions and 4 deletions


@ -31,13 +31,15 @@ fw_load_redirect() {
fw_die "redirect ${redirect_name}: needs src and dest_ip or dest_port" fw_die "redirect ${redirect_name}: needs src and dest_ip or dest_port"
} }
local chain destopt local chain destopt destaddr
if [ "$redirect_target" == "DNAT" ]; then if [ "$redirect_target" == "DNAT" ]; then
chain="zone_${redirect_src}_prerouting" chain="zone_${redirect_src}_prerouting"
destopt="--to-destination" destopt="--to-destination"
destaddr="$redirect_dest_ip"
elif [ "$redirect_target" == "SNAT" ]; then elif [ "$redirect_target" == "SNAT" ]; then
chain="zone_${redirect_src}_nat" chain="zone_${redirect_src}_nat"
destopt="--to-source" destopt="--to-source"
destaddr="$redirect_src_dip"
else else
fw_die "redirect ${redirect_name}: target must be either DNAT or SNAT" fw_die "redirect ${redirect_name}: target must be either DNAT or SNAT"
fi fi
@ -65,9 +67,9 @@ fw_load_redirect() {
$destopt ${redirect_dest_ip}${redirect_dest_port:+:$nat_dest_port} \ $destopt ${redirect_dest_ip}${redirect_dest_port:+:$nat_dest_port} \
} }
[ -n "$redirect_dest_ip" ] && \ [ -n "$destaddr" ] && \
fw add $mode f zone_${redirect_src}_forward ACCEPT ^ { $redirect_src_ip $redirect_dest_ip } { \ fw add $mode f zone_${redirect_src}_forward ACCEPT ^ { $redirect_src_ip $redirect_dest_ip } { \
-d $redirect_dest_ip \ -d $destaddr \
${redirect_proto:+-p $redirect_proto} \ ${redirect_proto:+-p $redirect_proto} \
${redirect_src_ip:+-s $redirect_src_ip/$redirect_src_ip_prefixlen} \ ${redirect_src_ip:+-s $redirect_src_ip/$redirect_src_ip_prefixlen} \
${redirect_src_port:+--sport $redirect_src_port} \ ${redirect_src_port:+--sport $redirect_src_port} \
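Review bot: The brace group on the `fw add` line still passes `$redirect_dest_ip` while the `-d` match one line below now uses `$destaddr`, so for an SNAT section that sets `src_dip` but no `dest_ip` the group collapses to `{ $redirect_src_ip }` even though the rule matches on `src_dip`. If that group is what the family auto-detection in `fw__exec` (its `G*` case) keys on, as it appears to be, the forward rule's family would then be guessed from `src_ip` alone; changing it to `{ $redirect_src_ip $destaddr }` keeps the guess and the match on the same address. In the DNAT branch `destaddr` is `$redirect_dest_ip`, so that path is unaffected. The `fw add` argument list runs past the end of the hunk and `fw_load_redirect` continues outside it.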


@ -149,7 +149,7 @@ fw__exec() { # <action> <family> <table> <chain> <target> <position> { <rules> }
fi fi
case "$fam" in case "$fam" in
G*) shift; while [ "$1" != "{" ]; do shift; done ;; G*) shift; while [ $# -gt 0 ] && [ "$1" != "{" ]; do shift; done ;;
esac esac
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
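Review bot: With the bounded loop on the `G*` branch, a call that carries no `{` now exits the loop with `$#` at 0 and the following `if [ $# -gt 0 ]` silently skips the rule, so a malformed invocation turns from a hang into a rule that is never installed with no diagnostic — for a firewall that is a fail-open failure mode worth surfacing. If `fw_die` is in scope here (it is used by `core_redirect.sh` in the same change), a guard such as `[ $# -gt 0 ] || fw_die "fw__exec: no '{' rule group found"` after the `esac` would make the condition visible; at minimum a comment on the loop, `# skip family-guess tokens up to the "{" rule group; stop at end of args rather than spinning forever`, would explain why the `$#` check was added. `fw__exec` starts before and continues after this hunk.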