[package] firewall:
- notrack support was broken in multiple ways, fix it - also consider a zone conntracked if any redirect references it (#7196) git-svn-id: svn://svn.openwrt.org/openwrt/trunk@22215 3c298f89-4303-0410-b956-a3cf2f4a3e73master
parent
956de1c120
commit
df7742c8aa
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=firewall
PKG_NAME:=firewall
PKG_VERSION:=2
PKG_VERSION:=2
PKG_RELEASE:=6
PKG_RELEASE:=7
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/package.mk
@ -39,7 +39,7 @@ fw_start() {
echo "Loading includes"
echo "Loading includes"
config_foreach fw_load_include include
config_foreach fw_load_include include
[ -n "$FW_NOTRACK_DISABLED" ] && {
[ -z "$FW_NOTRACK_DISABLED" ] && {
echo "Optimizing conntrack"
echo "Optimizing conntrack"
config_foreach fw_load_notrack_zone zone
config_foreach fw_load_notrack_zone zone
}
}
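Review bot: The gate on `FW_NOTRACK_DISABLED` now reads the right way, but the block carries no comment saying what the variable means or why the notrack pass sits this late in fw_start, so a later edit could move it ahead of the loaders that feed it. Suggest `# FW_NOTRACK_DISABLED non-empty skips NOTRACK rules; this pass must run after the forwarding/redirect loaders, which fill FW_CONNTRACK_ZONES` above the test. Also, `[ -z "$FW_NOTRACK_DISABLED" ] && { ... }` yields a non-zero status whenever the variable is set, which any `|| ...` appended later or an errexit-style caller would read as a failure; an `if` block would make the intent plain. fw_start continues outside the hunk.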
@ -32,11 +32,11 @@ fw_load_forwarding() {
fw add $mode f $chain $target ^
fw add $mode f $chain $target ^
# propagate masq zone flag
# propagate masq zone flag
[ -n "$forwarding_src" ] && list_contains CONNTRACK_ZONES $forwarding_src && {
[ -n "$forwarding_src" ] && list_contains FW_CONNTRACK_ZONES $forwarding_src && {
append CONNTRACK_ZONES $forwarding_dest
append FW_CONNTRACK_ZONES $forwarding_dest
}
}
[ -n "$forwarding_dest" ] && list_contains CONNTRACK_ZONES $forwarding_dest && {
[ -n "$forwarding_dest" ] && list_contains FW_CONNTRACK_ZONES $forwarding_dest && {
append CONNTRACK_ZONES $forwarding_src
append FW_CONNTRACK_ZONES $forwarding_src
}
}
fw_callback post forwarding
fw_callback post forwarding
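Review bot: The zone names handed to `list_contains` and `append` (`$forwarding_src`, `$forwarding_dest`) are unquoted, unlike the `"${zone_name}"` lookup in the zones hunk, so a zone name containing whitespace would be split into extra arguments and silently never match. Suggest `list_contains FW_CONNTRACK_ZONES "$forwarding_src"` and `append FW_CONNTRACK_ZONES "$forwarding_dest"` (and the mirrored pair below them). The propagation is also strictly in config order: a zone that first becomes conntracked through a later forwarding, or through a redirect loaded afterwards (see the redirects hunk), is not propagated back to forwardings already processed — that may be intended, but a sentence under `# propagate masq zone flag` stating the ordering assumption would help the next reader. fw_load_forwarding begins and ends outside the hunk.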
@ -228,13 +228,12 @@ fw_load_zone() {
}
}
fw_load_notrack_zone() {
fw_load_notrack_zone() {
list_contains FW_CONNTRACK_ZONES "$1" && return
fw_config_get_zone "$1"
fw_config_get_zone "$1"
list_contains FW_CONNTRACK_ZONES "${zone_name}" && return
fw_callback pre notrack
fw_callback pre notrack
fw add i f zone_${zone_name}_notrack NOTRACK $
fw add i r zone_${zone_name}_notrack NOTRACK $
fw_callback post notrack
fw_callback post notrack
}
}
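Review bot: The table argument of the `fw add` line changed from `f` to `r`, which is the substantive fix here (the NOTRACK target is only accepted in the raw table), yet nothing in the function records that; suggest `# NOTRACK is only valid in the raw table` on that line so nobody "corrects" it back to the filter table. A short header on fw_load_notrack_zone would also help: it resolves the zone with fw_config_get_zone, returns early for any zone listed in FW_CONNTRACK_ZONES, and otherwise inserts a NOTRACK rule for the zone — and that early `return` also skips the `pre`/`post notrack` callbacks, which anyone hooking them should know. Because a NOTRACKed zone bypasses connection tracking entirely, the safety of this rule rests on FW_CONNTRACK_ZONES being complete before fw_start reaches this pass; that ordering is established elsewhere, so a comment pointing at it would document the dependency.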
@ -30,6 +30,9 @@ fw_load_redirect() {
fw_die "redirect ${redirect_name}: needs src and dest_ip"
fw_die "redirect ${redirect_name}: needs src and dest_ip"
}
}
list_contains FW_CONNTRACK_ZONES $redirect_src || \
append FW_CONNTRACK_ZONES $redirect_src
local mode=$(fw_get_family_mode ${redirect_family:-x} $redirect_src I)
local mode=$(fw_get_family_mode ${redirect_family:-x} $redirect_src I)
local nat_dest_port=$redirect_dest_port
local nat_dest_port=$redirect_dest_port
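Review bot: Only `$redirect_src` is recorded in FW_CONNTRACK_ZONES; if the redirect resolves to a destination zone that no forwarding or other rule marks as conntracked, fw_load_notrack_zone can still emit a NOTRACK rule for it, and reply packets entering through that zone would then never be matched against the DNAT conntrack entry. I cannot see from this hunk how the destination zone is resolved, so this needs checking against the rest of fw_load_redirect before deciding whether the destination also belongs in the list. The added lookup also passes `$redirect_src` unquoted; `list_contains FW_CONNTRACK_ZONES "$redirect_src" || append FW_CONNTRACK_ZONES "$redirect_src"` fits on one line and matches the quoting used in the zones hunk. fw_load_redirect starts and ends outside the hunk.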