firewall: initialize dest_port with src_dport if omitted in redirect sections to narrow down corresponding forward rules to the actual target ports - thanks Niels Boehm! (#6249)

SVN-Revision: 18617
15 years ago · 6cb040903b
parent a263714936
commit 6cb040903b
2 changed files with 22 additions and 22 deletions
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall

 PKG_VERSION:=1
-PKG_RELEASE:=8
+PKG_RELEASE:=9

 include $(INCLUDE_DIR)/package.mk

--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@ -1,4 +1,4 @@
-#!/bin/sh 
+#!/bin/sh
 # Copyright (C) 2008 John Crispin <blogic@openwrt.org>

 . /etc/functions.sh
@ -43,12 +43,12 @@ load_policy() {

 create_zone() {
 	local exists
-	
+
 	[ "$1" == "loopback" ] && return

 	config_get exists $ZONE_LIST $1
 	[ -n "$exists" ] && return
-	config_set $ZONE_LIST $1 1 
+	config_set $ZONE_LIST $1 1

 	$IPTABLES -N zone_$1
 	$IPTABLES -N zone_$1_MSSFIX
@ -90,8 +90,8 @@ addif() {
 	$IPTABLES -I zone_${zone}_ACCEPT 1 -i "$ifname" -j ACCEPT
 	$IPTABLES -I zone_${zone}_DROP 1 -i "$ifname" -j DROP
 	$IPTABLES -I zone_${zone}_REJECT 1 -i "$ifname" -j reject
-	$IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -j MASQUERADE 
-	$IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting 
+	$IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -j MASQUERADE
+	$IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting
 	$IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward
 	$IPTABLES -t raw -I PREROUTING 1 -i "$ifname" -j zone_${zone}_notrack
 	uci_set_state firewall core "${network}_ifname" "$ifname"
@ -113,8 +113,8 @@ delif() {
 	$IPTABLES -D zone_${zone}_ACCEPT -i "$ifname" -j ACCEPT
 	$IPTABLES -D zone_${zone}_DROP -i "$ifname" -j DROP
 	$IPTABLES -D zone_${zone}_REJECT -i "$ifname" -j reject
-	$IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -j MASQUERADE 
-	$IPTABLES -D PREROUTING -t nat -i "$ifname" -j zone_${zone}_prerouting 
+	$IPTABLES -D zone_${zone}_nat -t nat -o "$ifname" -j MASQUERADE
+	$IPTABLES -D PREROUTING -t nat -i "$ifname" -j zone_${zone}_prerouting
 	$IPTABLES -D forward -i "$ifname" -j zone_${zone}_forward
 	uci_revert_state firewall core "${network}_ifname"
 	uci_revert_state firewall core "${network}_zone"
@ -160,17 +160,17 @@ fw_defaults() {
 	load_policy "$1"

 	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
-	for f in /proc/sys/net/ipv4/conf/*/accept_redirects 
+	for f in /proc/sys/net/ipv4/conf/*/accept_redirects
 	do
 		echo 0 > $f
 	done
-	for f in /proc/sys/net/ipv4/conf/*/accept_source_route 
+	for f in /proc/sys/net/ipv4/conf/*/accept_source_route
 	do
 		echo 0 > $f
-	done                                                                   
-	
+	done
+
 	uci_revert_state firewall core
-	uci_set_state firewall core "" firewall_state 
+	uci_set_state firewall core "" firewall_state

 	$IPTABLES -P INPUT DROP
 	$IPTABLES -P OUTPUT DROP
@ -197,7 +197,7 @@ fw_defaults() {
 	config_get syn_rate $1 syn_rate
 	config_get syn_burst $1 syn_burst
 	[ "$syn_flood" == "1" ] && load_synflood $syn_rate $syn_burst
-	
+
 	echo "Adding custom chains"
 	fw_custom_chains

@ -253,7 +253,7 @@ fw_zone() {
 }

 fw_rule() {
-	local src 
+	local src
 	local src_ip
 	local src_mac
 	local src_port
@ -287,7 +287,7 @@ fw_rule() {
 	dest_port_last=${dest_port#*-}
 	[ "$dest_port_first" -ne "$dest_port_last" ] && { \
 		dest_port="$dest_port_first:$dest_port_last"; }
-	
+
 	ZONE=input
 	TARGET=$target
 	[ -z "$target" ] && target=DROP
@ -303,7 +303,7 @@ fw_rule() {
 			${src_mac:+-m mac --mac-source $src_mac} \
 			${dest_ip:+-d $dest_ip} \
 			${dest_port:+--dport $dest_port} \
-			-j $TARGET 
+			-j $TARGET
 	}
 	[ "$proto" == "tcpudp" -o -z "$proto" ] && {
 		proto=tcp
@ -340,7 +340,7 @@ fw_redirect() {
 	local dest_ip
 	local dest_port dest_port2
 	local proto
-	
+
 	config_get src $1 src
 	config_get src_ip $1 src_ip
 	config_get src_port $1 src_port
@ -351,7 +351,7 @@ fw_redirect() {
 	config_get proto $1 proto
 	[ -z "$src" -o -z "$dest_ip" ] && { \
 		echo "redirect needs src and dest_ip"; return ; }
-	
+
 	src_port_first=${src_port%-*}
 	src_port_last=${src_port#*-}
 	[ "$src_port_first" -ne "$src_port_last" ] && { \
@ -362,7 +362,7 @@ fw_redirect() {
 	[ "$src_dport_first" -ne "$src_dport_last" ] && { \
 		src_dport="$src_dport_first:$src_dport_last"; }

-	dest_port2=$dest_port
+	dest_port2=${dest_port:-$src_dport}
 	dest_port_first=${dest_port2%-*}
 	dest_port_last=${dest_port2#*-}
 	[ "$dest_port_first" -ne "$dest_port_last" ] && { \
@ -384,7 +384,7 @@ fw_redirect() {
 			${src_port:+--sport $src_port} \
 			${dest_port2:+--dport $dest_port2} \
 			${src_mac:+-m mac --mac-source $src_mac} \
-			-j ACCEPT 
+			-j ACCEPT
 	}
 	[ "$proto" == "tcpudp" -o -z "$proto" ] && {
 		proto=tcp
@ -418,7 +418,7 @@ fw_custom_chains() {
 	$IPTABLES -N forwarding_rule
 	$IPTABLES -N prerouting_rule -t nat
 	$IPTABLES -N postrouting_rule -t nat
-			
+
 	$IPTABLES -A INPUT -j input_rule
 	$IPTABLES -A OUTPUT -j output_rule
 	$IPTABLES -A FORWARD -j forwarding_rule