+ /* Build DNAT rules */
+ for( e = z->redirects; e && (r = &e->section.redirect); e = e->next )
+ {
+ printf("\n# Net %s (%s) - redirect Z:%s N:%s I:%s\n",
+ n->name, n->ifname, z->name, n->name, n->ifname);
+
+ /* DNAT */
+ b = fwd_ipt_init("nat");
+ fwd_ipt_add_format(b, " -A redirects -i %s -d %s",
+ n->ifname, inet_ntoa(a->ipaddr.v4));
+ fwd_ipt_add_proto(b, r->proto);
+ fwd_ipt_add_srcaddr(b, r->src_ip);
+ fwd_ipt_add_srcport(b, r->src_port);
+ fwd_ipt_add_destport(b, r->src_dport);
+ fwd_ipt_add_srcmac(b, r->src_mac);
+ fwd_ipt_add_dnat_target(b, r->dest_ip, r->dest_port);
+ fwd_ipt_add_comment(b, "redir", z, n, NULL);
+ fwd_ipt_exec(b);
+
+ /* Forward */
+ b = fwd_ipt_init("filter");
+ fwd_ipt_add_format(b, " -A redirects -i %s", n->ifname);
+ fwd_ipt_add_proto(b, r->proto);
+ fwd_ipt_add_srcmac(b, r->src_mac);
+ fwd_ipt_add_srcaddr(b, r->src_ip);
+ fwd_ipt_add_srcport(b, r->src_port);
+ fwd_ipt_add_destaddr(b, r->dest_ip);
+ fwd_ipt_add_destport(b, r->dest_port);
+ fwd_ipt_add_policy_target(b, FWD_P_ACCEPT);
+ fwd_ipt_add_comment(b, "redir", z, n, NULL);
+ fwd_ipt_exec(b);
+
+ /* Add loopback rule if neither src_ip nor src_mac are defined */
+ if( !r->src_ip && !r->src_mac )
+ {
+ b = fwd_ipt_init("nat");
+ fwd_ipt_add_format(b, " -A redirects -i ! %s -d %s",
+ n->ifname, inet_ntoa(r->dest_ip->addr));
+ fwd_ipt_add_proto(b, r->proto);
+ fwd_ipt_add_srcport(b, r->src_port);
+ fwd_ipt_add_destport(b, r->src_dport);
+ fwd_ipt_add_format(b, " -j MASQUERADE");
+ fwd_ipt_add_comment(b, "redir", z, n, NULL);
+ fwd_ipt_exec(b);
+ }
+ }
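Review bot: The loopback block dereferences `r->dest_ip` in `inet_ntoa(r->dest_ip->addr)` after testing only `src_ip` and `src_mac`, while every other use hands the pointer to a helper; unless the config parser guarantees a destination address, the guard should read `if( !r->src_ip && !r->src_mac && r->dest_ip )`. The same rule appends `-j MASQUERADE` to the nat `redirects` chain, which also carries the DNAT rule and an `-i` match. MASQUERADE is only accepted in POSTROUTING, where `-i` is not available, so if `redirects` is reached from PREROUTING the rule will be rejected and reflected connections will not work. It also matches `r->src_dport`, although a packet that has already been through DNAT would carry `r->dest_port`, and with only `-i ! %s` as a limit it would masquerade traffic from every other interface, so the internal server's logs and source-based ACLs see the router's address instead of the client's. The enclosing function starts and ends outside the visible lines, so the chain hook-up and any handling of `fwd_ipt_exec` failures could not be checked here.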