Treat redirects as port redirections if the specified dest_ip belongs to the router...

diff --git a/options.h b/options.h
index 558013bd90ea2b9000f04f99f2b0da095278dff5..88c98a0cedc915ca7c7be926bb004692786a631c 100644 (file)
--- a/options.h
+++ b/options.h
@@ -389,6 +389,7 @@ struct fw3_redirect
 
        const char *extra;
 
+       bool local;
        bool reflection;
        enum fw3_reflection_source reflection_src;
 };

diff --git a/redirects.c b/redirects.c
index 15855c9ea74673af8614a7ad7c3ccdc88f1eda08..bb5e1ff1c79dd967b172b091e16ed8087cd91926 100644 (file)
--- a/redirects.c
+++ b/redirects.c
@@ -118,7 +118,7 @@ compare_addr(struct fw3_address *a, struct fw3_address *b)
 {
        uint32_t mask;
 
-       if (a->family != FW3_FAMILY_V4)
+       if (a->family != FW3_FAMILY_V4 || b->family != FW3_FAMILY_V4)
                return false;
 
        mask = htonl(~((1 << (32 - a->mask)) - 1));
@@ -165,6 +165,55 @@ resolve_dest(struct uci_element *e, struct fw3_redirect *redir,
        return false;
 }
 
+static bool
+check_local(struct uci_element *e, struct fw3_redirect *redir,
+            struct fw3_state *state)
+{
+       struct fw3_zone *zone;
+       struct fw3_device *net;
+       struct fw3_address *addr;
+       struct list_head *addrs;
+
+       if (redir->target != FW3_FLAG_DNAT)
+               return false;
+
+       if (!redir->ip_redir.set)
+               redir->local = true;
+
+       if (redir->local)
+               return true;
+
+       list_for_each_entry(zone, &state->zones, list)
+       {
+               list_for_each_entry(net, &zone->networks, list)
+               {
+                       addrs = fw3_ubus_address(net->name);
+
+                       if (!addrs)
+                               continue;
+
+                       list_for_each_entry(addr, addrs, list)
+                       {
+                               if (!compare_addr(&redir->ip_redir, addr))
+                                       continue;
+
+                               warn_elem(e, "refers to a destination address on this router, "
+                                            "assuming port redirection");
+
+                               redir->local = true;
+                               break;
+                       }
+
+                       fw3_free_list(addrs);
+
+                       if (redir->local)
+                               return true;
+               }
+       }
+
+       return false;
+}
+
 void
 fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 {
@@ -270,7 +319,8 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
                                valid = true;
                        }
 
-                       if (!redir->dest.set && resolve_dest(e, redir, state))
+                       if (!check_local(e, redir, state) && !redir->dest.set &&
+                           resolve_dest(e, redir, state))
                        {
                                warn_elem(e, "does not specify a destination, assuming '%s'",
                                          redir->dest.name);
@@ -377,8 +427,7 @@ append_chain_filter(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
 {
        if (redir->target == FW3_FLAG_DNAT)
        {
-               /* XXX: check for local ip */
-               if (!redir->ip_redir.set)
+               if (redir->local)
                        fw3_ipt_rule_append(r, "zone_%s_input", redir->src.name);
                else
                        fw3_ipt_rule_append(r, "zone_%s_forward", redir->src.name);
@@ -395,8 +444,7 @@ append_chain_filter(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
 static void
 set_target_filter(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
 {
-       /* XXX: check for local ip */
-       if (redir->target == FW3_FLAG_DNAT && !redir->ip_redir.set)
+       if (redir->local)
                fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
 
        fw3_ipt_rule_target(r, "ACCEPT");