From f8fa598bf461ccdbd0fc6ddb5a61561b9197fed9 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 15 Jul 2010 22:01:48 +0000
Subject: [PATCH] firewall: - notrack support was broken in multiple ways, fix it - also consider a zone conntracked if any redirect references it (#7196)
SVN-Revision: 22215
---
 package/firewall/Makefile | 2 +-
 package/firewall/files/lib/core.sh | 2 +-
 package/firewall/files/lib/core_forwarding.sh | 8 ++++----
 package/firewall/files/lib/core_init.sh | 5 ++---
 package/firewall/files/lib/core_redirect.sh | 3 +++
 5 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/package/firewall/Makefile b/package/firewall/Makefile
index b81531bdf2..b1969d9abd 100644
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 PKG_VERSION:=2
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 include $(INCLUDE_DIR)/package.mk
diff --git a/package/firewall/files/lib/core.sh b/package/firewall/files/lib/core.sh
index 5880cd3acc..03a80c6f6c 100644
--- a/package/firewall/files/lib/core.sh
+++ b/package/firewall/files/lib/core.sh
@@ -39,7 +39,7 @@ fw_start() {
 echo "Loading includes"
 config_foreach fw_load_include include
- [ -n "$FW_NOTRACK_DISABLED" ] && {
+ [ -z "$FW_NOTRACK_DISABLED" ] && {
 echo "Optimizing conntrack"
 config_foreach fw_load_notrack_zone zone
 }
diff --git a/package/firewall/files/lib/core_forwarding.sh b/package/firewall/files/lib/core_forwarding.sh
index 689e2628c2..b62e18a76e 100644
--- a/package/firewall/files/lib/core_forwarding.sh
+++ b/package/firewall/files/lib/core_forwarding.sh
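Review bot: The flipped test on the `+` line makes the notrack pass run whenever FW_NOTRACK_DISABLED is empty, but nothing in the hunk records that `config_foreach fw_load_notrack_zone zone` is only correct after every pass that populates FW_CONNTRACK_ZONES (masquerading zones, forwardings, redirects — none of them visible here) has already run; if this block is ever moved above one of them, a zone that needs conntrack gets a NOTRACK rule and every state match in its chains silently stops matching. I would put a comment above the test: `# must stay last: FW_CONNTRACK_ZONES is only complete once zones, forwardings and redirects are loaded`. The "Loading includes" step just above also runs user includes before the notrack decision is made, so an include that adds NAT or state-matching rules for a zone has no way to keep that zone tracked; that deserves either a second comment or a documented opt-out. fw_start starts before this hunk and continues past it.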
@@ -32,11 +32,11 @@ fw_load_forwarding() {
 fw add $mode f $chain $target ^
 # propagate masq zone flag
- [ -n "$forwarding_src" ] && list_contains CONNTRACK_ZONES $forwarding_src && {
- append CONNTRACK_ZONES $forwarding_dest
+ [ -n "$forwarding_src" ] && list_contains FW_CONNTRACK_ZONES $forwarding_src && {
+ append FW_CONNTRACK_ZONES $forwarding_dest
 }
- [ -n "$forwarding_dest" ] && list_contains CONNTRACK_ZONES $forwarding_dest && {
- append CONNTRACK_ZONES $forwarding_src
+ [ -n "$forwarding_dest" ] && list_contains FW_CONNTRACK_ZONES $forwarding_dest && {
+ append FW_CONNTRACK_ZONES $forwarding_src
 }
 fw_callback post forwarding
diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh
index 92d117160f..a55ace17c1 100644
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@@ -228,13 +228,12 @@ fw_load_zone() {
 }
 fw_load_notrack_zone() {
- list_contains FW_CONNTRACK_ZONES "$1" && return
-
 fw_config_get_zone "$1"
+ list_contains FW_CONNTRACK_ZONES "${zone_name}" && return
 fw_callback pre notrack
- fw add i f zone_${zone_name}_notrack NOTRACK $
+ fw add i r zone_${zone_name}_notrack NOTRACK $
 fw_callback post notrack
 }
diff --git a/package/firewall/files/lib/core_redirect.sh b/package/firewall/files/lib/core_redirect.sh
index 87f584e37b..b51f79390a 100644
--- a/package/firewall/files/lib/core_redirect.sh
+++ b/package/firewall/files/lib/core_redirect.sh
@@ -30,6 +30,9 @@ fw_load_redirect() {
 fw_die "redirect ${redirect_name}: needs src and dest_ip"
 }
+ list_contains FW_CONNTRACK_ZONES $redirect_src || \
+ append FW_CONNTRACK_ZONES $redirect_src
 local mode=$(fw_get_family_mode ${redirect_family:-x} $redirect_src I)
 local nat_dest_port=$redirect_dest_port
-- 
2.25.1
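Review bot: The propagation on the `+` lines is a single pass in config order, so a zone is only flagged when its peer is already in FW_CONNTRACK_ZONES at the moment this forwarding is processed; a forwarding loaded before the one (or the redirect, per the core_redirect.sh hunk) that first flags its peer never picks the flag up, and that zone ends up with a NOTRACK rule although the forwarded traffic depends on conntrack. Whether that ordering can occur depends on the pass order in fw_start, which is not visible here, but the variable rename by itself does not close the gap. A cheap fix is to leave this hunk as is and, just before the notrack pass, re-run the forwarding propagation until FW_CONNTRACK_ZONES stops growing; failing that, document the limitation next to the existing comment: `# single pass: only propagates from zones already flagged, no transitive closure`. Unlike the redirect hunk, the `append` calls here are not guarded by `list_contains`, so the list can collect duplicates (harmless for list_contains, but inconsistent). fw_load_forwarding starts before this hunk.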
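Review bot: With the reordering on the `+` line, fw_load_notrack_zone exempts a zone from NOTRACK only when it is listed in FW_CONNTRACK_ZONES, so there is still no per-zone way to keep conntrack for a zone whose need for it comes from a user rule with a state match or from an include rather than from a masq/forwarding/redirect; such a zone silently gets the `NOTRACK` rule (in the raw table, if `r` in `fw add i r` means raw) and every state or conntrack match in its chains stops matching from then on. If fw_config_get_zone exposes zone options as `zone_<option>` variables, which the use of `${zone_name}` suggests, an opt-out is one line before the rule: `[ "${zone_conntrack:-0}" = 1 ] && return`. It would also help operators to log the decision next to the existing "Optimizing conntrack" message, e.g. `echo "  * disabling conntrack for zone ${zone_name}"`. Note that the early return now relies on `fw_config_get_zone "$1"` having set zone_name, which appears here only as a context line.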
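Review bot: The new `list_contains`/`append` pair marks only `$redirect_src` as conntracked, yet a DNAT redirect needs tracking on the reply path as well: replies from the host at `dest_ip` enter through whatever zone holds that host, and if that zone is not in FW_CONNTRACK_ZONES it receives a NOTRACK rule and the reverse translation never happens. If the redirect section carries a destination zone (not visible in this hunk), mirror the check for it: `[ -n "$redirect_dest" ] && { list_contains FW_CONNTRACK_ZONES $redirect_dest || append FW_CONNTRACK_ZONES $redirect_dest; }`; otherwise the propagation in core_forwarding.sh is the only thing that can bring that zone in, and that works only if forwardings are processed after this append. `$redirect_src` is unquoted on both new lines; the fw_die message above suggests src is mandatory, so this is a style point rather than a bug. fw_load_redirect starts before this hunk and continues past it.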