Mirror only - Please move to https://github.com/immortalwrt/immortalwrt
| Revision | 19bc0c3fc31380f015cdc3cfcc47ec1a66a4229c (tree) |
|---|---|
| Zeit | 2023-03-19 13:05:28 |
| Autor | arimitx <zyc199847@gmai...> |
| Commiter | ZiMing Mo |
firewall4: restrict fullcone nat with masquerade
package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch (diff)| @@ -16,8 +16,8 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org> | ||
| 16 | 16 | root/etc/config/firewall | 2 ++ |
| 17 | 17 | root/usr/share/firewall4/templates/ruleset.uc | 16 ++++++++++++++-- |
| 18 | 18 | .../firewall4/templates/zone-fullcone.uc | 4 ++++ |
| 19 | - root/usr/share/ucode/fw4.uc | 70 ++++++++++++++++++- | |
| 20 | - 4 files changed, 89 insertions(+), 3 deletions(-) | |
| 19 | + root/usr/share/ucode/fw4.uc | 69 ++++++++++++++++++- | |
| 20 | + 4 files changed, 89 insertions(+), 4 deletions(-) | |
| 21 | 21 | create mode 100644 root/usr/share/firewall4/templates/zone-fullcone.uc |
| 22 | 22 | |
| 23 | 23 | --- a/root/etc/config/firewall |
| @@ -38,10 +38,10 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org> | ||
| 38 | 38 | {% for (let redirect in fw4.redirects(`dstnat_${zone.name}`)): %} |
| 39 | 39 | {%+ include("redirect.uc", { fw4, redirect }) %} |
| 40 | 40 | {% endfor %} |
| 41 | -+{% if (fw4.default_option("fullcone")): %} | |
| 41 | ++{% if (zone.masq && fw4.default_option("fullcone")): %} | |
| 42 | 42 | + {%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "dstnat" }) %} |
| 43 | 43 | +{% endif %} |
| 44 | -+{% if (fw4.default_option("fullcone6")): %} | |
| 44 | ++{% if (zone.masq6 && fw4.default_option("fullcone6")): %} | |
| 45 | 45 | + {%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "dstnat" }) %} |
| 46 | 46 | +{% endif %} |
| 47 | 47 | {% fw4.includes('chain-append', `dstnat_${zone.name}`) %} |
| @@ -67,10 +67,10 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org> | ||
| 67 | 67 | {% endfor %} |
| 68 | 68 | {% endfor %} |
| 69 | 69 | {% endif %} |
| 70 | -+{% if (fw4.default_option("fullcone")): %} | |
| 70 | ++{% if (zone.masq && fw4.default_option("fullcone")): %} | |
| 71 | 71 | + {%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "srcnat" }) %} |
| 72 | 72 | +{% endif %} |
| 73 | -+{% if (fw4.default_option("fullcone6")): %} | |
| 73 | ++{% if (zone.masq6 && fw4.default_option("fullcone6")): %} | |
| 74 | 74 | + {%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "srcnat" }) %} |
| 75 | 75 | +{% endif %} |
| 76 | 76 | {% fw4.includes('chain-append', `srcnat_${zone.name}`) %} |
| @@ -201,17 +201,17 @@ Renew: ZiMing Mo <msylgj@immortalwrt.org> | ||
| 201 | 201 | if (zone.mtu_fix && this.kernel < 0x040a0000) { |
| 202 | 202 | this.warn_section(data, "option 'mtu_fix' requires kernel 4.10 or later"); |
| 203 | 203 | return; |
| 204 | -@@ -2124,10 +2187,15 @@ return { | |
| 204 | +@@ -2124,10 +2187,14 @@ return { | |
| 205 | 205 | zone.related_subnets = related_subnets; |
| 206 | 206 | zone.related_physdevs = related_physdevs; |
| 207 | 207 | |
| 208 | -+ if (this.state.defaults.fullcone || this.state.defaults.fullcone6) { | |
| 209 | -+ zone.dflags.snat = true; | |
| 210 | -+ zone.dflags.dnat = true; | |
| 211 | -+ } | |
| 212 | -+ | |
| 213 | 208 | if (zone.masq || zone.masq6) |
| 214 | - zone.dflags.snat = true; | |
| 209 | +- zone.dflags.snat = true; | |
| 210 | ++ if (this.state.defaults.fullcone || this.state.defaults.fullcone6) { | |
| 211 | ++ zone.dflags.snat = true; | |
| 212 | ++ zone.dflags.dnat = true; | |
| 213 | ++ } else | |
| 214 | ++ zone.dflags.snat = true; | |
| 215 | 215 | |
| 216 | 216 | - if ((zone.auto_helper && !(zone.masq || zone.masq6)) || length(zone.helper)) { |
| 217 | 217 | + if ((zone.auto_helper && !(zone.masq || zone.masq6 || this.state.defaults.fullcone || this.state.defaults.fullcone6)) || length(zone.helper)) { |
Fork