
FS#248 - Firewall configuration: multiple negative masq_dest options do not work #5314

Closed
openwrt-bot opened this issue Oct 25, 2016 · 0 comments

@openwrt-bot

danielkza:

LEDE r1783

Adding multiple exclusion masq_dest options in a firewall zone configuration does not work.

Multiple MASQUERADE rules - each one excluding only one of the destinations - are created, in effect excluding nothing at all, since any address ignored by one rule will not be ignored by the others.

Exclusion rules should be translated to early entries in the zone_*_postrouting chain with a RETURN action instead. For example, with the following configuration:

list masq_dest 172.31.0.0/16
list masq_dest 172.32.0.0/16

The chain currently is set up as:

Chain zone_wan_postrouting (1 references)
target prot opt source destination
postrouting_wan_rule all -- anywhere anywhere ID:66773300 /* user chain for postrouting */
MASQUERADE all -- anywhere !172.31.0.0/16 ID:66773300
MASQUERADE all -- anywhere !172.32.0.0/16 ID:66773300

When it should be set up as:

Chain zone_wan_postrouting (1 references)
target prot opt source destination
RETURN all -- anywhere 172.32.0.0/16
RETURN all -- anywhere 172.31.0.0/16
postrouting_wan_rule all -- anywhere anywhere ID:66773300 /* user chain for postrouting */
MASQUERADE all -- anywhere anywhere ID:66773300

@openwrt-bot

jow-:

Fix to firewall3.git added with https://git.lede-project.org/097282e.

The following zone declaration:

config zone
option name test
option device foo0
option masq 1
list masq_src !1.1.1.1
list masq_src !1.1.2.2
list masq_src 1.1.3.3
list masq_src 1.1.4.4
list masq_dest !2.2.1.1
list masq_dest !2.2.2.2
list masq_dest 2.2.3.3
list masq_dest 2.2.4.4

... will yield the following rules now:

iptables -t nat -A zone_test_postrouting -s 1.1.1.1/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -s 1.1.2.2/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -d 2.2.1.1/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -d 2.2.2.2/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -s 1.1.3.3/255.255.255.255 -d 2.2.3.3/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
iptables -t nat -A zone_test_postrouting -s 1.1.3.3/255.255.255.255 -d 2.2.4.4/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
iptables -t nat -A zone_test_postrouting -s 1.1.4.4/255.255.255.255 -d 2.2.3.3/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
iptables -t nat -A zone_test_postrouting -s 1.1.4.4/255.255.255.255 -d 2.2.4.4/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
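
The two translations discussed in this thread (the per-exclusion MASQUERADE rules the reporter observed, and the RETURN-first layout from the fix), modelled in Python as an added example that is not fw3's own code. It builds both rule lists from a masq_src/masq_dest list, renders them in the command shape shown in the fix, and walks them with netfilter's first-match semantics so the failure mode is visible: with one negated MASQUERADE rule per excluded network, a packet to any excluded destination still matches the other rule. The translation functions, the chain walk, writing the reporter's config with the '!' prefix used by the fix, and leaving out fw3's rule-ID match are all assumptions of this example.

```python
"""Model of fw3's masq_src / masq_dest translation and of netfilter's
first-match chain walk. Added example for this issue, not fw3 code; the
'buggy' translation models the behaviour reported, the 'fixed' one the rule
layout shown in the fix. Both are assumptions about fw3 internals."""
import ipaddress
from itertools import product


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _split(entries):
    """Split a masq_* list into (negated networks, positive networks)."""
    negated = [_net(e[1:]) for e in entries if e.startswith("!")]
    positive = [_net(e) for e in entries if not e.startswith("!")]
    return negated, positive


# A rule is (src_net, src_negated, dst_net, dst_negated, target);
# a None network means "anywhere".

def translate_buggy(masq_src, masq_dest):
    """Pre-fix behaviour described by the reporter: one MASQUERADE rule per
    excluded network, each negating only its own network (assumed model)."""
    src_neg, _ = _split(masq_src)
    dst_neg, _ = _split(masq_dest)
    rules = [(n, True, None, False, "MASQUERADE") for n in src_neg]
    rules += [(None, False, n, True, "MASQUERADE") for n in dst_neg]
    return rules or [(None, False, None, False, "MASQUERADE")]


def translate_fixed(masq_src, masq_dest):
    """Layout from the fix: negated entries first as RETURN, then one
    MASQUERADE per (src, dst) pair of positive entries; an empty positive
    list means 'anywhere'."""
    src_neg, src_pos = _split(masq_src)
    dst_neg, dst_pos = _split(masq_dest)
    rules = [(n, False, None, False, "RETURN") for n in src_neg]
    rules += [(None, False, n, False, "RETURN") for n in dst_neg]
    rules += [(s, False, d, False, "MASQUERADE")
              for s, d in product(src_pos or [None], dst_pos or [None])]
    return rules


def render(zone, rules):
    """Render rules as iptables commands in the shape shown in the fix
    (fw3's '-m id --id ...' marker is deliberately left out here)."""
    lines = []
    for src, src_neg, dst, dst_neg, target in rules:
        cmd = f"iptables -t nat -A zone_{zone}_postrouting"
        if src is not None:
            cmd += f" {'! ' if src_neg else ''}-s {src.with_netmask}"
        if dst is not None:
            cmd += f" {'! ' if dst_neg else ''}-d {dst.with_netmask}"
        lines.append(cmd + f" -j {target}")
    return lines


def _matches(rule, src, dst):
    """A side matches when (address in network) differs from its negation."""
    for addr, net, negated in ((src, rule[0], rule[1]), (dst, rule[2], rule[3])):
        if net is not None and (addr in net) == negated:
            return False
    return True


def masquerades(rules, src, dst):
    """Walk the chain like netfilter: the first matching rule decides.
    RETURN, or falling off the end, means the packet is not masqueraded."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, src, dst):
            return rule[4] == "MASQUERADE"
    return False


if __name__ == "__main__":
    # Reporter's two exclusions, written with the '!' syntax used by the fix.
    excluded = ["!172.31.0.0/16", "!172.32.0.0/16"]
    for name, chain in (("buggy", translate_buggy([], excluded)),
                        ("fixed", translate_fixed([], excluded))):
        print(name)
        for line in render("wan", chain):
            print("  ", line)
        for dst in ("172.31.5.5", "172.32.9.9", "8.8.8.8"):
            print("  ", dst, "masqueraded:", masquerades(chain, "192.168.1.10", dst))
```

Running it shows the buggy chain masquerading traffic to both 172.31.5.5 and 172.32.9.9, while the fixed chain returns early for both and only masquerades 8.8.8.8; feeding in the zone from the fix comment reproduces the eight-rule ordering (four RETURN rules, then the four src/dst combinations).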

@openwrt-bot

jow-:

Fixed with http://git.lede-project.org/113544d
