[Server] slightly broadens FORWARD rule matching, disables rewriting sport for snat
This commit is contained in:
parent
246d8a1db7
commit
d448004f38
@ -1279,9 +1279,9 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
|
|||||||
"forward_access_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
|
"forward_access_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
|
||||||
acc->forward_all, nat_ip, nat_port);
|
acc->forward_all, nat_ip, nat_port);
|
||||||
|
|
||||||
|
memset(rule_buf, 0, CMD_BUFSIZE);
|
||||||
if(acc->forward_all)
|
if(acc->forward_all)
|
||||||
{
|
{
|
||||||
memset(rule_buf, 0, CMD_BUFSIZE);
|
|
||||||
|
|
||||||
snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_ALL_RULE_ARGS,
|
snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_ALL_RULE_ARGS,
|
||||||
fwd_chain->table,
|
fwd_chain->table,
|
||||||
@ -1300,8 +1300,16 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
|
|||||||
{
|
{
|
||||||
/* Make the FORWARD access rule
|
/* Make the FORWARD access rule
|
||||||
*/
|
*/
|
||||||
firewd_rule(opts, NULL, FIREWD_FWD_RULE_ARGS, spadat->use_src_ip,
|
snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_RULE_ARGS,
|
||||||
nat_ip, fst_proto, nat_port, NULL, NAT_ANY_PORT,
|
fwd_chain->table,
|
||||||
|
fst_proto,
|
||||||
|
spadat->use_src_ip,
|
||||||
|
nat_port,
|
||||||
|
exp_ts,
|
||||||
|
fwd_chain->target
|
||||||
|
);
|
||||||
|
firewd_rule(opts, rule_buf, NULL, spadat->use_src_ip,
|
||||||
|
NULL, fst_proto, nat_port, NULL, NAT_ANY_PORT,
|
||||||
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain);
|
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain);
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
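Review bot: The new `snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_RULE_ARGS, ...)` in the else branch discards its return value, so a truncated rule would be handed to `firewd_rule()` as a complete one; the `forward_all` branch above has the same pattern, but this hunk introduces a second copy of it. Capturing the result and bailing out on `n < 0 || n >= CMD_BUFSIZE-1` before the `firewd_rule()` call would make truncation a logged failure instead of a silently shortened rule. Because `FIREWD_FWD_RULE_ARGS` no longer carries `-d %s`, the FORWARD accept now matches traffic from `spadat->use_src_ip` to `nat_port` for any destination the host routes, not only `nat_ip`; that is the "broadening" in the commit title, and the comment `/* Make the FORWARD access rule */` should say so, e.g. `/* Match on source, proto and dport only: the destination is left open so post-DNAT traffic to any forwarded host is accepted */`. The same applies to the iptables counterpart at `@ -1281,10 +1281,18 @@`. forward_access_rule() begins outside this hunk, so the declaration of rule_buf and the earlier forward_all branch are not visible here.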
@ -1433,7 +1441,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
|||||||
/* Using static SNAT */
|
/* Using static SNAT */
|
||||||
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
|
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
|
||||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||||
"--to-source %s:%i", acc->force_snat_ip, fst_port);
|
"--to-source %s", acc->force_snat_ip);
|
||||||
}
|
}
|
||||||
else if(acc->force_snat && acc->force_masquerade)
|
else if(acc->force_snat && acc->force_masquerade)
|
||||||
{
|
{
|
||||||
@ -1448,8 +1456,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
|||||||
/* Using static SNAT */
|
/* Using static SNAT */
|
||||||
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
|
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
|
||||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||||
"--to-source %s:%i", opts->config[CONF_SNAT_TRANSLATE_IP],
|
"--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]);
|
||||||
fst_port);
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|||||||
@ -46,7 +46,7 @@
|
|||||||
#define FIREWD_CHK_RULE_ARGS "-C %s %s" /* the other macros add SH_REDIR if necessary */
|
#define FIREWD_CHK_RULE_ARGS "-C %s %s" /* the other macros add SH_REDIR if necessary */
|
||||||
#define FIREWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define FIREWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define FIREWD_OUT_RULE_ARGS "-t %s -p %i -d %s -s %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define FIREWD_OUT_RULE_ARGS "-t %s -p %i -d %s -s %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define FIREWD_FWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define FIREWD_FWD_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define FIREWD_FWD_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define FIREWD_FWD_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define FIREWD_DNAT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i" SH_REDIR
|
#define FIREWD_DNAT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i" SH_REDIR
|
||||||
#define FIREWD_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR
|
#define FIREWD_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR
|
||||||
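Review bot: `FIREWD_FWD_RULE_ARGS` now takes one fewer `%s` argument, but the hunk shows only the macro definition, not its uses; any remaining caller that still supplies a destination string (for example a rule-check or delete path that formats the same macro) would now pass more arguments than the format consumes and the trailing ones are silently ignored, while a caller that was updated to the old order would mismatch `%i`/`%s` and invoke undefined behavior. The forward_access_rule() hunk in the .c file is the only updated use visible on this page, so it is worth grepping for other expansions of this macro. A one-line comment on the macro would also help future readers, e.g. `/* no -d: FORWARD matches any destination for this source/proto/dport (see forward_access_rule) */`. The same change is made to `IPT_FWD_RULE_ARGS` at `@ -43,7 +43,7 @@`.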
|
|||||||
@ -1262,9 +1262,9 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
|
|||||||
"forward_access_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
|
"forward_access_rule() forward_all: %d, nat_ip: %s, nat_port: %d",
|
||||||
acc->forward_all, nat_ip, nat_port);
|
acc->forward_all, nat_ip, nat_port);
|
||||||
|
|
||||||
|
memset(rule_buf, 0, CMD_BUFSIZE);
|
||||||
if(acc->forward_all)
|
if(acc->forward_all)
|
||||||
{
|
{
|
||||||
memset(rule_buf, 0, CMD_BUFSIZE);
|
|
||||||
|
|
||||||
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_ALL_RULE_ARGS,
|
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_ALL_RULE_ARGS,
|
||||||
fwd_chain->table,
|
fwd_chain->table,
|
||||||
@ -1281,10 +1281,18 @@ static void forward_access_rule(const fko_srv_options_t * const opts,
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_RULE_ARGS,
|
||||||
|
fwd_chain->table,
|
||||||
|
fst_proto,
|
||||||
|
spadat->use_src_ip,
|
||||||
|
nat_port,
|
||||||
|
exp_ts,
|
||||||
|
fwd_chain->target
|
||||||
|
);
|
||||||
/* Make the FORWARD access rule
|
/* Make the FORWARD access rule
|
||||||
*/
|
*/
|
||||||
ipt_rule(opts, NULL, IPT_FWD_RULE_ARGS, spadat->use_src_ip,
|
ipt_rule(opts, rule_buf, NULL, spadat->use_src_ip,
|
||||||
nat_ip, fst_proto, nat_port, NULL, NAT_ANY_PORT,
|
NULL, fst_proto, nat_port, NULL, NAT_ANY_PORT,
|
||||||
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain);
|
fwd_chain, exp_ts, now, "FORWARD", spadat->spa_message_remain);
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
@ -1416,7 +1424,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
|||||||
/* Using static SNAT */
|
/* Using static SNAT */
|
||||||
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
|
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
|
||||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||||
"--to-source %s:%i", acc->force_snat_ip, fst_port);
|
"--to-source %s", acc->force_snat_ip);
|
||||||
}
|
}
|
||||||
else if(acc->force_snat && acc->force_masquerade)
|
else if(acc->force_snat && acc->force_masquerade)
|
||||||
{
|
{
|
||||||
@ -1431,8 +1439,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
|
|||||||
/* Using static SNAT */
|
/* Using static SNAT */
|
||||||
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
|
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
|
||||||
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
|
||||||
"--to-source %s:%i", opts->config[CONF_SNAT_TRANSLATE_IP],
|
"--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]);
|
||||||
fst_port);
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
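Review bot: After dropping `:%i` from both `--to-source` formats in snat_rule(), `fst_port` is no longer referenced in either of the changed `snprintf()` calls; if it is not used elsewhere in the function (its declaration and other uses are outside this hunk) it becomes an unused variable and a `-Wall` warning, and should be removed or the assignment that computes it dropped. It is also worth a comment at the first changed call, e.g. `/* No source port in --to-source: let the NAT engine pick the sport rather than forcing it to fst_port */`, since the reason for the change lives only in the commit title. The firewalld version of both hunks (`@ -1433` and `@ -1448`) has the same leftover.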
|
|||||||
@ -43,7 +43,7 @@
|
|||||||
#define IPT_CHK_RULE_ARGS "-C %s %s" /* the other macros add SH_REDIR if necessary */
|
#define IPT_CHK_RULE_ARGS "-C %s %s" /* the other macros add SH_REDIR if necessary */
|
||||||
#define IPT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define IPT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define IPT_OUT_RULE_ARGS "-t %s -p %i -d %s -s %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define IPT_OUT_RULE_ARGS "-t %s -p %i -d %s -s %s --sport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define IPT_FWD_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define IPT_FWD_RULE_ARGS "-t %s -p %i -s %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define IPT_FWD_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
#define IPT_FWD_ALL_RULE_ARGS "-t %s -s %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s" SH_REDIR
|
||||||
#define IPT_DNAT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i" SH_REDIR
|
#define IPT_DNAT_RULE_ARGS "-t %s -p %i -s %s -d %s --dport %i -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s:%i" SH_REDIR
|
||||||
#define IPT_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR
|
#define IPT_DNAT_ALL_RULE_ARGS "-t %s -s %s -d %s -m comment --comment " EXPIRE_COMMENT_PREFIX "%u -j %s --to-destination %s" SH_REDIR
|
||||||
|
|||||||