- fw3_pr("-A zone_%s_input -j zone_%s_src_%s\n",
- zone->name, zone->name, fw3_flag_names[zone->policy_input]);
+ if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_comment(r, "Accept port redirections");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+ fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
+
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_comment(r, "Accept port forwards");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+ fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
+ }
+
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name,
+ fw3_flag_names[zone->policy_input]);
+ fw3_ipt_rule_append(r, "zone_%s_input", zone->name);