X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=zones.c;h=88133e26b3348fdc9e1ce261ed2b241ef955c166;hp=982424930a365887fe657b4c06c2d817ffed3d57;hb=0990a28a763a77dcd6b0711ac832751adb06f9da;hpb=d54cb962ebafdf2fde7256e234a2f3cfe8223c71 diff --git a/zones.c b/zones.c index 9824249..88133e2 100644 --- a/zones.c +++ b/zones.c @@ -83,6 +83,8 @@ const struct fw3_option fw3_zone_opts[] = { FW3_OPT("__flags_v4", int, zone, flags[0]), FW3_OPT("__flags_v6", int, zone, flags[1]), + FW3_LIST("__addrs", address, zone, old_addrs), + { } }; @@ -128,19 +130,18 @@ fw3_alloc_zone(void) { struct fw3_zone *zone; - zone = malloc(sizeof(*zone)); - + zone = calloc(1, sizeof(*zone)); if (!zone) return NULL; - memset(zone, 0, sizeof(*zone)); - INIT_LIST_HEAD(&zone->networks); INIT_LIST_HEAD(&zone->devices); INIT_LIST_HEAD(&zone->subnets); INIT_LIST_HEAD(&zone->masq_src); INIT_LIST_HEAD(&zone->masq_dest); + INIT_LIST_HEAD(&zone->old_addrs); + zone->enabled = true; zone->custom_chains = true; zone->log_limit.rate = 10; @@ -226,11 +227,11 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p) } setbit(zone->flags[0], fw3_to_src_target(zone->policy_input)); - setbit(zone->flags[0], fw3_to_src_target(zone->policy_forward)); + setbit(zone->flags[0], zone->policy_forward); setbit(zone->flags[0], zone->policy_output); setbit(zone->flags[1], fw3_to_src_target(zone->policy_input)); - setbit(zone->flags[1], fw3_to_src_target(zone->policy_forward)); + setbit(zone->flags[1], zone->policy_forward); setbit(zone->flags[1], zone->policy_output); list_add_tail(&zone->list, &state->zones); @@ -330,9 +331,9 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, int i; const char *chains[] = { - "input", - "output", - "forward", + "input", "INPUT", + "output", "OUTPUT", + "forward", "FORWARD", }; #define jump_target(t) \ 
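Review bot: The new `__addrs` entry in `fw3_zone_opts[]` carries no comment saying it is internal state rather than a user-facing zone option; it shares the double-underscore prefix with the `__flags_v4`/`__flags_v6` entries above it, so presumably all three are written to and read back from saved state rather than parsed from user config (TODO confirm against the code that writes the state). A one-line comment above the `__flags_v4` entry, `/* internal state (double-underscore options are not user config) */`, would document the convention for the whole group instead of leaving the reader to infer it from the prefix.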
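Review bot: In fw3_load_zones the forward policy is now recorded as the plain target bit while the input policy on the line above keeps the `fw3_to_src_target()` mapping, and nothing in the hunk says why the two differ. The companion hunk in print_zone_rule (at -492) jumps the forward policy to `zone_%s_dest_%s`, so presumably the flag bit has to select the dest chain that is created for that target (TODO confirm that is what `flags[]` drives). A comment on the first `setbit` for policy_forward, `/* forward policy is applied in zone_<name>_dest_<target>, so record the plain target bit */`, would tie the two hunks together; the `flags[1]` line below has the same change and the comment covers both.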
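Review bot: The `chains[]` table in print_interface_rule now interleaves the zone-chain suffix and the builtin chain name in one flat array, and correctness depends on the loop at -361 stepping by 2 and the call at -375 indexing `i + 1`; a struct of pairs makes that pairing explicit and lets the loop step by one again. The `fw3_ipt_rule_replace(r, chains[i + 1])` call at -375 also hands a table entry to the parameter the old call used for the `"delegate_%s"` format, so it is a format string; the entries are `%`-free literals and harmless today, but `"%s", chains[i].chain` keeps `-Wformat-security` quiet should the table ever hold a computed name (the literal-chain calls at -385, -393, -411, -420 and -430 do not have this issue). `i` is an `int` compared against the `size_t` element count; `size_t i` would avoid the sign-compare warning. Any other `chains[i]` reads between the two hunks, and the rest of print_interface_rule, lie outside this view and would need the `.dir` member.
```c
	const struct {
		const char *dir;    /* name used for the zone-side chain */
		const char *chain;  /* builtin chain the jump is placed in */
	} chains[] = {
		{ "input",   "INPUT"   },
		{ "output",  "OUTPUT"  },
		{ "forward", "FORWARD" },
	};
	/* … unchanged: jump_target macro and the src/dest rule setup … */
	for (i = 0; i < sizeof(chains)/sizeof(chains[0]); i++)
	{
		if (*chains[i].dir == 'o')
		/* … unchanged: rule creation, target and extra args … */
		fw3_ipt_rule_replace(r, "%s", chains[i].chain);
	}
```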
@@ -361,7 +362,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, } } - for (i = 0; i < sizeof(chains)/sizeof(chains[0]); i++) + for (i = 0; i < sizeof(chains)/sizeof(chains[0]); i += 2) { if (*chains[i] == 'o') r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub); @@ -375,7 +376,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, else fw3_ipt_rule_extra(r, zone->extra_src); - fw3_ipt_rule_replace(r, "delegate_%s", chains[i]); + fw3_ipt_rule_replace(r, chains[i + 1]); } } else if (handle->table == FW3_TABLE_NAT) @@ -385,7 +386,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL); fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name); fw3_ipt_rule_extra(r, zone->extra_src); - fw3_ipt_rule_replace(r, "delegate_prerouting"); + fw3_ipt_rule_replace(r, "PREROUTING"); } if (has(zone->flags, handle->family, FW3_FLAG_SNAT)) @@ -393,7 +394,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub); fw3_ipt_rule_target(r, "zone_%s_postrouting", zone->name); fw3_ipt_rule_extra(r, zone->extra_dest); - fw3_ipt_rule_replace(r, "delegate_postrouting"); + fw3_ipt_rule_replace(r, "POSTROUTING"); } } else if (handle->table == FW3_TABLE_MANGLE) @@ -411,7 +412,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, fw3_ipt_rule_comment(r, "%s (mtu_fix logging)", zone->name); fw3_ipt_rule_target(r, "LOG"); fw3_ipt_rule_addarg(r, false, "--log-prefix", buf); - fw3_ipt_rule_replace(r, "mssfix"); + fw3_ipt_rule_replace(r, "FORWARD"); } r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub); 
@@ -420,7 +421,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, fw3_ipt_rule_comment(r, "%s (mtu_fix)", zone->name); fw3_ipt_rule_target(r, "TCPMSS"); fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL); - fw3_ipt_rule_replace(r, "mssfix"); + fw3_ipt_rule_replace(r, "FORWARD"); } } else if (handle->table == FW3_TABLE_RAW) @@ -430,7 +431,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL); fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name); fw3_ipt_rule_extra(r, zone->extra_src); - fw3_ipt_rule_replace(r, "delegate_notrack"); + fw3_ipt_rule_replace(r, "PREROUTING"); } } } @@ -477,11 +478,13 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, { r = fw3_ipt_rule_new(handle); fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT"); + fw3_ipt_rule_comment(r, "Accept port redirections"); fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]); fw3_ipt_rule_append(r, "zone_%s_input", zone->name); r = fw3_ipt_rule_new(handle); fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT"); + fw3_ipt_rule_comment(r, "Accept port forwards"); fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]); fw3_ipt_rule_append(r, "zone_%s_forward", zone->name); } @@ -492,7 +495,7 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, fw3_ipt_rule_append(r, "zone_%s_input", zone->name); r = fw3_ipt_rule_new(handle); - fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name, + fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name, fw3_flag_names[zone->policy_forward]); fw3_ipt_rule_append(r, "zone_%s_forward", zone->name); 
@@ -675,45 +678,43 @@ fw3_lookup_zone(struct fw3_state *state, const char *name) } struct list_head * -fw3_resolve_zone_addresses(struct fw3_zone *zone) +fw3_resolve_zone_addresses(struct fw3_zone *zone, struct fw3_address *addr) { struct fw3_device *net; - struct fw3_address *addr, *tmp; - struct list_head *addrs, *all; - - all = malloc(sizeof(*all)); + struct fw3_address *cur, *tmp; + struct list_head *all; + all = calloc(1, sizeof(*all)); if (!all) return NULL; - memset(all, 0, sizeof(*all)); INIT_LIST_HEAD(all); - list_for_each_entry(net, &zone->networks, list) + if (addr && addr->set) { - addrs = fw3_ubus_address(net->name); - - if (!addrs) - continue; + tmp = malloc(sizeof(*tmp)); - list_for_each_entry_safe(addr, tmp, addrs, list) + if (tmp) { - list_del(&addr->list); - list_add_tail(&addr->list, all); + *tmp = *addr; + list_add_tail(&tmp->list, all); } - - free(addrs); } - - list_for_each_entry(addr, &zone->subnets, list) + else { - tmp = malloc(sizeof(*tmp)); + list_for_each_entry(net, &zone->networks, list) + fw3_ubus_address(all, net->name); - if (!tmp) - continue; + list_for_each_entry(cur, &zone->subnets, list) + { + tmp = malloc(sizeof(*tmp)); - memcpy(tmp, addr, sizeof(*tmp)); - list_add_tail(&tmp->list, all); + if (!tmp) + continue; + + *tmp = *cur; + list_add_tail(&tmp->list, all); + } } return all;
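Review bot: When `addr->set` is true and the `malloc` for `tmp` fails, the new branch in fw3_resolve_zone_addresses silently returns an empty `all` list, so the caller sees "zone has no addresses" rather than an error and presumably emits no rules for that address; the function already returns NULL when the `calloc` just above fails, so callers must handle NULL and failing the same way here is the consistent choice. The subnet loop below keeps its pre-existing `continue` on OOM with the same effect, but fixing that path needs the already-collected entries freed first and the matching free routine is not in this hunk, so I have left it alone. The new `addr` parameter also deserves a header comment stating what the code shows: a non-NULL `addr` with `set` true is copied into a single-entry list and replaces the zone's networks and subnets, otherwise each network is resolved through `fw3_ubus_address()` and the subnets are appended; if `fw3_ubus_address()` reports a status, it is discarded here, which is not visible in this hunk. The function's closing brace lies past the end of the hunk.
```c
	if (addr && addr->set)
	{
		tmp = malloc(sizeof(*tmp));

		if (!tmp)
		{
			free(all);
			return NULL;
		}

		*tmp = *addr;
		list_add_tail(&tmp->list, all);
	}
	/* … unchanged: else branch resolving networks and subnets … */
```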