X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=zones.c;h=fe507b0d82b7fc784aeb27ab057a93739e3e0e86;hp=8d8fd3d05d41c4b0badc032aa6d7c6daf6d35259;hb=fa3386a7054aa9541decd68c8cf8de1e0d6f8832;hpb=76976c044de639bb4bf170aa1c7a33fbeca1f1a5
diff --git a/zones.c b/zones.c
index 8d8fd3d..fe507b0 100644
--- a/zones.c
+++ b/zones.c
@@ -199,6 +199,8 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 continue;
 }
+ fw3_ubus_zone_devices(zone);
+
 if (list_empty(&zone->networks) && list_empty(&zone->devices) && list_empty(&zone->subnets) && !zone->extra_src)
 {
@@ -471,6 +473,21 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 switch (handle->table)
 {
 case FW3_TABLE_FILTER:
+ if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_comment(r, "Accept port redirections");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+ fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
+
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_comment(r, "Accept port forwards");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+ fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
+ }
+
 r = fw3_ipt_rule_new(handle);
 fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name, fw3_flag_names[zone->policy_input]);
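Review bot: The new `fw3_ubus_zone_devices(zone);` call in the first hunk sits between the name check and the empty-zone test with no comment on why the order matters or what happens when ubus reports nothing. Presumably it fills `zone->devices` from ubus so that the `list_empty(&zone->devices)` test right after it sees those entries; if so, say it, e.g. `/* pull devices reported via ubus first, so the emptiness check below sees them */`. Because these names end up deciding which interfaces belong to a firewall zone, the helper's own documentation should also state whether they are validated before use. The loop body of fw3_load_zones starts and ends outside this hunk.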
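Review bot: Both new filter rules in the second hunk accept on `-m conntrack --ctstate DNAT` alone, so in `zone_%s_input` and `zone_%s_forward` any destination-NATed flow is accepted no matter which nat rule rewrote it or where it is headed; the only gate is `FW3_FLAG_DNAT` on the zone. That leaves the nat table as the sole place where a redirect's source, port and destination restrictions are enforced, which deserves a comment above the `if`, for instance `/* DNATed flows are accepted here; all restrictions must live in the nat rules that create them */`. Whether these appends land before or after the zone's user rules cannot be seen from the hunk and should be checked, since it decides whether an explicit drop or reject can still override a redirect. The two stanzas differ only in comment text and chain name and could share a small helper. The `switch` in print_zone_rule continues outside the hunk.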