[OpenWrt-Devel] [PATCH] [package] firewall: Redirect incoming WAN traffic only when destination IP address matches the IP address used for masquerading

Alin Năstac alin.nastac at gmail.com
Wed Sep 9 05:18:40 EDT 2015


This is a git patch for the firewall3 git repo at git://nbd.name/firewall3.git

Basically it prevents zone_wan_prerouting rules from affecting traffic
towards IP addresses that are not used for masquerading the LAN private IP
space, and it does that by setting the destination IP address of the
delegate_prerouting rules for zones with masq enabled to whatever
address(es) that particular network interface has.

The typical scenario this patch fixes involves 2 LAN network prefixes:
  - the usual 192.168.1.0/24 which is masqueraded by the public IP
address configured on the WAN interface
  - a public IP network prefix for those LAN devices that are supposed
to be excluded from NAT
Without this patch, port forwarding rules introduced for 192.168.1.x
LAN devices will also affect traffic towards the 2nd prefix.



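Added example, not part of the mailing-list post and not firewall3 code: a small Python model of the nat PREROUTING path the post describes (PREROUTING -> delegate_prerouting -> zone_wan_prerouting -> DNAT), rendered as approximate iptables-save text. It builds the delegation rule both without and with a `-d <masquerade address>` match and sends two constructed packets through it: one to the WAN address used for MASQUERADE, one to a host in the routed public LAN prefix. The interface name, addresses, prefixes and the redirect are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

# Constructed topology (assumed for this example, not taken from the post):
WAN_IFACE = "eth0"
MASQ_ADDRS = ["203.0.113.5"]          # address(es) on the WAN interface used for MASQUERADE
PUBLIC_LAN_HOST = "203.0.113.130"     # a LAN host in the routed (non-NATed) public prefix


@dataclass
class Rule:
    """One nat-table rule; only the matches this example needs are modelled."""
    chain: str
    target: str                     # "DNAT" or the name of a user chain to jump to
    in_iface: Optional[str] = None  # -i
    dst: Optional[str] = None       # -d (address or CIDR)
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    to_dest: Optional[str] = None   # --to-destination (DNAT only)

    def matches(self, pkt: Dict) -> bool:
        if self.in_iface is not None and pkt["in_iface"] != self.in_iface:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True

    def iptables(self) -> str:
        """Render the rule in iptables-save syntax (an approximation of fw3 output)."""
        parts = [f"-A {self.chain}"]
        if self.in_iface:
            parts.append(f"-i {self.in_iface}")
        if self.dst:
            parts.append(f"-d {self.dst}")
        if self.proto:
            parts.append(f"-p {self.proto}")
        if self.dport is not None:
            parts.append(f"--dport {self.dport}")
        parts.append(f"-j {self.target}")
        if self.to_dest:
            parts.append(f"--to-destination {self.to_dest}")
        return " ".join(parts)


def build_ruleset(restrict_to_masq_addrs: bool) -> List[Rule]:
    """PREROUTING -> delegate_prerouting -> zone_wan_prerouting -> DNAT.
    With restrict_to_masq_addrs the delegation rule carries -d <masq address>,
    which is the behaviour the patch describes for zones with masq enabled."""
    rules = [Rule("PREROUTING", "delegate_prerouting")]
    if restrict_to_masq_addrs:
        for addr in MASQ_ADDRS:
            rules.append(Rule("delegate_prerouting", "zone_wan_prerouting", in_iface=WAN_IFACE, dst=addr))
    else:
        rules.append(Rule("delegate_prerouting", "zone_wan_prerouting", in_iface=WAN_IFACE))
    # A port forward (redirect) for a host in the masqueraded private prefix (assumed).
    rules.append(Rule("zone_wan_prerouting", "DNAT", proto="tcp", dport=80, to_dest="192.168.1.10:8080"))
    return rules


def _walk(rules: List[Rule], chain: str, pkt: Dict) -> Optional[str]:
    """Evaluate one chain; return the DNAT destination if a terminating rule hits."""
    for r in (x for x in rules if x.chain == chain):
        if not r.matches(pkt):
            continue
        if r.target == "DNAT":
            return r.to_dest
        hit = _walk(rules, r.target, pkt)   # jump; fall through if the user chain returns
        if hit is not None:
            return hit
    return None


def nat_prerouting(rules: List[Rule], pkt: Dict) -> str:
    """Destination 'ip:port' after the nat PREROUTING table."""
    return _walk(rules, "PREROUTING", pkt) or f"{pkt['dst']}:{pkt['dport']}"


# Constructed packets arriving from the internet on the WAN interface.
TO_MASQ_ADDR = {"in_iface": WAN_IFACE, "dst": MASQ_ADDRS[0], "proto": "tcp", "dport": 80}
TO_PUBLIC_LAN = {"in_iface": WAN_IFACE, "dst": PUBLIC_LAN_HOST, "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    for restricted in (False, True):
        rs = build_ruleset(restricted)
        print("\n".join(r.iptables() for r in rs))
        print(" to masq addr  ->", nat_prerouting(rs, TO_MASQ_ADDR))
        print(" to public LAN ->", nat_prerouting(rs, TO_PUBLIC_LAN), "\n")
```

Without the `-d` match, the packet to the public-prefix host is rewritten to the private redirect target exactly like the packet to the masquerade address; with it, the delegation rule does not match and the public-prefix packet keeps its destination. A practical check on a real box is `iptables -t nat -S delegate_prerouting` before and after the change: the jump to zone_wan_prerouting should carry a `-d` for each address of the masquerading interface.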