<div dir="ltr">Here is the original description I gave to my patch (see <a href="http://patchwork.ozlabs.org/patch/516167/">http://patchwork.ozlabs.org/patch/516167/</a>):<br><br>
Basically it prevents zone_wan_prerouting rules from affecting traffic towards IP addresses that are not used<br>
for masquerading LAN private IP space and it does that by setting destination IP address of the<br>
delegate_prerouting rules for zone with masq enabled to whatever address(es) that particular network<br>
interface has.<br>
<br>
The typical scenario this patch fixes involves 2 LAN network prefixes:<br>
  - the usual <a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a> which is masqueraded by the public IP address configured on the WAN interface<br>
  - a public IP network prefix for those LAN devices that are supposed to be excluded from NAT<br>
Without this patch, port forwarding rules introduced for 192.168.1.x LAN devices will also affect traffic<br>
towards the 2nd prefix.<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Oct 1, 2015 at 10:05 PM, Jo-Philipp Wich <span dir="ltr"><<a href="mailto:jow@openwrt.org" target="_blank">jow@openwrt.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
wouldn't this break port forwards to hosts not being within the range of<br>
the on-link lan subnet?<br>
<br>
I also read the patch description three times and still am not sure what<br>
that change attempts to achieve.<br>
<br>
Can you further explain the problem please and provide a before/after<br>
"fw3 print" diff so that I better understand your proposed solution?<br>
<br>
~ Jow<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
Am 01.10.2015 um 18:38 schrieb Hans Dedecker:<br>
> This patch fixes an issue when 2 LAN network prefixes are in use:<br>
>  - the usual <a href="http://192.168.0.0/24" rel="noreferrer" target="_blank">192.168.0.0/24</a> which is masqueraded by the public IP address on the<br>
>    WAN interface<br>
>  - a public IP network prefix for those LAN devices that are excluded from NAT<br>
><br>
> Port forwarding rules introduced for 192.168.1.x devices will currently also<br>
> translate traffic addressed to the public network addresses in use on the LAN<br>
> as the destination address in the delegate prerouting rule(s) is unset.<br>
> The patch sets the destination IP address(es) in the delegate prerouting rules<br>
> equal to the IP address(es) that particular network interface has as extra discriminator<br>
><br>
> Signed-off-by: Hans Dedecker <<a href="mailto:dedeckeh@gmail.com">dedeckeh@gmail.com</a>><br>
> Signed-off-by: Alin Nastac <<a href="mailto:alin.nastac@gmail.com">alin.nastac@gmail.com</a>><br>
> ---<br>
>  zones.c | 36 ++++++++++++++++++++++++++++++++----<br>
>  1 file changed, 32 insertions(+), 4 deletions(-)<br>
><br>
> diff --git a/zones.c b/zones.c<br>
> index 2ddd7b4..8bd6673 100644<br>
> --- a/zones.c<br>
> +++ b/zones.c<br>
> @@ -383,10 +383,38 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,<br>
>       {<br>
>               if (has(zone->flags, handle->family, FW3_FLAG_DNAT))<br>
>               {<br>
> -                     r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);<br>
> -                     fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);<br>
> -                     fw3_ipt_rule_extra(r, zone->extra_src);<br>
> -                     fw3_ipt_rule_replace(r, "delegate_prerouting");<br>
> +                     struct list_head *addrs;<br>
> +                     struct fw3_address *addr;<br>
> +<br>
> +                     addrs = zone->masq ? calloc(1, sizeof(*addrs)) : NULL;<br>
> +                     if (addrs)<br>
> +                     {<br>
> +                             /* redirect only the traffic towards a locally configured address */<br>
> +                             INIT_LIST_HEAD(addrs);<br>
> +                             fw3_ubus_address(addrs, dev->network);<br>
> +<br>
> +                             list_for_each_entry(addr, addrs, list)<br>
> +                             {<br>
> +                                     if (!fw3_is_family(addr, handle->family))<br>
> +                                             continue;<br>
> +                                     /* reset mask to its maximum value */<br>
> +                                     memset(&addr->mask.v6, 0xFF, sizeof(addr->mask.v6));<br>
> +<br>
> +                                     r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, addr);<br>
> +                                     fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);<br>
> +                                     fw3_ipt_rule_extra(r, zone->extra_src);<br>
> +                                     fw3_ipt_rule_replace(r, "delegate_prerouting");<br>
> +                             }<br>
> +<br>
> +                             fw3_free_list(addrs);<br>
> +                     }<br>
> +                     else<br>
> +                     {<br>
> +                             r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);<br>
> +                             fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);<br>
> +                             fw3_ipt_rule_extra(r, zone->extra_src);<br>
> +                             fw3_ipt_rule_replace(r, "delegate_prerouting");<br>
> +                     }<br>
>               }<br>
><br>
>               if (has(zone->flags, handle->family, FW3_FLAG_SNAT))<br>
><br>
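Review bot: when fw3_ubus_address() fills the list with no address of handle->family for dev->network (an interface that is still address-less, or carries only the other family, at the time the rules are built), the list_for_each_entry loop emits no delegate_prerouting rule at all, so DNAT for that zone and family silently stops working instead of falling back to the previous unrestricted rule; consider counting the rules created inside the loop and taking the existing else path when that count is zero, or stating in the commit message that dropping the rule is intended. The else branch also repeats the four-line create/target/extra/replace sequence verbatim from the loop body; a small helper taking the address argument (NULL for the masq-disabled case) would remove the duplication and keep the two paths from drifting apart.<br>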
<br>
</div></div></blockquote></div><br></div>
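A small model of the nat PREROUTING traversal described in the thread, added here as an illustration and not part of the thread or of firewall3 itself: the addresses, interface name and port forward are constructed, and the pre-patch delegate rule matches only on the input interface while the patched rule also matches the interface's own address, as the patch description states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed addresses for the thread's scenario: the WAN address on eth0, a
# masqueraded 192.168.1.x host, and a LAN host in a routed (non-NAT) public prefix.
WAN_IP = "198.51.100.2"
NAT_HOST = "192.168.1.10"
PUBLIC_LAN_HOST = "203.0.113.5"

@dataclass
class Packet:
    in_dev: str
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass
class DelegateRule:
    """delegate_prerouting entry: -i in_dev [-d dst] -j zone_<zone>_prerouting.
    dst is None before the patch; the patch sets it to an interface address."""
    in_dev: str
    zone: str
    dst: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return pkt.in_dev == self.in_dev and (self.dst is None or pkt.dst == self.dst)

@dataclass
class Redirect:
    """Port forward in zone_<zone>_prerouting: -p proto --dport dport -j DNAT."""
    proto: str
    dport: int
    dest_ip: str

def prerouting(pkt: Packet, delegates: List[DelegateRule],
               zones: Dict[str, List[Redirect]]) -> str:
    """Walk nat PREROUTING as fw3 lays it out; return the final destination.
    A zone chain with no hit returns to delegate_prerouting and the walk goes on."""
    for d in delegates:
        if not d.matches(pkt):
            continue
        for r in zones[d.zone]:
            if r.proto == pkt.proto and r.dport == pkt.dport:
                return r.dest_ip  # DNAT applied, traversal ends
    return pkt.dst

ZONES = {"wan": [Redirect("tcp", 80, NAT_HOST)]}  # one port forward in zone wan
BEFORE = [DelegateRule("eth0", "wan")]            # old rule: no -d match
AFTER = [DelegateRule("eth0", "wan", WAN_IP)]     # patched rule: -d <wan address>
```

With BEFORE, a packet arriving on eth0 for PUBLIC_LAN_HOST:80 is rewritten to NAT_HOST, which is the misbehaviour the thread describes; with AFTER only traffic to WAN_IP:80 is forwarded.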