if (length(rip[0]) > 1 || length(rip[1]) > 1)
this.warn_section(data, "specifies multiple rewrite addresses, using only first one");
+ let has_ip4_addr = length(sip[0]) || length(dip[0]) || length(rip[0]),
+ has_ip6_addr = length(sip[1]) || length(dip[1]) || length(rip[1]),
+ has_any_addr = has_ip4_addr || has_ip6_addr;
+
/* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
- if (!family && !length(sip[0]) && !length(sip[1]) && !length(dip[0]) && !length(dip[1]) && !length(rip[0]) && !length(rip[1])) {
+ if (!family && !has_any_addr) {
/* for backwards compatibility, treat unspecified family as IPv4 unless user explicitly requested any (0) */
if (family == null)
family = 4;
/* we need to emit one or two AF specific rules */
else {
- if ((!family || family == 4) && (length(sip[0]) || length(dip[0]) || length(rip[0]))) {
+ if ((!family || family == 4) && (!has_any_addr || has_ip4_addr)) {
for (let saddrs in subnets_group_by_masking(sip[0]))
for (let daddrs in subnets_group_by_masking(dip[0]))
add_rule(4, proto, saddrs, daddrs, rip[0], sport, dport, rport, ipset, redir);
}
- if ((!family || family == 6) && (length(sip[1]) || length(dip[1]) || length(rip[1]))) {
+ if ((!family || family == 6) && (!has_any_addr || has_ip6_addr)) {
for (let saddrs in subnets_group_by_masking(sip[1]))
for (let daddrs in subnets_group_by_masking(dip[1]))
add_rule(6, proto, saddrs, daddrs, rip[1], sport, dport, rport, ipset, redir);
"dest_ip": "2001:db8:1000:1::1234",
"dest_port": "25",
"target": "dnat"
+ },
+ {
+ ".description": "Ensure that family restricted redirect rules work properly",
+ "name": "Redirect test #7",
+ "family": "ipv4",
+ "src": "wan",
+ "dest": "lan",
+ "proto": "tcp",
+ "src_dport": "26",
+ "dest_port": "26",
+ "target": "dnat"
+ },
+ {
+ ".description": "Ensure that family restricted redirect rules work properly",
+ "name": "Redirect test #8",
+ "family": "ipv6",
+ "src": "wan",
+ "dest": "lan",
+ "proto": "tcp",
+ "src_dport": "27",
+ "dest_port": "27",
+ "target": "dnat"
}
]
}
meta nfproto ipv4 tcp dport 22 counter dnat 192.168.26.100:22 comment "!fw4: Redirect test #3"
meta nfproto ipv4 tcp dport 23 counter dnat 192.168.26.100:23 comment "!fw4: Redirect test #4"
meta nfproto ipv6 tcp dport 25 counter dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6"
+ meta nfproto ipv4 tcp dport 26 counter redirect to 26 comment "!fw4: Redirect test #7"
+ meta nfproto ipv6 tcp dport 27 counter redirect to 27 comment "!fw4: Redirect test #8"
}
chain srcnat_wan {
projects / project / firewall4.git / commitdiff