+ fw3_free_list(addrs);
+
+ if (redir->_dest)
+ return true;
+ }
+
+ return false;
+}
+
+static bool
+check_local(struct uci_element *e, struct fw3_redirect *redir,
+ struct fw3_state *state)
+{
+ if (redir->target != FW3_FLAG_DNAT)
+ return false;
+
+ if (!redir->ip_redir.set)
+ redir->local = true;
+
+ return redir->local;
+}
+
+static void
+select_helper(struct fw3_state *state, struct fw3_redirect *redir)
+{
+ struct fw3_protocol *proto;
+ struct fw3_cthelper *helper;
+ int n_matches = 0;
+
+ if (!state->defaults.auto_helper)
+ return;
+
+ if (!redir->_src || redir->target != FW3_FLAG_DNAT)
+ return;
+
+ if (!redir->port_redir.set || redir->port_redir.invert)
+ return;
+
+ if (redir->helper.set || redir->helper.ptr)
+ return;
+
+ if (list_empty(&redir->proto))
+ return;
+
+ list_for_each_entry(proto, &redir->proto, list)
+ {
+ helper = fw3_lookup_cthelper_by_proto_port(state, proto, &redir->port_redir);
+
+ if (helper)
+ n_matches++;
+ }
+
+ if (n_matches != 1)
+ return;
+
+ /* store pointer to auto-selected helper but set ".set" flag to false,
+ * to allow later code to decide between configured or auto-selected
+ * helpers */
+ redir->helper.set = false;
+ redir->helper.ptr = helper;
+
+ set(redir->_src->flags, FW3_FAMILY_V4, FW3_FLAG_HELPER);
+}
+
+static bool
+check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_element *e)
+{
+ bool valid;
+
+ if (!redir->enabled)
+ return false;
+
+ if (redir->src.invert)
+ {
+ warn_section("redirect", redir, e, "must not have an inverted source");
+ return false;
+ }
+ else if (redir->src.set && !redir->src.any &&
+ !(redir->_src = fw3_lookup_zone(state, redir->src.name)))
+ {
+ warn_section("redirect", redir, e, "refers to not existing zone '%s'",
+ redir->src.name);
+ return false;
+ }
+ else if (redir->dest.set && !redir->dest.any &&
+ !(redir->_dest = fw3_lookup_zone(state, redir->dest.name)))
+ {
+ warn_section("redirect", redir, e, "refers to not existing zone '%s'",
+ redir->dest.name);
+ return false;
+ }
+ else if (redir->ipset.set && state->disable_ipsets)
+ {
+ warn_section("redirect", redir, e, "skipped due to disabled ipset support");
+ return false;
+ }
+ else if (redir->ipset.set &&
+ !(redir->ipset.ptr = fw3_lookup_ipset(state, redir->ipset.name)))
+ {
+ warn_section("redirect", redir, e, "refers to unknown ipset '%s'",
+ redir->ipset.name);
+ return false;
+ }
+ else if (redir->helper.set &&
+ !(redir->helper.ptr = fw3_lookup_cthelper(state, redir->helper.name)))
+ {
+ warn_section("redirect", redir, e, "refers to unknown CT helper '%s'",
+ redir->helper.name);
+ return false;
+ }
+
+ if (!check_families(e, redir))
+ return false;
+
+ if (redir->target == FW3_FLAG_UNSPEC)
+ {
+ warn_section("redirect", redir, e, "has no target specified, defaulting to DNAT");
+ redir->target = FW3_FLAG_DNAT;
+ }
+ else if (redir->target < FW3_FLAG_DNAT || redir->target > FW3_FLAG_SNAT)
+ {
+ warn_section("redirect", redir, e, "has invalid target specified, defaulting to DNAT");
+ redir->target = FW3_FLAG_DNAT;
+ }
+
+ valid = false;
+
+ if (redir->target == FW3_FLAG_DNAT)
+ {
+ if (redir->src.any)
+ warn_section("redirect", redir, e, "must not have source '*' for DNAT target");
+ else if (!redir->_src)
+ warn_section("redirect", redir, e, "has no source specified");
+ else if (redir->helper.invert)
+ warn_section("redirect", redir, e, "must not use a negated helper match");
+ else