From d54cb962ebafdf2fde7256e234a2f3cfe8223c71 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 6 Nov 2013 23:56:36 +0000
Subject: [PATCH] Use a global -m conntrack --ctstate DNAT rule to accept all port forwards of a given zone in filter
---
 redirects.c | 104 ++++++++++++++++++++++++++--------------------------
 zones.c | 13 +++++++
 2 files changed, 65 insertions(+), 52 deletions(-)
diff --git a/redirects.c b/redirects.c
index b95c1ba..ca5d4d1 100644
--- a/redirects.c
+++ b/redirects.c
@@ -422,33 +422,33 @@ set_target_nat(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
 set_snat_dnat(r, redir->target, &redir->ip_dest, &redir->port_dest);
 }
-static void
-append_chain_filter(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
-{
- if (redir->target == FW3_FLAG_DNAT)
- {
- if (redir->local)
- fw3_ipt_rule_append(r, "zone_%s_input", redir->src.name);
- else
- fw3_ipt_rule_append(r, "zone_%s_forward", redir->src.name);
- }
- else
- {
- if (redir->src.set && !redir->src.any)
- fw3_ipt_rule_append(r, "zone_%s_forward", redir->src.name);
- else
- fw3_ipt_rule_append(r, "delegate_forward");
- }
-}
-
-static void
-set_target_filter(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
-{
- if (redir->local)
- fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
-
- fw3_ipt_rule_target(r, "ACCEPT");
-}
+//static void
+//append_chain_filter(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
+//{
+// if (redir->target == FW3_FLAG_DNAT)
+// {
+// if (redir->local)
+// fw3_ipt_rule_append(r, "zone_%s_input", redir->src.name);
+// else
+// fw3_ipt_rule_append(r, "zone_%s_forward", redir->src.name);
+// }
+// else
+// {
+// if (redir->src.set && !redir->src.any)
+// fw3_ipt_rule_append(r, "zone_%s_forward", redir->src.name);
+// else
+// fw3_ipt_rule_append(r, "delegate_forward");
+// }
+//}
+//
+//static void
+//set_target_filter(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
+//{
+// if (redir->local)
+// fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+//
+// fw3_ipt_rule_target(r, "ACCEPT");
+//}
 static void
 set_comment(struct fw3_ipt_rule *r, const char *name, int num, bool ref)
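Review bot: The removed `append_chain_filter` had an else branch that, for redirects whose target is not `FW3_FLAG_DNAT`, appended a plain ACCEPT to `zone_%s_forward` or `delegate_forward`; the replacement rule in zones.c (last hunk of this patch) is emitted only when the zone carries `FW3_FLAG_DNAT` and matches `--ctstate DNAT`, so those redirects appear to lose their filter-table ACCEPT and the commit message does not say whether that is intended. Either confirm that the nat-side rule for that target makes a filter accept unnecessary, or keep an equivalent branch. Separately, both functions are commented out with `//` instead of being deleted, and hunks 2 and 3 do the same for the filter cases of `print_redirect` and `print_reflection`; git history keeps the old code, so the dead blocks should be removed rather than left in the file.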
@@ -506,22 +506,22 @@ print_redirect(struct fw3_ipt_handle *h, struct fw3_state *state,
 break;
 case FW3_TABLE_FILTER:
- src = &redir->ip_src;
- dst = &redir->ip_redir;
- spt = &redir->port_src;
- dpt = &redir->port_redir;
-
- r = fw3_ipt_rule_create(h, proto, NULL, NULL, src, dst);
- fw3_ipt_rule_sport_dport(r, spt, dpt);
- fw3_ipt_rule_mac(r, mac);
- fw3_ipt_rule_ipset(r, &redir->ipset);
- fw3_ipt_rule_limit(r, &redir->limit);
- fw3_ipt_rule_time(r, &redir->time);
- fw3_ipt_rule_mark(r, &redir->mark);
- set_target_filter(r, redir);
- fw3_ipt_rule_extra(r, redir->extra);
- set_comment(r, redir->name, num, false);
- append_chain_filter(r, redir);
+ //src = &redir->ip_src;
+ //dst = &redir->ip_redir;
+ //spt = &redir->port_src;
+ //dpt = &redir->port_redir;
+ //
+ //r = fw3_ipt_rule_create(h, proto, NULL, NULL, src, dst);
+ //fw3_ipt_rule_sport_dport(r, spt, dpt);
+ //fw3_ipt_rule_mac(r, mac);
+ //fw3_ipt_rule_ipset(r, &redir->ipset);
+ //fw3_ipt_rule_limit(r, &redir->limit);
+ //fw3_ipt_rule_time(r, &redir->time);
+ //fw3_ipt_rule_mark(r, &redir->mark);
+ //set_target_filter(r, redir);
+ //fw3_ipt_rule_extra(r, redir->extra);
+ //set_comment(r, redir->name, num, false);
+ //append_chain_filter(r, redir);
 break;
 default:
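Review bot: With its body commented out, `case FW3_TABLE_FILTER:` is now an empty case that behaves exactly like `default:`, and nothing tells a reader where the filter-side accept went. Replace the commented block with a one-line comment such as `/* filter-side ACCEPT is emitted once per zone in print_zone_rule() (-m conntrack --ctstate DNAT) */`, or drop the case entirely. Note also that `mac`, `redir->ipset`, `redir->limit`, `redir->time`, `redir->mark` and `redir->extra` were applied to the filter rule as well; after this change they constrain only the nat-table rule (built in the case above, outside this hunk), if that case still applies them, so they are presumably evaluated when the connection is set up rather than on every packet. print_redirect starts before this hunk.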
@@ -557,15 +557,15 @@ print_reflection(struct fw3_ipt_handle *h, struct fw3_state *state,
 fw3_ipt_rule_replace(r, "zone_%s_postrouting", redir->dest.name);
 break;
- case FW3_TABLE_FILTER:
- r = fw3_ipt_rule_create(h, proto, NULL, NULL, ia, &redir->ip_redir);
- fw3_ipt_rule_sport_dport(r, NULL, &redir->port_redir);
- fw3_ipt_rule_limit(r, &redir->limit);
- fw3_ipt_rule_time(r, &redir->time);
- set_comment(r, redir->name, num, true);
- fw3_ipt_rule_target(r, "zone_%s_dest_ACCEPT", redir->dest.name);
- fw3_ipt_rule_replace(r, "zone_%s_forward", redir->dest.name);
- break;
+ //case FW3_TABLE_FILTER:
+ // r = fw3_ipt_rule_create(h, proto, NULL, NULL, ia, &redir->ip_redir);
+ // fw3_ipt_rule_sport_dport(r, NULL, &redir->port_redir);
+ // fw3_ipt_rule_limit(r, &redir->limit);
+ // fw3_ipt_rule_time(r, &redir->time);
+ // set_comment(r, redir->name, num, true);
+ // fw3_ipt_rule_target(r, "zone_%s_dest_ACCEPT", redir->dest.name);
+ // fw3_ipt_rule_replace(r, "zone_%s_forward", redir->dest.name);
+ // break;
 default:
 break;
diff --git a/zones.c b/zones.c
index 8225601..9824249 100644
--- a/zones.c
+++ b/zones.c
@@ -473,6 +473,19 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 switch (handle->table)
 {
 case FW3_TABLE_FILTER:
+ if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+ fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
+
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+ fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
+ }
+
 r = fw3_ipt_rule_new(handle);
 fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name, fw3_flag_names[zone->policy_input]);
-- 2.30.2
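Review bot: The old reflection filter rule was placed in `zone_%s_forward` of `redir->dest` and jumped to `zone_%s_dest_ACCEPT`; its replacement in zones.c is only emitted for zones that carry `FW3_FLAG_DNAT` for the current family. Whether the reflection path sets that flag on `redir->dest` is not visible in this patch, so please confirm it; otherwise NAT-loopback connections no longer get any filter-table accept. If it does, a comment at the removed case, `/* accepted by the per-zone --ctstate DNAT rule in print_zone_rule() */`, would spare the next reader the same search. print_reflection begins before this hunk.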
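Review bot: The two new rules accept every packet of any connection in conntrack state DNAT that enters the zone, regardless of which nat rule rewrote the destination and, in `zone_%s_forward`, regardless of the destination zone; the per-redirect src/dst, port, mac, ipset, limit, time and mark matches that the removed filter rules carried are now enforced only at the nat stage. That is sound as long as every DNAT decision for this zone is made by a redirect's own nat rule, and the code should state that assumption: `/* Anything DNAT'd on entry to this zone was already matched by a redirect's nat rule; accept the rest of the connection here without re-matching. */` above the `if`. The two rule constructions differ only in the chain name, so a two-entry chain array with a loop, or a small static helper taking the chain format, would remove the duplication. print_zone_rule's signature and the rest of the switch lie outside this hunk.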