#18544: firewall3: reflection uses wrong dest_ip when src_dip is set
------------------------------+------------------------
Reporter: anonymous | Owner: developers
Type: defect | Status: new
Priority: response-needed | Milestone:
Component: packages | Version: Trunk
Resolution: | Keywords:
------------------------------+------------------------
Comment (by anonymous):
Doesn't change anything.
# iptables -t nat -nvL | grep 8888
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.10         tcp dpt:8888 /* @redirect[0] (reflection) */ to:192.168.1.1
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.200.1        tcp dpt:8888 /* @redirect[0] (reflection) */ to:192.168.1.10:8888
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.200.2        tcp dpt:8888 /* @redirect[0] */ to:192.168.1.10:8888
root@OpenWrt:~# uci show firewall.@redirect[0]
firewall.cfg163837=redirect
firewall.cfg163837.src=wan
firewall.cfg163837.src_dip=192.168.200.2
firewall.cfg163837.src_dport=8888
firewall.cfg163837.dest=lan
firewall.cfg163837.dest_ip=192.168.1.10
firewall.cfg163837.proto=tcp
firewall.cfg163837.reflection_src=internal
Reflection should never target the external IP in this case as there is no
rule configured that would permit traffic from 192.168.200.1 ->
192.168.1.10.
Rules like this would be needed when wan has aliases with different
services on each external IP. If a DNS name is set to IP2 (configured as
src_dip), then reflection targeting IP1 (external IP) is useless anyway as
it'll not work, and internal clients targeting IP2 will not be reflected
back.
--
Ticket URL: <https://dev.openwrt.org/ticket/18544#comment:2>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets
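The check below is an added example, not firewall3 code and not part of the ticket. It models the rule the comment argues for: when a redirect carries src_dip, the reflection DNAT that lets LAN clients reach the forwarded service must match src_dip as destination, not the zone's primary address, and the reflection SNAT must rewrite the source to the LAN router address when reflection_src is internal. It parses the `uci show` section and the `iptables -t nat -nvL` listing from the ticket (both embedded as constructed samples) and reports mismatches. The values 192.168.200.1 as the wan primary address and 192.168.1.1 as the lan address are assumptions read off the listing; the minimal `-nvL` parser and the function names are mine.

```python
import re

# Constructed sample: the redirect section as `uci show` printed it in the ticket.
UCI_REDIRECT = """\
firewall.cfg163837=redirect
firewall.cfg163837.src=wan
firewall.cfg163837.src_dip=192.168.200.2
firewall.cfg163837.src_dport=8888
firewall.cfg163837.dest=lan
firewall.cfg163837.dest_ip=192.168.1.10
firewall.cfg163837.proto=tcp
firewall.cfg163837.reflection_src=internal
"""

# Constructed sample: `iptables -t nat -nvL | grep 8888` from the ticket, one rule per
# line. Columns: pkts bytes target prot opt in out source destination [extra].
NAT_LISTING = """\
    0     0 SNAT       tcp  --  *      *       192.168.1.0/24       192.168.1.10         tcp dpt:8888 /* @redirect[0] (reflection) */ to:192.168.1.1
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.200.1        tcp dpt:8888 /* @redirect[0] (reflection) */ to:192.168.1.10:8888
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.200.2        tcp dpt:8888 /* @redirect[0] */ to:192.168.1.10:8888
"""

# Nine fixed columns of `iptables -nvL`, then whatever match/target text follows.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+"
    r"(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_nat_listing(text):
    """Parse `iptables -t nat -nvL` rule lines into dicts (minimal, example-only parser)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # chain headers and column headers do not match
        rule = m.groupdict()
        extra = rule["extra"]
        comment = re.search(r"/\*\s*(.*?)\s*\*/", extra)
        dport = re.search(r"dpt:(\d+)", extra)
        to = re.search(r"to:(\S+)", extra)
        rule["comment"] = comment.group(1) if comment else ""
        rule["dport"] = int(dport.group(1)) if dport else None
        rule["to"] = to.group(1) if to else None
        rules.append(rule)
    return rules


def parse_uci_redirect(text):
    """Turn `uci show firewall.@redirect[N]` output into an option dict."""
    cfg = {}
    for line in text.splitlines():
        key, _, val = line.strip().partition("=")
        parts = key.split(".")
        if len(parts) < 3:
            continue  # the "firewall.cfgXXXX=redirect" section line itself
        cfg[parts[2]] = val
    return cfg


def expected_reflection_targets(redirect, wan_ip, lan_ip):
    """Addresses the reflection rules should use: src_dip wins over the zone's primary IP."""
    ext = redirect.get("src_dip") or wan_ip
    internal = redirect.get("reflection_src", "internal") == "internal"
    return {
        "dnat_dst": ext,                                   # what LAN clients connect to
        "dnat_to": f"{redirect['dest_ip']}:{redirect['src_dport']}",
        "snat_dst": redirect["dest_ip"],                   # reflected flow after DNAT
        "snat_to": lan_ip if internal else ext,            # reflection_src semantics
    }


def check_reflection(redirect, listing, wan_ip, lan_ip):
    """Return a list of mismatches between expected and installed reflection rules."""
    exp = expected_reflection_targets(redirect, wan_ip, lan_ip)
    dport = int(redirect["src_dport"])
    refl = [r for r in parse_nat_listing(listing)
            if "(reflection)" in r["comment"] and r["dport"] == dport]
    problems = []
    dnats = [r for r in refl if r["target"] == "DNAT"]
    snats = [r for r in refl if r["target"] == "SNAT"]
    if not dnats:
        problems.append("no reflection DNAT rule installed")
    for r in dnats:
        if r["dst"] != exp["dnat_dst"]:
            problems.append(f"reflection DNAT matches destination {r['dst']}, "
                            f"expected {exp['dnat_dst']} (src_dip)")
        if r["to"] != exp["dnat_to"]:
            problems.append(f"reflection DNAT rewrites to {r['to']}, expected {exp['dnat_to']}")
    if not snats:
        problems.append("no reflection SNAT rule installed")
    for r in snats:
        if r["dst"] != exp["snat_dst"]:
            problems.append(f"reflection SNAT matches destination {r['dst']}, expected {exp['snat_dst']}")
        if r["to"] != exp["snat_to"]:
            problems.append(f"reflection SNAT rewrites source to {r['to']}, expected {exp['snat_to']}")
    return problems


if __name__ == "__main__":
    cfg = parse_uci_redirect(UCI_REDIRECT)
    for p in check_reflection(cfg, NAT_LISTING, wan_ip="192.168.200.1", lan_ip="192.168.1.1"):
        print("MISMATCH:", p)
```

Run against the ticket's listing it reports exactly the defect the comment describes: the reflection DNAT matches 192.168.200.1 where 192.168.200.2 was configured. The same check passes once that destination is 192.168.200.2, which is also the only listing under which a LAN client resolving the alias name to IP2 gets reflected at all.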