diff --git a/root/etc/config/firewall b/root/etc/config/firewall
index 48b2440..b5fea22 100644
--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
@@ -155,7 +155,6 @@ config rule
 # option src_dport 80
 # option dest lan
 # option dest_ip 192.168.16.235
-# option dest_port 80
 # option proto tcp
 # port redirect of remapped ssh port (22001) on wan
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 690deb0..0330e61 100644
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -2740,9 +2740,6 @@ return {
 if (!redir.dest && redir.dest_ip && resolve_dest(redir))
 this.warn_section(data, `does not specify a destination, assuming '${redir.dest.zone.name}'`);
- if (!redir.dest_port)
- redir.dest_port = redir.src_dport;
-
 if (redir.reflection && redir.dest?.zone && redir.src.zone.masq) {
 redir.dest.zone.dflags.accept = true;
 redir.dest.zone.dflags.dnat = true;
@@ -2976,7 +2973,7 @@ return {
 for (let daddrs in subnets_group_by_masking(rip[i]))
 for (let saddrs in subnets_group_by_masking(iaddrs[i]))
- add_rule(i ? 6 : 4, proto, saddrs, daddrs, [ to_hostaddr(snat_addr) ], null, rport, null, null, refredir);
+ add_rule(i ? 6 : 4, proto, saddrs, daddrs, [ to_hostaddr(snat_addr) ], null, rport ? rport : dport, null, null, refredir);
 }
 }
 }
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 80e24bb..189cb39 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -75,6 +75,7 @@ Test various address selection rules in redirect rules.
 "proto": "tcp",
 "src_dport": "23",
 "dest_ip": "192.168.26.100",
+ "dest_port": "23",
 "reflection_src": "external"
 },
 {
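Review bot: The hunk at 2740 removes the `dest_port = src_dport` fallback without recording the new contract, so a maintainer who later meets a null `redir.dest_port` in this function has nothing telling them it is deliberate. A comment where the removed lines stood, such as `// dest_port is intentionally left unset when not configured: the DNAT/redirect is then emitted without a port and the original destination port is preserved; do not default it to src_dport`, would pin that down — the updated expectations in this commit (`dnat 192.168.26.100` with no port, `redirect` with no `to`) are what ground the port-preserving reading. The enclosing function starts before and ends after this hunk, so every other consumer of `redir.dest_port` in it must now tolerate null; only the reflection call in the following hunk is adjusted here, which is worth double-checking against the rest of the function.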
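Review bot: `rport ? rport : dport` on the changed `add_rule` line at 2976 is a null fallback and would read as one with `rport ?? dport`, given the file already uses optional chaining (`redir.dest?.zone`) a few lines earlier — assuming the ucode baseline fw4 targets accepts `??` as well. The fallback is not cosmetic: this call builds the reflection source-NAT rule (its fifth argument is `snat_addr`), and from its name and position the port it passes looks like the destination-port match, so with `dest_port` no longer defaulted a bare `rport` would have been null and the rule would have source-NATed all traffic from the internal subnets to the forwarded host instead of only the redirected port; falling back to the original `dport` keeps it scoped as before. I am inferring the argument's role, since `add_rule`'s signature and the surrounding loop both begin outside the hunk.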
@@ -117,7 +118,17 @@ Test various address selection rules in redirect rules.
 "dest": "lan",
 "proto": "tcp",
 "src_dport": "27",
- "dest_port": "27",
+ "target": "dnat"
+ },
+ {
+ ".description": "Ensure inverse address match works properly",
+ "name": "Redirect test #9",
+ "src": "lan",
+ "dest": "wan",
+ "proto": "tcp udp",
+ "src_dport": "53",
+ "dest_ip": "192.168.1.53",
+ "src_ip": "!192.168.1.53",
 "target": "dnat"
 }
 ]
@@ -290,11 +301,11 @@ table inet fw4 {
 }
 chain dstnat_wan {
- meta nfproto ipv4 tcp dport 22 counter dnat 192.168.26.100:22 comment "!fw4: Redirect test #3"
+ meta nfproto ipv4 tcp dport 22 counter dnat 192.168.26.100 comment "!fw4: Redirect test #3"
 meta nfproto ipv4 tcp dport 23 counter dnat 192.168.26.100:23 comment "!fw4: Redirect test #4"
 meta nfproto ipv6 tcp dport 25 counter dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6"
 meta nfproto ipv4 tcp dport 26 counter redirect to 26 comment "!fw4: Redirect test #7"
- meta nfproto ipv6 tcp dport 27 counter redirect to 27 comment "!fw4: Redirect test #8"
+ meta nfproto ipv6 tcp dport 27 counter redirect comment "!fw4: Redirect test #8"
 }
 chain srcnat_wan {
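Review bot: The no-`dest_port` path is only exercised with single ports in these cases (#3, #5, #8), yet the configuration where the old `src_dport` default and the new port-preserving output can plausibly differ is a `src_dport` range with no `dest_port`, and none of the cases added or changed here covers it. I'd add a redirect with `"src_dport": "2000-2010"`, a `"dest_ip"` and no `"dest_port"`, and pin its expected `dnat` line so the range is matched but no translated port appears after the address. Test #9 (inverted `src_ip` match) is unrelated to the port handling this commit changes, so it either belongs in its own commit or the commit message should say why it rides along.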
@@ -305,9 +316,11 @@ table inet fw4 {
 chain dstnat_lan {
 meta nfproto ipv4 udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #1"
 udp dport 53 counter redirect to 53 comment "!fw4: Redirect test #2"
- ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 22 dnat 192.168.26.100:22 comment "!fw4: Redirect test #3 (reflection)"
+ ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 22 dnat 192.168.26.100 comment "!fw4: Redirect test #3 (reflection)"
 ip saddr { 10.0.0.0/24, 192.168.26.0/24 } ip daddr 10.11.12.194 tcp dport 23 dnat 192.168.26.100:23 comment "!fw4: Redirect test #4 (reflection)"
 ip6 saddr { 2001:db8:1000::/60, fd63:e2f:f706::/60 } ip6 daddr 2001:db8:54:321::2 tcp dport 25 dnat [2001:db8:1000:1::1234]:25 comment "!fw4: Redirect test #6 (reflection)"
+ ip saddr != 192.168.1.53 tcp dport 53 counter dnat 192.168.1.53 comment "!fw4: Redirect test #9"
+ ip saddr != 192.168.1.53 udp dport 53 counter dnat 192.168.1.53 comment "!fw4: Redirect test #9"
 }
 chain srcnat_lan {
@@ -317,7 +330,7 @@ table inet fw4 {
 }
 chain dstnat_noaddr {
- meta nfproto ipv4 tcp dport 24 counter dnat 192.168.26.100:24 comment "!fw4: Redirect test #5"
+ meta nfproto ipv4 tcp dport 24 counter dnat 192.168.26.100 comment "!fw4: Redirect test #5"
 }
 chain srcnat_noaddr {