E.g. traffic entering zone_lan_forward must match "-i br-lan". That is, the forward policy of zone X applies to traffic from zone X that is to be forwarded to other zones. The iptables target for zone policy enforcement should be zone_NAME_src_POLICY to match "-i br-lan", not zone_NAME_dest_POLICY that matches "-o br-lan".
Fixes FS#2525 Signed-off-by: Yousong Zhou <[email protected]> --- zones.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/zones.c b/zones.c index 310583d..f268615 100644 --- a/zones.c +++ b/zones.c @@ -317,11 +317,11 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p) resolve_cthelpers(state, e, zone); fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_input)); - fw3_setbit(zone->flags[0], zone->policy_forward); + fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_forward)); fw3_setbit(zone->flags[0], zone->policy_output); fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_input)); - fw3_setbit(zone->flags[1], zone->policy_forward); + fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_forward)); fw3_setbit(zone->flags[1], zone->policy_output); list_add_tail(&zone->list, &state->zones); @@ -659,7 +659,7 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, fw3_ipt_rule_append(r, "zone_%s_input", zone->name); r = fw3_ipt_rule_new(handle); - fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name, + fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name, fw3_flag_names[zone->policy_forward]); fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
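Review bot: In the first hunk (fw3_load_zones), the plain zone->policy_forward bit is no longer set in either flags[0] or flags[1], and nothing in the visible lines shows where the zone_NAME_dest_POLICY chain for that policy gets flagged instead. Please confirm that any other consumer of that bit, for example a forwarding from another zone that jumps to this zone's dest chain, still sets it itself, or keep both bits set here. A short comment above the three fw3_setbit() calls explaining why input and forward go through fw3_to_src_target() while zone->policy_output stays unconverted would also help the next reader, since the asymmetry is the whole point of the fix.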
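Review bot: In the second hunk (print_zone_rule), the target name is built from fw3_flag_names[zone->policy_forward] while the flag set in fw3_load_zones is now fw3_to_src_target(zone->policy_forward), so the chain the rule jumps to and the flag that marks it as needed are derived in two different ways and have to be kept in step by hand. Consider a one-line comment at the fw3_ipt_rule_target() call stating that the forward policy is enforced on the ingress side ("-i"), as the commit message explains. Because this changes which packets hit a zone's REJECT or DROP forward policy, the commit message would also benefit from a before/after of the generated zone_NAME_forward chain for one zone, so the behaviour change can be verified against FS#2525.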
