default enable fullconenat in fw3

xueluofeng · Sep 22, 2018 · 0f4c3eb · 0f4c3eb
1 parent 1d9f109
commit 0f4c3eb
Show file tree

Hide file tree

Showing 10 changed files with 35 additions and 182 deletions.
diff --git a/include/target.mk b/include/target.mk
@@ -18,7 +18,7 @@ iptables-mod-nat-extra kmod-nf-nathelper kmod-nf-nathelper-extra kmod-ipt-raw km
 default-settings ipset-lists luci luci-app-ddns luci-app-sqm luci-app-upnp luci-app-adbyby-plus luci-app-autoreboot \
 luci-app-filetransfer luci-app-ssr-pro luci-app-usb-printer luci-app-vsftpd ddns-scripts_aliyun luci-app-xlnetacc \
 luci-app-pptp-server luci-app-ipsec-vpnd luci-app-vlmcsd luci-app-wifischedule luci-app-wol  \
-luci-app-sfe luci-app-flowoffload luci-app-nlbwmon luci-app-fullconenat
+luci-app-sfe luci-app-flowoffload luci-app-nlbwmon
 # For nas targets
 DEFAULT_PACKAGES.nas:=block-mount fdisk lsblk mdadm
 # For router targets

diff --git a/package/lean/luci-app-fullconenat/Makefile b/package/lean/luci-app-fullconenat/Makefile
diff --git a/package/lean/luci-app-fullconenat/luasrc/controller/fullconenat.lua b/package/lean/luci-app-fullconenat/luasrc/controller/fullconenat.lua
diff --git a/package/lean/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua b/package/lean/luci-app-fullconenat/luasrc/model/cbi/fullconenat.lua
diff --git a/package/lean/luci-app-fullconenat/po/zh-cn/fullconenat.po b/package/lean/luci-app-fullconenat/po/zh-cn/fullconenat.po
diff --git a/package/lean/luci-app-fullconenat/root/etc/config/fullconenat b/package/lean/luci-app-fullconenat/root/etc/config/fullconenat
diff --git a/package/lean/luci-app-fullconenat/root/etc/init.d/fullconenat b/package/lean/luci-app-fullconenat/root/etc/init.d/fullconenat
diff --git a/package/lean/luci-app-fullconenat/root/etc/uci-defaults/fullconenat b/package/lean/luci-app-fullconenat/root/etc/uci-defaults/fullconenat
diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile
@@ -28,9 +28,19 @@ define Package/firewall
   SECTION:=net
   CATEGORY:=Base system
   TITLE:=OpenWrt C Firewall
-  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +PACKAGE_firewall-FULLCONENAT:iptables-mod-fullconenat
 endef
 
+define Package/firewall/config
+if PACKAGE_firewall
+	config PACKAGE_firewall-FULLCONENAT
+		bool "Use FULLCONENAT"
+		default y
+endif		
+endef
+
+TARGET_CFLAGS += $(if $(CONFIG_PACKAGE_firewall-FULLCONENAT),-DUSE_FULLCONENAT,)
+
 define Package/firewall/description
  This package provides a config-compatible C implementation of the UCI firewall.
 endef

diff --git a/package/network/config/firewall/patches/fullconenat.patch b/package/network/config/firewall/patches/fullconenat.patch
@@ -0,0 +1,23 @@
+diff --git a/zones.c b/zones.c
+index 505ab20..44500d5 100644
+--- a/zones.c
++++ b/zones.c
+@@ -708,8 +708,18 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ 				{
+ 					r = fw3_ipt_rule_new(handle);
+ 					fw3_ipt_rule_src_dest(r, msrc, mdest);
++#ifdef USE_FULLCONENAT
++					fw3_ipt_rule_target(r, "FULLCONENAT");
++#else
+ 					fw3_ipt_rule_target(r, "MASQUERADE");
++#endif
+ 					fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
++#ifdef USE_FULLCONENAT
++					r = fw3_ipt_rule_new(handle);
++					fw3_ipt_rule_src_dest(r, msrc, mdest);
++					fw3_ipt_rule_target(r, "FULLCONENAT");
++					fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
++#endif
+ 				}
+ 			}
+ 		}