index 85a3750..9fac9b1 100644 --- a/defaults.c +++ b/defaults.c @@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = { FW3_OPT("synflood_protect", bool, defaults, syn_flood), FW3_OPT("synflood_rate", limit, defaults, syn_flood_rate), FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst), - + + FW3_OPT("fullcone", bool, defaults, fullcone), + FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies), FW3_OPT("tcp_ecn", int, defaults, tcp_ecn), FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling), diff --git a/options.h b/options.h index 6edd174..c02eb97 100644 --- a/options.h +++ b/options.h @@ -267,6 +267,7 @@ struct fw3_defaults bool drop_invalid; bool syn_flood; + bool fullcone; struct fw3_limit syn_flood_rate; bool tcp_syncookies; diff --git a/zones.c b/zones.c index 2aa7473..57eead0 100644 --- a/zones.c +++ b/zones.c @@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h struct fw3_address *msrc; struct fw3_address *mdest; struct fw3_ipt_rule *r; + struct fw3_defaults *defs = &state->defaults; if (!fw3_is_family(zone, handle->family)) return; @@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h { r = fw3_ipt_rule_new(handle); fw3_ipt_rule_src_dest(r, msrc, mdest); - fw3_ipt_rule_target(r, "MASQUERADE"); - fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name); + /*FIXME: Workaround for FULLCONE-NAT*/ + if(defs->fullcone) + { + warn("%s will enable FULLCONE-NAT", zone->name); + fw3_ipt_rule_target(r, "FULLCONENAT"); + fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name); + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_src_dest(r, msrc, mdest); + fw3_ipt_rule_target(r, "FULLCONENAT"); + fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name); + } + else + { + fw3_ipt_rule_target(r, "MASQUERADE"); + fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name); + } } } }