Opened 9 years ago

Closed 9 years ago

#2535 closed defect (fixed)

NAT should only apply to RFC1918 addresses, not global addresses

Reported by: openwrt@… Owned by: florian
Priority: normal Milestone:
Component: packages Version:
Keywords: Cc:

Description

The default firewall script NATs all IP addresses, even publicly allocated ones. If you're using public addresses, you probably want them to go through the router unchanged; this patch sets that up.

Attachments (2)

nat-rfc1918.diff (886 bytes) - added by openwrt@… 9 years ago.
no-nat.diff (1.3 KB) - added by openwrt@… 9 years ago.
Untested patch to add an "option nat" to /etc/config/network

Change History (9)

Changed 9 years ago by openwrt@…

comment:1 Changed 9 years ago by florian

  • Owner changed from developers to florian
  • Status changed from new to assigned

comment:2 Changed 9 years ago by florian

  • Resolution set to fixed
  • Status changed from assigned to closed

Fixed with [9460], thanks !

comment:3 Changed 9 years ago by anonymous

  • Resolution fixed deleted
  • Status changed from closed to reopened

Changeset 9461 reintroduces this bug. My LAN has globally routable addresses, and I do not want OpenWRT masquerading them.

comment:4 Changed 9 years ago by florian

  • Resolution set to wontfix
  • Status changed from reopened to closed

We have been discussing that with Kaloz and the decision was to only masquerade LAN; any other setting (unbridged Wi-Fi, public addresses behind LAN ...) should be manually tuned.

Changed 9 years ago by openwrt@…

Untested patch to add an "option nat" to /etc/config/network

comment:5 Changed 9 years ago by anonymous

  • Resolution wontfix deleted
  • Status changed from closed to reopened

How about this as an alternative (testing in progress now): NAT the LAN by default. Provide a config option in the config interface lan stanza, to allow you to disable NAT.

The config option is option nat false; it defaults to true, since the default network config uses private addresses, but it's configurable as needed in a config file, rather than by editing scripts.

comment:6 Changed 9 years ago by anonymous

Patch tested and functional; option nat set to true or omitted causes the LAN to be NATed. option nat set to false disables NAT on the LAN.

This generalises if the firewall script ever chooses to support multiple LAN or LAN-like interfaces.

comment:7 Changed 9 years ago by florian

  • Resolution set to fixed
  • Status changed from reopened to closed

Applied in [9503], thanks !
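
The policy discussed in this ticket, as an added example that is not part of the ticket, its patches, or OpenWrt's firewall script: a POSIX shell check that classifies a LAN address against the RFC1918 ranges and reports what the "option nat" setting from comment:5 would do with it. The function names and output labels are hypothetical, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example; names are hypothetical, not taken from OpenWrt's scripts.

# is_rfc1918 ADDR
#   returns 0 if ADDR is in 10/8, 172.16/12 or 192.168/16,
#           1 if it is a valid IPv4 address outside those ranges,
#           2 if it is not a dotted-quad IPv4 address.
is_rfc1918() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 2 ;;
    esac
    _oifs=$IFS; IFS=.
    set -- $1                     # split the address into four octets
    IFS=$_oifs
    [ $# -eq 4 ] || return 2
    for _o in "$@"; do
        [ ${#_o} -le 3 ] && [ "$_o" -le 255 ] || return 2
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# nat_decision LAN_ADDR [NAT_OPTION]
#   NAT_OPTION mirrors "option nat" from the ticket: true (default) or false.
#   Prints what the router would do with traffic from that LAN.
nat_decision() {
    _rc=0
    is_rfc1918 "$1" || _rc=$?
    [ "$_rc" -le 1 ] || { echo invalid; return 2; }
    case "${2:-true}:$_rc" in
        true:0)  echo masquerade ;;         # private LAN, NAT on (default)
        true:1)  echo masquerade-public ;;  # the case reported in comment:3
        false:1) echo route ;;              # public LAN passes unchanged
        false:0) echo route-private ;;      # private sources leave un-NATed
        *)       echo invalid; return 2 ;;  # option is neither true nor false
    esac
}

# Constructed sample LAN addresses; 192.0.2.1 is a documentation address
# standing in for a globally routable LAN, 172.32.0.1 is just outside 172.16/12.
for _a in 192.168.1.1 172.32.0.1 192.0.2.1; do
    printf '%s nat=true  -> %s\n' "$_a" "$(nat_decision "$_a" true)"
    printf '%s nat=false -> %s\n' "$_a" "$(nat_decision "$_a" false)"
done
```

The masquerade-public and route-private results are the two mismatches worth flagging when reviewing a router's network config.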
