Firewall configuration (plugin) for port forwarding
Users commonly expect an easy-to-use firewall configuration. The primary use of it is port forwarding.
This can be either a new plugin or, if it makes sense, part of core.
We need port forwarding such as:
config redirect
    option target DNAT
    option src wan
    option dest lan
    option proto tcp
    option src_dport 22
    option dest_ip 192.168.1.20
    option dest_port 22
    option enabled 1
In our case it is easier as it is always going to be lan. We have to just allow configuration of udp or both), dest_ip. I am not sure if we even have to support dest_port (the user can do a redirect of that type in LuCI or on the target machine), but it should be easy to do, and the frontend just has to solve how to explain it to the user so it is not confusing.
We should also think about including a DMZ (probably almost the same way as we have the guest network, but with LAN access to the DMZ) with this feature.
For a basic version, the following features are required:
create fw rule in uci based on user input (
destination_port so it is able to accept ranges (see src_port specification in https://openwrt.org/docs/guide-user/firewall/firewall_configuration#options5)
accept only destination IPs which are specified in /etc/config/dhcp (see https://gitlab.nic.cz/turris/foris-controller/foris-controller/-/blob/master/foris_controller_modules/lan/schema/lan.json#L119 or https://gitlab.nic.cz/turris/foris-controller/foris-controller/-/blob/master/foris_controller/schemas/definitions/common.json#L20)
proto option - by default, if no proto is used, both tcp and udp are used. If proto is set, only tcp/udp redirects will be used.
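
A sketch of the validation the basic version calls for, added here as an example and not taken from foris-controller or from the issue author. The function names are hypothetical, and it assumes that the allowed destinations are the `option ip` values of `config host` sections in /etc/config/dhcp, that ranges are written `low-high`, and that only IPv4 is handled.

```python
import ipaddress
import re

PORT_RE = re.compile(r"([0-9]{1,5})(?:-([0-9]{1,5}))?")  # "22" or "8000-8100"
# Constructed sample of /etc/config/dhcp content, not taken from a real router.
SAMPLE_DHCP = "config dhcp 'lan'\n\toption interface 'lan'\nconfig host\n\toption ip '192.168.1.20'\n"


def static_lease_ips(dhcp_text):
    """IPs from 'option ip' in 'config host' sections (assumed allow-list source)."""
    ips, in_host = set(), False
    for line in dhcp_text.splitlines():
        words = line.split()
        if words[:1] == ["config"]:
            in_host = words[1:2] == ["host"]
        elif in_host and len(words) == 3 and words[:2] == ["option", "ip"]:
            ips.add(words[2].strip("'\""))
    return ips


def check_port(value):
    """Accept a single port or a low-high range within 1..65535."""
    m = PORT_RE.fullmatch(value)  # fullmatch also rejects trailing newlines
    if not m:
        raise ValueError(f"invalid port or range: {value!r}")
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return value


def build_redirect(src_dport, dest_ip, allowed_ips, dest_port=None, proto=None):
    """Render a wan -> lan DNAT redirect; raise ValueError on any bad field."""
    ip = str(ipaddress.IPv4Address(dest_ip))  # rejects anything but a dotted quad
    if ip not in allowed_ips:
        raise ValueError(f"{ip} is not a known host in the dhcp config")
    if proto not in (None, "tcp", "udp"):
        raise ValueError(f"invalid proto: {proto!r}")
    opts = [("target", "DNAT"), ("src", "wan"), ("dest", "lan")]
    if proto is not None:  # no proto option means both tcp and udp
        opts.append(("proto", proto))
    opts += [("src_dport", check_port(src_dport)), ("dest_ip", ip)]
    if dest_port is not None:
        opts.append(("dest_port", check_port(dest_port)))
    opts.append(("enabled", "1"))
    return "config redirect\n" + "".join(f"\toption {k} '{v}'\n" for k, v in opts)
```

Because every value is matched against a strict pattern or an allow-list before it is rendered, user input cannot carry quotes or newlines into the generated section.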