2 files changed, 27 insertions, 2 deletions

diff --git a/package/firewall/files/lib/core_init.sh b/package/firewall/files/lib/core_init.sh
index 42124b39b..185fffb98 100644
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@@ -245,9 +245,17 @@ fw_load_zone() {
 	if [ "$zone_masq" == 1 ]; then
 		local msrc mdst
 		for msrc in ${zone_masq_src:-0.0.0.0/0}; do
-			fw_get_negation msrc '-s' "$msrc"
+			case "$msrc" in
+				*.*) fw_get_negation msrc '-s' "$msrc" ;;
+				*)   fw_get_subnet4 msrc '-s' "$msrc" ;;
+			esac
+
 			for mdst in ${zone_masq_dest:-0.0.0.0/0}; do
-				fw_get_negation mdst '-d' "$mdst"
+				case "$mdst" in
+					*.*) fw_get_negation mdst '-d' "$mdst" ;;
+					*)   fw_get_subnet4 mdst '-d' "$mdst" ;;
+				esac
+
 				fw add $mode n ${chain}_nat MASQUERADE $ { $msrc $mdst }
 			done
 		done
diff --git a/package/firewall/files/lib/fw.sh b/package/firewall/files/lib/fw.sh
index 16a39b6a6..19dddef44 100644
--- a/package/firewall/files/lib/fw.sh
+++ b/package/firewall/files/lib/fw.sh
@@ -227,3 +227,20 @@ fw_get_negation() {
 		export -n -- "$_var=! $_flag ${_ipaddr#!}" || \
 		export -n -- "$_var=${_ipaddr:+$_flag $_ipaddr}"
 }
+
+fw_get_subnet4() {
+	local _var="$1"
+	local _flag="$2"
+	local _name="$3"
+
+	local _ipaddr="$(uci_get_state network "${_name#!}" ipaddr)"
+	local _netmask="$(uci_get_state network "${_name#!}" netmask)"
+
+	case "$_ipaddr" in
+		*.*.*.*)
+			[ "${_name#!}" != "$_name" ] && \
+				export -n -- "$_var=! $_flag $_ipaddr/${_netmask:-255.255.255.255}" || \
+				export -n -- "$_var=$_flag $_ipaddr/${_netmask:-255.255.255.255}"
+		;;
+	esac
+}