rules.pl: Fix SNAT over VPN.
Commit Message
This commit adds flags which will are applied if SNAT should be used on
the red address or any configured alias.
They prevent doing the SNAT when tranismitting packet through a VPN over the red interface.
Fixes #12162.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/firewall/rules.pl | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
Comments
Hello,
I just tested this patch on our main firewall in Hanover and the problem is resolved.
It is not the most beautiful piece of code, but it does the job.
-Michael
Tested-by: Michael Tremer <michael.tremer@ipfire.org>
> On 20 Feb 2020, at 16:24, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>
> This commit adds flags which will are applied if SNAT should be used on
> the red address or any configured alias.
>
> They prevent doing the SNAT when tranismitting packet through a VPN over the red interface.
>
> Fixes #12162.
>
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> config/firewall/rules.pl | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 86db47367..6129af861 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -479,16 +479,31 @@ sub buildrules {
>
> # Source NAT
> } elsif ($NAT_MODE eq "SNAT") {
> + my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
> my @nat_options = @options;
>
> + # Get addresses for the configured firewall interfaces.
> + my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
> +
> + # Check if the nat_address is one of the local addresses.
> + foreach my $local_address (@local_addresses) {
> + if ($nat_address eq $local_address) {
> + # Clear SNAT options.
> + @snat_options = ();
> +
> + # Finish loop.
> + last;
> + }
> + }
> +
> push(@nat_options, @destination_intf_options);
> push(@nat_options, @source_options);
> push(@nat_options, @destination_options);
>
> if ($LOG) {
> - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
> + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
> }
> - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
> + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
> }
> }
>
> --
> 2.25.0
>
@@ -479,16 +479,31 @@ sub buildrules {
# Source NAT
} elsif ($NAT_MODE eq "SNAT") {
+ my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
my @nat_options = @options;
+ # Get addresses for the configured firewall interfaces.
+ my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+
+ # Check if the nat_address is one of the local addresses.
+ foreach my $local_address (@local_addresses) {
+ if ($nat_address eq $local_address) {
+ # Clear SNAT options.
+ @snat_options = ();
+
+ # Finish loop.
+ last;
+ }
+ }
+
push(@nat_options, @destination_intf_options);
push(@nat_options, @source_options);
push(@nat_options, @destination_options);
if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
}
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
}
}