BUG10994: SNAT rules are missing the outgoing interface
| Field | Value |
|---|---|
| Message ID | 1449500252-18922-1-git-send-email-alexander.marx@ipfire.org |
| State | Accepted |
| Commit | 306098a49811868e2ffc4e19ce8cd62f69a2e9f3 |
| Headers | Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.tremer.info [172.28.1.200]) by septima.ipfire.org (Postfix) with ESMTP id E229F615ED for <patchwork@ipfire.org>; Mon, 7 Dec 2015 15:57:41 +0100 (CET) Received: from hedwig.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id B7165D4A; Mon, 7 Dec 2015 15:57:41 +0100 (CET) Received: from EDV.kappeln2011.lan (ip1f11b49c.dynamic.kabel-deutschland.de [31.17.180.156]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id CE091B89; Mon, 7 Dec 2015 15:57:37 +0100 (CET) From: Alexander Marx <alexander.marx@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] BUG10994: SNAT rules are missing the outgoing interface Date: Mon, 7 Dec 2015 15:57:32 +0100 Message-Id: <1449500252-18922-1-git-send-email-alexander.marx@ipfire.org> X-Mailer: git-send-email 1.9.1 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <http://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <http://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Message
Alexander Marx
Dec. 8, 2015, 1:57 a.m. UTC
When creating SNAT rules, the outgoing interface is not set. As a side
effect, traffic that should be sent unnatted to a VPN tunnel can be
natted, which is a BUG.
With this patch the SNAT rules are getting an outgoing interface
according to the configuration. When selecting the RED target network,
all SNAT rules will be configured with "-o red0". Otherwise, if "all" is
selected, there is no interface in the rule, which matches all networks.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
---
config/firewall/rules.pl | 4 ++++
1 file changed, 4 insertions(+)
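To make the mechanism concrete, here is an added example (it is not part of the patch and not IPFire's rules.pl) that models in Python how the SNAT branch of a rule builder assembles its iptables arguments and how the presence or absence of an `-o` match decides which packets get rewritten. The addresses, the `tun0` tunnel interface, the `red0`/`all` mapping and the POSTROUTING chain are constructed assumptions for the illustration; the page does not show IPFire's real chain layout.

```python
"""Model of how an outgoing-interface match changes what a SNAT rule rewrites.

Added example for this page: it is NOT IPFire's rules.pl.  The addresses,
the 'tun0' tunnel interface and the POSTROUTING chain are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample topology (not from the page).
GREEN_NET = "192.168.1.0/24"      # LAN behind the firewall
RED_IP = "203.0.113.10"           # public address on red0 (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_intf: str   # interface chosen by the routing decision


def build_snat_rule(source_net: str, to_source: str,
                    destination_intf: Optional[str] = None) -> List[str]:
    """Assemble iptables arguments the way the patched SNAT branch does:
    base options, then '-o <intf>' only if the target network maps to an
    interface (RED -> 'red0'; 'all' -> none), then the match options."""
    options = ["-t", "nat", "-A", "POSTROUTING"]
    if destination_intf:
        options += ["-o", destination_intf]
    options += ["-s", source_net]
    options += ["-j", "SNAT", "--to-source", to_source]
    return options


def rule_matches(rule: List[str], pkt: Packet) -> bool:
    """Evaluate the -s / -d / -o matches of a rule against a packet."""
    for opt, arg in zip(rule[::2], rule[1::2]):
        if opt == "-s" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(arg):
            return False
        if opt == "-d" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(arg):
            return False
        if opt == "-o" and pkt.out_intf != arg:
            return False
    return True


def apply_snat(rules: List[List[str]], pkt: Packet) -> str:
    """Return the source address the packet leaves with; first match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[rule.index("--to-source") + 1]
    return pkt.src


if __name__ == "__main__":
    to_internet = Packet("192.168.1.50", "198.51.100.7", "red0")
    to_tunnel = Packet("192.168.1.50", "10.20.0.5", "tun0")

    # Before the patch (and after it when the target network is "all"):
    # no -o, so the tunnel-bound packet is rewritten as well.
    unqualified = [build_snat_rule(GREEN_NET, RED_IP)]
    # After the patch with RED selected as target network: -o red0 is added.
    red_only = [build_snat_rule(GREEN_NET, RED_IP, "red0")]

    for label, rules in (("no -o", unqualified), ("-o red0", red_only)):
        print(label, "tunnel ->", apply_snat(rules, to_tunnel),
              "| internet ->", apply_snat(rules, to_internet))
```

On a live box, `iptables -t nat -S` lists the nat-table rules in this argument form, so it shows directly whether a SNAT rule carries `-o red0`. The model keys only on the interface the routing decision picked, which is what the patch relies on and which holds for routed tunnels that have their own interface. One caveat from outside the page: with policy-based IPsec the plaintext packet traverses POSTROUTING still bound for the physical interface, so an interface match alone does not distinguish it; there the usual exclusion is netfilter's `-m policy --dir out --pol ipsec` match.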
Comments
Is there any evidence that this was tested by somebody else but you?

-Michael

On Mon, 2015-12-07 at 15:57 +0100, Alexander Marx wrote: > When creating SNAT rules, the outgoing interface is not set. As a > side > effect, traffic that should be send unnatted to a vpn tunnel can be > natted which is a BUG. > With this patch the SNAT rules are getting a outgoing interface > according to the configuration. When selecting the RED Target > network, > all SNAT rules will be configured with "-o red0". Otherwise if "all" > is > selected, there is no interface in the rule, which matches all > networks. > > Signed-off-by: Alexander Marx <alexander.marx@ipfire.org> > --- > config/firewall/rules.pl | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl > index daa9565..8b0c6dd 100644 > --- a/config/firewall/rules.pl > +++ b/config/firewall/rules.pl > @@ -467,6 +467,10 @@ sub buildrules { > } elsif ($NAT_MODE > eq "SNAT") { > my > @nat_options = @options; > > + if > ($destination_intf) { > + push > (@nat_options, ("-o", $destination_intf)); > + } > + > push(@nat_op > tions, @source_options); > push(@nat_op > tions, @destination_options); >
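Review bot: the new `if ($destination_intf)` block only restricts the SNAT rule when the target network maps to an interface; by the commit message's own account a target of "all" leaves `$destination_intf` empty, the `-o` is skipped, and the rule still matches traffic bound for the VPN tunnel, which is exactly the case the patch sets out to fix. Either state that limitation in the commit message or derive an interface for the "all" case as well. The hunk also does not show where `$destination_intf` is assigned on the SNAT path, so confirm it is populated before this branch runs rather than relying on a variable that may only be set for other NAT modes. Minor style point: the inner parentheses in `push(@nat_options, ("-o", $destination_intf));` are redundant; `push(@nat_options, "-o", $destination_intf);` matches the two `push(@nat_options, ...)` calls that follow.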
Hi Michael,

I've tested it and it works as expected.

Regards,
Matthias

> On 10.12.2015 at 17:37, Michael Tremer <michael.tremer@ipfire.org> wrote: > > Is there any evidence that this was tested by somebody else but you? > > -Michael > >> On Mon, 2015-12-07 at 15:57 +0100, Alexander Marx wrote: >> When creating SNAT rules, the outgoing interface is not set. As a >> side >> effect, traffic that should be send unnatted to a vpn tunnel can be >> natted which is a BUG. >> With this patch the SNAT rules are getting a outgoing interface >> according to the configuration. When selecting the RED Target >> network, >> all SNAT rules will be configured with "-o red0". Otherwise if "all" >> is >> selected, there is no interface in the rule, which matches all >> networks. >> >> Signed-off-by: Alexander Marx <alexander.marx@ipfire.org> >> --- >> config/firewall/rules.pl | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl >> index daa9565..8b0c6dd 100644 >> --- a/config/firewall/rules.pl >> +++ b/config/firewall/rules.pl >> @@ -467,6 +467,10 @@ sub buildrules { >> } elsif ($NAT_MODE >> eq "SNAT") { >> my >> @nat_options = @options; >> >> + if >> ($destination_intf) { >> + push >> (@nat_options, ("-o", $destination_intf)); >> + } >> + >> push(@nat_op >> tions, @source_options); >> push(@nat_op >> tions, @destination_options);
Matthias, the man who had the issue, tested it and it solved his problems.

Best,
Alex

On 10.12.2015 at 17:37, Michael Tremer wrote: > Is there any evidence that this was tested by somebody else but you? > > -Michael > > On Mon, 2015-12-07 at 15:57 +0100, Alexander Marx wrote: >> When creating SNAT rules, the outgoing interface is not set. As a >> side >> effect, traffic that should be send unnatted to a vpn tunnel can be >> natted which is a BUG. >> With this patch the SNAT rules are getting a outgoing interface >> according to the configuration. When selecting the RED Target >> network, >> all SNAT rules will be configured with "-o red0". Otherwise if "all" >> is >> selected, there is no interface in the rule, which matches all >> networks. >> >> Signed-off-by: Alexander Marx <alexander.marx@ipfire.org> >> --- >> config/firewall/rules.pl | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl >> index daa9565..8b0c6dd 100644 >> --- a/config/firewall/rules.pl >> +++ b/config/firewall/rules.pl >> @@ -467,6 +467,10 @@ sub buildrules { >> } elsif ($NAT_MODE >> eq "SNAT") { >> my >> @nat_options = @options; >> >> + if >> ($destination_intf) { >> + push >> (@nat_options, ("-o", $destination_intf)); >> + } >> + >> push(@nat_op >> tions, @source_options); >> push(@nat_op >> tions, @destination_options); >>