From patchwork Thu Feb 20 16:24:23 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Schantl <stefan.schantl@ipfire.org>
X-Patchwork-Id: 2799
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 48Ng0V3MDhz3whT
	for <patchwork@web04.haj.ipfire.org>; Thu, 20 Feb 2020 16:24:42 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 48Ng0T06NTzdb;
	Thu, 20 Feb 2020 16:24:40 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=201909ed25519; t=1582215881;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=ev7Ya8gavfq2bAnFZrqf7UyS0/AOGwJlhSrDv50ngOM=;
	b=rxBuq/xirN0Z8n/qBK+3VzcQFbS1MYdFoqn4UBBkoJc3fmopxUrVGwy2l4Fe9e0gexO5pm
	0ZX+CebMKnHPvlBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909rsa;
	t=1582215881; h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=ev7Ya8gavfq2bAnFZrqf7UyS0/AOGwJlhSrDv50ngOM=;
	b=h7CbNY+yvBoOEe7B46738NV+dZmBu43oYMpsRR4Ayvn7Kj3TLC788u3/O+/GwXKHZ0gQgv
	RxdC71pDsyV/Y6Vrm1FeR6q8LJL5tZa/0Zf0jTGXAPTqYn2pJJf+vE1EZ7vq+aV12CTDYK
	44cYzIZnOWsBdzX+L3FXapuHHRyv+Lj95TrfD5njkYD0/zcKmdpUm2cLkqDhRMyOCi8W8F
	AOeehtEhImyM3RnT2h7zU0na0F4GQa6YzKRm2K0IydaCJZXv1+y37sxWa/DtH6OgUGdnaf
	AzJ7N69NPSxwwCO973SxXdiJfQ/bjkJ6T3cHnpM/5WopEb0+aUlterLXcwqtrw==
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 48Ng0K3HKzz2xqq;
	Thu, 20 Feb 2020 16:24:33 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 48Ng0H1vSkz2xn1
 for <development@lists.ipfire.org>; Thu, 20 Feb 2020 16:24:31 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (Client did not present a certificate)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 48Ng0G4RWszdb;
 Thu, 20 Feb 2020 16:24:30 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909ed25519; t=1582215870;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=ev7Ya8gavfq2bAnFZrqf7UyS0/AOGwJlhSrDv50ngOM=;
 b=tmjaNZUeH+xkLIvS4ri+3C6Pco1EWTfSNVEv4P+3UgN25FAftuMP249wtAyTTxGV4oMU9w
 IA/86dvW48no+yDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=201909rsa;
 t=1582215870;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding;
 bh=ev7Ya8gavfq2bAnFZrqf7UyS0/AOGwJlhSrDv50ngOM=;
 b=VhVM7BqoGUcGIMiPVpPGeYJ7lnVUkUY0VkqAd3WQiQ2IAJ9AmAkUpCVfFjwQhmiwiqZcMu
 jL8njXFqyOkcdHNkV1TnlXTVJdnqQljGRjeE7zvDi12e46D5oj+Se+rwRHAOwHpa+Pt4Ig
 3y81l3T48XnLyOQtlqnO9kw6R1HFmrt4U4uVyoP/NBVGN8CH5xY9Wx671PwSNtKaZUcopU
 A3ztp1Rr+ZqTfxi9yTADoq2Ns3PVXVoRou1fug54q5SUyembONAUfX6m15Zce851ja2FUG
 +TtxW4fo0kI51Z48krvT+EXc27c3i5Mg+aGY66QeLFtH5MAus6qiiY61mrIlRA==
From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] rules.pl: Fix SNAT over VPN.
Date: Thu, 20 Feb 2020 17:24:23 +0100
Message-Id: <20200220162423.3571-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Authentication-Results: mail01.ipfire.org;
 auth=pass smtp.mailfrom=stefan.schantl@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

This commit adds flags which will are applied if SNAT should be used on
the red address or any configured alias.

They prevent doing the SNAT when tranismitting packet through a VPN over the red interface.

Fixes #12162.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/firewall/rules.pl | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 86db47367..6129af861 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -479,16 +479,31 @@ sub buildrules {
 
 						# Source NAT
 						} elsif ($NAT_MODE eq "SNAT") {
+							my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
 							my @nat_options = @options;
 
+							# Get addresses for the configured firewall interfaces.
+							my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+
+							# Check if the nat_address is one of the local addresses.
+							foreach my $local_address (@local_addresses) {
+								if ($nat_address eq $local_address) {
+									# Clear SNAT options.
+									@snat_options = ();
+
+									# Finish loop.
+									last;
+								}
+							}
+
 							push(@nat_options, @destination_intf_options);
 							push(@nat_options, @source_options);
 							push(@nat_options, @destination_options);
 
 							if ($LOG) {
-								run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
+								run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
 							}
-							run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
+							run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
 						}
 					}