[2/3] firewall: Explicitely don't NAT any aliases

Message ID 20250331151745.3067362-2-michael.tremer@ipfire.org
State Staged
Commit 1c1ff05cdc37fe9ccabda9413c270935c3a45478
Series [1/3] firewall: Collect all networks that should not be NATed in an array |

Commit Message

Michael Tremer March 31, 2025, 3:17 p.m. UTC
  It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/firewall  |  5 +++++
 src/initscripts/system/functions | 15 +++++++++++++++
 2 files changed, 20 insertions(+)
  

Patch

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6d9c00282..6befa9fc3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -495,6 +495,11 @@  iptables_red_up() {
 			NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
 		fi
 
+		local alias
+		for alias in $(get_aliases); do
+			NO_MASQ_NETWORKS+=( "${alias}" )
+		done
+
 		local network
 		for network in ${NO_MASQ_NETWORKS[@]}; do
 			iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
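Review bot: The new loop `for alias in $(get_aliases)` leaves the command substitution unquoted, so every line get_aliases prints is word-split and pathname-expanded before it reaches `iptables -s`; a stray blank-separated or glob-like field in the aliases file would become several (or unrelated) entries in NO_MASQ_NETWORKS instead of being rejected as one bad address. Reading the output line by line avoids both expansions: `while IFS= read -r alias; do NO_MASQ_NETWORKS+=( "${alias}" ); done < <(get_aliases)`. The same unquoted-expansion pattern already exists on the following context line (`for network in ${NO_MASQ_NETWORKS[@]}`); it is not part of this change, but switching it to `"${NO_MASQ_NETWORKS[@]}"` would keep the array's entries intact for the same reason. iptables_red_up begins before this hunk, so it is unclear from here whether a failing `iptables` call aborts the function or is silently skipped.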
diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions
index e486cc085..94c9236d3 100644
--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -935,3 +935,18 @@  readhash() {
 		printf -v "${array}[${key}]" "%s" "${val}"
 	done < "${file}"
 }
+
+# Returns all enabled aliases
+get_aliases() {
+	local address
+	local enabled
+	local rest
+
+	local IFS=,
+
+	while read -r address enabled rest; do
+		if [ "${enabled}" = "on" ]; then
+			echo "${address}"
+		fi
+	done < /var/ipfire/ethernet/aliases
+}
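Review bot: get_aliases opens `/var/ipfire/ethernet/aliases` with an unconditional redirection, so a missing or unreadable file prints a shell error and returns non-zero, which the caller's `$(get_aliases)` ignores; a guard such as `[ -r /var/ipfire/ethernet/aliases ] || return 0` makes the empty result explicit. A last line without a trailing newline is also dropped, because `read` returns non-zero for it; `while read -r address enabled rest || [ -n "${address}" ]; do` processes it as well. Since IFS is set to `,` for the whole function, surrounding whitespace is no longer stripped from the fields, so an entry written as `addr, on` would fail the `= "on"` test — presumably the file is written without spaces, but that is worth confirming against the writer. The header comment could state the contract precisely: `# Prints the address of every alias flagged "on" in /var/ipfire/ethernet/aliases (one per line, first comma-separated field)`.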