From patchwork Mon Mar 31 15:17:44 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 8585
Return-Path: <development+bounces-182-patchwork=ipfire.org@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ZRFBF5G6sz3xGq
	for <patchwork@web04.haj.ipfire.org>; Mon, 31 Mar 2025 15:17:57 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "E5" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4ZRFBC3gmQz4mX
	for <patchwork@ipfire.org>; Mon, 31 Mar 2025 15:17:55 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZRFBC2xrvz336C
	for <patchwork@ipfire.org>; Mon, 31 Mar 2025 15:17:55 +0000 (UTC)
X-Original-To: development@lists.ipfire.org
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZRFB83M29z2xS5
	for <development@lists.ipfire.org>; Mon, 31 Mar 2025 15:17:52 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits)
	 client-signature ECDSA (secp384r1))
	(Client CN "michael.haj.ipfire.org", Issuer "E5" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4ZRFB76pXvzNV;
	Mon, 31 Mar 2025 15:17:51 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4ZRFB75Nt2zTgc4; Mon, 31 Mar 2025 15:17:51 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Cc: Michael Tremer <michael.tremer@ipfire.org>
Subject: [PATCH 2/3] firewall: Explicitely don't NAT any aliases
Date: Mon, 31 Mar 2025 15:17:44 +0000
Message-Id: <20250331151745.3067362-2-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20250331151745.3067362-1-michael.tremer@ipfire.org>
References: <20250331151745.3067362-1-michael.tremer@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0

It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/firewall  |  5 +++++
 src/initscripts/system/functions | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6d9c00282..6befa9fc3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -495,6 +495,11 @@ iptables_red_up() {
 			NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
 		fi
 
+		local alias
+		for alias in $(get_aliases); do
+			NO_MASQ_NETWORKS+=( "${alias}" )
+		done
+
 		local network
 		for network in ${NO_MASQ_NETWORKS[@]}; do
 			iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions
index e486cc085..94c9236d3 100644
--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -935,3 +935,18 @@ readhash() {
 		printf -v "${array}[${key}]" "%s" "${val}"
 	done < "${file}"
 }
+
+# Returns all enabled aliases
+get_aliases() {
+	local address
+	local enabled
+	local rest
+
+	local IFS=,
+
+	while read -r address enabled rest; do
+		if [ "${enabled}" = "on" ]; then
+			echo "${address}"
+		fi
+	done < /var/ipfire/ethernet/aliases
+}