From 02724e742755bbde859e9c5cd133940b2a547774 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Sat, 6 Jul 2024 23:27:54 +0000
Subject: [PATCH] LoxiLB: enable firewall SNAT for green network

when loxilb is enabled and started, enable the firewall SNAT for green network so green network could have initiate outgoing traffic like internet access. we can achieve this by restoring firewall SNAT setting from default /var/ipfire/loxilb/FWconfig.txt when loxilb start up with --config-path=/var/ipfire/loxilb thanks to the enhancement addressed in issue: https://github.com/loxilb-io/loxilb/issues/706
Signed-off-by: Vincent Li
---
 config/cfgroot/loxilb-FWconfig.txt | 1 +
 lfs/configroot | 1 +
 src/initscripts/system/loxilb | 8 +++++++-
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 config/cfgroot/loxilb-FWconfig.txt

diff --git a/config/cfgroot/loxilb-FWconfig.txt b/config/cfgroot/loxilb-FWconfig.txt
new file mode 100644
index 000000000..5aced859f
--- /dev/null
+++ b/config/cfgroot/loxilb-FWconfig.txt
@@ -0,0 +1 @@
+{"fwAttr":[{"opts":{"counter":"0:0","doSnat":true,"toIP":"REDIP"},"ruleArguments":{"destinationIP":"0.0.0.0/0","portName":"green0","sourceIP":"0.0.0.0/0"}}]}
diff --git a/lfs/configroot b/lfs/configroot
index b939c5df2..b52eee538 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -104,6 +104,7 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/cfgroot/udp_ports $(CONFIG_ROOT)/ddos/udp_ports
 	cp $(DIR_SRC)/config/cfgroot/dns-ddos-settings $(CONFIG_ROOT)/ddos/dns-ddos-settings
 	cp $(DIR_SRC)/config/cfgroot/loxilb-settings $(CONFIG_ROOT)/loxilb/settings
+	cp $(DIR_SRC)/config/cfgroot/loxilb-FWconfig.txt $(CONFIG_ROOT)/loxilb/FWconfig.txt
 	cp $(DIR_SRC)/config/cfgroot/time-settings $(CONFIG_ROOT)/time/settings
 	cp $(DIR_SRC)/config/cfgroot/logging-settings $(CONFIG_ROOT)/logging/settings
 	cp $(DIR_SRC)/config/cfgroot/ethernet-vlans $(CONFIG_ROOT)/ethernet/vlans
diff --git a/src/initscripts/system/loxilb b/src/initscripts/system/loxilb
index 0f49ac837..bae57d9ae 100755
--- a/src/initscripts/system/loxilb
+++ b/src/initscripts/system/loxilb
@@ -37,13 +37,19 @@ case "$1" in
 		mkdir -p /opt/loxilb/dp/
 		mount -t bpf bpf /opt/loxilb/dp/
-		loadproc -b loxilb --blacklist="eth[0-9]"
+		#enable egress firewall SNAT for green network
+		redip=$(< /var/ipfire/red/local-ipaddress)
+		sed -i "s/\"REDIP\"/\"$redip\"/" /var/ipfire/loxilb/FWconfig.txt
+
+		loadproc -b loxilb --config-path="/var/ipfire/loxilb/" --blacklist="eth[0-9]"
 	fi
 	;;
 stop)
 	boot_mesg "Stopping loxilb..."
 	if [ "$ENABLE_LOXILB" == "off" ]; then
+		#remove egress firewall SNAT for green network
+		loxicmd delete firewall --firewallRule="portName:green0"
 		killproc loxilb
 	fi
 	;;
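Review bot: The in-place `sed -i "s/\"REDIP\"/\"$redip\"/" /var/ipfire/loxilb/FWconfig.txt` consumes the `"REDIP"` placeholder on the first start, so on every later start the pattern no longer matches and `toIP` keeps whichever red address was current at first boot; should the red address change, the SNAT rule silently points at a stale IP until the file is reinstalled. Matching the current value instead keeps the substitution idempotent: `sed -i "s/\"toIP\":\"[^\"]*\"/\"toIP\":\"$redip\"/" /var/ipfire/loxilb/FWconfig.txt`. `redip` is also used unchecked — if /var/ipfire/red/local-ipaddress is absent or empty when the script runs, the rule is written with an empty `toIP`, so wrap the substitution in `if [ -n "$redip" ]; then … fi` (and report the skipped SNAT setup via boot_mesg). In the stop branch, `loxicmd delete firewall` is issued before `killproc` whether or not the daemon is up; presumably it just fails when loxilb is not running, but it is worth confirming it cannot stall the stop. The enclosing `case` and the start branch's `if` begin outside the hunk.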