From 0f4e6612dfd8e2ba674a16b79afbecfa5489cb6b Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Wed, 2 Jul 2025 21:29:21 +0000
Subject: [PATCH] firewall: Collect all networks that should not be NATed in an array
commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer
Date: Mon Mar 31 16:31:43 2025 +0200
firewall: Collect all networks that should not be NATed in an array
No functional changes.
Signed-off-by: Michael Tremer
firewall: Explicitely don't NAT any aliases
It seems that there is a problem with local connections that have preselected an outgoing interface. That will work just fine, but ultimately the packet will be NATed back to the primary RED IP address. To prevent this, we are adding some extra rules that skip the MASQUERADE target.
Signed-off-by: Michael Tremer
Signed-off-by: Vincent Li
---
src/initscripts/system/firewall | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ebcf3f227..8b1e1316f 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -484,22 +484,27 @@ iptables_red_up() {
 		iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
 	fi
 
-	local NO_MASQ_NETWORKS
+	local NO_MASQ_NETWORKS=()
 
 	if [ "${MASQUERADE_GREEN}" = "off" ]; then
-		NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
+		NO_MASQ_NETWORKS+=( "${GREEN_NETADDRESS}/${GREEN_NETMASK}" )
 	fi
 
 	if [ "${MASQUERADE_BLUE}" = "off" ]; then
-		NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
+		NO_MASQ_NETWORKS+=( "${BLUE_NETADDRESS}/${BLUE_NETMASK}" )
 	fi
 
 	if [ "${MASQUERADE_ORANGE}" = "off" ]; then
-		NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
+		NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
 	fi
 
+	local alias
+	for alias in $(get_aliases); do
+		NO_MASQ_NETWORKS+=( "${alias}" )
+	done
+
 	local network
-	for network in ${NO_MASQ_NETWORKS}; do
+	for network in ${NO_MASQ_NETWORKS[@]}; do
 		iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
 	done
 
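Review bot: The new loop header `for network in ${NO_MASQ_NETWORKS[@]}; do` leaves the array expansion unquoted, so every element is still word-split and glob-expanded exactly as the old string-based loop was, which gives up the main benefit of moving to an array (ShellCheck SC2068) and, on bash releases before 4.4, also trips `set -u` when the array is empty; it should read `for network in "${NO_MASQ_NETWORKS[@]}"; do`. The same applies to `for alias in $(get_aliases); do`, which depends on get_aliases emitting whitespace-separated tokens with no embedded blanks; that helper is not visible here, so if it prints one entry per line a `while IFS= read -r alias; do ...; done < <(get_aliases)` loop would be the safer form. The added RETURN rules exempt traffic sourced from each alias address from MASQUERADE as the description intends, but an alias entry that iptables rejects as a malformed address makes that one `iptables -t nat -A REDNAT -s "${network}" ...` call fail unchecked, leaving that alias silently NATed; a comment above the alias loop such as `# Skip MASQUERADE for traffic already sourced from an alias IP` would also help readers. iptables_red_up begins and ends outside this hunk.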