firewall: Collect all networks that should not be NATed in an array

commit 8fa1831bff7e1d76eb83b145976211aa703062e1
    Author: Michael Tremer <michael.tremer@ipfire.org>
    Date:   Mon Mar 31 16:31:43 2025 +0200

        firewall: Collect all networks that should not be NATed in an array

        No functional changes.

        Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

    firewall: Explicitly don't NAT any aliases

        It seems that there is a problem with local connections that have
        preselected an outgoing interface. That will work just fine, but
        ultimately the packet will be NATed back to the primary RED IP address.
        To prevent this, we are adding some extra rules that skip the MASQUERADE
        target.

        Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This commit is contained in:
Vincent Li
2025-07-02 21:29:21 +00:00
parent 90a4a51a0e
commit 0f4e6612df


@@ -484,22 +484,27 @@ iptables_red_up() {
iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
fi
local NO_MASQ_NETWORKS
local NO_MASQ_NETWORKS=()
if [ "${MASQUERADE_GREEN}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
NO_MASQ_NETWORKS+=( "${GREEN_NETADDRESS}/${GREEN_NETMASK}" )
fi
if [ "${MASQUERADE_BLUE}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
NO_MASQ_NETWORKS+=( "${BLUE_NETADDRESS}/${BLUE_NETMASK}" )
fi
if [ "${MASQUERADE_ORANGE}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
fi
local alias
for alias in $(get_aliases); do
NO_MASQ_NETWORKS+=( "${alias}" )
done
local network
for network in ${NO_MASQ_NETWORKS}; do
for network in ${NO_MASQ_NETWORKS[@]}; do
iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
done