firewall: Fix SNAT rules that use a default network as source

In the POSTROUTING chain using -i intf0 does not work at all.
We now only use the -s parameter to figure out if the rule applied.
The filter chain still uses -i and -o to match packets not only
by the network address, but also by the incoming/outgoing interface.
Michael Tremer
2015-01-22 16:06:25 +01:00
parent 325a846a10
commit 1b34f6cd64


@@ -368,20 +368,12 @@ sub buildrules {
push(@source_options, ("-s", $source));
}
if ($source_intf) {
push(@source_options, ("-i", $source_intf));
}
# Prepare destination options.
my @destination_options = ();
if ($destination) {
push(@destination_options, ("-d", $destination));
}
if ($destination_intf) {
push(@destination_options, ("-o", $destination_intf));
}
# Add time constraint options.
push(@options, @time_options);
@@ -476,6 +468,17 @@ sub buildrules {
}
}
# Add source and destination interface to the filter rules.
# These are supposed to help filtering forged packets that originate
# from BLUE with an IP address from GREEN for instance.
if ($source_intf) {
push(@source_options, ("-i", $source_intf));
}
if ($destination_intf) {
push(@destination_options, ("-o", $destination_intf));
}
push(@options, @source_options);
push(@options, @destination_options);
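Review bot: The correctness of the moved `-i`/`-o` pushes now depends entirely on statement order: @source_options and @destination_options must have already been consumed by the NAT (POSTROUTING) rule generation above this hunk, which is outside the visible lines, before the interface options are appended for the filter rules. Nothing in the code states that constraint, so a later refactor that reorders the NAT and filter sections, or reuses the two arrays for another nat rule after this point, would silently reintroduce the broken rules this commit fixes. I would extend the new comment block with `# NOTE: keep this after the NAT rule generation; -i/-o are not valid in the nat POSTROUTING chain, so only the filter rules may carry the interface match.` It may also be worth hedging that the anti-spoofing intent only holds when $source_intf is actually populated for the source object type in question, which cannot be confirmed from this hunk. sub buildrules starts and ends outside the hunk.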