firewall: Collect all networks that should not be NATed in an array

commit 8fa1831bff7e1d76eb83b145976211aa703062e1 Author: Michael Tremer <michael.tremer@ipfire.org> Date: Mon Mar 31 16:31:43 2025 +0200 firewall: Collect all networks that should not be NATed in an array No functional changes. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> firewall: Explicitely don't NAT any aliases It seems that there is a problem with local connections that have preselected an outgoing interface. That will work just fine, but ultimately the packet will be NATed back to the primary RED IP address. To prevent this, we are adding some extra rules that skip the MASQUERADE target. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2026-04-09 10:35:53 +02:00 · 2025-06-25 09:50:58 -07:00
parent 799edff664
commit 79a6662ca7
2 changed files with 25 additions and 5 deletions
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -515,22 +515,27 @@ iptables_red_up() {
 			iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
 		fi

-		local NO_MASQ_NETWORKS
+		local NO_MASQ_NETWORKS=()

 		if [ "${MASQUERADE_GREEN}" = "off" ]; then
-			NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
+			NO_MASQ_NETWORKS+=( "${GREEN_NETADDRESS}/${GREEN_NETMASK}" )
 		fi

 		if [ "${MASQUERADE_BLUE}" = "off" ]; then
-			NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
+			NO_MASQ_NETWORKS+=( "${BLUE_NETADDRESS}/${BLUE_NETMASK}" )
 		fi

 		if [ "${MASQUERADE_ORANGE}" = "off" ]; then
-			NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
+			NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
 		fi

+		local alias
+		for alias in $(get_aliases); do
+			NO_MASQ_NETWORKS+=( "${alias}" )
+		done
+
 		local network
-		for network in ${NO_MASQ_NETWORKS}; do
+		for network in ${NO_MASQ_NETWORKS[@]}; do
 			iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
 		done

--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -938,3 +938,18 @@ readhash() {
 		printf -v "${array}[${key}]" "%s" "${val}"
 	done < "${file}"
 }
+
+# Returns all enabled aliases
+get_aliases() {
+	local address
+	local enabled
+	local rest
+
+	local IFS=,
+
+	while read -r address enabled rest; do
+		if [ "${enabled}" = "on" ]; then
+			echo "${address}"
+		fi
+	done < /var/ipfire/ethernet/aliases
+}