From 79a6662ca7b08add9b00ee70036ca8decf6ea68f Mon Sep 17 00:00:00 2001 From: Vincent Li Date: Wed, 25 Jun 2025 09:50:58 -0700 Subject: [PATCH] firewall: Collect all networks that should not be NATed in an array commit 8fa1831bff7e1d76eb83b145976211aa703062e1 Author: Michael Tremer Date: Mon Mar 31 16:31:43 2025 +0200 firewall: Collect all networks that should not be NATed in an array No functional changes. Signed-off-by: Michael Tremer firewall: Explicitely don't NAT any aliases It seems that there is a problem with local connections that have preselected an outgoing interface. That will work just fine, but ultimately the packet will be NATed back to the primary RED IP address. To prevent this, we are adding some extra rules that skip the MASQUERADE target. Signed-off-by: Michael Tremer Signed-off-by: Vincent Li
---
 src/initscripts/system/firewall | 15 ++++++++++----- src/initscripts/system/functions | 15 +++++++++++++++ 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 9422ecf57..db96d0ab2 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -515,22 +515,27 @@ iptables_red_up() {
  iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
  fi
 
- local NO_MASQ_NETWORKS
+ local NO_MASQ_NETWORKS=()
 
  if [ "${MASQUERADE_GREEN}" = "off" ]; then
- NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
+ NO_MASQ_NETWORKS+=( "${GREEN_NETADDRESS}/${GREEN_NETMASK}" )
  fi
 
  if [ "${MASQUERADE_BLUE}" = "off" ]; then
- NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
+ NO_MASQ_NETWORKS+=( "${BLUE_NETADDRESS}/${BLUE_NETMASK}" )
  fi
 
  if [ "${MASQUERADE_ORANGE}" = "off" ]; then
- NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
+ NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
  fi
 
+ local alias
+ for alias in $(get_aliases); do
+ NO_MASQ_NETWORKS+=( "${alias}" )
+ done
+
  local network
- for network in ${NO_MASQ_NETWORKS}; do
+ for network in ${NO_MASQ_NETWORKS[@]}; do
  iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
  done
 
diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions
index 125aa1dc6..8b0b07e29 100644
--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -938,3 +938,18 @@ readhash() {
  printf -v "${array}[${key}]" "%s" "${val}"
  done < "${file}"
  }
+
+# Returns all enabled aliases
+get_aliases() {
+ local address
+ local enabled
+ local rest
+
+ local IFS=,
+
+ while read -r address enabled rest; do
+ if [ "${enabled}" = "on" ]; then
+ echo "${address}"
+ fi
+ done < /var/ipfire/ethernet/aliases
+}
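Review bot: The new `for network in ${NO_MASQ_NETWORKS[@]}; do` leaves the array expansion unquoted, so every element still goes through word splitting and pathname expansion before it is handed to `iptables -s`, which defeats the point of switching from a space-separated string to an array; it should read `for network in "${NO_MASQ_NETWORKS[@]}"; do`. The `for alias in $(get_aliases)` loop relies on the same unquoted splitting of command output; it works because each alias is one address per line, but `while IFS= read -r alias; do ...; done < <(get_aliases)` would make that explicit. Note that the alias entries are appended without a prefix length, so iptables will match each one as a single host, which appears to be the intended behaviour and may deserve a one-line comment. iptables_red_up starts and ends outside the hunk.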
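Review bot: `while read -r address enabled rest; do` silently drops the last record if /var/ipfire/ethernet/aliases lacks a trailing newline, and when the file is missing or unreadable the redirection fails with a message on stderr while the caller in the firewall script proceeds with an empty list; consider `[ -r /var/ipfire/ethernet/aliases ] || return 0` before the loop and `while read -r address enabled rest || [ -n "${address}" ]; do`. The header comment `# Returns all enabled aliases` describes a return value, but the function prints addresses to stdout; `# Prints the address of every enabled alias, one per line` matches what the code does. `printf '%s\n' "${address}"` is the safer form for arbitrary field contents than `echo`. get_aliases lies entirely within the hunk.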