firewall: Collect all networks that should not be NATed in an array

commit 8fa1831bff7e1d76eb83b145976211aa703062e1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 31 16:31:43 2025 +0200

    firewall: Collect all networks that should not be NATed in an array

    No functional changes.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Explicitely don't NAT any aliases

    It seems that there is a problem with local connections that have
    preselected an outgoing interface. That will work just fine, but
    ultimately the packet will be NATed back to the primary RED IP address.
    To prevent this, we are adding some extra rules that skip the MASQUERADE
    target.

    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
This commit is contained in:
Vincent Li
2025-06-25 09:50:58 -07:00
parent 799edff664
commit 79a6662ca7
2 changed files with 25 additions and 5 deletions


@@ -515,22 +515,27 @@ iptables_red_up() {
iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
fi
local NO_MASQ_NETWORKS
local NO_MASQ_NETWORKS=()
if [ "${MASQUERADE_GREEN}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
NO_MASQ_NETWORKS+=( "${GREEN_NETADDRESS}/${GREEN_NETMASK}" )
fi
if [ "${MASQUERADE_BLUE}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
NO_MASQ_NETWORKS+=( "${BLUE_NETADDRESS}/${BLUE_NETMASK}" )
fi
if [ "${MASQUERADE_ORANGE}" = "off" ]; then
NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
fi
local alias
for alias in $(get_aliases); do
NO_MASQ_NETWORKS+=( "${alias}" )
done
local network
for network in ${NO_MASQ_NETWORKS}; do
for network in ${NO_MASQ_NETWORKS[@]}; do
iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
done
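Review bot: The new loop `for network in ${NO_MASQ_NETWORKS[@]}; do` expands the array unquoted, so every element is word-split and glob-expanded again before it reaches `iptables -s`; `for network in "${NO_MASQ_NETWORKS[@]}"; do` keeps each element intact (ShellCheck SC2068) and is the whole point of switching from a space-joined string to an array. The alias loop `for alias in $(get_aliases); do` likewise relies on splitting command output at IFS, which is acceptable only as long as get_aliases prints exactly one address per line. Because each entry becomes a RETURN rule that exempts traffic from MASQUERADE, a silently mangled entry would change which networks are NATed without any error being raised. iptables_red_up() begins and ends outside this hunk.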


@@ -938,3 +938,18 @@ readhash() {
printf -v "${array}[${key}]" "%s" "${val}"
done < "${file}"
}
# Returns all enabled aliases
get_aliases() {
local address
local enabled
local rest
local IFS=,
while read -r address enabled rest; do
if [ "${enabled}" = "on" ]; then
echo "${address}"
fi
done < /var/ipfire/ethernet/aliases
}
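Review bot: `while read -r address enabled rest; do` drops a final line that has no trailing newline, so an alias stored as the last line of the file without a newline would never be printed and therefore never exempted from NAT; `while read -r address enabled rest || [ -n "${address}" ]; do` covers that case. The function also does not check that `/var/ipfire/ethernet/aliases` is readable: the redirection would emit a shell error on stderr while the caller's `$(get_aliases)` simply sees no output, so `[ -r /var/ipfire/ethernet/aliases ] || return 0` before the loop would make the empty result explicit. The header comment could state the contract instead of just the intent, e.g. `# Prints the address of every alias whose enabled flag is "on", one per line.` followed by `# Assumes comma-separated lines of the form address,enabled,... — confirm against the file writer.`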