Merge remote-tracking branch 'amarx/BUG10615' into next

[people/pmueller/ipfire-2.x.git] / config / firewall / rules.pl

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 30d3a3c3db4724bcdc2f74d3a49bee878d8e4d9d..eb75a242a85e68e95033f8c0c4ac24df6f82f5af 100755 (executable)
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -322,22 +322,26 @@ sub buildrules {
                                next unless ($src);
 
                                # Sanitize source.
-                               my $source = $src;
+                               my $source = @$src[0];
                                if ($source ~~ @ANY_ADDRESSES) {
                                        $source = "";
                                }
 
+                               my $source_intf = @$src[1];
+
                                foreach my $dst (@destinations) {
                                        # Skip invalid rules.
                                        next unless (defined $dst);
                                        next if (!$dst || ($dst eq "none"));
 
                                        # Sanitize destination.
-                                       my $destination = $dst;
+                                       my $destination = @$dst[0];
                                        if ($destination ~~ @ANY_ADDRESSES) {
                                                $destination = "";
                                        }
 
+                                       my $destination_intf = @$dst[1];
+
                                        # Array with iptables arguments.
                                        my @options = ();
 
@@ -354,12 +358,20 @@ sub buildrules {
                                                push(@source_options, ("-s", $source));
                                        }
 
+                                       if ($source_intf) {
+                                               push(@source_options, ("-i", $source_intf));
+                                       }
+
                                        # Prepare destination options.
                                        my @destination_options = ();
                                        if ($destination) {
                                                push(@destination_options, ("-d", $destination));
                                        }
 
+                                       if ($destination_intf) {
+                                               push(@destination_options, ("-o", $destination_intf));
+                                       }
+
                                        # Add time constraint options.
                                        push(@options, @time_options);
 
@@ -396,7 +408,7 @@ sub buildrules {
                                                        # Make port-forwardings useable from the internal networks.
                                                        my @internal_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
                                                        unless ($nat_address ~~ @internal_addresses) {
-                                                               &add_dnat_mangle_rules($nat_address, @nat_options);
+                                                               &add_dnat_mangle_rules($nat_address, $source_intf, @nat_options);
                                                        }
 
                                                        push(@nat_options, @source_options);
@@ -713,6 +725,7 @@ sub get_dnat_target_port {
 
 sub add_dnat_mangle_rules {
        my $nat_address = shift;
+       my $interface = shift;
        my @options = @_;
 
        my $mark = 0;
@@ -723,6 +736,8 @@ sub add_dnat_mangle_rules {
                next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
                next unless (exists $defaultNetworks{$zone . "_NETMASK"});
 
+               next if ($interface && $interface ne $defaultNetworks{$zone . "_DEV"});
+
                my @mangle_options = @options;
 
                my $netaddress = $defaultNetworks{$zone . "_NETADDRESS"};