From 983d471f93f7e71be27d94a416112e18842678e0 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 6 Aug 2014 14:37:21 +0200 Subject: [PATCH] firewall-no-nat: Use network masks to identify the subnets. In the POSTROUTING chains of the NAT table, there is no more information about on which interface the packet has arrived (green0, etc.). --- src/initscripts/init.d/firewall | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index a49dcdee6d..e53c5b54ad 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -340,23 +340,23 @@ iptables_red() { MASQUERADE_GREEN="off" fi - local NO_MASQ_DEVICES + local NO_MASQ_NETWORKS if [ "${MASQUERADE_GREEN}" = "off" ]; then - NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${GREEN_DEV}" + NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}" fi if [ "${MASQUERADE_BLUE}" = "off" ]; then - NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${BLUE_DEV}" + NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}" fi if [ "${MASQUERADE_ORANGE}" = "off" ]; then - NO_MASQ_DEVICES="${NO_MASQ_DEVICES} ${ORANGE_DEV}" + NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" fi - local device - for device in ${NO_MASQ_DEVICES}; do - iptables -t nat -A REDNAT -i "${device}" -o "${IFACE}" -j RETURN + local network + for network in ${NO_MASQ_NETWORKS}; do + iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN done # Masquerade everything else -- 2.39.2
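Review bot: An unconfigured zone now produces a bogus rule where the old code produced none: if `BLUE_NETADDRESS` and `BLUE_NETMASK` are empty while `MASQUERADE_BLUE` is "off", the added line `NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"` contributes the token `/`, and the loop then runs `iptables -t nat -A REDNAT -s "/" -o "${IFACE}" -j RETURN`, which iptables rejects, whereas an empty `${BLUE_DEV}` simply vanished in the unquoted word split (same for GREEN and ORANGE). Whether those variables can be empty here depends on settings sourced outside the hunk, so this may only matter on systems without a blue or orange zone, but a guard is cheap: `if [ "${MASQUERADE_BLUE}" = "off" ] && [ -n "${BLUE_NETADDRESS}" ]; then`, mirrored for the other two branches. The loop also deserves a comment making the new matching semantics explicit, e.g. `# POSTROUTING has no ingress device (-i), so the no-masquerade exemption is keyed on the source network; any packet with a matching source address skips SNAT regardless of where it arrived, so this depends on ingress filtering done earlier in the filter table`. iptables_red() begins before this hunk and continues after it.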