There seems to be a problem with local connections that have
preselected an outgoing interface. The connection itself works, but
ultimately the packet is NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
fi
+ local alias
+ for alias in $(get_aliases); do
+ NO_MASQ_NETWORKS+=( "${alias}" )
+ done
+
local network
for network in ${NO_MASQ_NETWORKS[@]}; do
iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
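Review bot: The alias values appended in the new `for alias in $(get_aliases)` loop reach `iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN` without any validation, so the content of the aliases file alone decides which sources bypass MASQUERADE. A malformed or overly broad entry (a prefix or a name rather than a single address) would either make the iptables call fail or exempt more traffic than intended. I would filter before appending, for example `case "${alias}" in ""|*[!0-9.]*) continue ;; esac`, and add a comment such as `# Traffic sourced from an alias address must keep that address, so skip MASQUERADE`. The enclosing function starts and ends outside the hunk.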
printf -v "${array}[${key}]" "%s" "${val}"
done < "${file}"
}
+
+# Returns all enabled aliases
+get_aliases() {
+ local address
+ local enabled
+ local rest
+
+ local IFS=,
+
+ while read -r address enabled rest; do
+ if [ "${enabled}" = "on" ]; then
+ echo "${address}"
+ fi
+ done < /var/ipfire/ethernet/aliases
+}
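Review bot: `get_aliases` redirects from `/var/ipfire/ethernet/aliases` unconditionally, so on a system where that file does not exist the redirect fails, the shell prints an error and the function returns non-zero. A guard as the first statement, `[ -r /var/ipfire/ethernet/aliases ] || return 0`, keeps the no-aliases case silent. The loop also drops a final record that lacks a trailing newline; `while read -r address enabled rest || [ -n "${address}" ]; do` covers that. The header comment could state the format the code relies on, e.g. `# Prints the address (first comma-separated field) of every line whose second field is "on"`. The first three lines of this hunk belong to a function that starts outside it.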