From: Michael Tremer
Date: Thu, 22 Jan 2015 15:06:25 +0000 (+0100)
Subject: firewall: Fix SNAT rules that use a default network as source
X-Git-Tag: v2.17-core87~40
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1b34f6cd64a7344220e69822175b26849caaa823;p=ipfire-2.x.git

firewall: Fix SNAT rules that use a default network as source

In the POSTROUTING chain using -i intf0 does not work at all. We now only use the -s parameter to figure out if the rule applied. The filter chain still uses -i and -o to match patches not only by the network address, but also by the incoming/outgoing interface.
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index a475e2d60e..97b8897af8 100755
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -368,20 +368,12 @@ sub buildrules {
 push(@source_options, ("-s", $source));
 }
 
-if ($source_intf) {
-push(@source_options, ("-i", $source_intf));
-}
-
 # Prepare destination options.
 my @destination_options = ();
 if ($destination) {
 push(@destination_options, ("-d", $destination));
 }
 
-if ($destination_intf) {
-push(@destination_options, ("-o", $destination_intf));
-}
-
 # Add time constraint options.
 push(@options, @time_options);
 
@@ -476,6 +468,17 @@ sub buildrules {
 }
 }
 
+# Add source and destination interface to the filter rules.
+# These are supposed to help filtering forged packets that originate
+# from BLUE with an IP address from GREEN for instance.
+if ($source_intf) {
+push(@source_options, ("-i", $source_intf));
+}
+
+if ($destination_intf) {
+push(@destination_options, ("-o", $destination_intf));
+}
+
 push(@options, @source_options);
 push(@options, @destination_options);
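Review bot: The correctness of the second hunk depends purely on position: appending `-i`/`-o` to @source_options/@destination_options here only keeps them out of the SNAT rules because the NAT rules are presumably emitted somewhere between the two hunks, and nothing in the code records that constraint, so a later reorder would silently reintroduce the iptables error the commit fixes. I would extend the new comment with `# Must stay below the NAT rules: iptables rejects -i in POSTROUTING and -o in PREROUTING, so only the filter rules built from here on may carry interface matches.` A second point worth recording in the same comment is that a SNAT rule whose source is a default network now matches that address arriving on any interface, so the anti-spoofing the comment describes relies entirely on the FORWARD rules dropping such packets before POSTROUTING is reached. buildrules starts before the first hunk and continues past the end of the second.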