From: Michael Tremer
Date: Mon, 31 Mar 2025 14:35:26 +0000 (+0200)
Subject: firewall: Explicitely don't NAT any aliases
X-Git-Tag: v2.29-core194~13^2~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c1ff05cdc37fe9ccabda9413c270935c3a45478;p=ipfire-2.x.git

firewall: Explicitely don't NAT any aliases

It seems that there is a problem with local connections that have preselected an outgoing interface. That will work just fine, but ultimately the packet will be NATed back to the primary RED IP address. To prevent this, we are adding some extra rules that skip the MASQUERADE target.

Signed-off-by: Michael Tremer
---
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6d9c00282..6befa9fc3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -495,6 +495,11 @@ iptables_red_up() {
 		NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
 	fi
 
+	local alias
+	for alias in $(get_aliases); do
+		NO_MASQ_NETWORKS+=( "${alias}" )
+	done
+
 	local network
 	for network in ${NO_MASQ_NETWORKS[@]}; do
 		iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions
index e486cc085..94c9236d3 100644
--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -935,3 +935,18 @@ readhash() {
 		printf -v "${array}[${key}]" "%s" "${val}"
 	done < "${file}"
 }
+
+# Returns all enabled aliases
+get_aliases() {
+	local address
+	local enabled
+	local rest
+
+	local IFS=,
+
+	while read -r address enabled rest; do
+		if [ "${enabled}" = "on" ]; then
+			echo "${address}"
+		fi
+	done < /var/ipfire/ethernet/aliases
+}
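Review bot: The new loop appends every alias to NO_MASQ_NETWORKS without saying why, and the reason lives only in the commit message; a short comment above `local alias` would help the next reader, e.g. `# Traffic already sourced from an alias must not be masqueraded, or locally-originated connections bound to an alias get rewritten to the primary RED address`. The RETURN rules only have the intended effect if the MASQUERADE rule is appended to REDNAT after them, which is outside this hunk. `$(get_aliases)` relies on word splitting of the function's output and on the functions file being sourced by this script, which I presume happens elsewhere in the file. iptables_red_up starts and ends outside the hunk.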
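Review bot: `read -r` returns non-zero on a final line that lacks a trailing newline, so an alias on that line is silently skipped, and an entry with an empty address field and `on` is echoed as an empty line; `while read -r address enabled rest || [ -n "${address}" ]; do` together with `if [ "${enabled}" = "on" ] && [ -n "${address}" ]; then` covers both. Because IFS is set to `,` only, surrounding whitespace in a field is not trimmed, so a value like `on ` would not match `on` if the file is ever hand-edited. The header comment could also state the layout the read assumes, e.g. `# Prints the address of every alias whose second field is "on", one per line (expects address,enabled,... per line)`, since the format is currently only implied by the field names.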