From 1a8ccf99577c890a95e368ab8f6aa35af1b98210 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 31 Mar 2025 16:35:26 +0200
Subject: [PATCH] firewall: Explicitely don't NAT any aliases

It seems that there is a problem with local connections that have preselected an outgoing interface. That will work just fine, but ultimately the packet will be NATed back to the primary RED IP address. To prevent this, we are adding some extra rules that skip the MASQUERADE target.

Signed-off-by: Michael Tremer
---
 src/initscripts/system/firewall  |  5 +++++
 src/initscripts/system/functions | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6d9c00282..6befa9fc3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -495,6 +495,11 @@ iptables_red_up() {
 		NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
 	fi
 
+	local alias
+	for alias in $(get_aliases); do
+		NO_MASQ_NETWORKS+=( "${alias}" )
+	done
+
 	local network
 	for network in ${NO_MASQ_NETWORKS[@]}; do
 		iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions
index e486cc085..94c9236d3 100644
--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -935,3 +935,18 @@ readhash() {
 		printf -v "${array}[${key}]" "%s" "${val}"
 	done < "${file}"
 }
+
+# Returns all enabled aliases
+get_aliases() {
+	local address
+	local enabled
+	local rest
+
+	local IFS=,
+
+	while read -r address enabled rest; do
+		if [ "${enabled}" = "on" ]; then
+			echo "${address}"
+		fi
+	done < /var/ipfire/ethernet/aliases
+}
-- 
2.39.5
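Review bot: The new `for alias in $(get_aliases)` loop in iptables_red_up appends each alias to NO_MASQ_NETWORKS without saying why an address that is itself on RED needs a RETURN rule, so a later reader will see aliases treated like the internal networks above it. The reason is only in the commit message; suggest `# Connections already sourced from a RED alias must not be rewritten to the primary RED address` above `local alias`. Note that when get_aliases fails (e.g. its file is missing) the command substitution yields an empty list and no rule is added, which is probably the intended fallback but is worth a word in that comment. iptables_red_up starts and ends outside this hunk.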
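Review bot: `while read -r address enabled rest` in get_aliases silently drops a last line that has no trailing newline, and it passes the address field through unvalidated even when it is empty, which the firewall caller then hands to `iptables -s` and gets a failed rule rather than a skipped alias. Suggest `while read -r address enabled rest || [ -n "${address}" ]; do` and, inside the `on` branch, `[ -n "${address}" ] || continue` before the `echo`. The redirect from /var/ipfire/ethernet/aliases also prints a shell error and returns non-zero when the file is absent or unreadable; an explicit `[ -r /var/ipfire/ethernet/aliases ] || return 0` at the top makes "no aliases" a clean result instead of noise in the boot log. The function is added in full by this hunk, so no further rewrite is needed.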