From c4b7692ad942d883dbea8f078b2a5c0c1de125f2 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Thu, 20 Feb 2020 17:24:23 +0100 Subject: [PATCH] rules.pl: Fix SNAT over VPN. This commit adds flags which will are applied if SNAT should be used on the red address or any configured alias. They prevent doing the SNAT when tranismitting packet through a VPN over the red interface. Fixes #12162. Signed-off-by: Stefan Schantl Tested-by: Michael Tremer Signed-off-by: Arne Fitzenreiter --- config/firewall/rules.pl | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 86db47367a..6129af8610 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -479,16 +479,31 @@ sub buildrules { # Source NAT } elsif ($NAT_MODE eq "SNAT") { + my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" ); my @nat_options = @options; + # Get addresses for the configured firewall interfaces. + my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1); + + # Check if the nat_address is one of the local addresses. + foreach my $local_address (@local_addresses) { + if ($nat_address eq $local_address) { + # Clear SNAT options. + @snat_options = (); + + # Finish loop. + last; + } + } + push(@nat_options, @destination_intf_options); push(@nat_options, @source_options); push(@nat_options, @destination_options); if ($LOG) { - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '"); + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '"); } - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address"); + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address"); } } -- 2.39.5