git.ipfire.org Git - people/jschlag/ipfire-2.x.git/commitdiff
BUG10994: SNAT rules are missing the outgoing interface
author Alexander Marx <alexander.marx@ipfire.org>
Mon, 7 Dec 2015 14:57:32 +0000 (15:57 +0100)
committer Michael Tremer <michael.tremer@ipfire.org>
Tue, 15 Dec 2015 13:53:03 +0000 (13:53 +0000)
When creating SNAT rules, the outgoing interface is not set. As a side
effect, traffic that should be sent unnatted to a VPN tunnel can be
natted, which is a BUG.
With this patch the SNAT rules are getting an outgoing interface
according to the configuration. When selecting the RED target network,
all SNAT rules will be configured with "-o red0". Otherwise, if "all" is
selected, there is no interface in the rule, which matches all networks.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
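To find rules on a running firewall that show the symptom this commit fixes, here is an added example (not part of the commit or of IPFire's own code): it scans `iptables-save` style output for POSTROUTING SNAT/MASQUERADE rules that carry no `-o` interface match. The sample rules, addresses and interface names other than `red0` are constructed.

```python
# Constructed sample of `iptables-save -t nat` output (not taken from the page).
# Rule 1 is the buggy form: SNAT without an outgoing interface, so it also
# matches traffic that leaves through a VPN tunnel interface.
# Rule 2 is the form produced after the fix ("-o red0").
SAMPLE_RULES = """\
-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 198.51.100.7
-A POSTROUTING -s 192.168.1.0/24 -o red0 -j SNAT --to-source 198.51.100.7
-A POSTROUTING -s 10.0.0.0/8 -d 10.9.0.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.2.0/24 ! -o red0 -j MASQUERADE
-A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE
"""


def jump_target(tokens):
    """Return the -j target of an iptables-save rule, or None if absent."""
    try:
        return tokens[tokens.index("-j") + 1]
    except (ValueError, IndexError):
        return None


def snat_rules_without_oif(save_text):
    """Return POSTROUTING SNAT/MASQUERADE rules that lack any -o match.

    A rule with no outgoing interface applies to every egress path,
    including VPN tunnel interfaces, which is the side effect described
    in the commit message.
    """
    findings = []
    for line in save_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", "POSTROUTING"]:
            continue
        if jump_target(tokens) not in ("SNAT", "MASQUERADE"):
            continue
        # "! -o iface" still constrains egress, so it counts as having a match.
        if "-o" in tokens or "--out-interface" in tokens:
            continue
        findings.append(line)
    return findings


if __name__ == "__main__":
    for rule in snat_rules_without_oif(SAMPLE_RULES):
        print("no outgoing interface:", rule)
```

On a real system, feed it the output of `iptables-save -t nat` instead of the constructed sample.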
config/firewall/rules.pl

index daa95651bbecaf02d70bf143856dd6546f082c29..8b0c6ddc8e69ac06339c39e3a1aec11ca47f445f 100644 (file)
@@ -467,6 +467,10 @@ sub buildrules {
                                                } elsif ($NAT_MODE eq "SNAT") {
                                                        my @nat_options = @options;
 
+                                                       if ($destination_intf) {
+                                                               push(@nat_options, ("-o", $destination_intf));
+                                                       }
+
                                                        push(@nat_options, @source_options);
                                                        push(@nat_options, @destination_options);
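Review bot: the `if ($destination_intf)` guard means that a rule whose target network is "all" is still emitted without any `-o` match, so the side effect named in the commit message (traffic bound for a VPN tunnel being NATed) remains for those rules; add a short comment at the push saying that the interface is deliberately omitted in the "all" case, so the next reader does not take it for the same bug. Minor style point: the inner list parentheses are redundant in Perl, `push(@nat_options, "-o", $destination_intf);` is enough.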