Merge branch 'switch-to-libloc' into next-switch-to-libloc
index 57abbdf057d1645b522bc8af51b550326fcfdde3..40a2632005ceb09f238cd6b7e614463b2634ca74 100644 (file)
@@ -505,16 +505,31 @@ sub buildrules {
 
                                                # Source NAT
                                                } elsif ($NAT_MODE eq "SNAT") {
+                                                       my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
                                                        my @nat_options = @options;
 
+                                                       # Get addresses for the configured firewall interfaces.
+                                                       my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+
+                                                       # Check if the nat_address is one of the local addresses.
+                                                       foreach my $local_address (@local_addresses) {
+                                                               if ($nat_address eq $local_address) {
+                                                                       # Clear SNAT options.
+                                                                       @snat_options = ();
+
+                                                                       # Finish loop.
+                                                                       last;
+                                                               }
+                                                       }
+
                                                        push(@nat_options, @destination_intf_options);
                                                        push(@nat_options, @source_options);
                                                        push(@nat_options, @destination_options);
 
                                                        if ($LOG) {
-                                                               run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
+                                                               run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
                                                        }
-                                                       run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
+                                                       run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
                                                }
                                        }
 
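Review bot: The `@local_addresses` lookup at the top of the SNAT branch does not depend on the current rule, yet it runs `&fwlib::get_internal_firewall_ip_addresses(1)` again for every SNAT rule because this code sits inside buildrules' per-rule loop (the sub starts before this hunk); fetching the list once before the loop would avoid the repeated call. The foreach/last scan can be collapsed to a single statement with the same effect: `@snat_options = () if grep { $_ eq $nat_address } @local_addresses;`. The comments say what is cleared but not why the policy match is there; a comment such as `# Only SNAT packets that have no outgoing IPsec policy (-m policy --pol none), unless the rule maps to one of the firewall's own internal addresses.` would document the intent. The match is a plain string `eq`, so it presumably relies on both sides being in the same canonical dotted-quad form — worth confirming against what the fwlib helper returns.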
@@ -522,7 +537,7 @@ sub buildrules {
                                        push(@options, @destination_options);
 
                                        # Insert firewall rule.
-                                       if ($LOG && !$NAT) {
+                                       if ($LOG) {
                                                run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
                                        }
                                        run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target");
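Review bot: Dropping `!$NAT` from the condition means a logged NAT rule now also emits a filter-chain LOG entry, on top of the `SNAT ` LOG rule written in the nat table in the previous hunk (and presumably its DNAT counterpart), so each new connection through such a rule is logged twice. If that double entry is intended, it deserves a comment, e.g. `# NAT rules are logged here as well: the nat-table LOG only records the translation, this one records the verdict in $chain.` The same change is repeated in the two hunks below, so one shared comment near the log-prefix convention would cover all three. The enclosing buildrules sub starts and ends outside this hunk.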
@@ -533,7 +548,7 @@ sub buildrules {
                                                # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
                                                # for the firewall, too.
                                                if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
-                                                       if ($LOG && !$NAT) {
+                                                       if ($LOG) {
                                                                run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
                                                        }
                                                        run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
@@ -541,7 +556,7 @@ sub buildrules {
 
                                                # Likewise.
                                                if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
-                                                       if ($LOG && !$NAT) {
+                                                       if ($LOG) {
                                                                run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
                                                        }
                                                        run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");