From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ZRFBC71J4z3369 for ; Mon, 31 Mar 2025 15:17:55 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ZRFB83M29z2xS5 for ; Mon, 31 Mar 2025 15:17:52 +0000 (UTC) Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "michael.haj.ipfire.org", Issuer "E5" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ZRFB76pXvzNV; Mon, 31 Mar 2025 15:17:51 +0000 (UTC) Received: by michael.haj.ipfire.org (Postfix, from userid 0) id 4ZRFB75Nt2zTgc4; Mon, 31 Mar 2025 15:17:51 +0000 (UTC) 
From: Michael Tremer To: development@lists.ipfire.org Cc: Michael Tremer Subject: [PATCH 2/3] firewall: Explicitely don't NAT any aliases Date: Mon, 31 Mar 2025 15:17:44 +0000 Message-Id: <20250331151745.3067362-2-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250331151745.3067362-1-michael.tremer@ipfire.org> References: <20250331151745.3067362-1-michael.tremer@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit It seems that there is a problem with local connections that have preselected an outgoing interface. That will work just fine, but ultimately the packet will be NATed back to the primary RED IP address. To prevent this, we are adding some extra rules that skip the MASQUERADE target. Signed-off-by: Michael Tremer --- src/initscripts/system/firewall | 5 +++++ src/initscripts/system/functions | 15 +++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 6d9c00282..6befa9fc3 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -495,6 +495,11 @@ iptables_red_up() { NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" ) fi + local alias + for alias in $(get_aliases); do + NO_MASQ_NETWORKS+=( "${alias}" ) + done + local network for network in ${NO_MASQ_NETWORKS[@]}; do iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions index e486cc085..94c9236d3 100644 --- a/src/initscripts/system/functions +++ b/src/initscripts/system/functions 
@@ -935,3 +935,18 @@ readhash() { printf -v "${array}[${key}]" "%s" "${val}" done < "${file}" } + +# Returns all enabled aliases +get_aliases() { + local address + local enabled + local rest + + local IFS=, + + while read -r address enabled rest; do + if [ "${enabled}" = "on" ]; then + echo "${address}" + fi + done < /var/ipfire/ethernet/aliases +} -- 2.39.5
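Review bot: in the firewall hunk, `for alias in $(get_aliases)` relies on unquoted command substitution and on `get_aliases` succeeding; that is fine for dotted-quad addresses, but if `get_aliases` fails (for instance when the aliases file cannot be opened) the error goes to stderr, the loop silently adds nothing to NO_MASQ_NETWORKS, and alias-sourced traffic is still masqueraded to the primary RED address with no indication in the script's exit status. Consider checking the return status here or having `get_aliases` guarantee a well-defined empty result. The entries are single addresses rather than networks, which the existing `iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN` loop handles correctly, but a short comment above the new loop (e.g. `# Do not masquerade traffic that is already sourced from an alias`) would document why aliases belong in NO_MASQ_NETWORKS next to the GREEN/ORANGE entries.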
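Review bot: the `while read` loop in `get_aliases` drops a final line that lacks a trailing newline, and the unconditional redirect from `/var/ipfire/ethernet/aliases` makes the function print an error and return non-zero when the file is absent. Suggest guarding the file and handling the last line, e.g. `[ -r "/var/ipfire/ethernet/aliases" ] || return 0` before the loop and `while read -r address enabled rest || [ -n "${address}" ]; do`. Note also that with `local IFS=,` surrounding whitespace is not trimmed from fields, so an entry written as `1.2.3.4, on` yields `" on"` and does not match `"on"`; if the file is always generated by the web interface that is acceptable, but the comment above the function should state the expected `address,enabled,...` line format so the parsing assumption is visible.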