* [PATCH 1/3] firewall: Collect all networks that should not be NATed in an array
From: Michael Tremer @ 2025-03-31 15:17 UTC (permalink / raw)
To: development; +Cc: Michael Tremer
No functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/initscripts/system/firewall | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 139d94aa0..6d9c00282 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -481,22 +481,22 @@ iptables_red_up() {
iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN
fi
- local NO_MASQ_NETWORKS
+ local NO_MASQ_NETWORKS=()
if [ "${MASQUERADE_GREEN}" = "off" ]; then
- NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${GREEN_NETADDRESS}/${GREEN_NETMASK}"
+ NO_MASQ_NETWORKS+=( "${GREEN_NETADDRESS}/${GREEN_NETMASK}" )
fi
if [ "${MASQUERADE_BLUE}" = "off" ]; then
- NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${BLUE_NETADDRESS}/${BLUE_NETMASK}"
+ NO_MASQ_NETWORKS+=( "${BLUE_NETADDRESS}/${BLUE_NETMASK}" )
fi
if [ "${MASQUERADE_ORANGE}" = "off" ]; then
- NO_MASQ_NETWORKS="${NO_MASQ_NETWORKS} ${ORANGE_NETADDRESS}/${ORANGE_NETMASK}"
+ NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
fi
local network
- for network in ${NO_MASQ_NETWORKS}; do
+ for network in ${NO_MASQ_NETWORKS[@]}; do
iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
done
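Review bot: the array expansion on the `for network in ${NO_MASQ_NETWORKS[@]}; do` line is unquoted, so after the array is expanded each element is still subject to word splitting and pathname expansion; since the point of this patch is to move from a whitespace-joined string to a proper array, `for network in "${NO_MASQ_NETWORKS[@]}"; do` keeps every entry as exactly one word even if a value ever contains IFS or glob characters. The `local NO_MASQ_NETWORKS=()` initialisation and the `+=( ... )` appends are otherwise a correct mechanical conversion.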
--
2.39.5
* [PATCH 2/3] firewall: Explicitly don't NAT any aliases
From: Michael Tremer @ 2025-03-31 15:17 UTC (permalink / raw)
To: development; +Cc: Michael Tremer
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/initscripts/system/firewall | 5 +++++
src/initscripts/system/functions | 15 +++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6d9c00282..6befa9fc3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -495,6 +495,11 @@ iptables_red_up() {
NO_MASQ_NETWORKS+=( "${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
fi
+ local alias
+ for alias in $(get_aliases); do
+ NO_MASQ_NETWORKS+=( "${alias}" )
+ done
+
local network
for network in ${NO_MASQ_NETWORKS[@]}; do
iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN
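Review bot: `for alias in $(get_aliases); do` relies on word splitting of the command output, and nothing checks that the value is an address before it is appended to NO_MASQ_NETWORKS and reaches `iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" -j RETURN`; a blank or malformed entry in the aliases file becomes a failing iptables call for that entry while the remaining rules are still added. Skipping empty values (or validating the address) before the append, and quoting the array expansion in the loop below as `"${NO_MASQ_NETWORKS[@]}"`, would make this robust against a hand-edited aliases file.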
diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions
index e486cc085..94c9236d3 100644
--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -935,3 +935,18 @@ readhash() {
printf -v "${array}[${key}]" "%s" "${val}"
done < "${file}"
}
+
+# Returns all enabled aliases
+get_aliases() {
+ local address
+ local enabled
+ local rest
+
+ local IFS=,
+
+ while read -r address enabled rest; do
+ if [ "${enabled}" = "on" ]; then
+ echo "${address}"
+ fi
+ done < /var/ipfire/ethernet/aliases
+}
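Review bot: get_aliases reads /var/ipfire/ethernet/aliases without checking that the file exists, so when it is absent the redirect prints a shell error and the function returns non-zero; a `[ -r /var/ipfire/ethernet/aliases ] || return 0` guard at the top avoids that. Two further points on the read loop: `while read -r address enabled rest; do ... done < file` silently drops a final line that lacks a trailing newline, because read returns non-zero for it, and `while read -r address enabled rest || [ -n "${address}" ]; do` handles that case; and with `local IFS=,` whitespace is no longer trimmed from fields, so a line such as ` 1.2.3.4,on` would yield an address with a leading space. A short comment documenting the expected `address,enabled,comment` layout of the file would make the `rest` field and the `IFS=,` choice self-explanatory.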
--
2.39.5
* [PATCH 3/3] aliases.cgi: Reload firewall after updating aliases
From: Michael Tremer @ 2025-03-31 15:17 UTC (permalink / raw)
To: development; +Cc: Michael Tremer
This is required to update any REDNAT rules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
html/cgi-bin/aliases.cgi | 3 +++
1 file changed, 3 insertions(+)
diff --git a/html/cgi-bin/aliases.cgi b/html/cgi-bin/aliases.cgi
index def03ff9b..aa1ea4cb6 100644
--- a/html/cgi-bin/aliases.cgi
+++ b/html/cgi-bin/aliases.cgi
@@ -615,6 +615,9 @@ sub SortDataFile
sub BuildConfiguration {
# Restart service associated with this
&General::system('/usr/local/bin/setaliases');
+
+ # Reload the firewall for REDNAT rules
+ &General::firewall_reload();
}
#
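Review bot: `&General::firewall_reload();` runs unconditionally after `&General::system('/usr/local/bin/setaliases');`, so the firewall is reloaded even when setaliases fails and the addresses were not applied to the interface; checking the return value of the first call and reloading only on success would keep the REDNAT exclusions in step with what is actually configured. The comment could also state that the reload is what causes iptables_red_up to re-run get_aliases, which is the reason the reload is needed here.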
--
2.39.5