From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] rules.pl: Fix SNAT over VPN.
Date: Sun, 23 Feb 2020 14:28:23 +0000
Message-ID: <4FDF00FD-A040-426E-959A-F501055346DF@ipfire.org>
In-Reply-To: <20200220162423.3571-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5305137476068364558=="
List-Id:
--===============5305137476068364558==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Hello,
I just tested this patch on our main firewall in Hanover and the problem is r= esolved. It is not the most beautiful piece of code, but it does the job.
-Michael
Tested-by: Michael Tremer
> On 20 Feb 2020, at 16:24, Stefan Schantl wrot= e:
>=20
> This commit adds flags which will are applied if SNAT should be used on
> the red address or any configured alias.
>=20
> They prevent doing the SNAT when tranismitting packet through a VPN over th= e red interface.
>=20
> Fixes #12162.
>=20
> Signed-off-by: Stefan Schantl
> ---
> config/firewall/rules.pl | 19 +++++++++++++++++--
> 1 file changed, 17 insertions(+), 2 deletions(-)
>=20
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 86db47367..6129af861 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -479,16 +479,31 @@ sub buildrules {
>=20
> # Source NAT
> } elsif ($NAT_MODE eq "SNAT") {
> + my @snat_options =3D ( "-m", "policy", "--dir", "out", "--pol", "no= ne" );
> my @nat_options =3D @options;
>=20
> + # Get addresses for the configured firewall interfaces.
> + my @local_addresses =3D &fwlib::get_internal_firewall_ip_addresses(= 1);
> +
> + # Check if the nat_address is one of the local addresses.
> + foreach my $local_address (@local_addresses) {
> + if ($nat_address eq $local_address) {
> + # Clear SNAT options.
> + @snat_options =3D ();
> +
> + # Finish loop.
> + last;
> + }
> + }
> +
> push(@nat_options, @destination_intf_options);
> push(@nat_options, @source_options);
> push(@nat_options, @destination_options);
>=20
> if ($LOG) {
> - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit= _options -j LOG --log-prefix 'SNAT '");
> + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_opti= ons @log_limit_options -j LOG --log-prefix 'SNAT '");
> }
> - run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --t= o-source $nat_address");
> + run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_optio= ns -j SNAT --to-source $nat_address");
> }
> }
>=20
> --=20
> 2.25.0
>=20
--===============5305137476068364558==--
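Review bot: The two added comments (`# Clear SNAT options.`, `# Finish loop.`) only restate the statements beneath them, while the reason the `-m policy --dir out --pol none` match exists at all lives only in the commit message; a why-comment above the `my @snat_options` line would make the rule readable on its own, e.g. `# Exclude packets that carry an outbound IPsec policy from SNAT to the red address or an alias, so traffic entering a VPN keeps its source address (#12162); a NAT address on an internal interface needs no such exclusion.` The name `@snat_options` next to `@nat_options` is also easy to misread, since it holds the policy-match arguments rather than SNAT arguments; `@policy_options` would say what it is. The address-membership loop can be a single `if (any { $nat_address eq $_ } @local_addresses)` with core `List::Util::any`, and since `&fwlib::get_internal_firewall_ip_addresses(1)` is now called for every SNAT rule, fetching the list once outside the per-rule branch may be worth it — `buildrules` starts before this hunk, so I cannot tell from here where that would go.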