Hello,
I just tested this patch on our main firewall in Hanover and the problem is resolved.
It is not the most beautiful piece of code, but it does the job.
-Michael
Tested-by: Michael Tremer michael.tremer@ipfire.org
On 20 Feb 2020, at 16:24, Stefan Schantl stefan.schantl@ipfire.org wrote:
This commit adds flags which will are applied if SNAT should be used on the red address or any configured alias.
They prevent doing the SNAT when tranismitting packet through a VPN over the red interface.
Fixes #12162.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 86db47367..6129af861 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -479,16 +479,31 @@ sub buildrules {
# Source NAT } elsif ($NAT_MODE eq "SNAT") {
my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" ); my @nat_options = @options;
# Get addresses for the configured firewall interfaces.
my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
# Check if the nat_address is one of the local addresses.
foreach my $local_address (@local_addresses) {
if ($nat_address eq $local_address) {
# Clear SNAT options.
@snat_options = ();
# Finish loop.
last;
}
}
push(@nat_options, @destination_intf_options); push(@nat_options, @source_options); push(@nat_options, @destination_options); if ($LOG) {
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '"); }
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address"); } }
-- 2.25.0