This commit adds flags which are applied if SNAT should be used on the red address or any configured alias.
They prevent the SNAT from being applied when transmitting packets through a VPN over the red interface.
Fixes #12162.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/firewall/rules.pl | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 86db47367..6129af861 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -479,16 +479,31 @@ sub buildrules {
 # Source NAT
 } elsif ($NAT_MODE eq "SNAT") {
+ my @snat_options = ( "-m", "policy", "--dir", "out", "--pol", "none" );
 my @nat_options = @options;
+ # Get addresses for the configured firewall interfaces.
+ my @local_addresses = &fwlib::get_internal_firewall_ip_addresses(1);
+
+ # Check if the nat_address is one of the local addresses.
+ foreach my $local_address (@local_addresses) {
+ if ($nat_address eq $local_address) {
+ # Clear SNAT options.
+ @snat_options = ();
+
+ # Finish loop.
+ last;
+ }
+ }
+
 push(@nat_options, @destination_intf_options);
 push(@nat_options, @source_options);
 push(@nat_options, @destination_options);
 if ($LOG) {
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
 }
- run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options -j SNAT --to-source $nat_address");
+ run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options -j SNAT --to-source $nat_address");
 }
 }
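Review bot: The decision that switches the IPsec exemption off is a hand-rolled `foreach`/`last` loop around one `eq` comparison, and the new code never says what `-m policy --dir out --pol none` is for or why an internal NAT address must not get it; the loop would read better as `@snat_options = () if grep { $_ eq $nat_address } @local_addresses;` under a comment such as `# "--pol none" matches only packets that will not be IPsec-encapsulated, so VPN-bound traffic keeps its original source; SNAT to an internal firewall address must stay unconditional.` The whole exemption rests on `&fwlib::get_internal_firewall_ip_addresses(1)` returning the internal addresses but not the red address or its aliases, which is not visible in this hunk, so that assumption is worth confirming and recording in the same comment. The helper is also called once per SNAT rule inside the rule loop; if its result does not change during a run it could be fetched once before the loop. The leading-ampersand call style is legacy Perl; `fwlib::get_internal_firewall_ip_addresses(1)` is the modern form. The enclosing sub buildrules begins and ends outside the hunk.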