When creating SNAT rules, the outgoing interface is not set. As a side effect, traffic that should be sent un-NATed to a VPN tunnel can be NATed, which is a BUG. With this patch the SNAT rules get an outgoing interface according to the configuration. When selecting the RED target network, all SNAT rules will be configured with "-o red0". Otherwise, if "all" is selected, there is no interface in the rule, which matches all networks.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org
---
 config/firewall/rules.pl | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index daa9565..8b0c6dd 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -467,6 +467,10 @@ sub buildrules { } elsif ($NAT_MODE eq "SNAT") { my @nat_options = @options;
+ if ($destination_intf) { + push(@nat_options, ("-o", $destination_intf)); + } + push(@nat_options, @source_options); push(@nat_options, @destination_options);
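Review bot: `$destination_intf` is read but never assigned in this hunk, and the `if ($destination_intf)` guard means an empty or unset value silently falls back to the old interface-less SNAT rule, so the fix only holds if buildrules populates that variable for SNAT rules before this point and maps the RED target network to red0 as the commit message says; neither is visible here and should be confirmed in the surrounding code. The commit message also states that with "all" selected no `-o` is emitted, so that setting still NATs traffic leaving through a tunnel; that trade-off deserves a sentence in the user-facing documentation or the rule editor. Minor style: the inner parentheses in `push(@nat_options, ("-o", $destination_intf));` are redundant in Perl; `push(@nat_options, "-o", $destination_intf);` is equivalent and matches the two push calls that follow.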
Is there any evidence that this was tested by somebody else but you?
-Michael
On Mon, 2015-12-07 at 15:57 +0100, Alexander Marx wrote:
Hi Michael, I've tested it and it works as expected.
Regards Matthias
On 10.12.2015 at 17:37, Michael Tremer michael.tremer@ipfire.org wrote:
Matthias, the man who had the issue tested it and it solved his problems.
best,
Alex
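The commit message above describes SNAT rules that lack an outgoing-interface match and therefore also rewrite traffic headed into a VPN tunnel. The following shell snippet is an added example for auditing a generated ruleset for exactly that condition; it is not IPFire code and not part of the thread. It reads an iptables-save style dump of the nat table and lists POSTROUTING SNAT rules without an `-o` match. The dump in SAMPLE_RULES is constructed for illustration, and the interface name red0 and the addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not IPFire code: audit a nat table dump (iptables-save
# format) for SNAT rules that carry no "-o <interface>" match. Without the
# interface match a POSTROUTING SNAT rule also rewrites traffic leaving via
# a VPN tunnel, which is the behaviour the patch in this thread addresses.

# Constructed sample dump: the first SNAT rule has no outgoing interface,
# the second is scoped to red0, the MASQUERADE rule is not an SNAT rule.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -s 192.168.20.0/24 -o red0 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -s 192.168.30.0/24 -o red0 -j MASQUERADE
COMMIT'

# Read a dump on stdin and print the POSTROUTING SNAT rules that have no
# "-o <iface>" match, i.e. rules that apply to every outgoing interface.
snat_rules_without_oif() {
    grep -E '^-A POSTROUTING .* -j SNAT( |$)' | grep -v -E ' -o [^ ]+ '
}

# Count such rules in the dump passed as $1. "0" means every SNAT rule is
# scoped to an outgoing interface.
count_unscoped_snat() {
    printf '%s\n' "$1" | snat_rules_without_oif | wc -l | tr -d ' '
}

# On a live firewall the check would be run as:
#   iptables-save -t nat | snat_rules_without_oif
count_unscoped_snat "$SAMPLE_RULES"
```

A non-zero count after the patch is applied would indicate a rule generated with the "all" target network (no interface by design, per the commit message) or a code path where the interface variable was left empty.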