It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.

Signed-off-by: Michael Tremer <[email protected]>
---
 src/initscripts/system/firewall  |  5 +++++
 src/initscripts/system/functions | 15 +++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6d9c00282..6befa9fc3 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -495,6 +495,11 @@ iptables_red_up() {
                        NO_MASQ_NETWORKS+=( 
"${ORANGE_NETADDRESS}/${ORANGE_NETMASK}" )
                fi
 
+               local alias
+               for alias in $(get_aliases); do
+                       NO_MASQ_NETWORKS+=( "${alias}" )
+               done
+
                local network
                for network in ${NO_MASQ_NETWORKS[@]}; do
                        iptables -t nat -A REDNAT -s "${network}" -o "${IFACE}" 
-j RETURN
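Review bot: The new loop appends each alias as a bare address with no prefix length, so the RETURN rule on the following lines matches only that single host (iptables treats a bare address as /32), unlike the network/netmask entries the array otherwise holds; a short comment such as `# Aliases are single host addresses (implicit /32)` above `local alias` would record that this is intended. Nothing checks that an entry from get_aliases is a well-formed address before it is passed to `iptables -s`, and the iptables status in the loop below is not checked, so a malformed entry in the aliases file would silently leave that host without its exemption; the file is local configuration, so this is a robustness point rather than an injection concern. Word-splitting of `$(get_aliases)` does drop blank entries, which covers the empty-address case. iptables_red_up starts outside the hunk.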
diff --git a/src/initscripts/system/functions b/src/initscripts/system/functions
index e486cc085..94c9236d3 100644
--- a/src/initscripts/system/functions
+++ b/src/initscripts/system/functions
@@ -935,3 +935,18 @@ readhash() {
                printf -v "${array}[${key}]" "%s" "${val}"
        done < "${file}"
 }
+
+# Returns all enabled aliases
+get_aliases() {
+       local address
+       local enabled
+       local rest
+
+       local IFS=,
+
+       while read -r address enabled rest; do
+               if [ "${enabled}" = "on" ]; then
+                       echo "${address}"
+               fi
+       done < /var/ipfire/ethernet/aliases
+}
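Review bot: `done < /var/ipfire/ethernet/aliases` prints an error to stderr and the function exits non-zero when the file is missing or unreadable, and the caller in the firewall script discards that status via `$(get_aliases)`; a guard at the top, `[ -r /var/ipfire/ethernet/aliases ] || return 0`, makes the no-aliases case explicit. The loop also drops a last line that lacks a trailing newline; `while read -r address enabled rest || [ -n "${address}" ]; do` keeps it. The header comment says "Returns", but the function prints to stdout; I would word it as a comment stating that it prints the address of every alias whose second field is `on`, one per line, and that the remaining fields are ignored.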
-- 
2.39.5

