[FS#248] Firewall configuration: multiple negative masq_dest options do not work
LEDE Bugs
lede-bugs at lists.infradead.org
Tue Oct 25 15:00:48 PDT 2016
A new Flyspray task has been opened. Details are below.
User who did this - Daniel Miranda (danielkza)
Attached to Project - LEDE Project
Summary - Firewall configuration: multiple negative masq_dest options do not work
Task Type - Feature Request
Category - Base system
Status - Unconfirmed
Assigned To -
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - LEDE r1783
Adding multiple exclusion masq_dest options in a firewall zone configuration does not work.
Multiple MASQUERADE rules - each one excluding only one of the destinations - are created, in effect excluding nothing at all, since any address ignored by one rule will not be ignored by the others.
Exclusion rules should be translated to early entries in the zone_*_postrouting chain with a RETURN action instead. For example, with the following configuration:
list masq_dest 172.31.0.0/16
list masq_dest 172.32.0.0/16
The chain currently is set up as:
Chain zone_wan_postrouting (1 references)
target prot opt source destination
postrouting_wan_rule all -- anywhere anywhere ID:66773300 /* user chain for postrouting */
MASQUERADE all -- anywhere !172.31.0.0/16 ID:66773300
MASQUERADE all -- anywhere !172.32.0.0/16 ID:66773300
When it should be set up as:
Chain zone_wan_postrouting (1 references)
target prot opt source destination
RETURN all -- anywhere 172.32.0.0/16
RETURN all -- anywhere 172.31.0.0/16
postrouting_wan_rule all -- anywhere anywhere ID:66773300 /* user chain for postrouting */
MASQUERADE all -- anywhere anywhere ID:66773300
More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=248
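The behaviour described in the report, as an added example that is not part of the original report or of fw3 itself: a small Python model of first-match iptables chain traversal that builds both chain layouts from the same masq_dest list and shows that the per-entry negated MASQUERADE rules exclude nothing while the RETURN-first layout excludes every listed destination. The chain names and the two networks are taken from the report; the traversal rules assumed are that MASQUERADE and RETURN terminate the walk through the chain, that the postrouting_wan_rule hook falls through when the user chain is empty, and that a rule which does not match is simply skipped. The iptables command strings are an assumption about how the proposed layout would be written by hand, not fw3 output.

```python
"""Model why several negated MASQUERADE rules exclude nothing, while RETURN
entries ahead of one unconditional MASQUERADE exclude every listed network.

Added example, not fw3/LEDE code. Assumes iptables user-chain semantics:
first matching terminating rule wins, non-matching rules are skipped, and a
jump to an empty user chain (postrouting_wan_rule) falls through.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed from the report's configuration (two masq_dest entries).
EXCLUSIONS = ["172.31.0.0/16", "172.32.0.0/16"]

# A rule is (target, destination network or None for "anywhere", negated?).
Rule = Tuple[str, Optional[ipaddress.IPv4Network], bool]


def rule_matches(rule: Rule, dst: ipaddress.IPv4Address) -> bool:
    """Destination match, honouring the '!' negation of the -d option."""
    _target, net, negated = rule
    if net is None:
        return True
    return (dst in net) != negated


def verdict(chain: List[Rule], dst_ip: str) -> str:
    """Walk the chain for a packet to dst_ip.

    Returns 'MASQUERADE' if the packet would be source-NATed and 'PASS' if
    traversal ends (RETURN or end of chain) without hitting MASQUERADE.
    """
    dst = ipaddress.ip_address(dst_ip)
    for rule in chain:
        if not rule_matches(rule, dst):
            continue
        target = rule[0]
        if target == "MASQUERADE":
            return "MASQUERADE"
        if target == "RETURN":
            return "PASS"  # back to the caller; no SNAT applied
        # postrouting_wan_rule hook: assumed empty here, so it falls through
    return "PASS"


def current_chain(exclusions: List[str]) -> List[Rule]:
    """Layout the report says fw3 generates: one negated MASQUERADE per entry.

    Each rule only excludes its own network, so any address outside at least
    one of the networks still matches some MASQUERADE rule.
    """
    chain: List[Rule] = [("postrouting_wan_rule", None, False)]
    for cidr in exclusions:
        chain.append(("MASQUERADE", ipaddress.ip_network(cidr), True))
    return chain


def proposed_chain(exclusions: List[str]) -> List[Rule]:
    """Layout the report proposes: RETURN per exclusion, then one MASQUERADE.

    The relative order of the RETURN rules does not matter; what matters is
    that all of them sit ahead of the single unconditional MASQUERADE.
    """
    chain: List[Rule] = [
        ("RETURN", ipaddress.ip_network(cidr), False) for cidr in exclusions
    ]
    chain.append(("postrouting_wan_rule", None, False))
    chain.append(("MASQUERADE", None, False))
    return chain


def iptables_commands(zone: str, exclusions: List[str]) -> List[str]:
    """Hand-written iptables commands for the proposed layout (assumption:
    this is how an admin would express it, not what fw3 emits)."""
    chain = f"zone_{zone}_postrouting"
    cmds = [f"iptables -t nat -A {chain} -d {cidr} -j RETURN" for cidr in exclusions]
    cmds.append(f"iptables -t nat -A {chain} -j postrouting_{zone}_rule")
    cmds.append(f"iptables -t nat -A {chain} -j MASQUERADE")
    return cmds


if __name__ == "__main__":
    for dst in ("172.31.5.5", "172.32.5.5", "8.8.8.8"):
        print(f"{dst:12} current={verdict(current_chain(EXCLUSIONS), dst):10} "
              f"proposed={verdict(proposed_chain(EXCLUSIONS), dst)}")
    print("\n".join(iptables_commands("wan", EXCLUSIONS)))
```

With a single masq_dest entry both layouts behave the same, which is why the defect only shows up once a second exclusion is added; the model reproduces that too.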