Adding multiple exclusion masq_dest options in a firewall zone configuration does not work.
Multiple MASQUERADE rules - each one excluding only one of the destinations - are created, in effect excluding nothing at all, since any address ignored by one rule will not be ignored by the others.
Exclusion rules should be translated to early entries in the zone_*_postrouting chain with a RETURN action instead. For example, with the following configuration:
list masq_dest 172.31.0.0/16
list masq_dest 172.32.0.0/16
The chain currently is set up as:
Chain zone_wan_postrouting (1 references)
target prot opt source destination
postrouting_wan_rule all -- anywhere anywhere ID:66773300 /* user chain for postrouting */
MASQUERADE all -- anywhere !172.31.0.0/16 ID:66773300
MASQUERADE all -- anywhere !172.32.0.0/16 ID:66773300
When it should be set up as:
Chain zone_wan_postrouting (1 references)
target prot opt source destination
RETURN all -- anywhere 172.32.0.0/16
RETURN all -- anywhere 172.31.0.0/16
postrouting_wan_rule all -- anywhere anywhere ID:66773300 /* user chain for postrouting */
MASQUERADE all -- anywhere anywhere ID:66773300
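To make the difference between the two chain layouts concrete, the following is an added simulation, not fw3 code or anything from the issue: it models first-match evaluation of a nat chain on the destination address only (source, interface and the id match are ignored as an assumption), builds both layouts from the issue's two exclusions, and renders the equivalent iptables commands.

```python
import ipaddress

# Constructed from the issue: two masq_dest exclusions for zone "wan".
EXCLUDED_DESTS = ["172.31.0.0/16", "172.32.0.0/16"]

def buggy_chain(excluded):
    """Current layout: one MASQUERADE rule per exclusion, each one
    negating only its own subnet ("! -d net -j MASQUERADE")."""
    return [(net, True, "MASQUERADE") for net in excluded]

def fixed_chain(excluded):
    """Proposed layout: an early RETURN per excluded subnet, then a single
    catch-all MASQUERADE (net=None means no destination match at all)."""
    return [(net, False, "RETURN") for net in excluded] + [(None, False, "MASQUERADE")]

def rule_matches(net, negated, dst):
    if net is None:
        return True
    in_net = ipaddress.ip_address(dst) in ipaddress.ip_network(net)
    return in_net != negated  # "!" inverts the subnet test

def evaluate(chain, dst):
    """iptables semantics: the first rule whose match succeeds decides the
    target; with no match the nat table's ACCEPT policy applies (no NAT)."""
    for net, negated, target in chain:
        if rule_matches(net, negated, dst):
            return target
    return "ACCEPT"

def masqueraded(chain, dst):
    return evaluate(chain, dst) == "MASQUERADE"

def to_iptables(chain, zone):
    """Render a chain as 'iptables -t nat -A zone_<zone>_postrouting' commands."""
    cmds = []
    for net, negated, target in chain:
        match = "" if net is None else f" {'! ' if negated else ''}-d {net}"
        cmds.append(f"iptables -t nat -A zone_{zone}_postrouting{match} -j {target}")
    return cmds

if __name__ == "__main__":
    for name, chain in (("buggy", buggy_chain(EXCLUDED_DESTS)),
                        ("fixed", fixed_chain(EXCLUDED_DESTS))):
        print(name, *to_iptables(chain, "wan"), sep="\n  ")
        for dst in ("172.31.5.5", "172.32.9.9", "8.8.8.8"):
            # Under the buggy layout every destination is masqueraded, because
            # a packet to 172.31/16 still matches the "! -d 172.32.0.0/16" rule.
            print(f"  {dst}: masqueraded={masqueraded(chain, dst)}")
```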
config zone
option name test
option device foo0
option masq 1
list masq_src !1.1.1.1
list masq_src !1.1.2.2
list masq_src 1.1.3.3
list masq_src 1.1.4.4
list masq_dest !2.2.1.1
list masq_dest !2.2.2.2
list masq_dest 2.2.3.3
list masq_dest 2.2.4.4
... will yield the following rules now:
iptables -t nat -A zone_test_postrouting -s 1.1.1.1/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -s 1.1.2.2/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -d 2.2.1.1/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -d 2.2.2.2/255.255.255.255 -m id --id 0x66773300 -j RETURN
iptables -t nat -A zone_test_postrouting -s 1.1.3.3/255.255.255.255 -d 2.2.3.3/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
iptables -t nat -A zone_test_postrouting -s 1.1.3.3/255.255.255.255 -d 2.2.4.4/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
iptables -t nat -A zone_test_postrouting -s 1.1.4.4/255.255.255.255 -d 2.2.3.3/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
iptables -t nat -A zone_test_postrouting -s 1.1.4.4/255.255.255.255 -d 2.2.4.4/255.255.255.255 -m id --id 0x66773300 -j MASQUERADE
danielkza:
LEDE r1783