Bug #3053
Port forward to orange network doesn't work
Status: | CLOSED | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 100% | |
Category: | nethserver-firewall-base | |||
Target version: | v6.6 | |||
Security class: | Resolution: | |||
Affected version: | v6.5 | NEEDINFO: | No |
Description
In a system with 3 interfaces (green + red + orange) it's not possible to create a port forward to an host inside the orange zone.
Steps to reproduce- Create a host object inside the orange network
- Create a port forward to the host
- The traffic is not correctly routed to the host since the generated rules assumes the host is in green zone
For example, given the host 1.2.3.4 in the orange zone and the port forward of port 80, generated rule is:
DNAT net loc:1.2.3.4:80 tcp 80
Expected behavior
Traffic should be routed to host and generated rule should be something like:
DNAT net orang:1.2.3.4:80 tcp 80
Associated revisions
Template: enable port forward to all zones. Refs #3035
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-firewall-base
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
- Affected version set to v6.5
Proposed (and tested) patch:
--- /etc/e-smith/templates/etc/shorewall/rules/50pf 2015-01-28 09:52:13.000000000 +0100 +++ /etc/e-smith/templates-custom/etc/shorewall/rules/50pf 2015-02-19 11:27:27.219335281 +0100 @@ -42,18 +42,19 @@ } else { $oriDst = "\t-"; } - if ($dst eq '') { - $dstHost = "$dstHost"; - } else { - $dstHost = "$dstHost:$dst"; + $target_port = ''; + if ($dst ne '') { + $target_port = ":$dst"; } - $OUT.="#\n# PF $oriDst:$src -> $dstHost $allow_cmt \n#\n"; + $target_host = $fw->getZone($dstHost); + $OUT.="#\n# PF $oriDst:$src -> $dstHost$target_port $allow_cmt \n#\n"; $OUT.="?COMMENT $description\n"; if ($nfqueue eq 'enabled') { - $OUT.="DNAT-\tnet$allow\t$dstHost\t$proto\t$src$srcHost$oriDst\n"; - $OUT.="NFQBY\tnet$allow\tloc\t$proto\t$dst$srcHost$oriDst\n"; + $OUT.="DNAT-\tnet$allow\t$dstHost$target_port\t$proto\t$src$srcHost$oriDst\n"; + @z = split(/:/,$target_host); + $OUT.="NFQBY\tnet$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n"; } else { - $OUT.="DNAT\tnet$allow\tloc:$dstHost\t$proto\t$src$srcHost$oriDst\n"; + $OUT.="DNAT\tnet$allow\t$target_host$target_port\t$proto\t$src$srcHost$oriDst\n"; } } }
#2 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 60 to 70
Package in nethserver-testing:
- nethserver-firewall-base-2.2.3-1.8.geda1ea6.ns6.noarch.rpm
- Check the bug is not reproducible
#5 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
See below. PF to orange now is correct:
[root@ns65 ~]# diff oldrules /etc/shorewall/rules < DNAT net:1.2.3.4 loc:172.16.1.2:4545 tcp 5454 - - --- > DNAT net:1.2.3.4 orang:172.16.1.2:4545 tcp 5454 - -
#6 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver-base:
- nethserver-firewall-base-2.3.0-1.ns6.noarch.rpm