Bug ID | 1140566 |
---|---|
Summary | firewalld: rich masquerading rules don't work |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | All |
OS | openSUSE Factory |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | martin.wilck@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
I wanted to create a rich rule to enable masquerading only for packets with a certain source address:

```
# firewall-cmd --zone nat --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.30.0/24" masquerade
```

This is what iptables-save shows:

```
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow ! -o lo -j MASQUERADE
```

As you can see, the last rule does not filter by source address, which was the whole purpose of the rich rule instead of "--add-masquerade".

This is fixed by upstream commit bd784bf "fw_zone: fix rich rule masquerading", which is included in firewalld 0.6.4. With that fix, the rule is correctly generated:

```
-A POST_work_allow -s 192.168.30.0/24 ! -o lo -j MASQUERADE
```

Please push that version (already in security:netfilter) to factory.
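The following is an added check, not part of the bug report or of firewalld, that an administrator can run over an `iptables-save` dump to confirm whether a rich masquerade rule actually carries its source restriction. It parses the `-A` lines of the nat table, finds the `MASQUERADE` rules in the zone's `POST_<zone>_allow` chain, and flags any that have no `-s` match. The two embedded dumps are constructed from the lines quoted above (the affected output and the output after the fix); the zone name `work` and the prefix `192.168.30.0/24` are taken from the report.

```python
from typing import Dict, List, Optional

# Constructed sample: nat-table lines as quoted in the bug report for the
# affected firewalld (rich masquerade rule rendered without a source match).
BUGGY_NAT_RULES = """\
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow ! -o lo -j MASQUERADE
"""

# Constructed sample: the same chain as generated after upstream commit bd784bf.
FIXED_NAT_RULES = """\
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow -s 192.168.30.0/24 ! -o lo -j MASQUERADE
"""


def parse_append_rules(dump: str) -> List[Dict[str, Optional[str]]]:
    """Parse every '-A CHAIN ...' line of an iptables-save dump.

    Returns one dict per rule with the chain name, the positive '-s' source
    (None when absent or negated with '!') and the '-j'/'-g' target.
    """
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        chain = tokens[1]
        source: Optional[str] = None
        target: Optional[str] = None
        negate = False
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                # '!' negates the following match, e.g. '! -o lo' or '! -s X'
                negate = True
                i += 1
                continue
            if tok in ("-s", "--source") and i + 1 < len(tokens):
                # A negated source ('! -s X') does not restrict to X, so ignore it.
                if not negate:
                    source = tokens[i + 1]
                i += 2
            elif tok in ("-j", "-g") and i + 1 < len(tokens):
                target = tokens[i + 1]
                i += 2
            else:
                i += 1
            negate = False
        rules.append({"chain": chain, "source": source, "target": target, "raw": line})
    return rules


def unrestricted_masquerade_rules(dump: str, zone: str) -> List[str]:
    """Return MASQUERADE rules in POST_<zone>_allow that carry no positive '-s' match.

    A rich rule of the form 'source address=X masquerade' should always render
    with '-s X'; anything returned here masquerades every source in the zone.
    """
    chain = f"POST_{zone}_allow"
    return [
        str(r["raw"])
        for r in parse_append_rules(dump)
        if r["chain"] == chain and r["target"] == "MASQUERADE" and r["source"] is None
    ]


def masquerade_restricted_to(dump: str, zone: str, expected_source: str) -> bool:
    """True iff every MASQUERADE rule in POST_<zone>_allow is limited to expected_source."""
    chain = f"POST_{zone}_allow"
    masq = [
        r for r in parse_append_rules(dump)
        if r["chain"] == chain and r["target"] == "MASQUERADE"
    ]
    return bool(masq) and all(r["source"] == expected_source for r in masq)


if __name__ == "__main__":
    # On a live system replace the constructed dumps with: iptables-save -t nat
    for label, dump in (("affected", BUGGY_NAT_RULES), ("fixed", FIXED_NAT_RULES)):
        bad = unrestricted_masquerade_rules(dump, "work")
        ok = masquerade_restricted_to(dump, "work", "192.168.30.0/24")
        print(f"{label}: restricted={ok}, unrestricted rules={bad}")
```

Feed the output of `iptables-save -t nat` to `unrestricted_masquerade_rules()` for each zone that has a rich masquerade rule; a non-empty result means the zone masquerades all traffic leaving it, which is exactly the behaviour the report describes.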