Bug ID 1140566
Summary firewalld: rich masquerading rules don't work
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware All
OS openSUSE Factory
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter martin.wilck@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

I wanted to create a rich rule to enable masquerading only for packets with
a certain source address:

# firewall-cmd --zone nat --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="192.168.30.0/24" masquerade

This is what iptables-save shows:

-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow ! -o lo -j MASQUERADE

As you can see, the last rule does not filter by source address, which was the
whole purpose of the rich rule instead of "--add-masquerade".

This is fixed by upstream commit bd784bf "fw_zone: fix rich rule masquerading",
which is included in firewalld 0.6.4.

With that fix, the rule is correctly generated:

-A POST_work_allow -s 192.168.30.0/24 ! -o lo -j MASQUERADE

Please push that version (already in security:netfilter) to factory.
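Added example, not part of the bug report or of firewalld itself: a small POSIX shell check that reads iptables-save style output and lists every MASQUERADE rule that carries no "-s" source match, which is exactly the symptom described above. The two rule sets embedded below are constructed copies of the report's before/after iptables-save output; the "-s" test is an added heuristic (a rule restricted by some other match, such as an ipset, would not have "-s" and would still be reported).

```shell
#!/bin/sh
# Added example (not from the bug report): flag MASQUERADE rules that are not
# restricted by a source address, as produced by the unfixed firewalld.

# Constructed sample: the rule set the report shows before the fix.
BROKEN_RULES='-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow ! -o lo -j MASQUERADE'

# Constructed sample: the same rule set after upstream commit bd784bf.
FIXED_RULES='-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o tun0 -g POST_work
-A POST_work -j POST_work_allow
-A POST_work_allow -s 192.168.30.0/24 ! -o lo -j MASQUERADE'

# Read rules on stdin; print each MASQUERADE rule that has no "-s" field.
# Exit status: 0 if every MASQUERADE rule has a source match, 1 otherwise.
# A negated match ("! -s ...") still counts as a source restriction here.
find_unrestricted_masquerade() {
    awk '
        /-j MASQUERADE/ {
            has_src = 0
            for (i = 1; i <= NF; i++) if ($i == "-s") has_src = 1
            if (!has_src) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Convenience wrapper: number of unrestricted MASQUERADE rules in "$1".
count_unrestricted_masquerade() {
    printf '%s\n' "$1" | find_unrestricted_masquerade | wc -l | tr -d ' '
}

# Demonstration on the two constructed rule sets.
# On a live system you would feed it: iptables-save -t nat | find_unrestricted_masquerade
if printf '%s\n' "$BROKEN_RULES" | find_unrestricted_masquerade; then
    echo "before fix: all MASQUERADE rules carry a source match"
else
    echo "before fix: unrestricted MASQUERADE rule(s) listed above"
fi
if printf '%s\n' "$FIXED_RULES" | find_unrestricted_masquerade; then
    echo "after fix: all MASQUERADE rules carry a source match"
else
    echo "after fix: unrestricted MASQUERADE rule(s) listed above"
fi
```

On the first sample the check prints "-A POST_work_allow ! -o lo -j MASQUERADE" and returns 1; on the fixed sample it prints nothing and returns 0. Note that the zone's chain is only reached for packets leaving via tun0 (the "-o tun0 -g POST_work" dispatch), so the unrestricted rule masquerades every forwarded packet on that interface rather than every packet on the host.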
