Bug 11977

Summary: Deduplication of firewall rules when filtering is performed on hosts/networks known via green0
Product: IPFire
Reporter: julien <blais.julien.30>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: ASSIGNED ---
QA Contact:
Severity: Security
Priority: Will affect all users
CC: bbitsch, peter.mueller, stefan.schantl
Version: 2
Hardware: all
OS: Linux
Bug Depends on:
Bug Blocks: 12278

Description julien 2019-01-23 21:07:36 UTC
Hello,

In the case where static routes are known on the green0 side by IPFire and you want to filter on these networks, the firewall rules are duplicated in 3 specific cases.

1/
When a FORWARD rule has as its source a host or a network known via green0 and the red0 interface as its output, an unnecessary rule is added to INPUTFW.

2/
When a SNAT rule has as its source a host or network known via green0, with an IP redirection from green0, and as its output a host on the same network known via green0, an unnecessary rule is added to INPUTFW.

3/
When a DNAT rule has any network as its source and the firewall as its output, with the destination IP redirected to a host on the network known via green0, an unnecessary rule is added to OUTGOINGFW.

An email was sent to the IPFire development team detailing the 3 bugs. Below is a diagram to help understand the infrastructure.

The objective is that IPFire can filter/NAT on a network known via green0 without creating unwanted rules.


+-----------------------------+
| +----------+                |
| |          |                |
| |  SRV     | +--+           |
| |          |    |           |
| +----------+    |           |      192.168.X.0/24
|                 |           |      +----------->           +----------->
|  192.168.X.0/24 |           |          no NAT                   NAT
|                 |           |
|                 |           |
| +----------+    |      +---------+                 +---------+        +----------+
| |          |    |      |         | 192.168.y.252/30|         |        |          |
| |  PC      | +--+--+   |         | +-------------+ | Ipfire  | +----+ | INTERNET |
| |          |           |         |                 |         |        |          |
| +----------+           +---------+                 +---------+        +----------+
|                             |
+-----------------------------+

With kind regards
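One way to check a running box for the symptom described in this report is to look at the rules the generator actually installed. The following is an added example, not IPFire code and not from the reporter: a Python script that parses an `iptables-save` dump and reports (a) identical matches that recur in more than one of the firewall's own chains, and (b) INPUTFW rules whose explicit destination, or OUTGOINGFW rules whose explicit source, excludes every address the firewall owns and so can never match traffic terminating on or originating from the firewall. The sample dump, the firewall's own addresses, the network 192.168.10.0/24 routed behind green0 and the chain name FORWARDFW are assumptions constructed for the example; only INPUTFW and OUTGOINGFW are named in the report.

```python
"""Audit an iptables-save dump for rules duplicated across IPFire's custom
chains, or placed in an INPUT/OUTPUT-side chain although they can never
match traffic that terminates on the firewall.

Added example for bug 11977; not IPFire code.  FORWARDFW, the sample dump
and the address list below are assumptions made for the illustration.
"""
import shlex
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Custom chains the script inspects (FORWARDFW is assumed, not in the report).
FW_CHAINS = {"INPUTFW", "FORWARDFW", "OUTGOINGFW"}

# Options that do not describe the matched traffic and are ignored when
# comparing rules: target and interfaces (INPUT has no -o, OUTPUT no -i).
IGNORED_FLAGS = {"-j", "-g", "-i", "-o"}

# Constructed sample dump (not from a real box).  green0 is 192.168.20.0/24,
# the firewall owns 192.168.20.253, and 192.168.10.0/24 sits behind a router
# on green0.  Rule 2 repeats rule 1's match in INPUTFW; rule 4 is an
# OUTGOINGFW rule whose source cannot be the firewall itself.
SAMPLE_DUMP = """\
*filter
:INPUTFW - [0:0]
:FORWARDFW - [0:0]
:OUTGOINGFW - [0:0]
-A FORWARDFW -s 192.168.10.0/24 -o red0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUTFW -s 192.168.10.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUTFW -s 192.168.10.0/24 -d 192.168.20.253/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTGOINGFW -s 192.168.10.0/24 -d 192.168.20.20/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTGOINGFW -o red0 -p udp -m udp --dport 123 -j ACCEPT
COMMIT
"""

# Addresses the firewall itself owns (assumed for the example).
FIREWALL_ADDRS = [ip_address("192.168.20.253"), ip_address("203.0.113.5")]


def parse_rules(dump):
    """Return [(chain, [(flag, value), ...])] for every '-A' line in the dump.

    A flag followed by a token that does not start with '-' takes that
    token as its value; flags without an argument get value ''."""
    rules = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        chain, opts, i = tokens[1], [], 2
        while i < len(tokens):
            flag, value = tokens[i], ""
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value = tokens[i + 1]
                i += 1
            opts.append((flag, value))
            i += 1
        rules.append((chain, opts))
    return rules


def match_key(opts):
    """Canonical, order-independent description of what a rule matches."""
    return tuple(sorted((f, v) for f, v in opts if f not in IGNORED_FLAGS))


def duplicated_matches(dump):
    """Map each match present in more than one custom chain to those chains."""
    seen = defaultdict(set)
    for chain, opts in parse_rules(dump):
        if chain in FW_CHAINS:
            seen[match_key(opts)].add(chain)
    return {key: sorted(chains) for key, chains in seen.items() if len(chains) > 1}


def touches_firewall(cidr, fw_addrs):
    """True if any firewall-owned address lies inside the given prefix."""
    net = ip_network(cidr, strict=False)
    return any(addr in net for addr in fw_addrs)


def misplaced_rules(dump, fw_addrs=FIREWALL_ADDRS):
    """INPUTFW rules whose -d, and OUTGOINGFW rules whose -s, exclude every
    firewall address.  Rules lacking that option are not flagged, since they
    may still legitimately apply to the firewall itself."""
    flagged = []
    for chain, opts in parse_rules(dump):
        flag = {"INPUTFW": "-d", "OUTGOINGFW": "-s"}.get(chain)
        if flag is None:
            continue
        prefixes = [v for f, v in opts if f == flag]
        if prefixes and not any(touches_firewall(p, fw_addrs) for p in prefixes):
            flagged.append((chain, " ".join(f"{f} {v}".strip() for f, v in opts)))
    return flagged


if __name__ == "__main__":
    # Stand-alone use: replace SAMPLE_DUMP with open("/tmp/ipt.txt").read()
    # holding the output of `iptables-save` on the box under test.
    for key, chains in duplicated_matches(SAMPLE_DUMP).items():
        print("duplicated in", ", ".join(chains), ":", " ".join(f"{f} {v}" for f, v in key))
    for chain, rule in misplaced_rules(SAMPLE_DUMP):
        print("cannot match on the firewall in", chain, ":", rule)
```

The heuristics are deliberately conservative: interface options are dropped before comparing because an INPUT-side rule can never carry `-o`, and a rule without an explicit `-d` (INPUTFW) or `-s` (OUTGOINGFW) is left alone because it may still be meant for the firewall itself. Anything the script reports should be read alongside the rule in the web UI that generated it before concluding it is one of the unwanted rules described above.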
Comment 1 Michael Tremer 2019-01-28 11:46:45 UTC
https://lists.ipfire.org/pipermail/development/2019-January/005261.html

There are more details here...