rich masquerading: it works

[kiorky]

Just if i forget to catch you, @t-woerner

Using

firewall-cmd --add-rich-rule='rule family="ipv4" masquerade source address="10.5.0.0/16" destination not address="10.5.0.0/16"'

Will ensure following changes in the tables

NAT:
+-A POST_public_allow -s 10.5.0.0/16 ! -d 10.5.0.0/16 -j MASQUERADE
FILTER:
+-A FWDO_public_allow ! -s 10.5.0.0/16 -d 10.5.0.0/16 -j ACCEPT

Im inspecting what the second rule grants really, but it seems fine.

[kiorky]

Im wondering if the second rules is not mising --state RELATED,ESTABLISHED

[t-woerner]

The conntrack match for established and related is there already in the FORWARD chain and therefore not needed here. But it is lacking an additional "-m conntrack --ctstate NEW".

I will push a new patch for verification.

[t-woerner]

But on the other hand INVALID is also dropped early in the FORWARD chain (since 354dcab again), therefore the rule can only be hit by connections that are in NEW state.

[t-woerner]

Fixed in 36ccd63

[kiorky]

can we grab rich-masquerading-destination back to master ?

[kiorky]

thx ! merged, closing