Not masquerading loopback is broken #61

Closed
georgmu opened this issue Dec 7, 2015 · 3 comments

Comments

georgmu commented Dec 7, 2015

When masquerading is enabled, firewalld creates the following entry to not masquerade loopback traffic:

-A POST_public_allow ! -i lo -j MASQUERADE

The problem is that this rule does not work (at least for me, Fedora 23, linux 4.2.6).

Simple setup to reproduce:
shell 1: nc -v -l 5000
shell 2: nc 127.0.0.1 5000 <<< "foobar"

Output shell 1:

Ncat: Listening on :::5000
Ncat: Listening on 0.0.0.0:5000
Ncat: Connection from 10.0.0.55.
Ncat: Connection from 10.0.0.55:48680.
foobar

To further investigate the issue, I added a LOG target entry and here it is:

IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22617 DF PROTO=TCP SPT=48680 DPT=5000 WINDOW=43690 RES=0x00 SYN URGP=0

So, the IN property is not set (explanation could be that the packet is created on the host, so it was not received by any interface).

I think the best solution would be to change this to "-A POST_public_allow ! -o lo -j MASQUERADE" (checking destination != lo instead of source != lo).

georgmu commented Dec 7, 2015

After changing the setting in fw_zone.py, the output is as expected:

Ncat: Listening on :::5000
Ncat: Listening on 0.0.0.0:5000
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:54530.
foobar

Should I write a pull request for that?

georgmu commented Dec 7, 2015

http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-5.html#ss5.1 contains an explanation:

You can specify the incoming (`-i` or `--in-interface`) or outgoing (`-o` or `--out-interface`) interface to match, but which you can specify depends on which chain you are putting the rule into: at PREROUTING you can only select incoming interface, and at POSTROUTING you can only select outgoing interface. If you use the wrong one, iptables will give an error.
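An added example, not code from the issue or from the firewalld project: a small Python model of how an iptables interface match evaluates against a netfilter LOG line, built on the LOG line quoted above. It parses the LOG fields, evaluates `! -i lo` and `! -o lo` against the loopback packet and against a constructed eth0 packet, and flags which interface option is applicable at the POSTROUTING hook as the netfilter HOWTO describes. The hook-to-option table, the rule parser and the `OUTBOUND_LOG` sample are simplifications written for this illustration and are assumptions, not iptables behaviour in full.

```python
# Added illustration (not firewalld or iptables code): model how an iptables
# interface match evaluates against a netfilter LOG line, to show why
# "! -i lo" does not exempt locally generated loopback traffic at POSTROUTING
# while "! -o lo" does.

# The LOG line quoted in the issue (locally generated packet, IN is empty).
LOOPBACK_LOG = (
    "IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=22617 DF PROTO=TCP SPT=48680 DPT=5000 WINDOW=43690 RES=0x00 SYN URGP=0"
)

# Constructed sample (not from the issue): a locally generated packet leaving
# through eth0, which the masquerade rule should still match after the fix.
OUTBOUND_LOG = (
    "IN= OUT=eth0 SRC=10.0.0.55 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=43690 RES=0x00 SYN URGP=0"
)

BROKEN_RULE = "-A POST_public_allow ! -i lo -j MASQUERADE"
FIXED_RULE = "-A POST_public_allow ! -o lo -j MASQUERADE"

# Which interface options apply at each built-in hook (per the netfilter NAT
# HOWTO). Simplified table for this example. iptables itself only enforces this
# for built-in chains, not for user-defined chains such as POST_public_allow,
# which is why the original rule loaded without an error.
IFACE_OPTIONS_AT_HOOK = {
    "PREROUTING": {"-i"},
    "INPUT": {"-i"},
    "FORWARD": {"-i", "-o"},
    "OUTPUT": {"-o"},
    "POSTROUTING": {"-o"},
}


def parse_log_line(line):
    """Split a netfilter LOG line into a dict; bare flags (DF, SYN) map to True."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value  # "IN=" yields an empty string
        else:
            fields[token] = True
    return fields


def parse_rule(rule):
    """Parse the subset of iptables syntax used here: -A, -j, -i, -o and '!'."""
    tokens = rule.split()
    parsed = {"chain": None, "target": None, "matches": []}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
        elif tok == "-A":
            parsed["chain"] = tokens[i + 1]
            i += 1
        elif tok == "-j":
            parsed["target"] = tokens[i + 1]
            i += 1
        elif tok in ("-i", "-o"):
            parsed["matches"].append((tok, tokens[i + 1], negate))
            negate = False
            i += 1
        else:
            raise ValueError("unsupported token in example parser: %s" % tok)
        i += 1
    return parsed


def invalid_iface_options(parsed, hook):
    """Interface options in the rule that do not apply at the given hook."""
    allowed = IFACE_OPTIONS_AT_HOOK[hook]
    return [opt for opt, _, _ in parsed["matches"] if opt not in allowed]


def rule_matches(parsed, packet):
    """True if every interface match succeeds against the LOG fields."""
    for opt, iface, negate in parsed["matches"]:
        actual = packet.get("IN" if opt == "-i" else "OUT", "")
        hit = actual == iface
        if negate:
            hit = not hit
        if not hit:
            return False
    return True


def would_masquerade(rule, log_line):
    """Does this MASQUERADE rule fire for the packet described by the LOG line?"""
    return rule_matches(parse_rule(rule), parse_log_line(log_line))


if __name__ == "__main__":
    for rule in (BROKEN_RULE, FIXED_RULE):
        parsed = parse_rule(rule)
        print(rule)
        print("  not applicable at POSTROUTING:", invalid_iface_options(parsed, "POSTROUTING"))
        print("  masquerades loopback packet:", would_masquerade(rule, LOOPBACK_LOG))
        print("  masquerades eth0 packet:", would_masquerade(rule, OUTBOUND_LOG))
```

Running it shows the failure mode from the issue: with `! -i lo`, the empty `IN=` field never equals `lo`, so the negated match succeeds and the loopback packet is masqueraded; with `! -o lo`, `OUT=lo` is matched and the packet is exempted, while the eth0 packet is still masqueraded by both rules.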

t-woerner added a commit that referenced this issue Dec 7, 2015
https://github.com/t-woerner/firewalld/issues/61

Thanks to Georg Müller for locating this.

Also added ! -o lo to rich rule masquerading
t-woerner (Collaborator) commented:

Thanks for finding this. Here is the fix:
t-woerner@6acdfa3
