Description
Currently, we just assume that virtuals should be accessible by ALL sources, by simply not filtering the source at all:
Lines 528 to 529 in 5240273:

```python
fmt_dnat = "%(cmd)s -t 'nat' -A 'MFWPREROUTING' -i '%(iface)s' -d '%(extaddr)s' "
fmt_fltr = "%(cmd)s -t 'filter' -A 'MFWFORWARD' -i '%(iface)s' -d '%(intaddr)s' "
```
This assumption does not always hold true though.
Question: Should we solve this by just adding a source column like we did in rules and just copy the same source matching code?
Lines 445 to 448 in 5240273:

```python
if cmd.get("srcgeo"):
    fmt += "-m geoip --src-cc '%(srcgeo)s' "
if cmd.get("srcaddr"):
    fmt += "-m set --match-set '%(srcaddr)s' src "
```
Or should we go with what FortiGate does, and have the user explicitly write the rules to allow traffic to the virtual IP?
This distinction is interesting when specifying a source IP, because you might want to allow multiple distinct sources (like, two separate source zones). If we added a source column, you'd need to add two virtuals entries for those, which might cause problems (unless of course we just add the source filter to both the nat and the filter table entry).
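The "apply the source filter to both the nat and the filter table entry" variant sketched above, written out as an added example (not the project's code): a virtual carries an optional list of sources, and each source yields one DNAT rule and one matching FORWARD rule, so several distinct sources need no duplicate virtual entries. The `build_virtual` / `source_match` names and the `sources` key are assumptions for illustration.

```python
# Added example, not project code. Builds the PREROUTING DNAT rule and the
# FORWARD accept rule for one virtual, repeating the same source match in both
# tables. Format strings mirror the fmt_dnat / fmt_fltr prefixes in the issue.
FMT_DNAT = "%(cmd)s -t 'nat' -A 'MFWPREROUTING' -i '%(iface)s' -d '%(extaddr)s' "
FMT_FLTR = "%(cmd)s -t 'filter' -A 'MFWFORWARD' -i '%(iface)s' -d '%(intaddr)s' "


def source_match(src):
    """Return the iptables match fragment for one source dict, or '' when the
    dict carries no source restriction (same order as the rules-table code:
    geoip country first, then ipset)."""
    fmt = ""
    if src.get("srcgeo"):
        fmt += "-m geoip --src-cc '%(srcgeo)s' "
    if src.get("srcaddr"):
        fmt += "-m set --match-set '%(srcaddr)s' src "
    return fmt


def build_virtual(entry, cmd="iptables"):
    """Return a list of (nat_rule, filter_rule) pairs, one pair per source.

    'sources' is an assumed list of dicts with optional 'srcgeo' / 'srcaddr'.
    A virtual without 'sources' keeps today's behaviour: no source filter, so
    the virtual IP is reachable from any source on the interface."""
    sources = entry.get("sources") or [{}]
    rules = []
    for src in sources:
        params = dict(entry, cmd=cmd, **src)
        match = source_match(src)
        dnat = (FMT_DNAT + match
                + "-p '%(proto)s' --dport '%(extport)s' "
                + "-j DNAT --to-destination '%(intaddr)s:%(intport)s'") % params
        fltr = (FMT_FLTR + match
                + "-p '%(proto)s' --dport '%(intport)s' -j ACCEPT") % params
        rules.append((dnat, fltr))
    return rules
```

Because the same match fragment goes into both rules, a packet that is DNATed for a permitted source is the only kind the FORWARD rule accepts; a packet from a non-matching source is neither translated nor forwarded.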