ipv6 nat fix (trailofbits#1775)

SemaSandbox · Apr 25, 2020 · 27de760 · 27de760
1 parent 4f1b927
commit 27de760
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
@@ -35,7 +35,7 @@ COMMIT
 -A PREROUTING --in-interface {{ ansible_default_ipv6['interface'] }} -p udp --dport {{ wireguard_port_avoid }} -j REDIRECT --to-port {{ wireguard_port_actual }}
 {% endif %}
 # Allow traffic from the VPN network to the outside world, and replies
--A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out -j SNAT --to {{ ipv6_egress_ip | ipaddr('address') }}
+-A POSTROUTING -s {{ subnets|join(',') }} -m policy --pol none --dir out {{ '-j SNAT --to ' + ipv6_egress_ip | ipaddr('address') if alternative_ingress_ip else '-j MASQUERADE' }}
 
 COMMIT