Allow marking networks as "local"
Reported by: matthijs | Owned by: victor
I have a setup with a dummy0 interface, which holds a bunch of addresses (for virtual servers). I can define this network in vuurmuur, and give my firewall an interface on it, but then it does not know that the network really only exists on the firewall itself. This causes vuurmuur to generate FORWARD rules, where I would really want OUTPUT rules.
For example, in the zone internal, I have the following network vservers:
    ACTIVE="Yes" NETWORK="10.42.0.0" NETMASK="255.255.255.0" INTERFACE="vservers-nic"
The vservers-nic interface is defined as:
    ACTIVE="Yes" IPADDRESS="10.42.0.1" INTERFACE="" VIRTUAL="No" DEVICE="dummy0"
Now, I define a rule to allow the vservers to access the internet (ignoring the fact that we would also need NAT):
    Accept service any from vservers.internal to world.inet
This makes vuurmuur generate the following rule:
    /sbin/iptables -t filter -A FORWARD -i dummy0 -o eth0 -s \
        10.42.0.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -m state \
        --state NEW -j NEWACCEPT
This rule never triggers, since these packets are locally generated and thus never go through the FORWARD chain.
I would like the above rule to result in some rule in the OUTPUT chain, like:
    /sbin/iptables -t filter -A OUTPUT -o eth0 -s 10.42.0.0/255.255.255.0 \
        -d 0.0.0.0/0.0.0.0 -m state --state NEW -j NEWACCEPT
I can achieve something like this rule by using from firewall(any), but then the source address check is not there, meaning I cannot differentiate between traffic from the host and the different virtual servers.
A possible solution I can see here is marking networks as "local", meaning that any rules generated from them should be INPUT or OUTPUT. A local network would then have a status similar to the special firewall object.
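To illustrate the proposed behaviour, here is an added example (not vuurmuur's own code) of a minimal rule generator that places a rule in OUTPUT or INPUT when one side is marked local and in FORWARD otherwise, while keeping the -s/-d address match in every case. The LOCAL key is the hypothetical new flag; the "world.inet" network, the "inet-nic" interface and the eth0 device are assumed for the destination side.

```python
# Added example, not vuurmuur's code. Config entries are constructed to
# mirror the ticket's network and interface definitions; LOCAL is the
# hypothetical flag the ticket proposes.
NETWORKS = {
    "vservers.internal": {"NETWORK": "10.42.0.0", "NETMASK": "255.255.255.0",
                          "INTERFACE": "vservers-nic", "LOCAL": "Yes"},
    "world.inet": {"NETWORK": "0.0.0.0", "NETMASK": "0.0.0.0",
                   "INTERFACE": "inet-nic", "LOCAL": "No"},   # assumed names
}
INTERFACES = {
    "vservers-nic": {"DEVICE": "dummy0"},
    "inet-nic": {"DEVICE": "eth0"},                           # assumed
}


def with_local(networks, name, flag):
    """Return a copy of the network table with one network's LOCAL flag changed."""
    copy = {k: dict(v) for k, v in networks.items()}
    copy[name]["LOCAL"] = flag
    return copy


def _cidr(net):
    return f"{net['NETWORK']}/{net['NETMASK']}"


def accept_rule(src_name, dst_name, networks=NETWORKS):
    """Build the iptables command for 'Accept service any from src to dst'.

    A local source means the packets originate on the firewall itself, so
    they only traverse OUTPUT (no input device to match); a local destination
    means they terminate on the firewall, so they traverse INPUT (no output
    device). Anything else is routed through the host and belongs in FORWARD.
    The source/destination address match is emitted in every case, which is
    what lets individual virtual servers be told apart."""
    src, dst = networks[src_name], networks[dst_name]
    in_dev = INTERFACES[src["INTERFACE"]]["DEVICE"]
    out_dev = INTERFACES[dst["INTERFACE"]]["DEVICE"]
    if src["LOCAL"] == "Yes" and dst["LOCAL"] == "Yes":
        raise ValueError("local-to-local traffic stays on the host; not covered here")
    if src["LOCAL"] == "Yes":
        chain, devs = "OUTPUT", f"-o {out_dev}"
    elif dst["LOCAL"] == "Yes":
        chain, devs = "INPUT", f"-i {in_dev}"
    else:
        chain, devs = "FORWARD", f"-i {in_dev} -o {out_dev}"
    return (f"/sbin/iptables -t filter -A {chain} {devs} "
            f"-s {_cidr(src)} -d {_cidr(dst)} -m state --state NEW -j NEWACCEPT")
```

With LOCAL="Yes" on vservers.internal the generator produces exactly the OUTPUT rule the ticket asks for; flipping the flag back to "No" reproduces the FORWARD rule vuurmuur currently emits.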