From 919f25f85d53fa6b550241be36ab5f11cb9f5b24 Mon Sep 17 00:00:00 2001
From: Michael Rash
Date: Sat, 14 Dec 2013 19:41:00 -0500
Subject: [PATCH] [server] fw_initialize() vs. fw_config_init() bug fix for use_masquerade
---
 server/config_init.c | 2 +-
 server/fw_util_iptables.c | 32 ++++++++++++++------------------
 2 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/server/config_init.c b/server/config_init.c
index 0ff30005..67a52209 100644
--- a/server/config_init.c
+++ b/server/config_init.c
@@ -448,7 +448,7 @@ validate_options(fko_srv_options_t *opts)
 */
 if(strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
 {
- /* Note that fw_initialize() will set use_masquerade if necessary
+ /* Note that fw_config_init() will set use_masquerade if necessary
 */
 if(opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
 {
diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c
index 65bda34f..19c49dac 100644
--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
@@ -814,7 +814,6 @@ fw_config_init(fko_srv_options_t * const opts)
 */
 if(strncasecmp(opts->config[CONF_ENABLE_IPT_FORWARDING], "Y", 1)==0)
 {
-
 if(set_fw_chain_conf(IPT_FORWARD_ACCESS, opts->config[CONF_IPT_FORWARD_ACCESS]) != 1)
 return 0;
 
@@ -825,19 +824,25 @@ fw_config_init(fko_srv_options_t * const opts)
 */
 if(strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1)==0)
 {
- if(opts->fw_config->use_masquerade == 1)
+ if(opts->config[CONF_SNAT_TRANSLATE_IP] == NULL
+ || ! is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
 {
+ fwc.use_masquerade = 1;
 if(set_fw_chain_conf(IPT_MASQUERADE_ACCESS, opts->config[CONF_IPT_MASQUERADE_ACCESS]) != 1)
 return 0;
 }
- else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
- && (is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP])))
- {
- if(set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
- return 0;
- }
 else
- return 0;
+ {
+ if(is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
+ {
+ if(set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]) != 1)
+ return 0;
+ }
+ else
+ {
+ return 0;
+ }
+ }
 }
 }

@@ -882,15 +887,6 @@ fw_initialize(const fko_srv_options_t * const opts)
 }
 }

- if(strncasecmp(opts->config[CONF_ENABLE_IPT_SNAT], "Y", 1) == 0)
- {
- if(opts->config[CONF_SNAT_TRANSLATE_IP] == NULL
- || ! is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
- {
- opts->fw_config->use_masquerade = 1;
- }
- }
-
 /* See if iptables offers the '-C' argument (older versions don't). If not,
 * then switch to parsing iptables -L output to find rules.
 */
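Review bot: In the SNAT block of fw_config_init() (the `@@ -825,19 +824,25 @@` hunk), the inner `is_valid_ipv4_addr()` test in the new `else` branch can never fail, because that branch is reached only when `CONF_SNAT_TRANSLATE_IP` is non-NULL and has already passed the same check; the trailing `else { return 0; }` is therefore dead code and the branch reduces to `else if(set_fw_chain_conf(IPT_SNAT_ACCESS, opts->config[CONF_IPT_SNAT_ACCESS]) != 1) return 0;`. The first condition also treats a set-but-malformed SNAT_TRANSLATE_IP exactly like an unset one and quietly selects MASQUERADE, so unless validate_options() (not visible in this hunk) already rejects that value, it would be safer to log or return 0 for the malformed case so that a typo in the config does not change the NAT source address unnoticed. A short comment such as `/* No usable SNAT_TRANSLATE_IP: fall back to MASQUERADE */` above `fwc.use_masquerade = 1;` would make the intended fallback explicit. The body of fw_config_init() starts and ends outside the hunk.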