Correct blacklisting in simple configurations

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-09-24 11:16:31 -07:00
parent 03161ed57d
commit 0768235278

View File

@ -1861,20 +1861,13 @@ sub generate_matrix() {
progress_message2 'Generating Rule Matrix...';
#
# Special processing for complex configurations
# Special processing for complex and blacklisting configurations
#
for my $zone ( @zones ) {
my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{options}{complex};
#
# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
#
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst};
add_jump $frwd_ref , $blackref, 0, $state, 0, -1;
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
}
@ -1892,6 +1885,15 @@ sub generate_matrix() {
}
}
next if @zones <= 2 && ! $zoneref->{options}{complex};
#
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
#
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
add_jump $frwd_ref , $filter_table->{blacklist}, 0, $state, 0, -1 if $zoneref->{options}{in}{blacklist};
if ( have_ipsec ) {
#
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the