From 0ecf0703dc9400fd35943ad0042e4b9c857abbfc Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 Mar 2024 12:26:59 -0800
Subject: [PATCH] Correct classic blacklisting - No filtering in the OUTPUT chain - Correct ipsec filtering
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 554e6226f..81a9707cb 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1106,12 +1106,11 @@ sub add_common_rules ( $ ) {
 }
 if ( $setting & DBL_CLASSIC ) {
- add_ijump_extended( $input_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state );
- add_ijump_extended( $forward_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state );
- add_ijump_extended( $output_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state ) if $setting & DBL_DST;
+ add_ijump_extended( $input_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state, @in_policy );
+ add_ijump_extended( $forward_option_chainref, j => $classic_target_chain, $origin{DYNAMIC_BLACKLIST}, @state, @in_policy );
 }
- } # Exclusion
+ } # Dynamic Blacklisting
 #
 # Finish FASTACCEPT
 #
@@ -1120,8 +1119,9 @@ sub add_common_rules ( $ ) {
 add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '';
 }
 }
+ } #Not loopback interface
- }
+ } # Interface Loop
 #
 # Delete 'sfilter' chains unless there are referenced to them
 #
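Review bot: In the `DBL_CLASSIC` branch of the first hunk, a setting that also carries `DBL_DST` now produces no jump from `$output_option_chainref` at all, and nothing in the code records that this is deliberate or tells the operator that the destination option has no effect here. Since this decides whether locally generated traffic is checked against the blacklist, a comment above the two remaining calls would help, for example `# Classic blacklisting is applied in INPUT and FORWARD only; the OUTPUT chain is deliberately not filtered`. If `DBL_DST` can actually be combined with `DBL_CLASSIC`, a configuration warning where the setting is parsed may also be worth adding; that code is not visible in this patch. `@in_policy` and `@state` are defined outside the hunk, so how the added ipsec match behaves when no policy match is configured cannot be checked from these lines. `add_common_rules` starts and ends outside the hunk.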
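Review bot: The second hunk adds a closing brace, `} #Not loopback interface`, while the patch as a whole removes no closing brace without replacing it and adds no opening brace, so the brace balance of `add_common_rules` shifts by one across this commit. Presumably the parent revision was missing this brace and the line repairs it, but that cannot be confirmed from the visible lines; a syntax check of the module before and after the change would settle it. For consistency with the other labels added in this patch, the comment would read better as `} # Not loopback interface`. The enclosing loop and function begin outside the hunk.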