Add per-interface OUTPUT chains

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4728 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-15 02:41:01 +01:00 · 2006-10-24 15:07:18 +00:00 · 2006-10-24 15:07:18 +00:00 · 113058b78c
commit 113058b78c
parent 60144960fc
3 changed files with 19 additions and 6 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -6,6 +6,8 @@ Changes in 3.3.4

 3)  Add COMBINE_JUMPS option.

+4)  Add an output chain for each interface.
+
 Changes in 3.3.3

 1)  Fix excluding in SUBNET column.
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -3629,7 +3629,7 @@ __EOF__
 		    do_iptables -A $(forward_chain $interface) -p udp -o $interface --dport 67:68 -j ACCEPT
            fi
 	    run_iptables -A $(input_chain $interface) -p udp --dport 67:68 -j ACCEPT
-	    run_iptables -A OUTPUT -o $interface      -p udp --dport 67:68 -j ACCEPT
+	    run_iptables -A $(out_chain $interface)   -p udp --dport 67:68 -j ACCEPT
 	done
    fi
    #
@ -3948,7 +3948,7 @@ __EOF__

 	    run_iptables -A $(input_chain $interface)   -j $chain
 	    run_iptables -A $(forward_chain $interface) -j $(dynamic_fwd $interface)
-	    run_iptables -A OUTPUT -o $interface        -j $(dynamic_out $interface)
+	    run_iptables -A $(out_chain $interface)     -j $(dynamic_out $interface)
 	done
    fi
    #
@ -4232,10 +4232,10 @@ activate_rules()

 	    if [ -n "$chain1" ]; then
 		if [ -n "$exclusions" ]; then
-		    run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j ${zone}_output
+		    run_iptables2 -A $(out_chain $interface) $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j ${zone}_output
 		    run_iptables -A ${zone}_output -j $chain1
 		else
-		    run_iptables2 -A OUTPUT -o $interface $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
+		    run_iptables2 -A $(out_chain $interface) $(match_dest_hosts $networks) $(match_ipsec_out $zone $host) -j $chain1
 		fi
 	    fi
 	    #
@ -4269,8 +4269,8 @@ activate_rules()

 	if [ -n "$chain1" ]; then
 	    for interface in $need_broadcast ; do
-		run_iptables -A OUTPUT -o $interface -d 255.255.255.255 -j $chain1
-		run_iptables -A OUTPUT -o $interface -d 224.0.0.0/4     -j $chain1
+		run_iptables -A $(out_chain $interface) -d 255.255.255.255 -j $chain1
+		run_iptables -A $(out_chain $interface) -d 224.0.0.0/4     -j $chain1
 	    done
 	fi
 	#
@ -4507,6 +4507,7 @@ activate_rules()
    for interface in $ALL_INTERFACES ; do
 	run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
 	run_iptables -A INPUT   -i $interface -j $(input_chain $interface)
+	run_iptables -A OUTPUT  -o $interface -j $(out_chain $interface)
 	addnatjump POSTROUTING $(masq_chain $interface) -o $interface
    done
    #
@ -5386,6 +5387,8 @@ __EOF__
 	    createchain $chain no
 	    run_iptables -A $chain $state -j dynamic
 	done
+
+	createchain $(out_chain $interface) no
    done

    if strip_file_and_lib_load proxyarp proxyarp; then
--- a/Shorewall/lib.config
+++ b/Shorewall/lib.config
@ -782,6 +782,14 @@ first_chains() #$1 = interface
   echo ${c}_fwd ${c}_in
 }

+#
+# Out Chain to an interface
+#
+out_chain() # $1 = interface
+{
+   echo $(chain_base $1)_out
+}
+
 #
 # Horrible hack to work around an iptables limitation
 #