diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index bf9448217..161830e44 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -68,7 +68,7 @@ our %EXPORT_TAGS = (
 SET
 NO_RESTRICT
 PREROUTE_RESTRICT
- DESTIFAC_DISALLOW
+ DESTIFACE_DISALLOW
 INPUT_RESTRICT
 OUTPUT_RESTRICT
 POSTROUTE_RESTRICT
@@ -261,13 +261,13 @@ our %targets;
 #
 # expand_rule() restrictions
 #
-use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
- PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d
using main routing table
- INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
- OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
- POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s
using main routing table
- ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
- DESTIFAC_DISALLOW => 32, # Don't allow dest interface
+use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
+ PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d
using main routing table
+ INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
+ OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
+ POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s
using main routing table
+ ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
+ DESTIFACE_DISALLOW => 32, # Don't allow dest interface
 };
 our $iprangematch;
@@ -3434,14 +3434,14 @@ sub expand_rule( $$$$$$$$$$;$ )
 #
 # Dest interface -- must use routing table
 #
- fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFAC_DISALLOW;
+ fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFACE_DISALLOW;
 fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
 push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
 $rule .= '-d $dest ';
 } else {
 fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
 fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
- fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFAC_DISALLOW;
+ fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFACE_DISALLOW;
 if ( $iiface ) {
 my $bridge = port_to_bridge( $diface );
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 83adbe48a..0357cde39 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -296,7 +296,7 @@ sub process_tc_rule( ) {
 fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 }
- $restriction = DESTIFAC_DISALLOW;
+ $restriction = DESTIFACE_DISALLOW;
 ensure_mangle_chain($target);
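Review bot: In the expand_rule hunk of Chains.pm, the two fatal_error lines guarded by `DESTIFACE_DISALLOW` name different chains ("the PREROUTING chain" in the routing-table branch, "the mangle OUTPUT chain" in the else branch), but which one fires depends on the branch taken, not on the chain the rule belongs to. The Tc.pm hunk sets the flag directly after a check whose message mentions both PREROUTING and OUTPUT, so it looks as though either message can be reported for a rule in the other chain; this should be confirmed against process_tc_rule, most of which is outside the diff. A chain-neutral wording such as `fatal_error "A DEST interface ($diface) is not permitted in this rule" if $restriction & DESTIFACE_DISALLOW;` in both places would keep the diagnostic from pointing an administrator at the wrong chain while they are correcting a firewall rule. expand_rule starts and ends outside the hunk.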