diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b380155fb..940ce6886 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -186,13 +186,12 @@ our %EXPORT_TAGS = (
 input_chain
 input_option_chain
 zone_input_chain
- use_input_chain
+ use_interface_chain
 output_chain
 output_option_chain
 prerouting_chain
 postrouting_chain
 zone_output_chain
- use_output_chain
 masq_chain
 syn_flood_chain
 mac_chain
@@ -2444,10 +2443,11 @@ sub zone_input_chain($) {
 }
 #
-# Returns true if we're to use the interface's input chain
+# Returns true if we're to use the interface's input or chain, depending on the second argument
+# (use_input_chain or use_output_chain).
 #
-sub use_input_chain($$) {
- my ( $interface, $chainref ) = @_;
+sub use_interface_chain($$) {
+ my ( $interface, $which ) = @_;
 my $interfaceref = find_interface($interface);
 my $nets = $interfaceref->{nets};
 #
@@ -2475,17 +2475,11 @@ sub use_input_chain($$) {
 # the zone has multiple interfaces
 # and this interface has option rules
 #
- return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
+ return 1 if $interfaceref->{options}{$which} && keys %{ zone_interfaces( $zone ) } > 1;
 #
 # Interface associated with a single zone -- use the zone's input chain if it has one
 #
- return 0 if $chainref;
- #
- # Use the ->fw rules chain if it is referenced.
- #
- $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
- ! ( $chainref->{referenced} || $chainref->{is_policy} )
+ return 0;
 }
 #
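Review bot: The new header comment on use_interface_chain says "the interface's input or chain", which has lost the word "output" and no longer states what the function decides; `# Returns true if we're to use the interface's input or output chain, depending on the second argument` reads correctly, and the next line can name the accepted values as the interface option keys they are: `# ($which is 'use_input_chain' or 'use_output_chain', the interface option consulted below).` The body of use_interface_chain continues past the end of this hunk.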
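Review bot: `$which` is used straight as the key into `$interfaceref->{options}` with no check that it is one of the two selectors the header comment documents, so a misspelled literal at any call site makes use_interface_chain quietly return 0 (the option lookup yields undef) instead of failing loudly; a guard such as `die "use_interface_chain: unknown selector '$which'" unless $which eq 'use_input_chain' || $which eq 'use_output_chain';` near the top of the function (or the module's usual fatal-error helper) turns that into an immediate error. The Misc.pm call sites in add_interface_jumps, add_output_jumps and add_input_jumps all pass the selector as a bare string literal, which is where such a typo would come from. Separately, the comment above the new `return 0;` still reads "use the zone's input chain if it has one" although the chain argument and the fallback to the fw rules chain are gone, so it should say something like `# Interface associated with a single zone -- use the zone's chain`. The function's start lies outside the hunk.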
@@ -2522,41 +2516,6 @@ sub zone_output_chain($) {
 $_[0] . '_output';
 }
-#
-# Returns true if we're to use the interface's output chain
-#
-sub use_output_chain($$) {
- my ( $interface, $chainref) = @_;
- my $interfaceref = find_interface($interface);
- my $nets = $interfaceref->{nets};
- #
- # We must use the interfaces's chain if the interface is associated with multiple Zones
- #
- return 1 if ( keys %{interface_zones $interface} ) > 1;
- #
- # Use interface's chain if there are multiple nets on the interface
- #
- return 1 if $nets > 1;
- #
- # Use interface's chain if it is a bridge with ports
- #
- return 1 if $interfaceref->{ports};
- #
- # Don't need it if it isn't associated with any zone
- #
- return 0 unless $nets;
- #
- # Interface associated with a single zone -- use the zone's output chain if it has one
- #
- return 0 if $chainref;
- #
- # Use the fw-> rules chain if it is referenced.
- #
- $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
- ! ( $chainref->{referenced} || $chainref->{is_policy} )
-}
-
 #
 # Masquerade Chain for an interface
 #
@@ -5404,8 +5363,8 @@ sub do_ratelimit( $$ ) {
 my @rates = split_list3 $rates, 'rate';
 if ( @rates == 2 ) {
- $rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s:/;
- $rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d:/;
+ $rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s(?:\/\d+)?:/;
+ $rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d(?:\/\d+)?:/;
 } elsif ( @rates > 2 ) {
 fatal error "Only two rates may be specified";
 }
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 21722656f..0ba4ac69b 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
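Review bot: The widened regexes only decide whether to prepend `s:`/`d:`, and nothing in this hunk bounds the digits that `(?:\/\d+)?` accepts (presumably a prefix length), so `s/999:` passes this check exactly like `s/24:`; unless the code below the hunk range-checks that value, a bad one only surfaces later, when the generated rule is used, rather than while the configuration is being read. Using another delimiter also removes the escaped slashes: `unless $rates[0] =~ m{^s(?:/\d+)?:}` and `unless $rates[1] =~ m{^d(?:/\d+)?:}`. do_ratelimit continues past the hunk on both sides.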
@@ -1724,9 +1724,9 @@ sub add_interface_jumps {
 add_ijump( $filter_table->{input_chain $bridge }, j => $inputref , imatch_source_dev( $interface, 1 )
- ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
+ ) unless $input_jump_added{$interface} || ! use_interface_chain( $interface, 'use_input_chain' );
- unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+ unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
 add_ijump( $filter_table->{output_chain $bridge} , j => $outputref , imatch_dest_dev( $interface, 1 ) )
@@ -1735,10 +1735,10 @@ sub add_interface_jumps {
 } else {
 add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
- add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
- add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref ) && ! $input_jump_added{$interface}++;
+ add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
+ add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
- if ( use_output_chain $interface, $outputref ) {
+ if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
 add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 }
 }
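Review bot: Every converted call in these two hunks (and those in add_output_jumps and add_input_jumps later in the file) passes the selector to use_interface_chain as a bare string literal, `'use_input_chain'` or `'use_output_chain'`, which no strictures can check and which the callee maps straight to an options key, so a misspelling would quietly change which jumps get added; defining the two values once, e.g. `use constant { USE_INPUT_CHAIN => 'use_input_chain', USE_OUTPUT_CHAIN => 'use_output_chain' };` exported alongside use_interface_chain, would make such a typo a compile error. The `'use_output_chain')` in the first hunk also lacks the space before the closing parenthesis that the sibling calls use. add_interface_jumps starts and ends outside these hunks.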
@@ -1927,7 +1927,7 @@ sub add_output_jumps( $$$$$$$$ ) {
 my @ipsec_out_match = match_ipsec_out $zone , $hostref;
 my @zone_interfaces = keys %{zone_interfaces( $zone )};
- if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+ if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 #
 # - There are vserver zones (so OUTPUT will have multiple source; or
 # - We must use the interface output chain; or
@@ -2061,7 +2061,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
 my @source = imatch_source_net $net;
 my @ipsec_in_match = match_ipsec_in $zone , $hostref;
- if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+ if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 #
 # - There are vserver zones (so INPUT will have multiple destinations; or
 # - We must use the interface input chain; or
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index cc88c03e5..3be59c522 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1917,18 +1917,18 @@ sub setup_providers() {
 push_indent;
+ emit "undo_routing";
+ emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 if ( $pseudoproviders ) {
 emit '';
 emit "start_$providers{$_}->{what}_$_" for @providers;
- emit '';
 }
- emit "undo_routing";
- emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
 if ( $config{NULL_ROUTE_RFC1918} ) {
+ emit '';
 setup_null_routing;
 emit "\nrun_ip route flush cache" unless $standard_routes;
 }
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 9e356c68a..c1f5b3cf3 100644
--- a/docs/FAQ.xml
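Review bot: `emit "undo_routing"` and `emit "restore_default_route $config{USE_DEFAULT_RT}"` now precede the pseudo-provider `start_*` lines instead of following them, but nothing in the hunk records why that order is required, so a later tidy-up could move them back without anything failing. A one-line comment above the two emit calls giving the reason (if it is that the pseudo-providers must start from the restored default routing, say so) would pin the order for the next reader. setup_providers continues outside the hunk on both sides.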
+++ b/docs/FAQ.xml
@@ -244,9 +244,25 @@ DNAT net:address loc:local-IP-address
 Answer: That is usually the
- result of one of four things:
+ result of one of five things:
+
+ You are trying to redirect a UDP port and there is already a
+ conntrack table entry for the flow, created via an ACCEPT
+ rule.
+
+ Example:
+
+ DNAT loc:192.168.0.2 dmz:192.168.1.3 udp 53
+
+ Assuming that you have installed the
+ conntrack package, you can delete all such
+ conntrack table entries using:
+
+ conntrack -D -s 192.168.0.2 -p udp --dport 53
+
+
 You are trying to test from inside your firewall (no, that won't work -- see ).