Merge branch '5.2.1'

This commit is contained in:
Tom Eastep 2018-12-15 09:56:14 -08:00
commit 3239fb3eb9
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
4 changed files with 37 additions and 62 deletions

View File

@ -186,13 +186,12 @@ our %EXPORT_TAGS = (
input_chain
input_option_chain
zone_input_chain
use_input_chain
use_interface_chain
output_chain
output_option_chain
prerouting_chain
postrouting_chain
zone_output_chain
use_output_chain
masq_chain
syn_flood_chain
mac_chain
@ -2444,10 +2443,11 @@ sub zone_input_chain($) {
}
#
# Returns true if we're to use the interface's input chain
# Returns true if we're to use the interface's input or chain, depending on the second argument
# (use_input_chain or use_output_chain).
#
sub use_input_chain($$) {
my ( $interface, $chainref ) = @_;
sub use_interface_chain($$) {
my ( $interface, $which ) = @_;
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
#
@ -2475,17 +2475,11 @@ sub use_input_chain($$) {
# the zone has multiple interfaces
# and this interface has option rules
#
return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
return 1 if $interfaceref->{options}{$which} && keys %{ zone_interfaces( $zone ) } > 1;
#
# Interface associated with a single zone -- use the zone's input chain if it has one
#
return 0 if $chainref;
#
# Use the <zone>->fw rules chain if it is referenced.
#
$chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} )
return 0;
}
#
@ -2522,41 +2516,6 @@ sub zone_output_chain($) {
$_[0] . '_output';
}
#
# Returns true if we're to use the interface's output chain
#
sub use_output_chain($$) {
my ( $interface, $chainref) = @_;
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
#
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
return 1 if ( keys %{interface_zones $interface} ) > 1;
#
# Use interface's chain if there are multiple nets on the interface
#
return 1 if $nets > 1;
#
# Use interface's chain if it is a bridge with ports
#
return 1 if $interfaceref->{ports};
#
# Don't need it if it isn't associated with any zone
#
return 0 unless $nets;
#
# Interface associated with a single zone -- use the zone's output chain if it has one
#
return 0 if $chainref;
#
# Use the fw-><zone> rules chain if it is referenced.
#
$chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
! ( $chainref->{referenced} || $chainref->{is_policy} )
}
#
# Masquerade Chain for an interface
#
@ -5404,8 +5363,8 @@ sub do_ratelimit( $$ ) {
my @rates = split_list3 $rates, 'rate';
if ( @rates == 2 ) {
$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s:/;
$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d:/;
$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s(?:\/\d+)?:/;
$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d(?:\/\d+)?:/;
} elsif ( @rates > 2 ) {
fatal error "Only two rates may be specified";
}

View File

@ -1724,9 +1724,9 @@ sub add_interface_jumps {
add_ijump( $filter_table->{input_chain $bridge },
j => $inputref ,
imatch_source_dev( $interface, 1 )
) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
) unless $input_jump_added{$interface} || ! use_interface_chain( $interface, 'use_input_chain' );
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
add_ijump( $filter_table->{output_chain $bridge} ,
j => $outputref ,
imatch_dest_dev( $interface, 1 ) )
@ -1736,9 +1736,9 @@ sub add_interface_jumps {
add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref ) && ! $input_jump_added{$interface}++;
add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
if ( use_output_chain $interface, $outputref ) {
if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
}
}
@ -1927,7 +1927,7 @@ sub add_output_jumps( $$$$$$$$ ) {
my @ipsec_out_match = match_ipsec_out $zone , $hostref;
my @zone_interfaces = keys %{zone_interfaces( $zone )};
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
#
# - There are vserver zones (so OUTPUT will have multiple source; or
# - We must use the interface output chain; or
@ -2061,7 +2061,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
my @source = imatch_source_net $net;
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
#
# - There are vserver zones (so INPUT will have multiple destinations; or
# - We must use the interface input chain; or

View File

@ -1917,18 +1917,18 @@ sub setup_providers() {
push_indent;
emit "undo_routing";
emit "restore_default_route $config{USE_DEFAULT_RT}";
if ( $pseudoproviders ) {
emit '';
emit "start_$providers{$_}->{what}_$_" for @providers;
emit '';
}
emit "undo_routing";
emit "restore_default_route $config{USE_DEFAULT_RT}";
my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
if ( $config{NULL_ROUTE_RFC1918} ) {
emit '';
setup_null_routing;
emit "\nrun_ip route flush cache" unless $standard_routes;
}

View File

@ -244,9 +244,25 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
work</title>
<para><emphasis role="bold">Answer:</emphasis> That is usually the
result of one of four things:</para>
result of one of five things:</para>
<itemizedlist>
<listitem>
<para>You are trying to redirect a UDP port and there is already a
conntrack table entry for the flow, created via an ACCEPT
rule.</para>
<para>Example:</para>
<programlisting> DNAT loc:192.168.0.2 dmz:192.168.1.3 udp 53</programlisting>
<para>Assuming that you have installed the
<emphasis>conntrack</emphasis> package, you can delete all such
conntrack table entries using:</para>
<programlisting> conntrack -D -s 192.168.0.2 -p udp --dport 53</programlisting>
</listitem>
<listitem>
<para>You are trying to test from inside your firewall (no, that
won't work -- see <xref linkend="faq2"/>).</para>