mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-29 11:04:03 +01:00
Merge branch '5.2.1'
This commit is contained in:
commit
3239fb3eb9
@ -186,13 +186,12 @@ our %EXPORT_TAGS = (
|
||||
input_chain
|
||||
input_option_chain
|
||||
zone_input_chain
|
||||
use_input_chain
|
||||
use_interface_chain
|
||||
output_chain
|
||||
output_option_chain
|
||||
prerouting_chain
|
||||
postrouting_chain
|
||||
zone_output_chain
|
||||
use_output_chain
|
||||
masq_chain
|
||||
syn_flood_chain
|
||||
mac_chain
|
||||
@ -2444,10 +2443,11 @@ sub zone_input_chain($) {
|
||||
}
|
||||
|
||||
#
|
||||
# Returns true if we're to use the interface's input chain
|
||||
# Returns true if we're to use the interface's input or chain, depending on the second argument
|
||||
# (use_input_chain or use_output_chain).
|
||||
#
|
||||
sub use_input_chain($$) {
|
||||
my ( $interface, $chainref ) = @_;
|
||||
sub use_interface_chain($$) {
|
||||
my ( $interface, $which ) = @_;
|
||||
my $interfaceref = find_interface($interface);
|
||||
my $nets = $interfaceref->{nets};
|
||||
#
|
||||
@ -2475,17 +2475,11 @@ sub use_input_chain($$) {
|
||||
# the zone has multiple interfaces
|
||||
# and this interface has option rules
|
||||
#
|
||||
return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
|
||||
return 1 if $interfaceref->{options}{$which} && keys %{ zone_interfaces( $zone ) } > 1;
|
||||
#
|
||||
# Interface associated with a single zone -- use the zone's input chain if it has one
|
||||
#
|
||||
return 0 if $chainref;
|
||||
#
|
||||
# Use the <zone>->fw rules chain if it is referenced.
|
||||
#
|
||||
$chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
|
||||
|
||||
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
||||
return 0;
|
||||
}
|
||||
|
||||
#
|
||||
@ -2522,41 +2516,6 @@ sub zone_output_chain($) {
|
||||
$_[0] . '_output';
|
||||
}
|
||||
|
||||
#
|
||||
# Returns true if we're to use the interface's output chain
|
||||
#
|
||||
sub use_output_chain($$) {
|
||||
my ( $interface, $chainref) = @_;
|
||||
my $interfaceref = find_interface($interface);
|
||||
my $nets = $interfaceref->{nets};
|
||||
#
|
||||
# We must use the interfaces's chain if the interface is associated with multiple Zones
|
||||
#
|
||||
return 1 if ( keys %{interface_zones $interface} ) > 1;
|
||||
#
|
||||
# Use interface's chain if there are multiple nets on the interface
|
||||
#
|
||||
return 1 if $nets > 1;
|
||||
#
|
||||
# Use interface's chain if it is a bridge with ports
|
||||
#
|
||||
return 1 if $interfaceref->{ports};
|
||||
#
|
||||
# Don't need it if it isn't associated with any zone
|
||||
#
|
||||
return 0 unless $nets;
|
||||
#
|
||||
# Interface associated with a single zone -- use the zone's output chain if it has one
|
||||
#
|
||||
return 0 if $chainref;
|
||||
#
|
||||
# Use the fw-><zone> rules chain if it is referenced.
|
||||
#
|
||||
$chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
|
||||
|
||||
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
||||
}
|
||||
|
||||
#
|
||||
# Masquerade Chain for an interface
|
||||
#
|
||||
@ -5404,8 +5363,8 @@ sub do_ratelimit( $$ ) {
|
||||
my @rates = split_list3 $rates, 'rate';
|
||||
|
||||
if ( @rates == 2 ) {
|
||||
$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s:/;
|
||||
$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d:/;
|
||||
$rates[0] = 's:' . $rates[0] unless $rates[0] =~ /^s(?:\/\d+)?:/;
|
||||
$rates[1] = 'd:' . $rates[1] unless $rates[1] =~ /^d(?:\/\d+)?:/;
|
||||
} elsif ( @rates > 2 ) {
|
||||
fatal error "Only two rates may be specified";
|
||||
}
|
||||
|
@ -1724,9 +1724,9 @@ sub add_interface_jumps {
|
||||
add_ijump( $filter_table->{input_chain $bridge },
|
||||
j => $inputref ,
|
||||
imatch_source_dev( $interface, 1 )
|
||||
) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
|
||||
) unless $input_jump_added{$interface} || ! use_interface_chain( $interface, 'use_input_chain' );
|
||||
|
||||
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
|
||||
unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
|
||||
add_ijump( $filter_table->{output_chain $bridge} ,
|
||||
j => $outputref ,
|
||||
imatch_dest_dev( $interface, 1 ) )
|
||||
@ -1736,9 +1736,9 @@ sub add_interface_jumps {
|
||||
add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
|
||||
|
||||
add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
|
||||
add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref ) && ! $input_jump_added{$interface}++;
|
||||
add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
|
||||
|
||||
if ( use_output_chain $interface, $outputref ) {
|
||||
if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
|
||||
add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
|
||||
}
|
||||
}
|
||||
@ -1927,7 +1927,7 @@ sub add_output_jumps( $$$$$$$$ ) {
|
||||
my @ipsec_out_match = match_ipsec_out $zone , $hostref;
|
||||
my @zone_interfaces = keys %{zone_interfaces( $zone )};
|
||||
|
||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
|
||||
if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
|
||||
#
|
||||
# - There are vserver zones (so OUTPUT will have multiple source; or
|
||||
# - We must use the interface output chain; or
|
||||
@ -2061,7 +2061,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
|
||||
my @source = imatch_source_net $net;
|
||||
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||
|
||||
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
|
||||
if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
|
||||
#
|
||||
# - There are vserver zones (so INPUT will have multiple destinations; or
|
||||
# - We must use the interface input chain; or
|
||||
|
@ -1917,18 +1917,18 @@ sub setup_providers() {
|
||||
|
||||
push_indent;
|
||||
|
||||
emit "undo_routing";
|
||||
emit "restore_default_route $config{USE_DEFAULT_RT}";
|
||||
|
||||
if ( $pseudoproviders ) {
|
||||
emit '';
|
||||
emit "start_$providers{$_}->{what}_$_" for @providers;
|
||||
emit '';
|
||||
}
|
||||
|
||||
emit "undo_routing";
|
||||
emit "restore_default_route $config{USE_DEFAULT_RT}";
|
||||
|
||||
my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
|
||||
|
||||
if ( $config{NULL_ROUTE_RFC1918} ) {
|
||||
emit '';
|
||||
setup_null_routing;
|
||||
emit "\nrun_ip route flush cache" unless $standard_routes;
|
||||
}
|
||||
|
18
docs/FAQ.xml
18
docs/FAQ.xml
@ -244,9 +244,25 @@ DNAT net:<emphasis>address</emphasis> loc:<emphasis>local-IP-address</empha
|
||||
work</title>
|
||||
|
||||
<para><emphasis role="bold">Answer:</emphasis> That is usually the
|
||||
result of one of four things:</para>
|
||||
result of one of five things:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>You are trying to redirect a UDP port and there is already a
|
||||
conntrack table entry for the flow, created via an ACCEPT
|
||||
rule.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<programlisting> DNAT loc:192.168.0.2 dmz:192.168.1.3 udp 53</programlisting>
|
||||
|
||||
<para>Assuming that you have installed the
|
||||
<emphasis>conntrack</emphasis> package, you can delete all such
|
||||
conntrack table entries using:</para>
|
||||
|
||||
<programlisting> conntrack -D -s 192.168.0.2 -p udp --dport 53</programlisting>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>You are trying to test from inside your firewall (no, that
|
||||
won't work -- see <xref linkend="faq2"/>).</para>
|
||||
|
Loading…
Reference in New Issue
Block a user