diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 093e0cf3f..832e09a01 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -235,12 +235,12 @@ our %targets = ('ACCEPT' => STANDARD,
 #
 # expand_rule() restrictions
 #
-use constant { NO_RESTRICT => 0, # Both -i and -o may be used in the rule
- PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table
- INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
- OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
+use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and -o may be used in the rule
+ PREROUTE_RESTRICT => 1, # PREROUTING chain rule - -o converted to -d <address list> using main routing table
+ INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
+ OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
 POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
- ALL_RESTRICT => 12 # INPUT_RESTRICT + OUTPUT_RESTRICT (fw->fw rule - neither -i nor -o allowed)
+ ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed
 };
 #
 # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 157592dbb..299b291a6 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1428,7 +1428,7 @@ sub generate_matrix() {
 for my $host ( @$exclusions ) {
 my ( $interface, $net ) = split /:/, $host;
- my $rule = match_source_dev( $interface ) . "-s $net -j RETURN";
+ my $rule = match_source_dev( $interface ) . match_source_net( $net ) . "-j RETURN";
 add_rule $frwd_ref , $rule;
 add_rule $in_ref , $rule;
 add_rule $out_ref , $rule;
@@ -1649,7 +1649,7 @@ sub generate_matrix() {
 }
 $chain = $chain1;
- } else {
+ } elsif ( $chain ne 'ACCEPT' ) {
 insert_exclusions $chainref , $exclusions1;
 }
 }
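Review bot: The rewritten ALL_RESTRICT comment drops the only explanation of why the value is 12, namely INPUT_RESTRICT + OUTPUT_RESTRICT (4 + 8), and because a sibling constant cannot be referenced from inside the same `use constant { ... }` block the comment is the only place that derivation can live; keep it, e.g. `ALL_RESTRICT => 12 # INPUT_RESTRICT | OUTPUT_RESTRICT - fw->fw rule, neither -i nor -o allowed`. The new "FORWARD chain rule" label on NO_RESTRICT also reads as if FORWARD were its only user; if expand_rule() is called with NO_RESTRICT for other chains as well, word it as "FORWARD (or any unrestricted) rule" so the constant is not misread as FORWARD-specific.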
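Review bot: The new concatenation on the `+` line relies on match_source_net() returning its match with a trailing space (and presumably an empty string for an "any" network), the same convention match_source_dev() evidently follows since the old code appended `-s $net` straight after it; if match_source_net() ever returns a match without that trailing space the generated rule degrades to `-s 10.0.0.0/8-j RETURN`, so pin the assumption with a comment on that line, e.g. `# match_source_net() yields '' or '<match> ' - the trailing space is relied on before -j`. Separately, `split /:/, $host` on the context line above takes no limit, so a network spec that itself contains a colon would be truncated before it reaches match_source_net(); if the helper accepts any such form, `my ( $interface, $net ) = split /:/, $host, 2;` keeps the whole spec intact. Both the for-loop and generate_matrix() start outside this hunk.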
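Review bot: The new `elsif ( $chain ne 'ACCEPT' )` silently skips insert_exclusions when the target is ACCEPT, and nothing visible in the hunk emits those exclusions instead; unless the preceding if-branch (which starts outside the hunk and ends with `$chain = $chain1;`) already covers the ACCEPT case, the hosts in $exclusions1 are accepted along with the rest of the zone, which is the opposite of what an exclusion is for. At minimum the intent needs a comment on the new line, e.g. `# ACCEPT is a builtin target, not a chain we can insert RETURN rules into - exclusions for it are handled above`, and if they are not handled anywhere a fatal_error here is safer than dropping a security control without notice. generate_matrix() and the enclosing if/else both start outside this hunk.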