Fix for DNAT/REDIRECT nested-zone mess

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8048 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -8,6 +8,8 @@ Changes in 4.1.4
 
 3)  Don't fully populate /etc/shorewall under Cygwin
 
+4)  Fix part of the DNAT/REDIRECT fiasco.
+
 Changes in 4.1.3
 
 1)  Fix NFLOG/ULOG upcasing problem.

Shorewall-common/releasenotes.txt

@@ -23,6 +23,38 @@ Problems corrected in Shorewall 4.1.4.
 2)  The compilation date recorded in the firewall.conf file produced by
     Shorewall-perl was previously mangled.
 
+3)  Previously, the following situation would result in unexpected
+    behavior.
+
+    /etc/shorewall/zones:
+
+	#ZONE	     TYPE
+	fw	     firewall
+	net	     ipv4
+	loc	     ipv4
+	dmz	     ipv4
+
+    /etc/shorewall/interfaces:
+
+	#ZONE        INTERFACE    BROADCAST      OPTIONS
+	net	     ppp0
+	loc	     eth1
+	loc	     ppp+
+	dmz	     eth2
+
+    /etc/shorewall/rules:
+
+	#ACTION   SOURCE     DEST     PROTO    DEST
+	#                                      PORT(S)
+	ACCEPT    net        dmz      tcp      80
+	REDIRECT  loc        3128     tcp      80
+
+    The web server in the dmz (implied by the first rule) is
+    inaccessible from the 'net' zone because the REDIRECT rule 
+    redirects all traffic arriving on 'ppp+' to local port 3128.
+
+    Shorewall 4.1.4 includes a fix for this problem.
+
 Other changes in Shorewall 4.1.4.
 
 1)  When installing on Cygwin, /etc/shorewall is no longer fully

Shorewall-perl/Shorewall/Chains.pm

@@ -91,6 +91,7 @@ our %EXPORT_TAGS = (
 				       first_chains
 				       ensure_chain
 				       ensure_mangle_chain
+				       ensure_nat_chain
 				       new_standard_chain
 				       new_builtin_chain
 				       new_nat_chain
@@ -679,6 +680,16 @@ sub ensure_mangle_chain($) {
     $chainref;
 }
 
+sub ensure_nat_chain($) {
+    my $chain = $_[0];
+
+    my $chainref = ensure_chain 'nat', $chain;
+
+    $chainref->{referenced} = 1;
+
+    $chainref;
+}
+
 #
 # Add a builtin chain
 #

Shorewall-perl/Shorewall/Rules.pm

@@ -1482,7 +1482,8 @@ sub generate_matrix() {
     my %chain_exclusions;
     my %policy_exclusions;
     my @interfaces = ( all_interfaces );
-
+    my $preroutingref = ensure_chain 'nat', 'dnat';
+    my @returnstack;
     #
     # Special processing for complex zones
     #
@@ -1590,7 +1591,14 @@ sub generate_matrix() {
 
 			my $source = match_source_net $net;
 
-			addnatjump 'PREROUTING' , dnat_chain $zone, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
+			my $chainref = $nat_table->{dnat_chain $zone};
+
+			if ( $chainref->{referenced} ) {
+			    add_rule $preroutingref, $_ for ( @returnstack );
+			    @returnstack = ();
+			    add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $chainref->{name} );
+			    push @returnstack, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' );
+			}
 
 			if ( $chain2 ) {
 			    if ( @$exclusions ) {
@@ -1796,6 +1804,8 @@ sub generate_matrix() {
 	addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
     }
 
+    addnatjump 'PREROUTING', 'dnat', '';
+
     if ( $config{DYNAMIC_ZONES} ) {
 	for my $interface ( @interfaces ) {
 	    addnatjump 'PREROUTING' , dynamic_in( $interface ), match_source_dev( $interface );

docs/MultiISP.xml

@@ -939,8 +939,8 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
       <orderedlist numeration="loweralpha">
         <listitem>
           <para>Only ethernet (or ethernet-like) interfaces can be used. For
-          inbound traffic, the MAC addresses of the gateway routers is used to
-          determine which provider a packet was received through. Note that
+          inbound traffic, the MAC addresses of the gateway routers are used
+          to determine which provider a packet was received through. Note that
           only routed traffic can be categorized using this technique.</para>
         </listitem>