diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index d0e8a9a66..592a96e5c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -620,6 +620,11 @@ sub insert_rule1($$$)
 $rule .= "-m comment --comment \"$comment\"" if $comment;
 $rule = join( ' ', '-A', $rule );
+ if ( $number < 0 ) {
+ $chainref->{frozen}++;
+ $number = 0;
+ }
+
 splice( @{$chainref->{rules}}, $number, 0, $rule );
 trace( $chainref, 'I', ++$number, $rule ) if $debug;
@@ -1040,8 +1045,8 @@ sub ensure_chain($$)
 # optional 5th argument causes long port lists to be split. The optional 6th
 # argument, if passed, gives the 0-relative index where the jump is to be inserted.
 #
-sub add_jump( $$$;$$$$ ) {
- my ( $fromref, $to, $goto_ok, $predicate, $expandports, $index, $freeze ) = @_;
+sub add_jump( $$$;$$$ ) {
+ my ( $fromref, $to, $goto_ok, $predicate, $expandports, $index ) = @_;
 $predicate |= '';
@@ -1074,8 +1079,6 @@ sub add_jump( $$$;$$$$ ) {
 } else {
 add_rule ($fromref, join( '', $predicate, "-$param $to" ), $expandports || 0 );
 }
-
- $fromref->{frozen}++ if $freeze;
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 314b178fc..b4b681dd9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
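Review bot: The added `if ( $number < 0 )` branch in insert_rule1 makes every negative index mean "insert at position 0 and increment `frozen`", yet nothing at this site documents that sentinel, and the test is broader than the `-1` the callers in this commit pass. A caller that computes an index and ends up below zero would now silently freeze a rule at the head of the chain instead of reaching `splice` with the value it passed. I would add a comment above the branch, `# A negative index means: insert at the head of the chain and count the rule as frozen`, and consider narrowing the test to the value actually used, `if ( $number == -1 ) {`. insert_rule1 begins and ends outside the hunk, so its other callers are not visible here.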
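Review bot: The header comment kept as context above add_jump still describes the 6th argument only as "the 0-relative index where the jump is to be inserted", while after this commit a negative value in that argument replaces the removed `$freeze` parameter. Add a line to that comment, for example `# A negative index inserts the jump at the head of the chain and freezes it there.`, so the overloaded meaning is stated where the interface is described. Because the prototype shrinks from `$$$;$$$$` to `$$$;$$$`, a call elsewhere that still passes a seventh argument should be rejected when it is compiled against the prototype; callers outside this diff are worth checking. The body of add_jump continues outside the hunk.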
@@ -1874,20 +1874,20 @@ sub generate_matrix() {
 if ( $zoneref->{options}{in}{blacklist} ) {
 my $blackref = $filter_table->{blacklst};
- add_jump $frwd_ref , $blackref, 0, $state, 0, undef, 1;
- add_jump ensure_filter_chain( rules_chain( $zone, firewall_zone ), 1 ) , $blackref , 0, $state, 0, 0, 1;
+ add_jump $frwd_ref , $blackref, 0, $state, 0, -1;
+ add_jump ensure_filter_chain( rules_chain( $zone, firewall_zone ), 1 ) , $blackref , 0, $state, 0, -1;
 }
 if ( $zoneref->{options}{out}{blacklist} ) {
 my $blackref = $filter_table->{blackout};
- add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, 0, 1;
+ add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1;
 for my $zone1 ( @zones ) {
 my $ruleschain = rules_chain( $zone1, $zone );
 my $ruleschainref = $filter_table->{$ruleschain};
 if ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) {
- add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, 0 , 1 );
+ add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
 }
 }
 }
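Review bot: The first changed call, `add_jump $frwd_ref , $blackref, 0, $state, 0, -1;`, is not a like-for-like migration as the other three are: it previously passed `undef` as the index, where the others passed `0`. Assuming add_jump appends when the index is undefined, as its visible `add_rule` branch suggests, the blacklst jump in the forward chain moves from the end of the chain to its head. That looks like the right placement, since a blacklist jump has to be evaluated before any rule that could accept the packet, but the commit message should state the change in ordering. A short comment at the first call, `# -1: insert at the head of the chain and freeze`, would also keep the bare `-1` from reading as an ordinary position.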