Correct the behavior of rpfilter when FASTACCEPT=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-03-31 07:28:30 -07:00
parent 72869adcd6
commit 58700b2301

View File

@ -843,26 +843,28 @@ sub add_common_rules ( $ ) {
my $interfaceref = find_interface $interface; my $interfaceref = find_interface $interface;
unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} || $interfaceref->{physical} eq 'lo' ) { unless ( $interfaceref->{physical} eq 'lo' ) {
unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
my @filters = @{$interfaceref->{filter}}; my @filters = @{$interfaceref->{filter}};
$chainref = $filter_table->{forward_option_chain $interface}; $chainref = $filter_table->{forward_option_chain $interface};
if ( @filters ) { if ( @filters ) {
add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
} elsif ( $interfaceref->{bridge} eq $interface ) { } elsif ( $interfaceref->{bridge} eq $interface ) {
add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++ add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
unless( $config{ROUTE_FILTER} eq 'on' || unless( $config{ROUTE_FILTER} eq 'on' ||
$interfaceref->{options}{routeback} || $interfaceref->{options}{routeback} ||
$interfaceref->{options}{routefilter} || $interfaceref->{options}{routefilter} ||
$interfaceref->{physical} eq '+' ); $interfaceref->{physical} eq '+' );
} }
if ( @filters ) { if ( @filters ) {
$chainref = $filter_table->{input_option_chain $interface}; $chainref = $filter_table->{input_option_chain $interface};
add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters; add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
}
} }
for ( option_chains( $interface ) ) { for ( option_chains( $interface ) ) {