From 092da7ce67802848079d5575570db26c7aa6373d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 7 Oct 2011 15:07:09 -0700
Subject: [PATCH 1/4] Add proxyndp to 'pairs' documentation
Signed-off-by: Tom Eastep
---
docs/configuration_file_basics.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml
index 5a811ca57..af1f1c203 100644
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -634,7 +634,7 @@ ACCEPT net:\ - proxyarp + proxyarp and proxyndp address,interface,external,haveroute,persistent
From 04c2007d53ba4687c09dc6622a4d8c4a7a86a0f3 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 8 Oct 2011 07:03:01 -0700
Subject: [PATCH 2/4] Resolve merge conflicts
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Rules.pm | 34 ++++++++++++-------------------
1 file changed, 13 insertions(+), 21 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 2d70d3b9d..94487066b 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1771,8 +1772,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
}
- if ( $inaction ) {
- $targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY )
+ if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
+ $targets{$inaction} |= NATRULE if $inaction;
+ fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
}
#
# Take care of irregular syntax and targets
@@ -1934,9 +1935,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
#
$chainref = ensure_rules_chain $chain;
#
- # Don't let the rules in this chain be moved elsewhere
- #
- dont_move $chainref;
+ # Don't let the rules in this chain be moved elsewhere
+ #
+ dont_move $chainref;
}
}
#
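Review bot: The new `fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';` in the @@ -1771 hunk now fires for every NATRULE/NONAT/NATONLY target, including rules expanded from inside an action (`$inaction` true), where the old code only updated `$targets{$inaction}`; whether `$section` holds a meaningful value while an action body is being expanded is not visible here, so that path is worth confirming before the check is relied on. The restriction itself is not explained at the site; a why-comment such as `# NAT targets act in the nat table, which only sees a connection's first packet, so they belong in the NEW section` (wording to be confirmed against the intended reason) would make the fatal_error self-explanatory. process_rule1 starts and ends outside this hunk.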
@@ -2142,11 +2143,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
my $chn;
if ( $inaction ) {
- $nonat_chain = ensure_chain 'nat', $chain;
+ $nonat_chain = ensure_chain( 'nat', $chain );
} elsif ( $sourceref->{type} == FIREWALL ) {
$nonat_chain = $nat_table->{OUTPUT};
} else {
- $nonat_chain = ensure_chain 'nat', dnat_chain $sourcezone;
+ $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
my @interfaces = keys %{zone_interfaces $sourcezone};
@@ -2187,6 +2188,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
}
}
+ dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+
expand_rule( $nonat_chain ,
PREROUTE_RESTRICT ,
$rule ,
@@ -2198,19 +2201,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$log_action ,
'',
);
- #
- # Possible optimization if the rule just generated was a simple jump to the nonat chain
- #
- if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
- #
- # It was -- delete that rule
- #
- pop @{$nonat_chain->{rules}};
- #
- # And move the rules from the nonat chain to the zone dnat chain
- #
- move_rules ( $chn, $nonat_chain );
- }
}
#
@@ -2221,6 +2211,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
if ( $actiontype & ACTION ) {
$action = $usedactions{$normalized_target}{name};
$loglevel = '';
+ } else {
+ dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
}
if ( $origdest ) {
@@ -2235,7 +2227,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
verify_audit( $action ) if $actiontype & AUDIT;
- expand_rule( ensure_chain( 'filter', $chain ) ,
+ expand_rule( $chainref ,
$restriction ,
$rule ,
$source ,
From e322e60d737b21df39442fc186094987b7b45852 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 8 Oct 2011 12:32:29 -0700
Subject: [PATCH 3/4] Fix 'fallback'
---
Shorewall/Perl/Shorewall/Providers.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index f551b4746..71fcd47e8 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
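Review bot: With the "Possible optimization" block removed in the @@ -2198 hunk, the only visible reader of `$chn` (`if ( $chn && ... )`) is gone, yet `my $chn;` still appears as context at the top of the @@ -2142 hunk. If nothing else in process_rule1 assigns or reads it — the sub extends well beyond these hunks, so this is inferred — the declaration and whatever assignment fed it are now dead and should be removed in the same change, otherwise the next reader will hunt for a use that no longer exists.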
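Review bot: `dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';` in the @@ -2187 hunk and `dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';` in the @@ -2221 hunk both depend on dont_optimize returning the chain reference it was given; that contract is not visible in this series, so confirm it where dont_optimize is defined, or write each as two statements so the code does not rely on it. The two sites also guard on different variables (`$tgt` versus `$action`); if `$tgt` is derived from `$action` earlier in the sub, a short comment at the first site saying so would keep the two guards from drifting apart. Style nit: the second site has a space before the parenthesis (`dont_optimize (`) where the first does not; use one form in both places.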
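Review bot: In the @@ -2235 hunk `expand_rule` now receives `$chainref` instead of a freshly obtained `ensure_chain( 'filter', $chain )`, so correct placement of the rule depends on every path through process_rule1 having set `$chainref` to the filter chain for `$chain` before this point; the only assignment visible in the series, `$chainref = ensure_rules_chain $chain;` at the @@ -1934 hunk, sits inside a conditional block. If some path reaches this call with `$chainref` undefined or still holding the value it had on entry, the rule silently lands in the wrong chain; a guard such as `fatal_error "Internal error: no chain established for $chain" unless $chainref;` immediately before the call would turn that into a clear failure. process_rule1 begins and ends outside this hunk.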
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -581,6 +581,8 @@ sub add_a_provider( $$ ) {
emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
}
+
+ $default = 0;
}
unless ( $local ) {
From b5963c678333b0e71ef8a2e918630c54bd4a0874 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 8 Oct 2011 17:01:18 -0700
Subject: [PATCH 4/4] Fix alternate nat handling
---
Shorewall/Perl/Shorewall/Nat.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index bec89ed9a..bd62a0ab5 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -377,7 +377,7 @@ sub setup_nat() {
while ( read_a_line ) {
- my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 1, interface => 1, internal => 2, allints => 3, localnat => 4 };
+ my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, localnat => 4 };
if ( $external eq 'COMMENT' ) {
process_comment;
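Review bot: `$default = 0;` in the add_a_provider hunk is added without any comment, and nothing in the hunk shows what `$default` governs or who reads it afterwards; given the commit title, a why-comment along the lines of `# This provider's default route has been emitted; clear $default so the fallback handling below does not add it again` — wording to be checked against the code that reads $default — would save the next reader a trace through the sub. The reset also sits after the closing brace of the inner block that emits the route commands, so it runs whenever the enclosing branch is taken rather than only when those commands were emitted; confirm that is the intended scope. add_a_provider starts and ends outside this hunk.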