diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index c9bd94b64..1fe7662b5 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -610,7 +610,9 @@ sub add_reference ( $$ ) {
 # Chain reference , Rule Number, Rule
 #
 # In the first function, the rule number is zero-relative. In the second function,
-# the rule number is one-relative.
+# the rule number is one-relative. In the first function, if the rule number is < 0, then
+# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
+# inserted at the front of the chain and the chain's 'blacklist' member is incremented.
 #
 sub insert_rule1($$$) {
@@ -692,7 +694,7 @@ sub increment_reference_count( $$ ) {
 #
 # The rules generated by interface options are added to the interfaces's input chain and
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
-# the head of a rules chain (behind any blacklist rules already there).
+# the head of a rules chain (behind any blacklist rule already there).
 sub move_rules( $$ ) {
     my ($chain1, $chain2 ) = @_;
@@ -759,6 +761,11 @@ sub copy_rules( $$ ) {
     my $last = pop @$rules2; # Delete the jump to chain1
+    if ( $blacklist2 && $blacklist1 ) {
+	shift @rules1;
+	assert( ! --$chain1->{blacklist} );
+	$blacklist1 = 0;
+    }
     #
     # Chain2 is now a referent of all of Chain1's targets
     #
@@ -767,14 +774,14 @@ sub copy_rules( $$ ) {
     }
     if ( $blacklist1 ) {
-	if ( $debug ) {
-	    my $rule = @$rules2;
-	    trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
-	}
+	assert( $blacklist1 == 1 );
-	splice @$rules2, $blacklist2, 0, splice( @rules1, 0, $blacklist1 );
+	trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
-	$chain2->{blacklist} += $blacklist1;
+	unshift @$rules2, shift @rules1;
+
+	$chain1->{blacklist} = 0;
+	$chain2->{blacklist} = 1;
     }
     if ( $debug ) {
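Review bot: The new `if ( $blacklist2 && $blacklist1 )` block in copy_rules discards chain1's first rule on the assumption that it is the same blacklist jump chain2 already carries, but the only check is that chain1's `blacklist` count drops to zero; nothing verifies that the discarded rule is a blacklist jump at all, or that it targets the same chain (the comment added to insert_rule1 in this same commit says the target may be either `blacklst` or `blackout`). If the two chains jump to different blacklist chains, the merge silently loses one of those checks for the traffic chain1 covered, and the blacklist jump is what keeps blacklisted sources from reaching the rules below it. Comparing the dropped rule with chain2's existing jump, e.g. `my $dropped = shift @rules1; assert( $dropped eq $rules2->[0] );` if rules are plain strings (compare the target field instead if they are structured), would turn the assumption into an assert. A comment such as `# Both chains already carry a blacklist jump; keep chain2's and drop chain1's copy` would also help the next reader. copy_rules starts before this hunk and continues after it.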
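Review bot: The line `unshift @$rules2, shift @rules1;` now places chain1's blacklist jump at the head of chain2 unconditionally, where the removed `splice` inserted it at offset `$blacklist2`; that is only correct when chain2 has no blacklist jump of its own, which the earlier `$blacklist2 && $blacklist1` branch arranges by zeroing `$blacklist1`, but nothing in this branch asserts it. Since a blacklist jump anywhere but first would let chain2's rules see blacklisted traffic before the blacklist check, adding `assert( ! $blacklist2 );` beside `assert( $blacklist1 == 1 );` is cheap insurance, and `$chain2->{blacklist} = 1` overwriting rather than adding deserves a comment like `# chain2 had no blacklist jump; chain1's is now its only one`. The debug trace still reports the rule with code 'A' at position 1 even though it is inserted rather than appended; if trace() has a code for insertion, use it here. copy_rules starts before this hunk and continues after it.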