From 755983b38c76e704b922fe8f66310c74951b7c4b Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 12 Jan 2008 17:39:14 +0000
Subject: [PATCH] Make DNAT/MASQ short-circuit dependent on z->fw policy
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8050 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Rules.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 232e5cab5..3ac24a36b 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1484,6 +1484,7 @@ sub generate_matrix() {
 my @interfaces = ( all_interfaces );
 my $preroutingref = ensure_chain 'nat', 'dnat';
 my @returnstack;
+ my $fw = firewall_zone;
 #
 # Special processing for complex zones
 #
@@ -1597,7 +1598,7 @@ sub generate_matrix() {
 add_rule $preroutingref, $_ for ( @returnstack );
 @returnstack = ();
 add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $chainref->{name} );
- push @returnstack, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' );
+ push @returnstack, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) unless $filter_table->{"${zone}2${fw}"}->{policy} eq 'CONTINUE';
 }
 if ( $chain2 ) {
@@ -1830,7 +1831,6 @@ sub generate_matrix() {
 addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
 }
- my $fw = firewall_zone;
 my $chainref = $filter_table->{"${fw}2${fw}"};
 add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
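Review bot: The `unless $filter_table->{"${zone}2${fw}"}->{policy} eq 'CONTINUE'` added to the `push @returnstack` line in the second hunk dereferences the zone-to-firewall chain without checking that it exists. If no `${zone}2${fw}` entry is present at this point (the code that creates it is not visible here), Perl autovivifies an empty hash in `$filter_table` and compares undef with `eq`, which warns and may leave a nameless chain entry for later walks of the filter table. A guarded lookup avoids both: `my $policy = ( $filter_table->{"${zone}2${fw}"} || {} )->{policy} || '';` followed by `push @returnstack, join( ... ) unless $policy eq 'CONTINUE';`. Because this condition decides whether processing in the nat table's `dnat` chain stops for the zone, a one-line comment saying why only the zone-to-firewall policy is consulted would help the next reader. The body of generate_matrix starts and ends outside the hunk.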