extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Apply ctorigdstport fix to trunk

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9422 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2009-02-06 20:30:14 +00:00
parent 37988a5a31
commit 7e9e21dc00
2 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Shorewall-perl/Shorewall/Chains.pm
View File

@ -110,6 +110,7 @@ our %EXPORT_TAGS = (
source_exclusion source_exclusion
dest_exclusion dest_exclusion
clearrule clearrule
port_count
do_proto do_proto
mac_match mac_match
verify_mark verify_mark
@ -2251,7 +2252,7 @@ sub expand_rule( $$$$$$$$$$$ )
if ( $origdest ) { if ( $origdest ) {
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) { if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
$origdest = ''; $origdest = '';
$rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} elsif ( $origdest =~ /^detect:(.*)$/ ) { } elsif ( $origdest =~ /^detect:(.*)$/ ) {
# #
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@ -2272,7 +2273,7 @@ sub expand_rule( $$$$$$$$$$$ )
push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional; push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
$rule .= '-m conntrack --ctorigdst $address '; $rule .= '-m conntrack --ctorigdst $address ';
$rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} else { } else {
my $interface = $interfaces[0]; my $interface = $interfaces[0];
my $variable = get_interface_address( $interface ); my $variable = get_interface_address( $interface );
@ -2280,7 +2281,7 @@ sub expand_rule( $$$$$$$$$$$ )
push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface ); push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface );
$rule .= "-m conntrack --ctorigdst $variable "; $rule .= "-m conntrack --ctorigdst $variable ";
$rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; $rule .= "--ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} }
$origdest = ''; $origdest = '';
@ -2306,11 +2307,11 @@ sub expand_rule( $$$$$$$$$$$ )
} }
} }
$rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} }
} else { } else {
$oexcl = ''; $oexcl = '';
$rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport && port_count( $oport) == 1; $rule .= "-m conntrack --ctorigdstport $oport " if $capabilities{NEW_CONNTRACK_MATCH} && $oport;
} }
# #

7
Shorewall-perl/Shorewall/Rules.pm
View File

@ -1226,6 +1226,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
$server = $1; # May be empty $server = $1; # May be empty
$serverport = $3; # Not Empty due to RE $serverport = $3; # Not Empty due to RE
$origdstports = $ports; $origdstports = $ports;
if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
$origdstports = validate_port( $proto, $origdstports );
} else {
$origdstports = '';
}
if ( $serverport =~ /^(\d+)-(\d+)$/ ) { if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
# #
# Server Port Range # Server Port Range