From 9555a552c2e06a3f5040958fd2ddb931c4b16afb Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 9 Jun 2011 09:57:45 -0700
Subject: [PATCH] Fix FORWARD with ipsec dest
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 45 ++++++++++++++++++++++---------
 Shorewall/Perl/Shorewall/Zones.pm | 3 ---
 2 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index eafa7ea70..21d7ddd25 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -478,6 +478,7 @@ sub add_common_rules() {
 my $chainref;
 my $chainref1;
 my $target;
+ my $target1;
 my $rule;
 my $list;
 my $chain;
@@ -497,16 +498,14 @@ sub add_common_rules() {
 setup_mss;
- if ( $config{FASTACCEPT} ) {
- add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT OUTPUT );
- }
+ add_rule( $filter_table->{OUTPUT} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) if ( $config{FASTACCEPT} );
 my $policy = $config{SFILTER_DISPOSITION};
 $level = $config{SFILTER_LOG_LEVEL};
 my $audit = $policy =~ s/^A_//;
- my $ipsec = have_ipsec ? '-m policy --pol none --dir in ' : '';
+ my $ipsec = have_ipsec ? '-m policy --pol none --dir in ' : '';
- if ( $level || $audit ) {
+ if ( $level || $audit || $ipsec ) {
 $chainref = new_standard_chain 'sfilter';
 log_rule $level , $chainref , $policy , '' if $level ne '';
@@ -516,10 +515,26 @@ sub add_common_rules() {
 add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
 $target = 'sfilter';
+
+ if ( $ipsec ) {
+ $chainref = new_standard_chain 'sfilter1';
+
+ add_rule ( $chainref, '-m policy --pol ipsec --dir out -j RETURN' );
+
+ log_rule $level , $chainref , $policy , '' if $level ne '';
+
+ add_rule( $chainref, '-j AUDIT --type ' . lc $policy ) if $audit;
+
+ add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
+
+ $target1 = 'sfilter1';
+ }
 } elsif ( ( $target = $policy ) eq 'REJECT' ) {
 $target = 'reject';
 }
+ $target1 = $target unless $target1;
+
 for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
 ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
@@ -530,20 +545,26 @@ sub add_common_rules() {
 my @filters = @{$interfaceref->{filter}};
 $chainref = $filter_table->{forward_chain $interface};
- $chainref1 = $filter_table->{input_chain $interface};
 if ( @filters ) {
- for ( @filters ) {
- add_jump( $chainref , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++;
- add_jump( $chainref1 , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref1->{filtered}++;
- }
+ add_jump( $chainref , $target1, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++ for @filters;
+ } elsif ( $interfaceref->{bridge} eq $interface ) {
+ add_jump( $chainref , $target1, 1, match_dest_dev( $interface ) . $ipsec ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
+ }
+
+ add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
+ add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref;
+
+ $chainref = $filter_table->{input_chain $interface};
+
+ if ( @filters ) {
+ add_jump( $chainref , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++ for @filters;
 } elsif ( $interfaceref->{bridge} eq $interface ) {
 add_jump( $chainref , $target, 1, match_dest_dev( $interface ) . $ipsec ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
 }
- add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
+ add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
 add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref;
- }
 }
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 326026bc6..c46d0aa78 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
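Review bot: The forward-chain block and the input-chain block in this hunk are the same six lines written twice, differing only in which chain `$chainref` points at and whether the sfilter target is `$target1` or `$target`; a two-iteration loop over `[chain, target]` pairs removes the duplication and keeps the FASTACCEPT and `$dynamicref` rules in lockstep for both chains. The order inside each block — ESTABLISHED,RELATED ACCEPT appended only after the sfilter jumps — is presumably what makes dropping the "sfilter is ineffective with FASTACCEPT=Yes" warning in Zones.pm safe, so it deserves a comment such as `# FASTACCEPT and $dynamicref jumps must follow the sfilter jumps so they cannot bypass the filter`. With `$chainref1` no longer assigned here, its declaration (`my $chainref1;` in the first hunk) looks unused unless something outside these hunks still sets it, which is worth checking. The enclosing `for $interface` loop starts in the previous hunk.
```perl
	my @filters = @{$interfaceref->{filter}};

	# FORWARD uses $target1 (sfilter1 RETURNs on --pol ipsec --dir out);
	# INPUT keeps $target.  FASTACCEPT and $dynamicref jumps must follow
	# the sfilter jumps so they cannot bypass the filter.
	for my $pair ( [ forward_chain( $interface ), $target1 ],
		       [ input_chain( $interface ),   $target  ] ) {
	    my ( $chain_name, $sfilter_target ) = @{$pair};
	    $chainref = $filter_table->{$chain_name};

	    if ( @filters ) {
		add_jump( $chainref , $sfilter_target, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++ for @filters;
	    } elsif ( $interfaceref->{bridge} eq $interface ) {
		add_jump( $chainref , $sfilter_target, 1, match_dest_dev( $interface ) . $ipsec ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
	    }

	    add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
	    add_jump( $chainref, $dynamicref, 0, $state ), $chainref->{filtered}++ if $dynamicref;
	}
	# … unchanged: closing brace of the for $interface loop …
```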
@@ -1059,10 +1059,7 @@ sub process_interface( $$ ) {
 # $hostoptions{broadcast} = 1;
 } elsif ( $option eq 'sfilter' ) {
- warning_message "sfilter is ineffective with FASTACCEPT=Yes" if $config{FASTACCEPT};
- $filterref = [ split_list $value, 'address' ];
- validate_net( $_, 1) for @{$filterref}
 } else {
 assert(0);