diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 6e835bf0f..b8f8b1631 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1410,7 +1410,7 @@ sub match_ipsec_out( $$ ) {
 sub log_rule_limit( $$$$$$$$ ) {
 my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, $predicates ) = @_;
- my $prefix;
+ my $prefix = '';
 $level = validate_level $level; # Do this here again because this function can be called directly from user exits.
@@ -1423,38 +1423,48 @@ sub log_rule_limit( $$$$$$$$ ) {
 $predicates .= $limit if $limit;
 }
- if ( $tag ) {
- if ( $config{LOGTAGONLY} ) {
- $chain = $tag;
- $tag = '';
+ if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
+ if ( $level =~ '^ULOG' ) {
+ $prefix = "-j $level ";
+ } elsif ( $level =~ /^NFLOG/ ) {
+ $prefix = "-j $level ";
 } else {
- $tag .= ' ';
+ $prefix = "-j LOG $globals{LOGPARMS}--log-level $level ";
 }
 } else {
- $tag = '' unless defined $tag;
+ if ( $tag ) {
+ if ( $config{LOGTAGONLY} ) {
+ $chain = $tag;
+ $tag = '';
+ } else {
+ $tag .= ' ';
+ }
+ } else {
+ $tag = '' unless defined $tag;
+ }
+
+ $disposition =~ s/\s+.*//;
+
+ if ( $globals{LOGRULENUMBERS} ) {
+ $prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
+ } else {
+ $prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag;
+ }
+
+ if ( length $prefix > 29 ) {
+ $prefix = substr( $prefix, 0, 28 ) . ' ';
+ warning_message "Log Prefix shortened to \"$prefix\"";
+ }
+
+ if ( $level =~ '^ULOG' ) {
+ $prefix = "-j $level --ulog-prefix \"$prefix\" ";
+ } elsif ( $level =~ /^NFLOG/ ) {
+ $prefix = "-j $level --nflog-prefix \"$prefix\" ";
+ } else {
+ $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
+ }
 }
- $disposition =~ s/\s+.*//;
-
- if ( $globals{LOGRULENUMBERS} ) {
- $prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
- } else {
- $prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag;
- }
-
- if ( length $prefix > 29 ) {
- $prefix = substr( $prefix, 0, 28 ) . ' ';
- warning_message "Log Prefix shortened to \"$prefix\"";
- }
-
- if ( $level =~ '^ULOG' ) {
- $prefix = "-j $level --ulog-prefix \"$prefix\" ";
- } elsif ( $level =~ /^NFLOG/ ) {
- $prefix = "-j $level --nflog-prefix \"$prefix\" ";
- } else {
- $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
- }
-
 if ( $command eq 'add' ) {
 add_rule ( $chainref, $predicates . 
$prefix , 1 );
 } else {
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index e66078ecc..f9fe0101b 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1496,7 +1496,6 @@ sub generate_matrix() {
 my %policy_exclusions;
 my @interfaces = ( all_interfaces );
 my $preroutingref = ensure_chain 'nat', 'dnat';
- my @returnstack;
 my $fw = firewall_zone;
 #
 # Special processing for complex zones
@@ -1643,12 +1642,17 @@ sub generate_matrix() {
 my $source = match_source_net $net;
 if ( $dnatref->{referenced} ) {
- add_rule $preroutingref, $_ for ( @returnstack );
- @returnstack = ();
+ #
+ # There are DNAT/REDIRECT rules with this zone as the source.
+ # Add a jump from this source network to this zone's DNAT/REDIRECT chain
+ #
 add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $dnatref->{name} );
 }
-
- push @returnstack, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
+ #
+ # If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
+ # then add a RETURN jump for this source network.
+ #
+ add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
 if ( $chain2 ) {
 if ( @$exclusions ) {
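Review bot: In the new `if ( $config{LOGFORMAT} =~ /^\s*$/ )` branch a caller-supplied `$tag` (and with it the LOGTAGONLY handling) is discarded with no diagnostic, so a rule that asks for a log tag silently emits an untagged LOG/ULOG/NFLOG rule whenever LOGFORMAT is blank, which defeats log correlation that relies on the tag. A single line at the top of that branch, `warning_message "Log tag \"$tag\" ignored because LOGFORMAT is empty" if $tag;`, would surface the loss when the configuration is compiled instead of when the logs are reviewed. As a point of style, the branch tests `$level =~ '^ULOG'` with a string pattern while the sibling arm uses `/^NFLOG/`, and both arms assign the identical `"-j $level "`, so `if ( $level =~ /^(?:ULOG|NFLOG)/ )` would remove a duplicated arm. The body of log_rule_limit continues past the end of this hunk.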
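Review bot: The guard on the new RETURN rule is only `if $nested`, while the comment directly above it says the rule is added only when "there are no CONTINUE policies with this zone as the source"; unless `$nested` is computed elsewhere to already include that condition (it is set outside this hunk), the comment overstates what the code checks, and either the comment should be reduced to `# If this zone has parents with DNAT/REDIRECT rules, add a RETURN for this source network.` or the CONTINUE test made explicit in the guard. The same comment misspells "policies" as "polcies". The match expression `join( '', match_source_dev( $interface), $source, $ipsec_in_match, ... )` is now built twice in this hunk; hoisting it once, `my $match = join( '', match_source_dev( $interface ), $source, $ipsec_in_match );`, before the `if ( $dnatref->{referenced} )` keeps the DNAT jump and the RETURN guaranteed to select the same traffic if either call is later edited. The body of generate_matrix continues on both sides of this hunk.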