Remove delayed insertion of RETURN rules in dnat chain

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8074 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-perl/Shorewall/Chains.pm

@@ -1410,7 +1410,7 @@ sub match_ipsec_out( $$ ) {
 sub log_rule_limit( $$$$$$$$ ) {
     my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, $predicates ) = @_;
 
-    my $prefix;
+    my $prefix = '';
 
     $level = validate_level $level; # Do this here again because this function can be called directly from user exits.
 
@@ -1423,38 +1423,48 @@ sub log_rule_limit( $$$$$$$$ ) {
 	$predicates .= $limit if $limit;
     }
 
-    if ( $tag ) {
+    if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
-	if ( $config{LOGTAGONLY} ) {
+	if ( $level =~ '^ULOG' ) {
-	    $chain = $tag;
+	    $prefix = "-j $level ";
-	    $tag   = '';
+	} elsif  ( $level =~ /^NFLOG/ ) {
+	    $prefix = "-j $level ";
 	} else {
-	    $tag .= ' ';
+	    $prefix = "-j LOG $globals{LOGPARMS}--log-level $level ";
 	}
     } else {
-	$tag = '' unless defined $tag;
+	if ( $tag ) {
+	    if ( $config{LOGTAGONLY} ) {
+		$chain = $tag;
+		$tag   = '';
+	    } else {
+		$tag .= ' ';
+	    }
+	} else {
+	    $tag = '' unless defined $tag;
+	}
+
+	$disposition =~ s/\s+.*//;
+	
+	if ( $globals{LOGRULENUMBERS} ) {
+	    $prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
+	} else {
+	    $prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag;
+	}
+
+	if ( length $prefix > 29 ) {
+	    $prefix = substr( $prefix, 0, 28 ) . ' ';
+	    warning_message "Log Prefix shortened to \"$prefix\"";
+	}
+
+	if ( $level =~ '^ULOG' ) {
+	    $prefix = "-j $level --ulog-prefix \"$prefix\" ";
+	} elsif  ( $level =~ /^NFLOG/ ) {
+	    $prefix = "-j $level --nflog-prefix \"$prefix\" ";
+	} else {
+	    $prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
+	}
     }
 
-    $disposition =~ s/\s+.*//;
-
-    if ( $globals{LOGRULENUMBERS} ) {
-	$prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
-    } else {
-	$prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag;
-    }
-
-    if ( length $prefix > 29 ) {
-	$prefix = substr( $prefix, 0, 28 ) . ' ';
-	warning_message "Log Prefix shortened to \"$prefix\"";
-    }
-
-    if ( $level =~ '^ULOG' ) {
-	$prefix = "-j $level --ulog-prefix \"$prefix\" ";
-    } elsif  ( $level =~ /^NFLOG/ ) {
-	$prefix = "-j $level --nflog-prefix \"$prefix\" ";
-    } else {
-	$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
-    }
-    
     if ( $command eq 'add' ) {
 	add_rule ( $chainref, $predicates . $prefix , 1 );
     } else {

Shorewall-perl/Shorewall/Rules.pm

@@ -1496,7 +1496,6 @@ sub generate_matrix() {
     my %policy_exclusions;
     my @interfaces = ( all_interfaces );
     my $preroutingref = ensure_chain 'nat', 'dnat';
-    my @returnstack;
     my $fw = firewall_zone;
     #
     # Special processing for complex zones
@@ -1643,12 +1642,17 @@ sub generate_matrix() {
 			my $source = match_source_net $net;
 
 			if ( $dnatref->{referenced} ) {
-			    add_rule $preroutingref, $_ for ( @returnstack );
+			    #
-			    @returnstack = ();
+			    # There are DNAT/REDIRECT rules with this zone as the source.
+			    # Add a jump from this source network to this zone's DNAT/REDIRECT chain
+			    #
 			    add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $dnatref->{name} );
 			}
-
+			#
-			push @returnstack, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
+			# If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
+			# then add a RETURN jump for this source network.
+			#
+			add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
 
 			if ( $chain2 ) {
 			    if ( @$exclusions ) {