From 9a42f57a6a21beb268d7e4eaf6f2e738d911a20c Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 27 Jul 2005 17:29:20 +0000
Subject: [PATCH] Allow 'ipsec' in /etc/shorewall/hosts to work in the presence of dynamic zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2419 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/firewall | 49 +++++++++++++++++++++++++++-------------------
 1 file changed, 29 insertions(+), 20 deletions(-)

diff --git a/Shorewall/firewall b/Shorewall/firewall
index 4d5b3d55d..1478abc9d 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -4220,28 +4220,31 @@ process_actions1() { fn=$(find_file $f1) if [ ! -f $TMP_DIR/$f1 ]; then + # + # We must only verify macros once to ensure that they don't invoke any non-standard actions + # if [ -f $fn ]; then strip_file $f1 $fn + + progress_message " ..Expanding Macro $fn..." + + while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do + expandv mtarget + temp="${mtarget%%:*}" + case "$temp" in + ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM) + ;; + *) + rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec" + startup_error "Invalid TARGET in rule \"$rule\"" + esac + done < $TMP_DIR/$f1 + + progress_message " ..End Macro" else rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" startup_error "Invalid TARGET in rule \"$rule\"" fi - - progress_message " ..Expanding Macro $fn..." - - while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do - expandv mtarget - temp="${mtarget%%:*}" - case "$temp" in - ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM) - ;; - *) - rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec" - startup_error "Invalid TARGET in rule \"$rule\"" - esac - done < $TMP_DIR/$f1 - - progress_message " ..End Macro" fi fi ;;
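Review bot: The TARGET validation of a macro now runs only on the path where `$TMP_DIR/$f1` does not yet exist and `strip_file` (presumably) produces it, so the "verify once" guarantee in the new comment rests on this being the only code that creates that file; if another path strips a macro into `$TMP_DIR` first (not visible from here), that macro's targets are never checked. The new comment should state that invariant, e.g. `# Verification piggybacks on the first strip_file of the macro; nothing else may create $TMP_DIR/$f1`. In the moved loop, `read` without `-r` strips backslashes from each macro line before `mtarget` is checked; if backslash continuation is not intended in macro files, `while read -r mtarget ...` keeps the check faithful to the file contents, and quoting `done < "$TMP_DIR/$f1"` guards against a TMP_DIR containing spaces. process_actions1's body begins and ends outside the hunk.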
@@ -7541,6 +7544,14 @@ activate_rules() fi } + # + # Create a dynamic chain for a zone and jump to it from a second chain + # + create_zone_dyn_chain() # $1 = zone, $2 = second chain + { + createchain ${1}_dyn No + run_iptables -A $2 -j ${1}_dyn + } # # Add jumps to early SNAT chains #
@@ -7584,12 +7595,10 @@ activate_rules() if [ -n "$is_ipsec" ]; then eval source_hosts=\$${zone}_hosts - if [ -n "$DYNAMIC_ZONES" ]; then - createchain ${zone}_dyn No - run_iptables -A $frwd_chain -j ${zone}_dyn - fi + [ -n "$DYNAMIC_ZONES" ] && create_zone_dyn_chain $zone $frwd_chain else eval source_hosts=\$${zone}_ipsec_hosts + [ -n "$DYNAMIC_ZONES" -a -n "$source_hosts" ] && create_zone_dyn_chain $zone $frwd_chain fi for host in $source_hosts; do
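Review bot: `createchain ${1}_dyn No` runs unconditionally, so if create_zone_dyn_chain is ever reached twice for one zone — which the new else-branch call in the following hunk makes conceivable for a non-ipsec zone whose plain hosts also get a dynamic chain on a path outside these hunks — the chain is created a second time, and whether createchain tolerates that is not visible here. Either guard the creation with the script's chain-existence test, if it has one, or document on the helper that callers must invoke it at most once per zone, e.g. `# Must be called at most once per zone: createchain is not idempotent`. A trailing comment on the `createchain` line naming what its second argument `No` controls would also help, since the literal is opaque at the call site. The helper appears to be nested inside activate_rules(), whose body lies outside the hunk.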
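Review bot: The new else-branch line combines two conditions with `-a` inside a single `[ ... ]`; POSIX marks that binary form obsolescent and leaves results unspecified once operands can look like options, so the same condition is more robust as two tests: `[ -n "$DYNAMIC_ZONES" ] && [ -n "$source_hosts" ] && create_zone_dyn_chain $zone $frwd_chain`. The two branches are now visibly asymmetric — the ipsec branch creates the dynamic chain even when `$source_hosts` is empty while the new line requires hosts — and if that is deliberate a one-line comment such as `# only zones that actually have ipsec hosts get a dynamic chain here` would stop the next reader from "fixing" one branch to match the other. The zone loop enclosing these lines begins before the hunk and continues past it.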