From 9d288241da614e4ca4caea138cb597121259b1ce Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 2 Feb 2010 19:42:54 -0800 Subject: [PATCH] Fix issues in generate_matrix(). Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Rules.pm | 12 ++++++++---- Shorewall/changelog.txt | 2 ++ 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index fe792b5e5..2609ddbb4 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1833,10 +1833,12 @@ sub generate_matrix() { my $nextchain = dest_exclusion( $exclusions, $chain1 ); my $outputref; my $interfacematch = ''; + my $use_output = 0; - if ( use_output_chain $interface ) { + if ( use_output_chain $interface || ( @{$filter_table->{output_chain $interface}->{rules}} && ! $filter_table->{$chain1} ) ) { $outputref = $filter_table->{output_chain $interface}; add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; + $use_output = 1; } else { $outputref = $filter_table->{OUTPUT}; $interfacematch = match_dest_dev $interface; @@ -1847,7 +1849,7 @@ sub generate_matrix() { add_jump( $outputref , $nextchain, 0, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) ) if $hostref->{options}{broadcast}; - move_rules( $filter_table->{output_chain $interface} , $filter_table->{$chain1} ) unless use_output_chain $interface; + move_rules( $filter_table->{output_chain $interface} , $filter_table->{$chain1} ) unless $use_output; } clearrule; 
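Review bot: The new condition `use_output_chain $interface || ( ... )` in the first hunk groups as intended only if use_output_chain carries a `($)` prototype that is visible at this point; without one, Perl takes the whole `||` expression as the call's argument list. The declaration is not visible in the diff, so writing `use_output_chain( $interface ) || ...` would remove that dependency, and the same applies to `use_input_chain $interface || ...` in the third hunk. This matters because the branch decides whether rules already in the interface's chain stay reachable from OUTPUT or are moved into `$chain1`. The added `@{$filter_table->{output_chain $interface}->{rules}}` would also autovivify a filter-table entry if that chain was never created (presumably it always exists here); fetching the reference once, `my $intoutref = $filter_table->{output_chain $interface};`, and testing `$intoutref && @{$intoutref->{rules}}` avoids that. The enclosing block of generate_matrix() starts and ends outside the hunk.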
@@ -1884,10 +1886,12 @@ sub generate_matrix() { my $inputchainref; my $interfacematch = ''; + my $use_input; - if ( use_input_chain $interface ) { + if ( use_input_chain $interface || ! $chain2 || ( @{$filter_table->{input_chain $interface}->{rules}} && ! $filter_table->{$chain2} ) ) { $inputchainref = $filter_table->{input_chain $interface}; add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++; + $use_input = 1; } else { $inputchainref = $filter_table->{INPUT}; $interfacematch = match_source_dev $interface; @@ -1895,7 +1899,7 @@ sub generate_matrix() { if ( $chain2 ) { add_jump $inputchainref, source_exclusion( $exclusions, $chain2 ), 0, join( '', $interfacematch, $source, $ipsec_in_match ); - move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless use_input_chain $interface; + move_rules( $filter_table->{input_chain $interface} , $filter_table->{$chain2} ) unless $use_input; } if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) { diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index c96b1b908..8a08d7927 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -16,6 +16,8 @@ Changes in Shorewall 4.4.7 8) Change default to ADD_IP_ALIASES=No +9) Correct defects in generate_matrix(). + Changes in Shorewall 4.4.6 1) Fix for rp_filter and kernel 2.6.31.
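Review bot: The input-side condition gains a `! $chain2` term that the output-side condition earlier in this patch has no counterpart for, and nothing in the hunk says why the two differ. If the asymmetry is intentional, a comment above the `if` would record it, for example `# Keep the interface chain when there is no zone chain to move its rules into`; that wording is inferred from the condition and should be confirmed against the intent. `my $use_input;` is also left undefined where the output side uses `my $use_output = 0;`, so `my $use_input = 0;` would keep the two flags consistent. The `unless $use_input` in the following hunk depends on this flag, and the enclosing block starts outside the hunk.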