extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-13 13:16:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Insure that nested zone exclusions go in the proper place in raw PREROUTING

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-21 14:49:21 -08:00
parent 3040156981
commit b89e05740d
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -1867,10 +1867,13 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
# then add a RETURN jump for this source network. # then add a RETURN jump for this source network.
# #
if ( $nested ) { if ( $nested ) {
if ( $parenthasnat ) {
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match;
}
if ( $parenthasnotrack ) {
my $rawref = $raw_table->{PREROUTING}; my $rawref = $raw_table->{PREROUTING};
insert_ijump $rawref, j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat; }
insert_ijump $rawref , j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
} }
} }
@ -2073,7 +2076,7 @@ sub optimize1_zones( $$@ ) {
# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones). # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates. # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
# #
# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and # The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
# nat-table rules. # nat-table rules.
# #
sub generate_matrix() { sub generate_matrix() {