From bfc755b0157a72665a03c861b27388001c595a72 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 27 May 2005 18:06:11 +0000
Subject: [PATCH] Put bandaid on 'shorewall add' code to improve rule ordering
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2186 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/firewall | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 1809c6668..ec78f9c6f 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -7769,13 +7769,14 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 # Insert new rules into the filter table for the passed interface
 #
 while read z1 z2 chain; do
+ [ "$z1" = "$z2" ] && op="-I" || op="-A"
 if [ "$z1" = "$zone" ]; then
 if [ "$z2" = "$FW" ]; then
- do_iptables -A $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
+ do_iptables $op $(dynamic_in $interface) $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j $chain
 else
 source_chain=$(dynamic_fwd $interface)
 if is_ipsec_host $z1 $newhost ; then
- do_iptables -A $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
+ do_iptables $op $source_chain $(match_source_hosts $host) $(match_ipsec_in $z1 $newhost) -j ${z1}_frwd
 else
 eval dest_hosts=\"\$${z2}_hosts\"
 
@@ -7784,7 +7785,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 hosts=${h#*:}
 
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
- do_iptables -A $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
+ do_iptables $op $source_chain $(match_source_hosts $host) -o $iface $(match_dest_hosts $hosts) $(match_ipsec_out $z2 $h) -j $chain
 fi
 done
 fi
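Review bot: With `op="-I"` and no rule number, every intra-zone rule is inserted at position 1 of its dynamic chain, so when several hosts are added the intra-zone rules end up in the reverse of the order they were added and ahead of whatever the chain already held; whether that precedence is always the intended one depends on the chain contents, which this hunk does not show. The subject line calls this a bandaid, so the intent should be recorded next to the new line, e.g. `# intra-zone (z1 = z2) rules are inserted at the head of the dynamic chain so they take precedence over the inter-zone rules appended below` (adjust if the precedence reason differs). The `[ ... ] && op="-I" || op="-A"` form is only safe because a variable assignment cannot fail; a plain `if/else` would make that explicit and is the more common style in this file. The same `$op` substitution appears in the hunks at -7784, -7794 and -7804, which all rely on this single assignment at the top of the loop. add_to_zone begins before and ends after this hunk.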
@@ -7794,7 +7795,7 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 #
 # Add a rule to the dynamic out chain for the interface
 #
- do_iptables -A $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
+ do_iptables $op $(dynamic_out $interface) $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
 else
 eval source_hosts=\"\$${z1}_hosts\"
 
@@ -7804,9 +7805,9 @@ add_to_zone() # $1...${n-1} = [:] $n = zone
 
 if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
 if is_ipsec_host $z1 $h; then
- do_iptables -A ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
+ do_iptables $op ${z1}_dyn -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
 else
- do_iptables -A $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
+ do_iptables $op $(dynamic_fwd $iface) $(match_source_hosts $hosts) -o $interface $(match_dest_hosts $host) $(match_ipsec_out $z2 $newhost) -j $chain
 fi
 fi
 done