mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-20 05:11:03 +01:00
Handle raw table zones from VSERVERS
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
542f279544
commit
c6186571e5
@ -1310,6 +1310,7 @@ sub generate_source_rules( $$$;@ ) {
|
|||||||
sub handle_loopback_traffic() {
|
sub handle_loopback_traffic() {
|
||||||
my @zones = ( vserver_zones, firewall_zone );
|
my @zones = ( vserver_zones, firewall_zone );
|
||||||
my $natout = $nat_table->{OUTPUT};
|
my $natout = $nat_table->{OUTPUT};
|
||||||
|
my $rawout = $raw_table->{OUTPUT};
|
||||||
my $rulenum = 0;
|
my $rulenum = 0;
|
||||||
|
|
||||||
my $outchainref;
|
my $outchainref;
|
||||||
@ -1333,6 +1334,7 @@ sub handle_loopback_traffic() {
|
|||||||
my $z1ref = find_zone( $z1 );
|
my $z1ref = find_zone( $z1 );
|
||||||
my $type1 = $z1ref->{type};
|
my $type1 = $z1ref->{type};
|
||||||
my $natref = $nat_table->{dnat_chain $z1};
|
my $natref = $nat_table->{dnat_chain $z1};
|
||||||
|
my $notrackref = $raw_table->{notrack_chain( $z1 )};
|
||||||
#
|
#
|
||||||
# Add jumps in the 'output' chain to the rules chains
|
# Add jumps in the 'output' chain to the rules chains
|
||||||
#
|
#
|
||||||
@ -1342,10 +1344,32 @@ sub handle_loopback_traffic() {
|
|||||||
|
|
||||||
generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
|
generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
|
||||||
}
|
}
|
||||||
|
#
|
||||||
|
# Handle conntrack
|
||||||
|
#
|
||||||
|
if ( $notrackref ) {
|
||||||
|
add_ijump $rawout, j => $notrackref if $notrackref->{referenced};
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
for my $z2 ( @zones ) {
|
for my $z2 ( @zones ) {
|
||||||
generate_source_rules( $outchainref, $z1, $z2, @rule );
|
generate_source_rules( $outchainref, $z1, $z2, @rule );
|
||||||
}
|
}
|
||||||
|
#
|
||||||
|
# Handle conntrack rules
|
||||||
|
#
|
||||||
|
if ( $notrackref->{referenced} ) {
|
||||||
|
for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
|
||||||
|
my $exclusion = source_exclusion( $hostref->{exclusions}, $notrackref);
|
||||||
|
my @ipsec_match = match_ipsec_in $z1 , $hostref;
|
||||||
|
|
||||||
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
|
add_ijump( $rawout,
|
||||||
|
j => $exclusion ,
|
||||||
|
imatch_source_net $net,
|
||||||
|
@ipsec_match );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $natref && $natref->{referenced} ) {
|
if ( $natref && $natref->{referenced} ) {
|
||||||
@ -1960,12 +1984,6 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# NOTRACK from firewall
|
|
||||||
#
|
|
||||||
if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
|
|
||||||
add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
|
|
||||||
}
|
|
||||||
#
|
|
||||||
# Main source-zone matrix-generation loop
|
# Main source-zone matrix-generation loop
|
||||||
#
|
#
|
||||||
progress_message ' Entering main matrix-generation loop...';
|
progress_message ' Entering main matrix-generation loop...';
|
||||||
|
Loading…
Reference in New Issue
Block a user