Handle raw table zones from VSERVERS

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-07 14:51:58 -07:00
parent 542f279544
commit c6186571e5


@ -1310,6 +1310,7 @@ sub generate_source_rules( $$$;@ ) {
sub handle_loopback_traffic() { sub handle_loopback_traffic() {
my @zones = ( vserver_zones, firewall_zone ); my @zones = ( vserver_zones, firewall_zone );
my $natout = $nat_table->{OUTPUT}; my $natout = $nat_table->{OUTPUT};
my $rawout = $raw_table->{OUTPUT};
my $rulenum = 0; my $rulenum = 0;
my $outchainref; my $outchainref;
@ -1333,6 +1334,7 @@ sub handle_loopback_traffic() {
my $z1ref = find_zone( $z1 ); my $z1ref = find_zone( $z1 );
my $type1 = $z1ref->{type}; my $type1 = $z1ref->{type};
my $natref = $nat_table->{dnat_chain $z1}; my $natref = $nat_table->{dnat_chain $z1};
my $notrackref = $raw_table->{notrack_chain( $z1 )};
# #
# Add jumps in the 'output' chain to the rules chains # Add jumps in the 'output' chain to the rules chains
# #
@ -1342,10 +1344,32 @@ sub handle_loopback_traffic() {
generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain; generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
} }
#
# Handle conntrack
#
if ( $notrackref ) {
add_ijump $rawout, j => $notrackref if $notrackref->{referenced};
}
} else { } else {
for my $z2 ( @zones ) { for my $z2 ( @zones ) {
generate_source_rules( $outchainref, $z1, $z2, @rule ); generate_source_rules( $outchainref, $z1, $z2, @rule );
} }
#
# Handle conntrack rules
#
if ( $notrackref->{referenced} ) {
for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
my $exclusion = source_exclusion( $hostref->{exclusions}, $notrackref);
my @ipsec_match = match_ipsec_in $z1 , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_ijump( $rawout,
j => $exclusion ,
imatch_source_net $net,
@ipsec_match );
}
}
}
} }
if ( $natref && $natref->{referenced} ) { if ( $natref && $natref->{referenced} ) {
@ -1960,12 +1984,6 @@ sub generate_matrix() {
} }
} }
# #
# NOTRACK from firewall
#
if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
}
#
# Main source-zone matrix-generation loop # Main source-zone matrix-generation loop
# #
progress_message ' Entering main matrix-generation loop...'; progress_message ' Entering main matrix-generation loop...';
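Review bot: In the third hunk the else branch tests `$notrackref->{referenced}` without first checking that `$notrackref` is defined, while the if branch a few lines earlier guards with `if ( $notrackref )` before the same test; since `$raw_table->{notrack_chain( $z1 )}` evidently can be absent, the else branch should read `if ( $notrackref && $notrackref->{referenced} ) {` so a missing notrack chain is skipped the same way rather than autovivified into an empty hash. The host loop also re-fetches the zone with `defined_zone( $z1 )` although `$z1ref` from `find_zone( $z1 )` is already in scope; if both return the same zone record, `@{ $z1ref->{hosts}{ip}{'%vserver%'} }` avoids the second lookup, and the `@{ ... }` dereference presumably relies on that key existing for every zone reaching this branch, which is worth a short comment such as `# every zone handled here is a vserver zone, so the '%vserver%' host list exists`. The body of handle_loopback_traffic continues outside the hunks shown.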