Handle raw table zones from VSERVERS

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-07 14:51:58 -07:00
parent 88dabde9c9
commit ccf517307e


@ -1342,6 +1342,7 @@ sub generate_source_rules( $$$;@ ) {
sub handle_loopback_traffic() {
my @zones = ( vserver_zones, firewall_zone );
my $natout = $nat_table->{OUTPUT};
my $rawout = $raw_table->{OUTPUT};
my $rulenum = 0;
my $outchainref;
@ -1365,6 +1366,7 @@ sub handle_loopback_traffic() {
my $z1ref = find_zone( $z1 );
my $type1 = $z1ref->{type};
my $natref = $nat_table->{dnat_chain $z1};
my $notrackref = $raw_table->{notrack_chain( $z1 )};
#
# Add jumps in the 'output' chain to the rules chains
#
@ -1374,10 +1376,32 @@ sub handle_loopback_traffic() {
generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
}
#
# Handle conntrack
#
if ( $notrackref ) {
add_ijump $rawout, j => $notrackref if $notrackref->{referenced};
}
} else {
for my $z2 ( @zones ) {
generate_source_rules( $outchainref, $z1, $z2, @rule );
}
#
# Handle conntrack rules
#
if ( $notrackref->{referenced} ) {
for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
my $exclusion = source_exclusion( $hostref->{exclusions}, $notrackref);
my @ipsec_match = match_ipsec_in $z1 , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_ijump( $rawout,
j => $exclusion ,
imatch_source_net $net,
@ipsec_match );
}
}
}
}
if ( $natref && $natref->{referenced} ) {
@ -1995,12 +2019,6 @@ sub generate_matrix() {
}
}
#
# NOTRACK from firewall
#
if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
}
#
# Main source-zone matrix-generation loop
#
progress_message ' Entering main matrix-generation loop...';
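Review bot: The vserver branch tests `$notrackref->{referenced}` without first checking that `$notrackref` is defined, while the firewall-zone branch a few lines above guards with `if ( $notrackref )` and the nat lookup below uses `if ( $natref && $natref->{referenced} )`. `$notrackref` comes from a hash lookup on `$raw_table->{notrack_chain( $z1 )}`, which the other two guards imply can be undef; in that case the bare dereference silently autovivifies an empty hash into the lexical rather than failing loudly, which hides the missing-chain case from anyone reading this later. For consistency with the sibling checks, change the condition to `if ( $notrackref && $notrackref->{referenced} ) {`. The body of handle_loopback_traffic continues outside the shown hunks.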