From ccf517307e27266ade79407f7d70589b43e533b8 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Tue, 7 Aug 2012 14:51:58 -0700
Subject: [PATCH] Handle raw table zones from VSERVERS

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/Perl/Shorewall/Misc.pm | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 54ba5adfa..16f2d796f 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1342,6 +1342,7 @@ sub generate_source_rules( $$$;@ ) {
 sub handle_loopback_traffic() {
     my @zones   = ( vserver_zones, firewall_zone );
     my $natout  = $nat_table->{OUTPUT};
+    my $rawout  = $raw_table->{OUTPUT};
     my $rulenum = 0;
 
     my $outchainref;
@@ -1365,6 +1366,7 @@ sub handle_loopback_traffic() {
 	my $z1ref            = find_zone( $z1 );
 	my $type1            = $z1ref->{type};
 	my $natref           = $nat_table->{dnat_chain $z1};
+	my $notrackref       = $raw_table->{notrack_chain( $z1 )};
 	#
 	# Add jumps in the 'output' chain to the rules chains
 	#
@@ -1374,10 +1376,32 @@ sub handle_loopback_traffic() {
 
 		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
 	    }
+	    #
+	    # Handle conntrack 
+	    #
+	    if ( $notrackref ) {
+		add_ijump $rawout, j => $notrackref if $notrackref->{referenced};
+	    }
 	} else {
 	    for my $z2 ( @zones ) {
 		generate_source_rules( $outchainref, $z1, $z2, @rule );
 	    }
+	    #
+	    # Handle conntrack rules
+	    #
+	    if ( $notrackref->{referenced} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
+		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
+
+		    for my $net ( @{$hostref->{hosts}} ) {
+			add_ijump( $rawout,
+				   j => $exclusion ,
+				   imatch_source_net $net,
+				   @ipsec_match );
+		    }
+		}
+	    }
 	}
 
 	if ( $natref && $natref->{referenced} ) {
@@ -1995,12 +2019,6 @@ sub generate_matrix() {
 	}
     }
     #
-    # NOTRACK from firewall
-    #
-    if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
-	add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
-    }
-    #
     # Main source-zone matrix-generation loop
     #
     progress_message '  Entering main matrix-generation loop...';