From e6755b7172405d9d34e98b5c1add79dc038c2ffc Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 17 Oct 2009 10:59:41 -0700 Subject: [PATCH] Merge nested zone fix into master --- Shorewall/Perl/Shorewall/Rules.pm | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index fa34dad03..bd6ced866 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -1579,6 +1579,9 @@ sub process_rules() { # Add jumps from the builtin chains to the interface-chains that are used by this configuration # sub add_interface_jumps { + our %input_jump_added; + our %output_jump_added; + our %forward_jump_added; # # Add Nat jumps # @@ -1599,10 +1602,10 @@ sub add_interface_jumps { # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT # for my $interface ( @_ ) { - add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface; - add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain $interface; + add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface; + add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface; - if ( use_output_chain $interface ) { + unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) { add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ); } } @@ -1669,6 +1672,9 @@ sub generate_matrix() { my $notrackref = $raw_table->{notrack_chain $fw}; my @zones = non_firewall_zones; my $interface_jumps_added = 0; + our %input_jump_added = (); + our %output_jump_added = (); + our %forward_jump_added = (); # # Special processing for complex configurations @@ -1690,6 +1696,7 @@ sub generate_matrix() { if ( use_forward_chain( $interface ) ) { $sourcechainref = $filter_table->{forward_chain $interface}; + add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; } else { $sourcechainref = $filter_table->{FORWARD}; $interfacematch = match_source_dev $interface; @@ -1801,6 +1808,7 @@ sub generate_matrix() { if ( use_output_chain $interface ) { $outputref = $filter_table->{output_chain $interface}; + add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++; } else { $outputref = $filter_table->{OUTPUT}; $interfacematch = match_dest_dev $interface; @@ -1849,6 +1857,7 @@ sub generate_matrix() { if ( use_input_chain $interface ) { $inputchainref = $filter_table->{input_chain $interface}; + add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++; } else { $inputchainref = $filter_table->{INPUT}; $interfacematch = match_source_dev $interface; @@ -1862,7 +1871,9 @@ sub generate_matrix() { if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) { my $ref = source_exclusion( $exclusions, $frwd_ref ); if ( use_forward_chain $interface ) { - add_jump $filter_table->{forward_chain $interface} , $ref, 0, join( '', $source, $ipsec_in_match ); + my $forwardref = $filter_table->{forward_chain $interface}; + add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match ); + add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; } else { add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match ); move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref ); @@ -1981,6 +1992,7 @@ sub generate_matrix() { if ( use_forward_chain $interface ) { $chain3ref = $filter_table->{forward_chain $interface}; + add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++; } else { $chain3ref = $filter_table->{FORWARD}; $match_source_dev = match_source_dev $interface;