Allow interfaces in the DEST column of the conntrack file when the chain is OUTPUT.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-11-25 18:37:23 -08:00
parent e45fe53705
commit e7dee420ee
3 changed files with 5 additions and 9 deletions


@ -6070,7 +6070,7 @@ sub verify_dest_interface( $$$$ ) {
fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
if ( $restriction & PREROUTE_RESTRICT ) {
if ( $restriction & ( PREROUTE_RESTRICT | OUTPUT_RESTRICT ) ) {
#
# Dest interface -- must use routing table
#
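Review bot: The widened test `$restriction & ( PREROUTE_RESTRICT | OUTPUT_RESTRICT )` sends every caller that passes OUTPUT_RESTRICT into the "must use routing table" branch, not only conntrack rules placed in the raw OUTPUT chain. If OUTPUT_RESTRICT is also used for rules outside the raw table (those call sites are not visible here), their DEST interface would presumably be handled through the routing table from now on, which changes the traffic those rules cover. A comment above the test, such as `# OUTPUT_RESTRICT included so that raw-table OUTPUT rules may name a DEST interface`, would record the intent, and the other OUTPUT_RESTRICT callers are worth checking before merge. The body of verify_dest_interface continues outside the hunk.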


@ -55,7 +55,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
my $restriction = PREROUTE_RESTRICT;
if ( $chainref ) {
$restriction = DESTIFACE_DISALLOW if $chainref->{name} eq 'OUTPUT';
$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
} else {
#
# Entry in the conntrack file
@ -68,7 +68,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
}
$chainref = ensure_raw_chain( notrack_chain $zone );
$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
$restriction = OUTPUT_RESTRICT if $zoneref->{type} & (FIREWALL | VSERVER );
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
}
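Review bot: The new test `$zoneref->{type} & (FIREWALL | VSERVER )` matches the old pair of `==` comparisons only if the zone type constants are distinct single-bit flags, and their definitions are not visible in this section. If any other zone type shares a bit with FIREWALL or VSERVER, its conntrack entries would receive OUTPUT_RESTRICT and also pass the USER/GROUP check on the following line. A comment at the test, for example `# zone types are bit flags; this matches only $FW and Vserver zones`, would record the assumption for the next reader. process_conntrack_rule starts and ends outside these hunks.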


@ -272,9 +272,7 @@
<term>O</term>
<listitem>
<para>The rule is added to the raw table OUTPUT chain. When
this <replaceable>chain-designator</replaceable> is used, an
interface may not be specified in the DEST column.</para>
<para>The rule is added to the raw table OUTPUT chain.</para>
</listitem>
</varlistentry>
@ -283,9 +281,7 @@
<listitem>
<para>The rule is added to the raw table PREROUTING and OUTPUT
chains. When this <replaceable>chain-designator</replaceable>
is used, an interface may not be specified in the DEST
column.</para>
chains.</para>
</listitem>
</varlistentry>
</variablelist>