From f004916055b3e5b44d711ba747f601105db0d7a5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 11 Sep 2010 14:10:05 -0700
Subject: [PATCH] Disallow a DEST interface in mangle OUTPUT rules

---
 Shorewall/Perl/Shorewall/Chains.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 540e0e79d..48b715a0b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3354,6 +3354,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     } else {
         fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
         fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
+        fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & OUTPUT_RESTRICT && $chainref->{table} eq 'mangle';
 
         if ( $iiface ) {
             my $bridge = port_to_bridge( $diface );
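Review bot: The new fatal_error line records no rationale for rejecting a destination interface in the mangle OUTPUT chain, while the two checks above it at least name the iptables constraint in their messages; the next maintainer cannot tell from this line whether the restriction comes from netfilter, from how Shorewall generates the chain, or from a documented Shorewall rule syntax decision. A one-line why-comment above the new check, of the form `# A DEST interface is rejected in mangle OUTPUT because <reason — fill in from the change rationale>`, would make the compile-time rejection self-explaining. The condition itself reads correctly, since `&` binds tighter than `&&`, and matches the style of the INPUT_RESTRICT check immediately above. Note that expand_rule and the `if`/`else` whose `else` branch this is both start and end outside the hunk, so whether this branch is reached only when `$diface` is set is not verifiable here.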