From 3d84cec3a3b652dc9d2ed70426155d54a193bf97 Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 12 Jan 2008 01:32:18 +0000 Subject: [PATCH] Fix for DNAT/REDIRECT nested-zone mess git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8048 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 2 ++ Shorewall-common/releasenotes.txt | 32 ++++++++++++++++++++++++++++++ Shorewall-perl/Shorewall/Chains.pm | 11 ++++++++++ Shorewall-perl/Shorewall/Rules.pm | 14 +++++++++++-- docs/MultiISP.xml | 4 ++-- 5 files changed, 59 insertions(+), 4 deletions(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index aa272e268..dcecb8f59 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -8,6 +8,8 @@ Changes in 4.1.4 3) Don't fully populate /etc/shorewall under Cygwin +4) Fix part of the DNAT/REDIRECT fiasco. + Changes in 4.1.3 1) Fix NFLOG/ULOG upcasing problem. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 78ac5b16c..42ccf2a29 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt 
@@ -23,6 +23,38 @@ Problems corrected in Shorewall 4.1.4. 2) The compilation date recorded in the firewall.conf file produced by Shorewall-perl was previously mangled. +3) Previously, the following situation would result in unexpected + behavior. + + /etc/shorewall/zones: + + #ZONE TYPE + fw firewall + net ipv4 + loc ipv4 + dmz ipv4 + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS + net ppp0 + loc eth1 + loc ppp+ + dmz eth2 + + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST + # PORT(S) + ACCEPT net dmz tcp 80 + REDIRECT loc 3128 tcp 80 + + The web server in the dmz (implied by the first rule) is + inaccessible from the 'net' zone because the REDIRECT rule + redirects all traffic arriving on 'ppp+' to local port 3128. + + Shorewall 4.1.4 includes a fix for this problem. + Other changes in Shorewall 4.1.4. 1) When installing on Cygwin, /etc/shorewall is no longer fully diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 427c81dec..6e835bf0f 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -91,6 +91,7 @@ our %EXPORT_TAGS = ( first_chains ensure_chain ensure_mangle_chain + ensure_nat_chain new_standard_chain new_builtin_chain new_nat_chain @@ -679,6 +680,16 @@ sub ensure_mangle_chain($) { $chainref; } +sub ensure_nat_chain($) { + my $chain = $_[0]; + + my $chainref = ensure_chain 'nat', $chain; + + $chainref->{referenced} = 1; + + $chainref; +} + # # Add a builtin chain # diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 89d7e20eb..232e5cab5 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -1482,7 +1482,8 @@ sub generate_matrix() { my %chain_exclusions; my %policy_exclusions; my @interfaces = ( all_interfaces ); - + my $preroutingref = ensure_chain 'nat', 'dnat'; + my @returnstack; # # Special processing for complex zones # 
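Review bot: `ensure_nat_chain` is exported and defined here but nothing else in this patch calls it; Rules.pm creates the `dnat` chain with plain `ensure_chain 'nat', 'dnat'`, which, judging by the fact that this sub has to set `referenced` itself afterwards, leaves that flag alone. If that is deliberate (so the PREROUTING jump to `dnat` is only emitted once rules have actually landed in it), say so on this sub, otherwise a later maintainer will reasonably switch Rules.pm over to it and change the generated ruleset. The sub also lacks the `#` banner its neighbours such as `ensure_mangle_chain` carry; suggested text: `# Ensure that a chain exists in the nat table and mark it referenced (ensure_chain alone does not set the flag)`. The behaviour of `ensure_chain` is inferred from this hunk, its body is outside the patch.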
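Review bot: `my @returnstack;` is introduced without a comment, and what it holds is only explained by the loop body a hundred-odd lines further down; suggest `# RETURN rules, one per jump already emitted into the 'dnat' chain, flushed ahead of the next zone's jump so traffic from a more specific zone (ppp0) does not fall through into the DNAT chain of an enclosing wildcard zone (ppp+)`. The chain name `'dnat'` is also written as a bare literal here and again in the later `addnatjump 'PREROUTING', 'dnat', ''` hunk; naming it once (for example `$preroutingref->{name}` at the second site) keeps the two from drifting apart. generate_matrix starts before and continues after this hunk.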
@@ -1590,7 +1591,14 @@ sub generate_matrix() {
 my $source = match_source_net $net;
- addnatjump 'PREROUTING' , dnat_chain $zone, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
+ my $chainref = $nat_table->{dnat_chain $zone};
+
+ if ( $chainref->{referenced} ) {
+ add_rule $preroutingref, $_ for ( @returnstack );
+ @returnstack = ();
+ add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $chainref->{name} );
+ push @returnstack, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' );
+ }
 if ( $chain2 ) {
 if ( @$exclusions ) {
@@ -1796,6 +1804,8 @@ sub generate_matrix() {
 addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
 }
+ addnatjump 'PREROUTING', 'dnat', '';
+
 if ( $config{DYNAMIC_ZONES} ) {
 for my $interface ( @interfaces ) {
 addnatjump 'PREROUTING' , dynamic_in( $interface ), match_source_dev( $interface );
diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml
index 83d0e607f..6af695e01 100644
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -939,8 +939,8 @@ gateway:~ #Note that because we used a priority of 1000, the
 Only ethernet (or ethernet-like) interfaces can be used. For
- inbound traffic, the MAC addresses of the gateway routers is used to
- determine which provider a packet was received through. Note that
+ inbound traffic, the MAC addresses of the gateway routers are used
+ to determine which provider a packet was received through. Note that
 only routed traffic can be categorized using this technique.
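Review bot: `$nat_table->{dnat_chain $zone}` is dereferenced on the next line with no definedness check, whereas the removed `addnatjump` call was handed only the chain name and presumably coped with a zone that has no DNAT chain; here such a zone yields undef, and the branch is skipped only because Perl silently autovivifies `$chainref` into an empty hash, which is luck rather than design. Prefer `if ( $chainref && $chainref->{referenced} ) {`. The match prefix is also built twice with the same `join( '', match_source_dev( $interface), $source, $ipsec_in_match ... )`; compute it once as `my $match = join( '', match_source_dev( $interface), $source, $ipsec_in_match );` and append `'-j ' . $chainref->{name}` and `'-j RETURN'` to it. Note too that pending RETURN rules are flushed only when a later zone has a referenced chain, so whatever is left in `@returnstack` after the loop is never emitted, which is fine if nothing else is appended to `dnat` but deserves a one-line comment. generate_matrix starts before and continues after this hunk.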
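Review bot: `addnatjump 'PREROUTING', 'dnat', ''` will only emit the jump if `dnat` is flagged `referenced` (assuming `addnatjump` gates on the same test the earlier hunk copies into the zone loop), yet the chain was created with `ensure_chain` rather than the new `ensure_nat_chain`, so the whole fix depends on `add_rule` setting that flag when the per-zone jumps were added, and that is not visible in this patch. Pin the assumption with `# Emitted only if the 'dnat' chain became referenced above -- verify add_rule sets that flag`. Ordering is also worth a look: the per-zone jumps used to be appended to PREROUTING inside the zone loop, whereas this single jump is appended after the POSTROUTING/SNAT pass, so anything that adds PREROUTING rules between those two points (not visible here) now precedes the DNAT jump. generate_matrix continues after this hunk.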