Ensure that zone-specific rules come before 'all' rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-21 14:20:30 -08:00
parent 952aed225d
commit 54dadcc546
2 changed files with 14 additions and 9 deletions

View File

@ -2492,7 +2492,7 @@ sub initialize_chain_table($) {
); );
for my $chain ( qw(OUTPUT PREROUTING) ) { for my $chain ( qw(OUTPUT PREROUTING) ) {
new_builtin_chain 'raw', $chain, 'ACCEPT'; new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
} }
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT'; new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@ -2538,7 +2538,8 @@ sub initialize_chain_table($) {
); );
for my $chain ( qw(OUTPUT PREROUTING) ) { for my $chain ( qw(OUTPUT PREROUTING) ) {
new_builtin_chain 'raw', $chain, 'ACCEPT'; new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
} }
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT'; new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';

View File

@ -1482,10 +1482,11 @@ sub handle_loopback_traffic() {
my @ipsec_match = match_ipsec_in $z1 , $hostref; my @ipsec_match = match_ipsec_in $z1 , $hostref;
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_ijump( $rawout, insert_ijump( $rawout,
j => $exclusion , j => $exclusion ,
imatch_source_net $net, $rawout->{insert}++,
@ipsec_match ); imatch_source_net $net,
@ipsec_match );
} }
} }
} }
@ -1834,6 +1835,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
my $dnatref = $nat_table->{dnat_chain( $zone )}; my $dnatref = $nat_table->{dnat_chain( $zone )};
my $preroutingref = $nat_table->{PREROUTING}; my $preroutingref = $nat_table->{PREROUTING};
my $rawref = $raw_table->{PREROUTING};
my $notrackref = ensure_chain 'raw' , notrack_chain( $zone ); my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );
my @ipsec_in_match = match_ipsec_in $zone , $hostref; my @ipsec_in_match = match_ipsec_in $zone , $hostref;
@ -1858,15 +1860,17 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
# There are notrack rules with this zone as the source. # There are notrack rules with this zone as the source.
# Add a jump from this source network to this zone's notrack chain # Add a jump from this source network to this zone's notrack chain
# #
add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match; insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
} }
# #
# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
# then add a RETURN jump for this source network. # then add a RETURN jump for this source network.
# #
if ( $nested ) { if ( $nested ) {
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat; my $rawref = $raw_table->{PREROUTING};
add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
insert_ijump $rawref , j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
} }
} }