Ensure that zone-specific rules come before 'all' rules.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
952aed225d
commit
54dadcc546
@ -2492,7 +2492,7 @@ sub initialize_chain_table($) {
|
|||||||
);
|
);
|
||||||
|
|
||||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||||
new_builtin_chain 'raw', $chain, 'ACCEPT';
|
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
||||||
@ -2538,7 +2538,8 @@ sub initialize_chain_table($) {
|
|||||||
);
|
);
|
||||||
|
|
||||||
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
for my $chain ( qw(OUTPUT PREROUTING) ) {
|
||||||
new_builtin_chain 'raw', $chain, 'ACCEPT';
|
new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
|
||||||
|
@ -1482,10 +1482,11 @@ sub handle_loopback_traffic() {
|
|||||||
my @ipsec_match = match_ipsec_in $z1 , $hostref;
|
my @ipsec_match = match_ipsec_in $z1 , $hostref;
|
||||||
|
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
add_ijump( $rawout,
|
insert_ijump( $rawout,
|
||||||
j => $exclusion ,
|
j => $exclusion ,
|
||||||
imatch_source_net $net,
|
$rawout->{insert}++,
|
||||||
@ipsec_match );
|
imatch_source_net $net,
|
||||||
|
@ipsec_match );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1834,6 +1835,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
|
|||||||
|
|
||||||
my $dnatref = $nat_table->{dnat_chain( $zone )};
|
my $dnatref = $nat_table->{dnat_chain( $zone )};
|
||||||
my $preroutingref = $nat_table->{PREROUTING};
|
my $preroutingref = $nat_table->{PREROUTING};
|
||||||
|
my $rawref = $raw_table->{PREROUTING};
|
||||||
my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );
|
my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );
|
||||||
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
|
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||||
|
|
||||||
@ -1858,15 +1860,17 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
|
|||||||
# There are notrack rules with this zone as the source.
|
# There are notrack rules with this zone as the source.
|
||||||
# Add a jump from this source network to this zone's notrack chain
|
# Add a jump from this source network to this zone's notrack chain
|
||||||
#
|
#
|
||||||
add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
|
insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
|
||||||
}
|
}
|
||||||
#
|
#
|
||||||
# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
|
# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
|
||||||
# then add a RETURN jump for this source network.
|
# then add a RETURN jump for this source network.
|
||||||
#
|
#
|
||||||
if ( $nested ) {
|
if ( $nested ) {
|
||||||
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
|
my $rawref = $raw_table->{PREROUTING};
|
||||||
add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
|
|
||||||
|
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
|
||||||
|
insert_ijump $rawref , j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
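Review bot: The `my $rawref = $raw_table->{PREROUTING};` added inside the `if ( $nested )` block re-declares a lexical that this same commit already introduces at the top of add_prerouting_jumps (the earlier hunk adds `my $rawref = $raw_table->{PREROUTING};` next to `$preroutingref`); the inner copy refers to the same chain hash, so `$rawref->{insert}++` still advances one shared cursor and the ordering is unaffected, but the shadowing is confusing and should be dropped — keep `insert_ijump $rawref , j => 'RETURN', $rawref->{insert}++, ...` and delete the inner declaration. Sharing one cursor between the notrack-chain jump and the parent RETURN is what keeps this zone's jump ahead of the RETURN, and both ahead of the 'all' rules; that invariant is worth stating next to the RETURN insert, e.g. `# Same 'insert' cursor as the notrack jump above: zone jump, then parent RETURN, then the 'all' rules`. The closing of add_prerouting_jumps may lie beyond this hunk.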