From 59189d6324c4f657b8b25dc0f71f010271ef1c32 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 12 Jul 2010 11:52:56 -0700
Subject: [PATCH] Don't generate rules from link local net to vserver zones
---
 Shorewall/Perl/Shorewall/IPAddrs.pm | 6 +++---
 Shorewall/Perl/Shorewall/Rules.pm | 8 +++++---
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index e39df4d49..fa3e83697 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -91,9 +91,9 @@ our $validate_host;
 use constant { ALLIPv4 => '0.0.0.0/0' ,
 ALLIPv6 => '::/0' ,
 IPv4_MULTICAST => '224.0.0.0/4' ,
- IPv6_MULTICAST => 'FF00::/10' ,
- IPv6_LINKLOCAL => 'FF80::/10' ,
- IPv6_SITELOCAL => 'FFC0::/10' ,
+ IPv6_MULTICAST => 'FF00::/8' ,
+ IPv6_LINKLOCAL => 'FE80::/10' ,
+ IPv6_SITELOCAL => 'FEC0::/10' ,
 IPv6_LOOPBACK => '::1' ,
 IPv6_LINK_ALLNODES => 'FF01::1' ,
 IPv6_LINK_ALLRTRS => 'FF01::2' ,
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 08b81ef44..49e9d34f6 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2042,9 +2042,11 @@ sub generate_matrix() {
 add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 $use_input = 1;
- for my $vzone ( @vservers ) {
- my $target = rules_target( $zone, $vzone );
- generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
+ if ( uc $net ne IPv6_LINKLOCAL ) {
+ for my $vzone ( @vservers ) {
+ my $target = rules_target( $zone, $vzone );
+ generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
+ }
 }
 } else {
 $inputchainref = $filter_table->{INPUT};
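Review bot: The two context lines directly below the corrected prefixes, `IPv6_LINK_ALLNODES => 'FF01::1'` and `IPv6_LINK_ALLRTRS => 'FF01::2'`, look like the same class of mistake this hunk fixes and are left untouched. In RFC 4291 the FF01 scope is interface-local, while the link-local all-nodes and all-routers groups are FF02::1 and FF02::2. If the constant names are meant literally, the lines would read `IPv6_LINK_ALLNODES => 'FF02::1' ,` and `IPv6_LINK_ALLRTRS => 'FF02::2' ,`; how they are consumed is outside the hunk, so this needs checking against the callers. A one-line comment above the block such as `# Prefixes per RFC 4291; stored upper-case because callers compare with uc()` would also make future typos in this table easier to catch.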
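Review bot: The new guard `if ( uc $net ne IPv6_LINKLOCAL )` is an exact string comparison, so the vserver rules are suppressed only when `$net` is spelled precisely `FE80::/10` once upcased. An equivalent or narrower spelling (constructed examples: `fe80:0::/10`, `fe80::/64`) would presumably fall through and still emit rules from a link-local source into the vserver zones. Whether `$net` is canonicalised before this point is not visible here, since generate_matrix starts and ends outside the hunk. Comparing a normalised address and prefix would be more robust; failing that, state the assumption next to the test, e.g. `# only the literal FE80::/10 host network is skipped; $net is assumed to be in compressed form`.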