Move nat POSTROUTING rules to SHOREWALL if DOCKER=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
e66d9f6547
commit
663f82c158
@ -2994,6 +2994,11 @@ sub initialize_chain_table($) {
|
|||||||
# Create this chain early in case it is needed by Policy actions
|
# Create this chain early in case it is needed by Policy actions
|
||||||
#
|
#
|
||||||
new_standard_chain 'reject';
|
new_standard_chain 'reject';
|
||||||
|
|
||||||
|
if ( $config{DOCKER} ) {
|
||||||
|
my $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
|
||||||
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
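Review bot: The assignment `$globals{POSTROUTING} = 'SHOREWALL'` is buried inside the argument of `new_nat_chain( ... )` in the added `if ( $config{DOCKER} )` branch, so the global that the other hunks route nat rules through changes as a side effect that is easy to miss. Put it on its own line, e.g. `$globals{POSTROUTING} = 'SHOREWALL'; # DOCKER=Yes: nat POSTROUTING rules go to the SHOREWALL chain`, followed by `my $chainref = new_nat_chain( $globals{POSTROUTING} );`. The redirect only affects code that reads the global after this point, so the comment should state that ordering dependency. The body of initialize_chain_table starts and ends outside the hunk.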
||||||
|
@ -736,6 +736,7 @@ sub initialize( $;$$) {
|
|||||||
RPFILTER_LOG_TAG => '',
|
RPFILTER_LOG_TAG => '',
|
||||||
INVALID_LOG_TAG => '',
|
INVALID_LOG_TAG => '',
|
||||||
UNTRACKED_LOG_TAG => '',
|
UNTRACKED_LOG_TAG => '',
|
||||||
|
POSTROUTING => 'POSTROUTING',
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# From shorewall.conf file
|
# From shorewall.conf file
|
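Review bot: The new `POSTROUTING => 'POSTROUTING'` entry in the globals initializer has no comment, and its name suggests the fixed built-in chain although the value is overwritten elsewhere in this commit. A trailing comment such as `# nat chain that receives Shorewall's POSTROUTING rules; set to 'SHOREWALL' when DOCKER=Yes` would tell readers to use `$globals{POSTROUTING}` instead of the literal chain name. The initializer list begins outside the hunk.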
||||||
|
@ -1508,13 +1508,15 @@ sub add_interface_jumps {
|
|||||||
# Add Nat jumps
|
# Add Nat jumps
|
||||||
#
|
#
|
||||||
for my $interface ( @_ ) {
|
for my $interface ( @_ ) {
|
||||||
addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
|
addnatjump $globals{POSTROUTING} , snat_chain( $interface ), imatch_dest_dev( $interface );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};
|
||||||
|
|
||||||
for my $interface ( @interfaces ) {
|
for my $interface ( @interfaces ) {
|
||||||
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
|
addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
|
||||||
addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
|
addnatjump $globals{POSTROUTING} , output_chain( $interface ) , imatch_dest_dev( $interface );
|
||||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
addnatjump $globals{POSTROUTING} , masq_chain( $interface ) , imatch_dest_dev( $interface );
|
||||||
|
|
||||||
if ( have_capability 'RAWPOST_TABLE' ) {
|
if ( have_capability 'RAWPOST_TABLE' ) {
|
||||||
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
|
insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) ) if $rawpost_table->{postrouting_chain $interface};
|
||||||
@ -2247,7 +2249,7 @@ sub generate_matrix() {
|
|||||||
# Make sure that the 1:1 NAT jumps are last in PREROUTING
|
# Make sure that the 1:1 NAT jumps are last in PREROUTING
|
||||||
#
|
#
|
||||||
addnatjump 'PREROUTING' , 'nat_in';
|
addnatjump 'PREROUTING' , 'nat_in';
|
||||||
addnatjump 'POSTROUTING' , 'nat_out';
|
addnatjump $globals{POSTROUTING} , 'nat_out';
|
||||||
|
|
||||||
add_interface_jumps @interfaces unless $interface_jumps_added;
|
add_interface_jumps @interfaces unless $interface_jumps_added;
|
||||||
|
|
||||||
|
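Review bot: `addnatjump( 'POSTROUTING', 'SHOREWALL' ) if $config{DOCKER};` in add_interface_jumps repeats the chain name that initialize_chain_table stores in `$globals{POSTROUTING}`, so the name now lives in two places. If the two ever diverge, the built-in POSTROUTING chain would jump to one chain while the SNAT, output and masquerade jumps are added to another, and those rules would never be traversed, with nothing to flag the loss of NAT. Writing `addnatjump( 'POSTROUTING', $globals{POSTROUTING} ) if $config{DOCKER};` keeps a single source of truth. Any nat rule writer outside this diff that still names 'POSTROUTING' literally would presumably bypass the SHOREWALL chain when DOCKER=Yes, so it is worth checking for them. The bodies of add_interface_jumps and generate_matrix extend beyond the hunks shown.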