Remove delayed insertion of RETURN rules in dnat chain
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8074 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
efc3167bb9
commit
99a5eba368
@ -1410,7 +1410,7 @@ sub match_ipsec_out( $$ ) {
|
|||||||
sub log_rule_limit( $$$$$$$$ ) {
|
sub log_rule_limit( $$$$$$$$ ) {
|
||||||
my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, $predicates ) = @_;
|
my ($level, $chainref, $chain, $disposition, $limit, $tag, $command, $predicates ) = @_;
|
||||||
|
|
||||||
my $prefix;
|
my $prefix = '';
|
||||||
|
|
||||||
$level = validate_level $level; # Do this here again because this function can be called directly from user exits.
|
$level = validate_level $level; # Do this here again because this function can be called directly from user exits.
|
||||||
|
|
||||||
@ -1423,36 +1423,46 @@ sub log_rule_limit( $$$$$$$$ ) {
|
|||||||
$predicates .= $limit if $limit;
|
$predicates .= $limit if $limit;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $tag ) {
|
if ( $config{LOGFORMAT} =~ /^\s*$/ ) {
|
||||||
if ( $config{LOGTAGONLY} ) {
|
if ( $level =~ '^ULOG' ) {
|
||||||
$chain = $tag;
|
$prefix = "-j $level ";
|
||||||
$tag = '';
|
} elsif ( $level =~ /^NFLOG/ ) {
|
||||||
|
$prefix = "-j $level ";
|
||||||
} else {
|
} else {
|
||||||
$tag .= ' ';
|
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level ";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$tag = '' unless defined $tag;
|
if ( $tag ) {
|
||||||
}
|
if ( $config{LOGTAGONLY} ) {
|
||||||
|
$chain = $tag;
|
||||||
|
$tag = '';
|
||||||
|
} else {
|
||||||
|
$tag .= ' ';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$tag = '' unless defined $tag;
|
||||||
|
}
|
||||||
|
|
||||||
$disposition =~ s/\s+.*//;
|
$disposition =~ s/\s+.*//;
|
||||||
|
|
||||||
if ( $globals{LOGRULENUMBERS} ) {
|
if ( $globals{LOGRULENUMBERS} ) {
|
||||||
$prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
|
$prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
|
||||||
} else {
|
} else {
|
||||||
$prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag;
|
$prefix = (sprintf $config{LOGFORMAT} , $chain , $disposition) . $tag;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( length $prefix > 29 ) {
|
if ( length $prefix > 29 ) {
|
||||||
$prefix = substr( $prefix, 0, 28 ) . ' ';
|
$prefix = substr( $prefix, 0, 28 ) . ' ';
|
||||||
warning_message "Log Prefix shortened to \"$prefix\"";
|
warning_message "Log Prefix shortened to \"$prefix\"";
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $level =~ '^ULOG' ) {
|
if ( $level =~ '^ULOG' ) {
|
||||||
$prefix = "-j $level --ulog-prefix \"$prefix\" ";
|
$prefix = "-j $level --ulog-prefix \"$prefix\" ";
|
||||||
} elsif ( $level =~ /^NFLOG/ ) {
|
} elsif ( $level =~ /^NFLOG/ ) {
|
||||||
$prefix = "-j $level --nflog-prefix \"$prefix\" ";
|
$prefix = "-j $level --nflog-prefix \"$prefix\" ";
|
||||||
} else {
|
} else {
|
||||||
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
|
$prefix = "-j LOG $globals{LOGPARMS}--log-level $level --log-prefix \"$prefix\" ";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $command eq 'add' ) {
|
if ( $command eq 'add' ) {
|
||||||
|
@ -1496,7 +1496,6 @@ sub generate_matrix() {
|
|||||||
my %policy_exclusions;
|
my %policy_exclusions;
|
||||||
my @interfaces = ( all_interfaces );
|
my @interfaces = ( all_interfaces );
|
||||||
my $preroutingref = ensure_chain 'nat', 'dnat';
|
my $preroutingref = ensure_chain 'nat', 'dnat';
|
||||||
my @returnstack;
|
|
||||||
my $fw = firewall_zone;
|
my $fw = firewall_zone;
|
||||||
#
|
#
|
||||||
# Special processing for complex zones
|
# Special processing for complex zones
|
||||||
@ -1643,12 +1642,17 @@ sub generate_matrix() {
|
|||||||
my $source = match_source_net $net;
|
my $source = match_source_net $net;
|
||||||
|
|
||||||
if ( $dnatref->{referenced} ) {
|
if ( $dnatref->{referenced} ) {
|
||||||
add_rule $preroutingref, $_ for ( @returnstack );
|
#
|
||||||
@returnstack = ();
|
# There are DNAT/REDIRECT rules with this zone as the source.
|
||||||
|
# Add a jump from this source network to this zone's DNAT/REDIRECT chain
|
||||||
|
#
|
||||||
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $dnatref->{name} );
|
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j ', $dnatref->{name} );
|
||||||
}
|
}
|
||||||
|
#
|
||||||
push @returnstack, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
|
# If this zone has parents with DNAT/REDIRECT rules and there are no CONTINUE polcies with this zone as the source
|
||||||
|
# then add a RETURN jump for this source network.
|
||||||
|
#
|
||||||
|
add_rule $preroutingref, join( '', match_source_dev( $interface), $source, $ipsec_in_match, '-j RETURN' ) if $nested;
|
||||||
|
|
||||||
if ( $chain2 ) {
|
if ( $chain2 ) {
|
||||||
if ( @$exclusions ) {
|
if ( @$exclusions ) {
|
||||||
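Review bot: In the new empty-LOGFORMAT branch of log_rule_limit (the `if ( $config{LOGFORMAT} =~ /^\s*$/ )` block) the ULOG and NFLOG arms are identical, both set `$prefix = "-j $level ";`, and the ULOG test uses a string pattern (`'^ULOG'`) while the NFLOG test uses `/^NFLOG/`; written as `$prefix = $level =~ /^(?:ULOG|NFLOG)/ ? "-j $level " : "-j LOG $globals{LOGPARMS}--log-level $level ";` the branch collapses to one line and the two tests agree. A short comment on that branch would also help a reader, e.g. `# Empty LOGFORMAT: emit the log target with no --log-prefix/--ulog-prefix/--nflog-prefix; $level has already been through validate_level above, so interpolating it into the target is safe.` The new comment in the generate_matrix hunk has a typo, `polcies` should be `policies`. Both log_rule_limit and generate_matrix continue outside the hunks shown, so whether the skipped `$disposition` cleanup in the empty-LOGFORMAT path matters to later code cannot be checked here.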
|