Don't allow a source interface in a DNAT/REDIRECT rule with source == firewall.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-01 09:58:40 -07:00
parent add3d0169d
commit 9f298402d8

View File

@ -632,12 +632,13 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
#
# And generate the nat table rule(s)
#
my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
expand_rule ( ensure_chain ('nat' ,
( $action_chain ?
$action_chain :
( $sourceref->{type} == FIREWALL ? 'OUTPUT' :
dnat_chain $sourceref->{name} ) ) ),
PREROUTE_RESTRICT ,
( $action_chain ? $action_chain :
$firewallsource ? 'OUTPUT' :
dnat_chain $sourceref->{name} ) ) ,
$firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
$rule ,
$source ,
$origdest ,