From a37204c04f9203a0069b2e82861cfbb57bf09532 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 18 Oct 2006 23:03:54 +0000
Subject: [PATCH] Fix bad bug in exclusion policy handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4702 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/compiler | 49 ++++++++++++++++++++++++++++++++++++----------
 1 file changed, 39 insertions(+), 10 deletions(-)

diff --git a/Shorewall/compiler b/Shorewall/compiler
index 0f2d16ffa..09bbc8895 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -4077,6 +4077,22 @@ activate_rules()
         run_iptables -A $2 -j ${1}_dyn
     }
     #
+    # Add a set of exclusions to a chain
+    #
+    add_exclusions_to_chain() # $1 = chain name, $2 - $n = exclusions
+    {
+        local c=$1 num=0
+
+        shift
+
+        for host1 in $*; do
+            interface1=${host1%%:*}
+            networks1=${host1#*:}
+            num=$(($num + 1))
+            run_iptables -I $c $num -o $interface1 -d $networks1 -j RETURN
+        done
+    }
+    #
     # Add jumps to early SNAT chains
     #
     for interface in $ALL_INTERFACES; do
@@ -4279,6 +4295,29 @@ activate_rules()
                 num_ifaces=0
             fi
 
+            if [ -n "$exclusions1" ]; then
+                case $chain in
+                    all2$zone1)
+                        if eval test -z \"\$${chain}_exclusions\"; then
+                            eval ${chain}_exclusions=Yes
+                            add_exclusions_to_chain $chain $exclusions1
+                        fi
+                        ;;
+                    *2all)
+                        chain1=${chain}_${zone1}_exclusions
+                        if ! havechain $chain1; then
+                            createchain $chain1 no
+                            add_exclusions_to_chain $chain1 $exclusions1
+                            run_iptables -A $chain1 -j $chain
+                            chain=$chain1
+                        fi
+                        ;;
+                    *)
+                        add_exclusions_to_chain $chain $exclusions1
+                        ;;
+                esac
+            fi
+
             if [ -n "$complex" ]; then
                 for host1 in $dest_hosts; do
                     interface1=${host1%%:*}
@@ -4308,16 +4347,6 @@ activate_rules()
                     done
                 done
             fi
-
-            if [ -n "$exclusions1" ]; then
-                local num=0
-                for host1 in $exclusions1; do
-                    interface1=${host1%%:*}
-                    networks1=${host1#*:}
-                    num=$(($num + 1))
-                    run_iptables -I $chain $num -o $interface1 -d $networks1 -j RETURN
-                done
-            fi
         done
     done
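Review bot: `add_exclusions_to_chain` assigns `host1`, `interface1` and `networks1` without `local`, so every call silently overwrites the variables of the same name in the enclosing `activate_rules` loops (the function is defined inside `activate_rules`, whose body continues outside this hunk). The callers added in the next hunk happen to reassign `host1`/`interface1` before reading them again, but the old inline loop could not clobber anything it was not itself about to overwrite, so this is a new fragility; `local c=$1 num=0 host1 interface1 networks1` removes it. The unquoted `$*` relies on the exclusion list already having been word-split by the caller; a one-line comment such as `# $* is intentionally unquoted: exclusions are whitespace-separated host:network tokens` would keep a later reviewer from "fixing" it, and `$((num + 1))` is the usual spelling of the counter increment.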
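Review bot: In the `*2all` arm, `chain=$chain1` is set only inside `if ! havechain $chain1`, so if this point is reached again for the same `$chain`/`$zone1` pair — which the `havechain` guard suggests can happen — the rules emitted below jump to the bare policy chain and the RETURN exclusions are skipped for that pass, meaning the excluded hosts would get the policy applied instead of being exempted. If the exclusion chain is meant to be reused, `chain=$chain1` belongs after the `fi`, so the jump target is the exclusion chain whether or not it was just created; if each pair is provably visited once, the `havechain` test is dead and a short comment saying so would settle it. The `all2$zone1` arm does not have this problem because the flag only suppresses re-adding rules to a chain that is itself the jump target. The enclosing loops of `activate_rules` start and end outside the hunk.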