Fix nested zones

This commit is contained in:
Tom Eastep 2009-10-17 09:29:44 -07:00
parent bdb34caf5c
commit c72a290e3f
3 changed files with 21 additions and 4 deletions


@ -1578,6 +1578,9 @@ sub process_rules() {
# Add jumps from the builtin chains to the interface-chains that are used by this configuration # Add jumps from the builtin chains to the interface-chains that are used by this configuration
# #
sub add_interface_jumps { sub add_interface_jumps {
our %input_jump_added;
our %output_jump_added;
our %forward_jump_added;
# #
# Add Nat jumps # Add Nat jumps
# #
@ -1598,10 +1601,10 @@ sub add_interface_jumps {
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
# #
for my $interface ( @_ ) { for my $interface ( @_ ) {
add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface; add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain $interface; add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface;
if ( use_output_chain $interface ) { unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ); add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
} }
} }
@ -1668,6 +1671,9 @@ sub generate_matrix() {
my $notrackref = $raw_table->{notrack_chain $fw}; my $notrackref = $raw_table->{notrack_chain $fw};
my @zones = non_firewall_zones; my @zones = non_firewall_zones;
my $interface_jumps_added = 0; my $interface_jumps_added = 0;
our %input_jump_added = ();
our %output_jump_added = ();
our %forward_jump_added = ();
# #
# Special processing for complex configurations # Special processing for complex configurations
@ -1689,6 +1695,7 @@ sub generate_matrix() {
if ( use_forward_chain( $interface ) ) { if ( use_forward_chain( $interface ) ) {
$sourcechainref = $filter_table->{forward_chain $interface}; $sourcechainref = $filter_table->{forward_chain $interface};
add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
} else { } else {
$sourcechainref = $filter_table->{FORWARD}; $sourcechainref = $filter_table->{FORWARD};
$interfacematch = match_source_dev $interface; $interfacematch = match_source_dev $interface;
@ -1800,6 +1807,7 @@ sub generate_matrix() {
if ( use_output_chain $interface ) { if ( use_output_chain $interface ) {
$outputref = $filter_table->{output_chain $interface}; $outputref = $filter_table->{output_chain $interface};
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
} else { } else {
$outputref = $filter_table->{OUTPUT}; $outputref = $filter_table->{OUTPUT};
$interfacematch = match_dest_dev $interface; $interfacematch = match_dest_dev $interface;
@ -1848,6 +1856,7 @@ sub generate_matrix() {
if ( use_input_chain $interface ) { if ( use_input_chain $interface ) {
$inputchainref = $filter_table->{input_chain $interface}; $inputchainref = $filter_table->{input_chain $interface};
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
} else { } else {
$inputchainref = $filter_table->{INPUT}; $inputchainref = $filter_table->{INPUT};
$interfacematch = match_source_dev $interface; $interfacematch = match_source_dev $interface;
@ -1861,7 +1870,9 @@ sub generate_matrix() {
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) { if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
my $ref = source_exclusion( $exclusions, $frwd_ref ); my $ref = source_exclusion( $exclusions, $frwd_ref );
if ( use_forward_chain $interface ) { if ( use_forward_chain $interface ) {
add_jump $filter_table->{forward_chain $interface} , $ref, 0, join( '', $source, $ipsec_in_match ); my $forwardref = $filter_table->{forward_chain $interface};
add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
} else { } else {
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match ); add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref ); move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
@ -1980,6 +1991,7 @@ sub generate_matrix() {
if ( use_forward_chain $interface ) { if ( use_forward_chain $interface ) {
$chain3ref = $filter_table->{forward_chain $interface}; $chain3ref = $filter_table->{forward_chain $interface};
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
} else { } else {
$chain3ref = $filter_table->{FORWARD}; $chain3ref = $filter_table->{FORWARD};
$match_source_dev = match_source_dev $interface; $match_source_dev = match_source_dev $interface;
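Review bot: The new OUTPUT jump in generate_matrix (hunk starting at L47, `add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;`) carries no `get_interface_option( $interface, 'port' )` guard, while the equivalent jump in add_interface_jumps (L28) keeps it, so a 'port' interface that takes this path now gets an OUTPUT jump on match_dest_dev that add_interface_jumps would have skipped. If that guard is deliberate it should gate the new jump as well, e.g. `... unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;`. The three `our %..._jump_added` hashes are package globals written by generate_matrix and read by add_interface_jumps, and they are reset only inside generate_matrix, so a call of add_interface_jumps that does not follow a generate_matrix run would presumably see the previous run's state; a file-scoped `my` declaration with a comment such as `# Interface jumps already emitted by generate_matrix(); reset there, consulted by add_interface_jumps()` would make the coupling explicit. Both subs start and end outside the hunks shown.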


@ -4,6 +4,8 @@ Changes in Shorewall 4.4.2.3
2) Only detect IP configuration when needed. 2) Only detect IP configuration when needed.
3) Fix nested zones.
Changes in Shorewall 4.4.2.2 Changes in Shorewall 4.4.2.2
1) Another fix for 'routeback' in routestopped. 1) Another fix for 'routeback' in routestopped.


@ -183,6 +183,9 @@ Shorewall 4.4.2 Patch Release 3.
variables are only set when their values are needed to correctly variables are only set when their values are needed to correctly
execute the specified command. execute the specified command.
3) Nested zones did not work correctly in some cases where the parent
zone was defined with a wild-card interface name (one ending in '+').
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 . 2 P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 . 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------