Fix an iprange problem with the hosts file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6120 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-04-25 21:03:40 +00:00 · 2007-04-25 21:03:40 +00:00 · e3f35a632a
commit e3f35a632a
parent 41b02f5029
2 changed files with 5 additions and 2 deletions
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -932,7 +932,7 @@ sub iprange_match() {
    require_capability( 'IPRANGE_MATCH' , 'Address Ranges' );
    unless ( $iprangematch ) {
 	$match = '-m iprange ';
-	$iprangematch = 1;
+	$iprangematch = 1 unless $capabilities{KLUDGEFREE};
    }

    $match;
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@ -414,6 +414,7 @@ sub process_routestopped() {
 			    my $dest   = match_dest_net   $host;

 			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
+			    clearrule;
 			}
 		    }
 		} elsif ( $option eq 'source' ) {
@ -459,6 +460,7 @@ sub process_routestopped() {
 		    my ( $interface1, $h1 ) = split /:/, $host1;
 		    my $dest1 = match_dest_net $h1;
 		    emit "\$IPTABLES -A FORWARD -i $interface -o $interface1 $source $dest1 -j ACCEPT";
+		    clearrule;
 		}
 	    }
 	}
@ -1456,7 +1458,6 @@ sub generate_matrix() {
 		    my $ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 		    my $ipsec_out_match = match_ipsec_out $zone , $hostref;
 		    for my $net ( @{$hostref->{hosts}} ) {
-			my $source = match_source_net $net;
 			my $dest   = match_dest_net   $net;

 			if ( $chain1 ) {
@ -1468,6 +1469,8 @@ sub generate_matrix() {
 			    }
 			}

+			my $source = match_source_net $net;
+
 			insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', "-i $interface ", $source, $ipsec_in_match );

 			if ( $chain2 ) {