Only use the 'accountout' chain when there are bridges

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6507 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-06-10 17:09:09 +00:00 · 2007-06-10 17:09:09 +00:00 · f274d55cb8
commit f274d55cb8
parent d9e14ffa1c
3 changed files with 41 additions and 18 deletions
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@ -29,6 +29,7 @@ use Shorewall::Common;
 use Shorewall::Config;
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Interfaces;
 use Shorewall::Chains;
 use strict;
@ -58,8 +59,13 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 	"-j $jumpchain";
    }
-    unless ( $chain and $chain ne '-' ) {
+    my $restriction = NO_RESTRICT;
-	$chain = $source =~ /^$firewall_zone:?/ ? 'accountout' : 'accounting';
+
    if ( @bridges && $source =~ /^$firewall_zone:?/ ) {
 	$restriction = OUTPUT_RESTRICT;
 	$chain = 'accountout' unless $chain and $chain ne '-';
    } else {
 	$chain = 'accounting' unless $chain and $chain ne '-';
    }
    my $chainref = ensure_filter_chain $chain , 0;
@ -139,6 +145,7 @@ sub setup_accounting() {
 	process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark;
    }
    if ( @bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
 		insert_rule $filter_table->{$chain}, 1, '-j accounting';
@ -156,6 +163,18 @@ sub setup_accounting() {
 	} elsif ( $config{FASTACCEPT} ) {
 	    insert_rule $filter_table->{OUTPUT}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
 	}
    } else {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		insert_rule $filter_table->{$chain}, 1, '-j accounting';
 		insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
 	    }
 	} elsif ( $config{FASTACCEPT} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
 	    }
 	}
    }
 }
 1;
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -1511,9 +1511,10 @@ sub expand_rule( $$$$$$$$$$ )
 	    #
 	    fatal_error "Bridge port ( $diface) not allowed" if port_to_bridge( $diface );
 	    add_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do' );
-	    $rule .= '-d $dest';
+	    $rule .= '-d $dest ';
 	    $chainref->{loopcount}++;
 	} else {
 	    fatal_error "Bridge Port ( $diface ) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
 	    fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT;
 	    if ( $iiface ) {
--- a/Shorewall-perl/Shorewall/Interfaces.pm
+++ b/Shorewall-perl/Shorewall/Interfaces.pm
@ -44,7 +44,8 @@ our @EXPORT = qw( add_group_to_zone
 		  find_interfaces_by_option
 		  get_interface_option
-		  @interfaces  );
+		  @interfaces
 		  @bridges );
 our @EXPORT_OK = ();
 our @VERSION = 1.00;
@ -64,6 +65,7 @@ our @VERSION = 1.00;
 #
 our @interfaces;
 our %interfaces;
 our @bridges;
 sub add_group_to_zone($$$$$)
 {
@ -308,6 +310,7 @@ sub validate_interfaces_file( $ )
 	    if ( $options{bridge} ) {
 		require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 		fatal_error "Bridges may not have wildcard names" if $wildcard;
 		push @bridges, $interface;
 	    }
 	} elsif ( defined $port ) {
 	    $options{port} = 1;