Omit fw->fw jumps when there is a local zone.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
9e77bb5499
commit
fd11eb7d82
@ -1427,6 +1427,7 @@ sub handle_loopback_traffic() {
|
||||
my $natout = $nat_table->{OUTPUT};
|
||||
my $rawout = $raw_table->{OUTPUT};
|
||||
my $rulenum = 0;
|
||||
my $local = local_zone;
|
||||
|
||||
my $outchainref;
|
||||
my @rule;
|
||||
@ -1455,6 +1456,8 @@ sub handle_loopback_traffic() {
|
||||
#
|
||||
if ( $type1 == FIREWALL ) {
|
||||
for my $z2 ( @zones ) {
|
||||
next if $local && $z1 eq $z2;
|
||||
|
||||
my $chain = rules_target( $z1, $z2 );
|
||||
|
||||
generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
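Review bot: The added `next if $local && $z1 eq $z2;` inside the `$type1 == FIREWALL` loop carries no comment, so a reader cannot tell that skipping the fw->fw jump is deliberate or what it costs. Once the jump is skipped, any restrictive $FW->$FW rule or policy is no longer reached by the firewall's own loopback traffic; what handles that traffic instead is not visible in this hunk and should be stated. I would add a comment above the line, for example `# A 'local' zone is defined: omit the fw->fw jump; $FW->$FW rules are ignored in this configuration`. `$local` (set by `my $local = local_zone;` in the first hunk) is only tested for truth here, so a short note at its declaration saying what `local_zone` returns would help too. handle_loopback_traffic starts and ends outside both hunks.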
|
||||
|
@ -2448,8 +2448,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
warning_message( "The SOURCE zone in this rule is 'destonly'" ) if $sourceref->{destonly};
|
||||
|
||||
if ( $destref ) {
|
||||
warning_message( "The SOURCE zone is local and the DEST zone is off-firewall" ) if $sourceref->{type} == LOCAL && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
|
||||
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" ) if $destref->{type} == LOCAL && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
|
||||
warning_message( "The SOURCE zone is local and the DEST zone is off-firewall" ) if $sourceref->{type} == LOCAL && ! ( $destref->{type} & ( FIREWALL | VSERVER ) );
|
||||
warning_message( "The SOURCE zone is off-firewall and the DEST zone is 'local'" ) if $destref->{type} == LOCAL && ! ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
|
||||
warning_message( "\$FW to \$FW rules are ignored when there is a defined 'local' zone" ) if local_zone && $sourceref->{type} == FIREWALL && $destref->{type} == FIREWALL;
|
||||
}
|
||||
}
|
||||
}
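Review bot: The new last line of the `if ( $destref )` block only warns that $FW to $FW rules are ignored, and nothing visible in this hunk stops process_rule from going on to build the rule. An administrator who wrote a DROP or REJECT rule for firewall-to-firewall traffic gets a compile that succeeds while the restriction silently has no effect. The message should spell out that consequence, for example `"\$FW to \$FW rules are ignored when there is a defined 'local' zone; this rule will have no effect"`. Whether it should be a fatal error for non-ACCEPT actions is also worth deciding. The two manpage sections in this commit remove the paragraph about the $FW -> $FW policy without adding a sentence that such rules are now ignored, so the behaviour is documented only by this warning. process_rule's body begins outside the hunk.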
|
||||
|
@ -246,10 +246,6 @@ c:a,b ipv4</programlisting>
|
||||
|
||||
<para>Only one <emphasis role="bold">local</emphasis> zone may
|
||||
be defined.</para>
|
||||
|
||||
<para>When a local zone is defined, you should ensure that the
|
||||
$FW -> $FW policy is ACCEPT; otherwise, extraneous chains
|
||||
and rules will be created.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|
@ -244,10 +244,6 @@ c:a,b ipv6</programlisting>
|
||||
|
||||
<para>Only one <emphasis role="bold">local</emphasis> zone may
|
||||
be defined.</para>
|
||||
|
||||
<para>When a local zone is defined, you should ensure that the
|
||||
$FW -> $FW policy is ACCEPT; otherwise, extraneous chains
|
||||
and rules will be created.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|