From fe0bedacfc9103a17387130d84a287eb95c44b66 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 9 Jun 2011 07:27:06 -0700
Subject: [PATCH] Exempt ipsec from sfilter
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Misc.pm | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 4f580e514..eafa7ea70 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -504,6 +504,7 @@ sub add_common_rules() {
 my $policy = $config{SFILTER_DISPOSITION};
 $level = $config{SFILTER_LOG_LEVEL};
 my $audit = $policy =~ s/^A_//;
+ my $ipsec = have_ipsec ? '-m policy --pol none --dir in ' : '';
 if ( $level || $audit ) {
 $chainref = new_standard_chain 'sfilter';
@@ -533,11 +534,11 @@ sub add_common_rules() {
 if ( @filters ) {
 for ( @filters ) {
- add_jump( $chainref , $target, 1, match_source_net( $_ ) ), $chainref->{filtered}++;
- add_jump( $chainref1 , $target, 1, match_source_net( $_ ) ), $chainref1->{filtered}++;
+ add_jump( $chainref , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++;
+ add_jump( $chainref1 , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref1->{filtered}++;
 }
 } elsif ( $interfaceref->{bridge} eq $interface ) {
- add_jump( $chainref , $target, 1, match_dest_dev( $interface ) ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
+ add_jump( $chainref , $target, 1, match_dest_dev( $interface ) . $ipsec ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
 }
 add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};
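Review bot: The added `my $ipsec = have_ipsec ? ... : '';` line in the first hunk calls `have_ipsec` as a bare word directly in front of `?`; that only parses as a nullary call if the sub is imported with an empty `()` prototype, otherwise Perl may take `? ... :` as the start of an argument list, so `have_ipsec() ? '-m policy --pol none --dir in ' : ''` is the unambiguous form. The same `$ipsec` is appended in the second hunk to every sfilter jump, which means any packet that arrived through an IPsec SA skips the source-address filtering entirely; a one-line comment recording that this relies on the SA selectors to constrain the inner source addresses, e.g. `# IPsec-decapsulated packets are exempt from sfilter; their source is constrained by the SA selectors`, would make the trade-off visible to the next maintainer. Concatenating `match_source_net( $_ ) . $ipsec` also assumes `match_source_net` returns a string ending in a space, which is not visible here and is worth confirming. add_common_rules begins before the first hunk and continues past the second.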