Exempt ipsec from sfilter

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-06-09 07:27:06 -07:00
parent 4ce751469b
commit fe0bedacfc


@ -504,6 +504,7 @@ sub add_common_rules() {
my $policy = $config{SFILTER_DISPOSITION};
$level = $config{SFILTER_LOG_LEVEL};
my $audit = $policy =~ s/^A_//;
my $ipsec = have_ipsec ? '-m policy --pol none --dir in ' : '';
if ( $level || $audit ) {
$chainref = new_standard_chain 'sfilter';
@ -533,11 +534,11 @@ sub add_common_rules() {
if ( @filters ) {
for ( @filters ) {
add_jump( $chainref , $target, 1, match_source_net( $_ ) ), $chainref->{filtered}++;
add_jump( $chainref1 , $target, 1, match_source_net( $_ ) ), $chainref1->{filtered}++;
add_jump( $chainref , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref->{filtered}++;
add_jump( $chainref1 , $target, 1, match_source_net( $_ ) . $ipsec ), $chainref1->{filtered}++;
}
} elsif ( $interfaceref->{bridge} eq $interface ) {
add_jump( $chainref , $target, 1, match_dest_dev( $interface ) ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
add_jump( $chainref , $target, 1, match_dest_dev( $interface ) . $ipsec ), $chainref->{filtered}++ unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter};
}
add_rule( $chainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ), $chainref->{filtered}++ if $config{FASTACCEPT};