On 9/14/10 2:22 PM, Mr Dash Four wrote:
> 
>> And it appears that very simple cases are also broken in Beta 5 :-(
>>
>> I'll take a look.
>>   
> Tom, wouldn't it be easier if you included the blacklst chain at the 
> beginning of each configured device/zone depending on the 'from,to' 
> options in the blacklist file? You did it, unidirectionally, with 
> 'from'; all that needs to be done is to include that part of the code, but at 
> the other end of the chains, or am I simplifying it a bit here - is 
> there more to it?

There's more to it. 'blacklist' is not a zone attribute. It is a
host-group attribute (see shorewall-hosts(5)). I regret that it was
initially implemented that way but it was and I need to maintain
compatibility.

At any rate, the patch I just posted corrects the problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm 
b/Shorewall/Perl/Shorewall/Rules.pm
index 56790f1..1c4e18e 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2034,7 +2034,7 @@ sub generate_matrix() {
                            my $interfacematch = '';
                            my $use_output = 0;
 
-                           if ( @vservers || use_output_chain( $interface, 
$interfacechainref ) || ( ( $blacklist || @{$interfacechainref->{rules}} ) && ! 
$chain1ref ) ) {
+                           if ( @vservers || use_output_chain( $interface, 
$interfacechainref ) || $blacklist || ( @{$interfacechainref->{rules}} && ! 
$chain1ref ) ) {
                                $outputref = $interfacechainref;
                                add_jump $filter_table->{OUTPUT}, $outputref, 
0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
                                $use_output = 1;
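
Review bot: In the rewritten `if` condition of generate_matrix(), `$blacklist` is now tested on its own, so whenever it is true this branch is taken and the jump from OUTPUT to `$interfacechainref` is added, even when `$chain1ref` is defined and the interface chain has no rules of its own. If `$blacklist` is a global flag rather than something specific to this interface or host group, that means an OUTPUT jump for interfaces that have no outbound blacklisting configured; please confirm that is intended, or narrow the test. The condition is also now a four-way disjunction with no explanation of why blacklisting must bypass the `! $chain1ref` check while `@{$interfacechainref->{rules}}` still depends on it; a one-line comment above the `if` saying so would help the next reader, and splitting the terms across lines would make the grouping visible.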

Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel