On 4/6/11 1:39 PM, Steven Jan Springl wrote:

> The attached minimal config. generates the following nat table rules:
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :dnat - [0:0]
> :net_dnat - [0:0]
> -A dnat -j net_dnat
> -A net_dnat -p 6 --dport 1234 -j REDIRECT --to-port 22
> COMMIT
> 
> In the above rules the dnat chain is unreferenced.
> 
> If 'physical=+' is removed from eth0 in the interfaces file or it is changed 
> to a value other than '+' then a jump to the dnat chain from the PREROUTING 
> chain is generated.

Steven,

The attached patch seems to correct this problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 0b0e29f..7d50a12 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1356,7 +1356,18 @@ sub generate_matrix() {
                            # There are DNAT/REDIRECT rules with this zone as 
the source.
                            # Add a jump from this source network to this 
zone's DNAT/REDIRECT chain
                            #
-                           add_jump $preroutingref, source_exclusion( 
$exclusions, $dnatref), 0, join( '', match_source_dev( $interface), $source, 
$ipsec_in_match );
+                           add_jump( $preroutingref,
+                                     source_exclusion( $exclusions, $dnatref),
+                                     0,
+                                     join( '', match_source_dev( $interface), 
$source, $ipsec_in_match ) );
+                                     
+                           if ( get_physical( $interface ) eq '+' ) {
+                               #
+                               # The jump from the prerouting chain to dnat 
may not have been added above
+                               # 
+                               addnatjump 'PREROUTING', 'dnat', '' unless 
$preroutingref->{references}{PREROUTING};
+                           }
+                               
                            check_optimization( $dnatref ) if $source;
                        }
 
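Review bot: the new guard `addnatjump 'PREROUTING', 'dnat', '' unless $preroutingref->{references}{PREROUTING};` hard-codes the chain name `dnat` while the reference test is made on `$preroutingref`; that is only correct if, for a `physical=+` interface, `$preroutingref` is the `dnat` chain itself, and nothing in the hunk states that. Consider jumping to the chain's own name taken from `$preroutingref` rather than the literal, or add a comment asserting the equivalence, and expand "may not have been added above" to say which earlier condition skips the jump for wildcard interfaces. The three added whitespace-only lines also carry trailing spaces.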

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
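A check for the symptom Steven reports, as an added example that is not Shorewall code: it parses iptables-save style output (the quoted *nat block is embedded as constructed input) and lists user chains that no jump path from a built-in chain reaches, so it flags `net_dnat` as well, since its only reference comes from the dead `dnat` chain and the REDIRECT rule can never fire.

```python
import re

# Constructed input: the nat table rules quoted in the report above.
SAMPLE_NAT = """*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:dnat - [0:0]
:net_dnat - [0:0]
-A dnat -j net_dnat
-A net_dnat -p 6 --dport 1234 -j REDIRECT --to-port 22
COMMIT
"""

# ':name policy [pkts:bytes]' declares a chain; policy '-' marks a user chain.
CHAIN_RE = re.compile(r'^:(\S+)\s+(\S+)\s+\[')
# '-A src ... -j/-g target' records a jump edge from chain src to target.
RULE_RE = re.compile(r'^-A\s+(\S+)\s.*?(?:-j|-g|--jump|--goto)\s+(\S+)')


def unreachable_chains(text: str) -> dict:
    """Per table, list user chains that no jump path from a built-in chain reaches;
    this also catches chains referenced only from another dead chain (net_dnat)."""
    result = {}
    table, user, builtin, edges = None, set(), set(), {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('*'):
            table, user, builtin, edges = line[1:], set(), set(), {}
        elif line == 'COMMIT' and table:
            # Walk jump edges outward from the built-in chains.
            seen, stack = set(builtin), list(builtin)
            while stack:
                for nxt in edges.get(stack.pop(), ()):
                    if nxt not in seen:
                        seen.add(nxt)
                        stack.append(nxt)
            dead = sorted(user - seen)
            if dead:
                result[table] = dead
            table = None
        elif (m := CHAIN_RE.match(line)):
            name, policy = m.groups()
            (user if policy == '-' else builtin).add(name)
        elif (m := RULE_RE.match(line)):
            src, dst = m.groups()
            edges.setdefault(src, set()).add(dst)
    return result
```

Feed it the output of `iptables-save` (or `shorewall export`'s generated script output) after a compile to confirm every generated chain is reachable.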