On Thu, 2011-12-29 at 13:18 -0800, Tom Eastep wrote:
> On Thu, 2011-12-29 at 20:12 +0000, Steven Jan Springl wrote:
> > The patch fixes the above issues.
> >
> > However, if DEST contains fw and an IP address e.g.
> >
> > 1:130:F 10.1.1.0/24 fw:1.1.1.1
> >
> > the iptables error still occurs.
> >
> > My testing indicated that specifying a source of fw is valid for :F.
> > Should Shorewall not allow this?
>
> Steven,
>
> No. Traffic that originates on the firewall does not traverse the
> FORWARD chain. The reason that it was previously working for you is that
> the compiler was silently substituting OUTPUT for FORWARD. Now it is
> generating an error.
I believe that this patch catches all cases that should not be supported.

Thanks, Steven

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 359bdc0..44672be 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -240,10 +240,10 @@ sub process_tc_rule( ) {
} else {
$chain = 'tcout';
}
-
$source = '';
- } else {
- $chain = 'tcout' if $source =~ s/^($fw)://;
+ } elsif ( $source =~ s/^($fw):// ) {
+ fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+ $chain = 'tcout';
}
}
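Review bot: the new guard `fatal_error ... if $chain eq 'tcfor'` assumes `$chain` already holds 'tcfor' for `:F` rules by the time the `elsif` runs, which the visible context does not show; a short comment at the `elsif`, or a test case for `SOURCE $FW:addr` on an `:F` rule, would make that dependency explicit. The deleted blank line before `$source = '';` is an unrelated whitespace change and is better left out of a behavioural fix.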
@@ -252,8 +252,9 @@ sub process_tc_rule( ) {
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
$chain = 'tcin';
$dest = '';
- } else {
- $chain = 'tcin' if $dest =~ s/^($fw)://;
+ } elsif ( $dest =~ s/^($fw):// ) {
+ fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
+ $chain = 'tcin';
}
}
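Review bot: this hunk is asymmetric with the SOURCE change above: the new `elsif ( $dest =~ s/^($fw):// )` branch still silently sets `$chain = 'tcin'` with no `if $chain eq 'tcfor'` guard, so a DEST of `$FW:addr` on an `:F` rule (the `1:130:F 10.1.1.0/24 fw:1.1.1.1` case raised in the thread) is redirected rather than rejected; if that combination is meant to be an error, add the matching `fatal_error`. Also, `fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;` now appears verbatim in both branches and could be hoisted ahead of the `if`/`elsif`.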
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
