On 05/12/2013 09:32 AM, Dash Four wrote:
>
> Tom Eastep wrote:
>>> Is that for the extra ACCEPT rule for 'lo' or something else?
>>>
>>
>> It is for extra chains left behind.
>>
>> No traffic can come from the loopback device that hasn't already been sent out of it. As a consequence, filtering in the INPUT chain is superfluous and any 'local -> fw' rules will be optimized away with the patch I sent earlier. All that will be left is the ACCEPT rule.
>>
> Hang on! I need to have local->fw and fw->local rules - they make perfect sense and I use them to restrict/log/report traffic. I just don't want to have inter-chain rules connecting to or coming out of local (or 'lo'), like net2local, local2net and so on.
Patch attached. You will have to live with the superfluous ACCEPT rule until I can find the time to suppress it.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 7e6ab13..ca226e5 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -2168,7 +2168,7 @@ sub generate_matrix() {
#
# FORWARDING Jump for non-IPSEC host group
#
- add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
+ add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && ( $hostref->{ipsec} ne 'ipsec' && ! $hostref->{options}{local} );
}
} # Subnet Loop
} # Hostref Loop
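Review bot: the comment block just above the changed line still reads "FORWARDING Jump for non-IPSEC host group", but the new condition `... && ! $hostref->{options}{local}` also skips the forward jump for any host group carrying the `local` option, so the comment should be updated to say "non-IPSEC, non-local host group" and ideally give the one-line reason from this thread (no forwarded traffic can originate from the loopback device, so net2local/local2net style chains are never needed). The added inner parentheses around the two `&&` terms change nothing and can be dropped for readability.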
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index d73acf8..f7dbedf 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1270,8 +1270,6 @@ sub process_interface( $$ ) {
$options{ignore} ||= 0;
}
- $hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};
-
$physical{$physical} = $interfaces{$interface} = { name => $interface ,
bridge => $bridge ,
filter => $filterref ,
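Review bot: dropping `$hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};` changes the meaning of the `local` interface option: it no longer implies `destonly`, so a local host group becomes eligible as a source again and the `local -> fw` rules Dash Four asked to keep are no longer discarded. That behaviour change belongs in the documentation for the `local` option and in the release notes, and it is worth confirming that nothing else relied on `destonly` being set for local hosts, since this patch only suppresses the forward jump in Misc.pm while the INPUT-side rules (and, as the message notes, the extra ACCEPT rule) remain.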
Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
