On 05/14/2013 09:29 AM, Tom Eastep wrote:
> On 05/13/2013 04:49 PM, Tom Eastep wrote:
> 
>>
>> Actually, the rule is generated but then optimized away. So the warning
>> will need to be issued when the 'local2fw' chain contains rules but we
>> don't generate any jumps to it.
>>
> 
> The attached patch predicts when a rule will be optimized away because
> of 'destonly' and issues a warning when the rule is processed.

This patchlet restores the INPUT ACCEPT rule for the loopback interface
when a local zone has the 'destonly' option.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index fe4b239..4c1bcec 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1520,7 +1520,7 @@ sub add_interface_jumps {
     my @interfaces = grep $_ ne '%vserver%', @_;
     my $dummy;
     my $loref = known_interface('lo');
-    my $lo_jump_added =  $loref && $loref->{options}{local};
+    my $lo_jump_added =  $loref && $loref->{options}{local} && ! $loref->{options}{destonly};
     #
     # Add Nat jumps
     #
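
Review bot: the new `! $loref->{options}{destonly}` term on the `$lo_jump_added` initialiser carries no comment saying why 'destonly' must leave the flag false, and the variable name now reads as "a jump was added" when it is really a prediction made before any jump exists. A short comment above the assignment would help, stating that with 'destonly' no jump is generated for lo, so the flag stays false and the loopback INPUT ACCEPT rule is still emitted. The message describes 'destonly' as an option of the local zone, while the test reads it from the options hash returned by `known_interface('lo')`, so it is worth confirming the option is recorded there. Since this decides whether loopback traffic is accepted in INPUT, a regression test covering 'local' with and without 'destonly' would be a reasonable addition.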
