On 05/17/2013 05:29 PM, Tom Eastep wrote:
> On 5/17/13 4:01 PM, "Dash Four" <[email protected]> wrote:

>>>> 4. "all+ all+ DROP" generates a "fw2fw" chain, bound to my "lo"
>>>> interface no less - that should not happen.
>>>>     
>>>
>>> Why should the firewall zone be different from any other zone? If you
>>> don't want that behavior, add this policy before the one you quote:
>>>
>>> $FW $FW     ACCEPT
>>>   
>> I was under the impression that the "fw" zone isn't attached to any
>> interface. I already have a zone with that interface in it and it is
>> called "local".
> 
> Yes -- We invented 'local' zones for you. But every other user of
> Shorewall assumes that the zone at the
> other end of 'lo' is $FW because all intra-system IP communication must go
> through 'lo'. That is a fundamental assumption of the Shorewall design.
> When you define a fw->fw policy or fw->fw rules, they are enforced from
> the OUTPUT chain via a chain named 'fw2fw' or 'fw-fw' (assuming that $FW
> eq 'fw').

The attached simple patch eliminates the extraneous chains/rules when
there is a local zone.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 12bd9f2..42b8c57 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1427,6 +1427,7 @@ sub handle_loopback_traffic() {
     my $natout  = $nat_table->{OUTPUT};
     my $rawout  = $raw_table->{OUTPUT};
     my $rulenum = 0;
+    my $local   = local_zone;
 
     my $outchainref;
     my @rule;
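Review bot: `my $local = local_zone;` calls `local_zone` as a bareword, which only compiles under `use strict` if the sub is already imported or declared when this file is parsed; writing `local_zone()` makes the call explicit and avoids that dependency on import order. A short comment saying the value records whether a 'local' zone is defined (and why that matters for loopback traffic) would also help, since `$local` reads like it could hold a zone name rather than a flag.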
@@ -1455,6 +1456,8 @@ sub handle_loopback_traffic() {
 	#
 	if ( $type1 == FIREWALL ) {
 	    for my $z2 ( @zones ) {
+		next if $local && $z1 eq $z2;
+
 		my $chain = rules_target( $z1, $z2 );
 
 		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
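Review bot: `next if $local && $z1 eq $z2;` silently discards any explicit $FW->$FW policy or rules when a 'local' zone is defined, which is a behaviour change for users who configured both; a warning at configuration time (or a note in the policy documentation) would make the skip visible rather than having the fw2fw chain just disappear. It would also be worth a one-line comment above the `next` stating that intra-system traffic is handled by the local zone in this case, so the reason for the exception survives in the code.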


_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
