On 8/12/10 6:59 AM, Tom Eastep wrote:
> On 8/11/10 8:48 PM, Hellmut Tümmler wrote:
>> Hello everybody,
>> maybe I am staring for too long into this terminal and start to see double
>> contours.
>> Using shorewall-4.4.10 on my Gentoo box with the following entry in rules
>> (among others, tell me if you need a dump). It's located below SECTION NEW:
>>
>> #ACTION      SRC                                     DEST
>> DROP         net:82.96.96.3,85.190.0.3       any
>>
>> According to 'shorewall show net2fw' the rule is generated twice. This
>> cannot be right can it? It doesn't happen when DEST is set to all.

It does -- in the fw2net chain.

>>
>> ...
>>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
>>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
>>     0     0 DROP       all  --  *      *       82.96.96.3           0.0.0.0/0
>>     0     0 DROP       all  --  *      *       85.190.0.3           0.0.0.0/0
>> ...
> 
> I have reproduced the problem.

And attached is a patch:

        patch /usr/share/shorewall/Shorewall/Zones.pm < anybug.diff

The patch will apply with an offset (-13 lines with 4.4.10 - I actually
tested it against 4.4.10.3). It will apply cleanly to 4.4.11 through
4.4.11.2.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Zones.pm 
b/Shorewall/Perl/Shorewall/Zones.pm
index dcfa920..fc82a8e 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -740,7 +740,13 @@ sub non_firewall_zones() {
 }
 
 sub all_parent_zones() {
-   grep ( ! @{$zones{$_}{parents}} ,  @zones );
+    #
+    # Although the firewall zone is a parent zone, we let the caller decide
+    # if it is to be included or not.
+    #
+    grep ( ! ( $zones{$_}->{type} == FIREWALL ||
+              $zones{$_}->{type} == VSERVER  ||
+              @{$zones{$_}{parents}} ) ,  @zones );
 }
 
 sub complex_zones() {
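
Review bot: The comment added in all_parent_zones() mentions only the firewall zone, but the new grep condition also drops zones whose type is VSERVER; the comment should name both and say outright that they are now excluded from the returned list, so a caller that wants them has to add them itself. Because the function previously returned every zone with no parents, the other callers of all_parent_zones() should be checked for any that relied on the firewall zone being in the result. Minor style point: the condition mixes $zones{$_}->{type} with $zones{$_}{parents}; using one dereference form throughout would read better.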

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
