Debian Package: 4.5.21.6-1
Shorewall Version: 4.5.21.6
Configuration: one-interface example configs

Problem Statement: If rpfilter is set on all interfaces in the
interfaces config, no references to the dynamic chain are created and
later in the startup, the dynamic chain gets eliminated.

Troubleshooting: I believe I've read all the relevant documentation
(blacklisting, interfaces, etc.) and if this is an intended feature I
don't see that it is documented. I've tried varying my config to make
sure that Optimization isn't the cause. I seem to be Doing The Right
Thing as far as blacklisting goes (DYNAMIC_BLACKLIST=Yes, BLACKLIST=ALL).

I believe I've found the cause and have attached a patch which corrects
the issue (usr/shorewall/Shorewall/Misc.pm).

Lastly, thanks for all of your time on a great product.

diff -ruN a/usr/share/shorewall/Shorewall/Misc.pm b/usr/share/shorewall/Shorewall/Misc.pm
--- a/usr/share/shorewall/Shorewall/Misc.pm 2014-06-06 09:34:33.771549950 -0500
+++ b/usr/share/shorewall/Shorewall/Misc.pm 2014-06-06 09:37:32.268231500 -0500
@@ -859,10 +859,10 @@
add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
}
- for ( option_chains( $interface ) ) {
- add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
- add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
- }
+ }
+ for ( option_chains( $interface ) ) {
+ add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
+ add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
}
}
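
Review bot: The relocated loop carries the FASTACCEPT rule out of the enclosing block along with the dynamic-chain jump, but the report only covers the missing references to the dynamic chain. After the added `}`, both `add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;` and the `j => 'ACCEPT', state_imatch $faststate` line run for every chain returned by `option_chains( $interface )`, whatever the condition on the block above was. Please confirm that emitting the ACCEPT rule for those interfaces is intended and does not change rule order or duplicate a rule for configurations that did not hit this bug; if only the blacklist jump needs to be unconditional, move that line alone. A short comment above the loop saying that it must run for every interface so the dynamic chain stays referenced would keep a later cleanup from folding it back into the block.
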
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users