On 02/04/2013 03:10 PM, Tom Eastep wrote:

>>
>> I have specified INVALID_DISPOSITION=CONTINUE
>>
>> If any of the "PACKET DISPOSITION" parameters in shorewall.conf is set to 
>> CONTINUE, shouldn't '-j' be used instead of '-g' in the generated iptables 
>> rule?
> 
> It should indeed; good catch!
> 
> Patch attached.
> 

Even with that patch, a RETURN rule in the target chain won't work
correctly with 'g'. The attached patch (which should be applied after
PATCH 3) unconditionally uses '-j' in these rules.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 87a65cf..092cb7d 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -953,11 +953,7 @@ sub finish_chain_section ($$$) {
 		    
 		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
 
-		    if ( $statetable{$_}[2] ) {
-			add_ijump( $chainref, g => $target, state_imatch $_ );
-		    } else {
-			add_ijump( $chainref, j => $target, state_imatch $_ );
-		    }
+		    add_ijump( $chainref, j => $target, state_imatch $_ );
 		}
 
 		delete $state{$_};
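
Review bot: the new unconditional add_ijump( $chainref, j => $target, state_imatch $_ ) line has no comment saying why goto must not be used here, so a later cleanup could reintroduce 'g'. A one-line comment above it would help, noting that a RETURN in the target chain has to resume in $chainref, which only a jump provides (after a goto, RETURN resumes in the chain that jumped to $chainref instead). Separately, the removed if/else was the only reader of $statetable{$_}[2] visible in this hunk; if nothing else in Rules.pm consults that third element, drop it from %statetable in the same patch so the table does not carry an unused flag.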
