On 05/13/2013 04:49 PM, Tom Eastep wrote:

> 
> Actually, the rule is generated but then optimized away. So the warning
> will need to be issued when the 'local2fw' chain contains rules but we
> don't generate any jumps to it.
> 

The attached patch predicts when a rule will be optimized away because
of 'destonly' and issues a warning when the rule is processed.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 546695c..bc58a36 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2376,8 +2376,17 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 	#
 	# If we are processing an inline action, we need the source zone for NAT.
 	#
-	$sourceref = find_zone( $chainref->{sourcezone} ) if $chainref->{sourcezone}; 
+	if ( $chainref->{sourcezone} ) { 
+	    $sourceref = find_zone( $chainref->{sourcezone} );
+	    unless ( $wildcard ) {
+		warning_message "The SOURCE in this rule is 'destonly'" if $sourceref->{destonly} && ! $sourceref->{complex};
+	    }
+	}
     } else {
+	unless ( $wildcard ) {
+	    warning_message "The SOURCE zone in this rule is 'destonly'" if $sourceref->{destonly} && ! $sourceref->{complex};
+	}
+
 	unless ( $actiontype & NATONLY ) {
 	    #
 	    # Check for illegal bridge port rule
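Review bot: The two new warnings use different wording for the same condition — `"The SOURCE in this rule is 'destonly'"` in the inline-action branch and `"The SOURCE zone in this rule is 'destonly'"` in the else branch — which makes the message harder to grep for and document; I would use one text in both places, and since the commit description says the rule is going to be optimized away, say so, e.g. `warning_message "The SOURCE zone in this rule is 'destonly'; the rule will have no effect" if $sourceref->{destonly} && ! $sourceref->{complex};` on both lines, so an administrator reading the log understands that the filter they wrote is silently absent from the ruleset. The `$sourceref->{destonly} && ! $sourceref->{complex}` test together with its `unless ( $wildcard )` guard is repeated verbatim in both branches; a small helper such as `_warn_if_destonly($sourceref, $wildcard)` would keep the two from drifting apart the way the messages already have. The else branch dereferences `$sourceref` unconditionally, which presumes every path reaching it has assigned `$sourceref`; process_rule's body starts and ends outside this hunk, so that cannot be confirmed here. The line `if ( $chainref->{sourcezone} ) {` also carries trailing whitespace after the brace.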
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index be9905f..14d3956 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -747,8 +747,11 @@ sub add_group_to_zone($$$$$)
     my $zoneref  = $zones{$zone};
     my $zonetype = $zoneref->{type};
 
-
+    $interfaceref = $interfaces{$interface};
     $zoneref->{interfaces}{$interface} = 1;
+    $zoneref->{destonly} ||= $interfaceref->{options}{destonly};
+
+    $interfaceref->{zones}{$zone} = 1;
 
     my @newnetworks;
     my @exclusions = ();
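Review bot: `$zoneref->{destonly} ||= $interfaceref->{options}{destonly};` sets the zone flag as soon as any one of its interfaces is 'destonly' and never clears it, so a zone that spans a 'destonly' interface and an ordinary one ends up flagged, and the new warning in Rules.pm would then fire for a rule that is not going to be optimized away, because traffic from that zone can still arrive on the ordinary interface. If the flag is meant to predict the optimization, it has to mean "every interface of this zone is destonly" — for instance by clearing it whenever an interface without the option is added and only setting it while all interfaces seen so far have it — unless the `complex` attribute checked in Rules.pm already excludes such mixed zones, which cannot be confirmed from this hunk. `$interfaceref` is assigned here without `my`; I assume it is declared earlier in add_group_to_zone, whose start is outside the hunk, but a file-scoped or package variable would be worth checking since the assignment now happens once per call rather than once per host. The second hunk in this file only removes the lines moved here.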
@@ -757,10 +760,6 @@ sub add_group_to_zone($$$$$)
     my $allip    = 0;
 
     for my $host ( @$networks ) {
-	$interfaceref = $interfaces{$interface};
-
-	$interfaceref->{zones}{$zone} = 1;
-
 	$interfaceref->{nets}++;
 
 	fatal_error "Invalid Host List" unless supplied $host;

Attachment: signature.asc
Description: OpenPGP digital signature
