Klemens Rutz wrote:
> Hi,
> 
> a "DNAT-" rule with source "all" omitted destination zone is not
> applied for packets originating from the firewall itself. Here is
> an example (zones oz and $FW) and some further analysis:

<details deleted>

The attached patch against 4.3 applies with offset to 4.2. Apply to
/usr/share/shorewall-perl/Shorewall/Rules.pm

> 
> This motivates another series of tests where the destination
> zone is "oz". I get a warning from the compiler:
>   WARNING: Destination zone (oz) ignored)
> but the firewall script seems to be correct in this case:
> 

<more detail deleted>

> The warning is kind of misleading here,

I disagree.

> because the destination zone is actually not ignored.

Yes it is! You get the same result whether it is there, is not there, or
is the name of any defined zone.

> Though I agree that a destination
> zone is only needed in a DNAT, but not in a DNAT- rule.  
> 
> Is the behavior with omitted destination zone correct

Yes.

> and
> should I specify the destination zone in DNAT- rules or not? 

Not.

> How seriously should I take the warning about the ignored
> destination zone?

I can't answer that. The message tells you that you are doing something
silly -- you can ignore it if you want to.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index dc0ad1b..e4585a7 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1453,7 +1453,7 @@ sub process_rule ( $$$$$$$$$$$$ ) {
 		    }
 		} else {
 		    my $destzone = (split( /:/, $dest, 2 ) )[0];
-		    $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
+		    $destzone = $action =~ /^REDIRECT/ ? firewall_zone : '' unless defined_zone $destzone;
 		    if ( $intrazone || ( $zone ne $destzone ) ) {
 			process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, 1;
 		    }
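Review bot: the replacement line drops the comment that explained why the fallback to firewall_zone exists ("We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid"), and the new behaviour is less obvious than the old, so the comment should be kept and updated rather than deleted. With the change, an undefined destination zone only maps to firewall_zone for actions matching /^REDIRECT/; for every other action (including DNAT-) $destzone becomes '' so that the following `$zone ne $destzone` test is true and process_rule1 is reached even when $zone is the firewall zone, which is what lets a 'DNAT- all ...' rule apply to firewall-originated packets as reported above. A one-line comment stating that '' is deliberate and that process_rule1 still rejects an invalid zone name would save the next reader from wondering whether the empty string is a bug. Minor: the old code called defined_zone( $destzone ) with parentheses; the new line relies on defined_zone being declared before this point so the paren-less call parses as intended, so keeping the parentheses would be safer.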


Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users