On 3/31/2014 5:38 AM, Hervé Werner wrote:
>
> I actually restarted Shorewall to get a working internet connection back
> and did the dump afterwards because I knew the issue was already
> logged. I understand your process but I can swear to you I'm not trying to
> fool you ;)
>
> Please find enclosed a proper dump as well as additional information on
> my software system.
> This time I was trying to ping DNS server 8.8.8.8.

Patch attached. The problem only occurred when FASTACCEPT=Yes; that is
why I failed to reproduce it.

>
> Please note an error about module 'sch_tbf' when recompiling the policy
> (shorewall_restart.txt). Don't know if it is tied to rpfilter.

It is not. That is a result of Shorewall probing your system to learn
its capabilities.

>
> I also would like to thank you for the 2 patches you wrote, I can
> confirm that Shorewall is now working as expected.

Thank you for confirming that the patches corrected the problems.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index a70a880..c84061e 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -855,26 +855,28 @@ sub add_common_rules ( $ ) {
my $interfaceref = find_interface $interface;
- unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} || $interfaceref->{physical} eq 'lo' ) {
+ unless ( $interfaceref->{physical} eq 'lo' ) {
+ unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
- my @filters = @{$interfaceref->{filter}};
+ my @filters = @{$interfaceref->{filter}};
- $chainref = $filter_table->{forward_option_chain $interface};
+ $chainref = $filter_table->{forward_option_chain $interface};
- if ( @filters ) {
- add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
- } elsif ( $interfaceref->{bridge} eq $interface ) {
- add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
- unless( $config{ROUTE_FILTER} eq 'on' ||
- $interfaceref->{options}{routeback} ||
- $interfaceref->{options}{routefilter} ||
- $interfaceref->{physical} eq '+' );
- }
+ if ( @filters ) {
+ add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+ } elsif ( $interfaceref->{bridge} eq $interface ) {
+ add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
+ unless( $config{ROUTE_FILTER} eq 'on' ||
+ $interfaceref->{options}{routeback} ||
+ $interfaceref->{options}{routefilter} ||
+ $interfaceref->{physical} eq '+' );
+ }
- if ( @filters ) {
- $chainref = $filter_table->{input_option_chain $interface};
- add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+ if ( @filters ) {
+ $chainref = $filter_table->{input_option_chain $interface};
+ add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+ }
}
for ( option_chains( $interface ) ) {
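Review bot: The new inner `unless ( ... & NO_SFILTER || ...{rpfilter} )` needs a comment stating that it guards only the sfilter jumps, because the one functional change here is buried among re-indented lines. By brace count, the trailing `for ( option_chains( $interface ) )` loop used to sit inside the combined `unless` and was skipped whenever `rpfilter` or NO_SFILTER was set; it now runs for every interface except `lo`. Without a note saying the loop must stay outside the inner test, a later cleanup could fold the two conditions back into one and reintroduce the problem. The outer test would also read more directly as `if ( $interfaceref->{physical} ne 'lo' )` rather than a second nested `unless`.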
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
