From 41a1a4c69448991bb89b22081b29bffe47bfcca1 Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Wed, 6 Mar 2013 17:21:00 +0100
Subject: [PATCH] FORWARD_IN_ZONES and FORWARD_OUT_ZONES chains (RHBZ#912782)

We need to separate top-level FORWARD_ZONES chain into these two chains to be able to correctly match rules for input and output interface, see https://bugzilla.redhat.com/show_bug.cgi?id=912782#c11
---
 src/firewall/core/base.py | 4 ++--
 src/firewall/core/fw_zone.py | 2 +-
 src/firewall/core/ipXtables.py | 10 ++++++----
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/firewall/core/base.py b/src/firewall/core/base.py
index b89870d..1dcf30b 100644
--- a/src/firewall/core/base.py
+++ b/src/firewall/core/base.py
@@ -44,8 +44,8 @@ INTERFACE_ZONE_SRC = {
     "PREROUTING": "PREROUTING",
     "POSTROUTING": "POSTROUTING",
     "INPUT": "INPUT",
-    "FORWARD_IN": "FORWARD",
-    "FORWARD_OUT": "FORWARD",
+    "FORWARD_IN": "FORWARD_IN",
+    "FORWARD_OUT": "FORWARD_OUT",
     "OUTPUT": "OUTPUT",
 }
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 2b0ac8b..c72055e 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -264,7 +264,7 @@ class FirewallZone:
             target = self._zones[zone].target.format(
                 chain=SHORTCUTS[chain], zone=zone)
             if target in [ "REJECT", "%%REJECT%%" ] and \
-               src_chain not in [ "INPUT", "FORWARD", "OUTPUT" ]:
+               src_chain not in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
                 # REJECT is only valid in the INPUT, FORWARD and
                 # OUTPUT chains, and user-defined chains which are
                 # only called from those chains
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index d172151..311f9e4 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
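Review bot: The new values `"FORWARD_IN"` and `"FORWARD_OUT"` in INTERFACE_ZONE_SRC no longer name netfilter built-in chains, and nothing in the hunk says what they do name, so a reader comparing the map against the kernel's chain list has to go hunting. The ipXtables.py hunk in this same patch creates FORWARD_IN_ZONES and FORWARD_OUT_ZONES and jumps to both from FORWARD, so the values appear to be the prefixes of those dispatch chains. I would add above the two entries: `# FORWARD_IN/FORWARD_OUT are firewalld's own dispatch chains (FORWARD_IN_ZONES/FORWARD_OUT_ZONES, see DEFAULT_RULES in ipXtables.py), both called only from the built-in FORWARD chain.` The REJECT validity check in fw_zone.py lists these same names, so that comment also explains why they are accepted there.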
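Review bot: The allow-list on the changed line now retypes chain names that also live in INTERFACE_ZONE_SRC in base.py, so the next chain rename has to be made in two places, and the comment below it still reads `INPUT, FORWARD and OUTPUT` without saying why FORWARD_IN and FORWARD_OUT qualify. Since this condition selects which target the zone gets (the alternative branch is outside the hunk), a chain name missing from the list would change a zone's verdict silently rather than fail loudly, which is the kind of drift a shared constant prevents. I would extend the comment with `# FORWARD_IN/FORWARD_OUT are only ever called from FORWARD, so REJECT is valid there too` and move the list to a named constant beside INTERFACE_ZONE_SRC (e.g. a `REJECT_VALID_CHAINS`, name constructed here) so both change together; note it cannot simply be INTERFACE_ZONE_SRC's values, since PREROUTING and POSTROUTING must stay excluded. The enclosing method starts and ends outside the hunk.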
@@ -83,14 +83,16 @@ DEFAULT_RULES["filter"] = [
     "-I INPUT 6 -j %%REJECT%%",
     "-N FORWARD_direct",
-    "-N FORWARD_ZONES",
+    "-N FORWARD_IN_ZONES",
+    "-N FORWARD_OUT_ZONES",
     "-I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
     "-I FORWARD 2 -i lo -j ACCEPT",
     "-I FORWARD 3 -j FORWARD_direct",
-    "-I FORWARD 4 -j FORWARD_ZONES",
-    "-I FORWARD 5 -p %%ICMP%% -j ACCEPT",
-    "-I FORWARD 6 -j %%REJECT%%",
+    "-I FORWARD 4 -j FORWARD_IN_ZONES",
+    "-I FORWARD 5 -j FORWARD_OUT_ZONES",
+    "-I FORWARD 6 -p %%ICMP%% -j ACCEPT",
+    "-I FORWARD 7 -j %%REJECT%%",
     "-N OUTPUT_direct",
--
1.8.1.4
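Review bot: The order on the new side, `"-I FORWARD 4 -j FORWARD_IN_ZONES"` before `"-I FORWARD 5 -j FORWARD_OUT_ZONES"`, decides which zone wins for forwarded traffic, and the list carries no comment saying so. A forwarded packet is dispatched by ingress interface first, and when the ingress zone's chain reaches a terminating target (ACCEPT, REJECT or DROP) traversal ends before the egress zone is consulted, so the source zone's verdict takes precedence over the destination zone's rules and only packets that leave both chains without a verdict reach the ICMP accept and the final REJECT. I would record that above `"-N FORWARD_IN_ZONES"`: `# Forwarded traffic is checked by ingress zone (FORWARD_IN_ZONES) before egress zone (FORWARD_OUT_ZONES); a verdict in the ingress zone is final.` The positions are also hard-coded 1..7, so each later insertion into FORWARD means renumbering the tail, though that matches the existing style of the list. If a list elsewhere flushes or deletes `FORWARD_ZONES` on reload or shutdown, it is not among this patch's three files and would now name a chain that is never created.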