extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-15 12:14:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Disallow :P in CLASSIFY rules and complain if :F is used when the SOURCE or DEST is $FW.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-12-29 07:47:57 -08:00
parent b367fb46af
commit 03610181fd
1 changed files with 13 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -210,7 +210,8 @@ sub process_tc_rule( ) {
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
my $chain = $globals{MARKING_CHAIN};
my $chain = $globals{MARKING_CHAIN};
my $classid = 0;
if ( $remainder ) {
if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
@ -220,21 +221,26 @@ sub process_tc_rule( ) {
unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
$designator =~ /^([0-9a-fA-F]+)$/ &&
( $chain = $designator{$remainder} ) );
$mark = join( ':', $mark, $designator );
$mark = join( ':', $mark, $designator );
$classid = 1;
}
}
my $target = 'MARK --set-mark';
my $tcsref;
my $connmark = 0;
my $classid = 0;
my $device = '';
my $fw = firewall_zone;
my $list;
if ( $source ) {
if ( $source eq $fw ) {
$chain = 'tcout';
if ( $classid ) {
fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
} else {
$chain = 'tcout';
}
$source = '';
} else {
$chain = 'tcout' if $source =~ s/^($fw)://;
@ -243,6 +249,7 @@ sub process_tc_rule( ) {
if ( $dest ) {
if ( $dest eq $fw ) {
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classify;
$chain = 'tcin';
$dest = '';
} else {
@ -267,8 +274,9 @@ sub process_tc_rule( ) {
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
} else {
unless ( $remainder ) {
unless ( $classid ) {
fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
$chain = 'tcpost';
$mark = $originalmark;
}