Support interface exclusion

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2018-06-10 12:02:19 -07:00
parent 43543b5c32
commit 0632723a6c
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10


@ -5868,36 +5868,48 @@ sub do_nfacct( $ ) {
# Match Source Interface # Match Source Interface
# #
sub match_source_dev( $;$ ) { sub match_source_dev( $;$ ) {
my ( $interface, $nodev ) = @_;; my ( $interface, $nodev ) = @_;
my $invert = ( $interface =~ s/^!// ) ? '!' : '';
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
$interface = $interfaceref->{physical} if $interfaceref; $interface = $interfaceref->{physical} if $interfaceref;
return '' if $interface eq '+';
if ( $interface eq '+' ) {
fatal_error "Invalid interface (!+)" if $invert;
return '';
}
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $nodev ) { if ( $nodev ) {
"-m physdev --physdev-in $interface "; "${invert}-m physdev --physdev-in $interface ";
} else { } else {
my $bridgeref = find_interface $interfaceref->{bridge}; my $bridgeref = find_interface $interfaceref->{bridge};
"-i $bridgeref->{physical} -m physdev --physdev-in $interface "; "-i $bridgeref->{physical} ${invert}-m physdev --physdev-in $interface ";
} }
} else { } else {
"-i $interface "; "${invert}-i $interface ";
} }
} }
sub imatch_source_dev( $;$ ) { sub imatch_source_dev( $;$ ) {
my ( $interface, $nodev ) = @_;; my ( $interface, $nodev ) = @_;
my $invert = ( $interface =~ s/^!// ) ? '! ' : '';
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
$interface = $interfaceref->{physical} if $interfaceref; $interface = $interfaceref->{physical} if $interfaceref;
return () if $interface eq '+';
if ( $interface eq '+' ) {
fatal_error "Invalid interface (!+)" if $invert;
return ();
}
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $nodev ) { if ( $nodev ) {
( physdev => "--physdev-in $interface" ); ( physdev => "${invert}--physdev-in $interface" );
} else { } else {
my $bridgeref = find_interface $interfaceref->{bridge}; my $bridgeref = find_interface $interfaceref->{bridge};
( i => $bridgeref->{physical}, physdev => "--physdev-in $interface" ); ( i => $bridgeref->{physical}, physdev => "${invert}--physdev-in $interface" );
} }
} else { } else {
( i => $interface ); ( i => $invert . $interface );
} }
} }
@ -5905,54 +5917,66 @@ sub imatch_source_dev( $;$ ) {
# Match Dest device # Match Dest device
# #
sub match_dest_dev( $;$ ) { sub match_dest_dev( $;$ ) {
my ( $interface, $nodev ) = @_;; my ( $interface, $nodev ) = @_;
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
my $invert = ( $interface =~ s/^!// ) ? '! ' : '';
$interface = $interfaceref->{physical} if $interfaceref; $interface = $interfaceref->{physical} if $interfaceref;
return '' if $interface eq '+';
if ( $interface eq '+' ) {
fatal_error "Invalid interface (!+)" if $invert;
return '';
}
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $nodev ) { if ( $nodev ) {
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
"-m physdev --physdev-is-bridged --physdev-out $interface "; "${invert}-m physdev --physdev-is-bridged --physdev-out $interface ";
} else { } else {
"-m physdev --physdev-out $interface "; "${invert}-m physdev --physdev-out $interface ";
} }
} else { } else {
my $bridgeref = find_interface $interfaceref->{bridge}; my $bridgeref = find_interface $interfaceref->{bridge};
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface "; "-o $bridgeref->{physical} ${invert}-m physdev --physdev-is-bridged --physdev-out $interface ";
} else { } else {
"-o $bridgeref->{physical} -m physdev --physdev-out $interface "; "-o $bridgeref->{physical} ${invert}-m physdev --physdev-out $interface ";
} }
} }
} else { } else {
"-o $interface "; "${invert}-o $interface ";
} }
} }
sub imatch_dest_dev( $;$ ) { sub imatch_dest_dev( $;$ ) {
my ( $interface, $nodev ) = @_;; my ( $interface, $nodev ) = @_;
my $invert = ( $interface =~ s/^!// ) ? '!' : '';
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
$interface = $interfaceref->{physical} if $interfaceref; $interface = $interfaceref->{physical} if $interfaceref;
return () if $interface eq '+';
if ( $interface eq '+' ) {
fatal_error "Invalid interface (!+)" if $invert;
return ();
}
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $nodev ) { if ( $nodev ) {
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
( physdev => "--physdev-is-bridged --physdev-out $interface" ); ( physdev => "${invert}--physdev-is-bridged --physdev-out $interface" );
} else { } else {
( physdev => "--physdev-out $interface" ); ( physdev => "${invert}--physdev-out $interface" );
} }
} else { } else {
my $bridgeref = find_interface $interfaceref->{bridge}; my $bridgeref = find_interface $interfaceref->{bridge};
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) { if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
( o => $bridgeref->{physical}, physdev => "--physdev-is-bridged --physdev-out $interface" ); ( o => $bridgeref->{physical}, physdev => "${invert}--physdev-is-bridged --physdev-out $interface" );
} else { } else {
( o => $bridgeref->{physical}, physdev => "--physdev-out $interface" ); ( o => $bridgeref->{physical}, physdev => "${invert}--physdev-out $interface" );
} }
} }
} else { } else {
( o => $interface ); ( o => $invert . $interface );
} }
} }
@ -7568,6 +7592,11 @@ sub verify_source_interface( $$$$ ) {
my ( $iiface, $restriction, $table, $chainref ) = @_; my ( $iiface, $restriction, $table, $chainref ) = @_;
my $rule = ''; my $rule = '';
my $oiiface = $iiface;
#
# Ignore exclusion for now
#
$iiface =~ s/^!//;
fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface; fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
@ -7597,7 +7626,7 @@ sub verify_source_interface( $$$$ ) {
} }
$chainref->{restricted} |= $restriction; $chainref->{restricted} |= $restriction;
$rule .= match_source_dev( $iiface ); $rule .= match_source_dev( $oiiface );
} }
$rule; $rule;
@ -7692,6 +7721,11 @@ sub verify_dest_interface( $$$$ ) {
my ( $diface, $restriction, $chainref, $iiface ) = @_; my ( $diface, $restriction, $chainref, $iiface ) = @_;
my $rule = ''; my $rule = '';
my $odiface = $diface;
#
# Ignore exclusion for now
#
$diface =~ s/^!//;
fatal_error "Unknown Interface ($diface)" unless known_interface $diface; fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
@ -7721,7 +7755,7 @@ sub verify_dest_interface( $$$$ ) {
} }
$chainref->{restricted} |= $restriction; $chainref->{restricted} |= $restriction;
$rule .= match_dest_dev( $diface ); $rule .= match_dest_dev( $odiface );
} }
$rule; $rule;
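Review bot: In match_dest_dev the `!` prefix is stripped only after known_interface() has been called with the raw name (`my $interfaceref = known_interface( $interface );` precedes `my $invert = ( $interface =~ s/^!// ) ? '! ' : '';`), whereas match_source_dev, imatch_source_dev and imatch_dest_dev strip first; for an excluded bridge-port interface this presumably leaves $interfaceref undefined, so the physdev branch is skipped and a plain `! -o port ` is emitted instead of the bridge/physdev form, and the `!+` check cannot fire either. The two lines should be swapped so that `my $invert = ( $interface =~ s/^!// ) ? '! ' : '';` comes before `my $interfaceref = known_interface( $interface );`, matching the other three subs. The invert token is also inconsistent across the four subs (`'!'` in match_source_dev and imatch_dest_dev, `'! '` in imatch_source_dev and match_dest_dev); in match_source_dev that yields `"!-i $interface "`, which reads as a single malformed option rather than the `! -i` form the dest variant produces, so `'! '` looks intended there too. Finally, the new `# Ignore exclusion for now` comments in verify_source_interface and verify_dest_interface are already stale, since the unstripped $oiiface/$odiface are passed on to match_source_dev/match_dest_dev; something like `# Strip the exclusion for the known_interface check; the original (possibly negated) name is passed to match_*_dev below` would describe what the code does.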