Fix rule insertion algorithms for Dynamic Zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@279 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-10-01 23:43:03 +00:00
parent 8ff1919657
commit 09285f8c06


@ -3476,11 +3476,9 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
} }
output_rule_num() { output_rule_num() {
local num=`iptables -L OUTPUT -n --line-numbers | grep common | cut -d' ' -f1 | tail -n1` local num=`iptables -L OUTPUT -n --line-numbers | grep icmp | cut -d' ' -f1 | head -n1`
[ -z "$num" ] && num=`iptables -L OUTPUT -n --line-numbers | grep ACCEPT | cut -d' ' -f1 | tail -n1` [ -n "$num" ] && echo $(($num+1))
echo $num
} }
interface=${1%:*} interface=${1%:*}
@ -3490,6 +3488,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
determine_zones determine_zones
zone=$2 zone=$2
validate_zone $zone || startup_error "Error: Unknown zone: $zone" validate_zone $zone || startup_error "Error: Unknown zone: $zone"
@ -3503,6 +3502,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
startup_error "Error: Unknown interface $interface" startup_error "Error: Unknown interface $interface"
fi fi
dhcp_interfaces=`find_interfaces_by_option dhcp`
blacklist_interfaces=`find_interfaces_by_option blacklist`
filterping_interfaces=`find_interfaces_by_option filterping`
newhost="$interface:$host" newhost="$interface:$host"
> ${STATEDIR}/zones_$$ > ${STATEDIR}/zones_$$
@ -3535,7 +3539,17 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
while read z1 z2 chain; do while read z1 z2 chain; do
if [ "$z1" = "$zone" ]; then if [ "$z1" = "$zone" ]; then
if [ "$z2" = "$FW" ]; then if [ "$z2" = "$FW" ]; then
do_iptables -I `input_chain $interface` 2 -i $interface -s $host -j $chain if list_search $interface $dhcp_interfaces; then
rulenum=3
else
rulenum=2
fi
if ! list_search $interface $filterping_interfaces; then
rulenum=$(($rulenum + 1))
fi
do_iptables -I `input_chain $interface` $rulenum -s $host -j $chain
else else
source_chain=`forward_chain $interface` source_chain=`forward_chain $interface`
eval dest_hosts=\"\$${z2}_hosts\" eval dest_hosts=\"\$${z2}_hosts\"
@ -3544,7 +3558,13 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
eval rulenum=\$${base}_rulenum eval rulenum=\$${base}_rulenum
[ -z "$rulenum" ] && rulenum=2 if [ -z "$rulenum" ]; then
if list_search $interface $blacklist_interfaces; then
rulenum=3
else
rulenum=2
fi
fi
for h in $dest_hosts; do for h in $dest_hosts; do
iface=${h%:*} iface=${h%:*}
@ -3573,7 +3593,13 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
eval rulenum=\$${base}_rulenum eval rulenum=\$${base}_rulenum
[ -z "$rulenum" ] && rulenum=2 if [ -z "$rulenum" ]; then
if list_search $iface $blacklist_interfaces; then
rulenum=3
else
rulenum=2
fi
fi
if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then if [ "$iface" != "$interface" -o "$hosts" != "$host" ]; then
do_iptables -I `forward_chain $iface` $rulenum -s $hosts -o $interface -d $host -j $chain do_iptables -I `forward_chain $iface` $rulenum -s $hosts -o $interface -d $host -j $chain