Improve rules generated for exclusion lists

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2495 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-15 04:04:10 +01:00 · 2005-08-15 18:33:51 +00:00 · 2005-08-15 18:33:51 +00:00 · 0f7def6c67
commit 0f7def6c67
parent ef134da4b9
1 changed files with 27 additions and 11 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -4858,6 +4858,24 @@ process_rule() # $1 = target
 	    verify_interface $1 || interface_error $1
 	}

+	handle_exclusion()
+	{
+	    build_exclusion_chain newchain filter "$excludesource" "$excludedest"
+	    
+	    if [ $(list_count $addr) -eq 1 -a -n "$CONNTRACK_MATCH" ]; then
+		run_iptables -A $chain $(fix_bang $proto $sports $multiport $dports) -m conntrack --ctorigdst $addr -j $newchain
+		addr=
+	    else
+		run_iptables -A $chain $(fix_bang $proto $sports $multiport $dports) -j $newchain
+	    fi
+
+	    proto=
+	    sports=
+	    multiport=
+	    dports=
+	    chain=$newchain
+	}
+
 	# Set source variables. The 'cli' variable will hold the client match predicate(s).

 	cli=
@ -4984,6 +5002,10 @@ process_rule() # $1 = target
 		    fatal_error "Only DNAT, SAME and REDIRECT rules may specify destination port mapping; rule \"$rule\""
 		fi

+		if [ -n "${excludesource}${excludedest}" ]; then
+		    handle_exclusion
+		fi
+
 		if [ -z "$dnat_only" ]; then
 		    if [ -n "$serv" ]; then
 			for serv1 in $(separate_list $serv); do
@ -5037,6 +5059,10 @@ process_rule() # $1 = target
 	    # Destination is a simple zone

 	    if [ $COMMAND != check ]; then
+		if [ -n "${excludesource}${excludedest}" ]; then
+		    handle_exclusion
+		fi
+
 		if [ -n "$addr" ]; then
 		    for adr in $(separate_list $addr); do
 			if [ -n "$loglevel" ]; then
@ -5311,17 +5337,7 @@ process_rule() # $1 = target

    [ "x$protocol" = "x-" ] && protocol=all || protocol=${protocol:=all}

-    if [ $COMMAND != check ]; then
-	ensurechain $chain
-
-	if [ -n "${excludesource}${excludedest}" ]; then
-	    build_exclusion_chain newchain filter "$excludesource" "$excludedest"
-	    
-	    run_iptables -A $chain -p $protocol -j $newchain
-	    
-	    chain=$newchain
-	fi
-    fi
+    [ $COMMAND = check ] || ensurechain $chain

    # Generate Netfilter rule(s)