mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-15 10:51:02 +01:00
First steps toward zone-based blacklisting
This commit is contained in:
parent
1d650b41cd
commit
3c1cff0794
@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
|
||||
compile_stop_firewall
|
||||
);
|
||||
our @EXPORT_OK = qw( process_rule process_rule1 initialize );
|
||||
our $VERSION = '4.4_13';
|
||||
our $VERSION = '4.4_14';
|
||||
|
||||
our $macro_nest_level;
|
||||
our $current_param;
|
||||
@ -1851,6 +1851,8 @@ sub generate_matrix() {
|
||||
#
|
||||
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||
|
||||
add_jump( $frwd_ref, $filter_table->{blacklst}, 0 ) if $zoneref->{options}{in}{blacklist};
|
||||
|
||||
if ( have_ipsec ) {
|
||||
#
|
||||
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
|
||||
|
@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.4_13';
|
||||
our $VERSION = '4.4_14';
|
||||
|
||||
#
|
||||
# IPSEC Option types
|
||||
@ -299,6 +299,7 @@ sub initialize( $ ) {
|
||||
sub parse_zone_option_list($$)
|
||||
{
|
||||
my %validoptions = ( mss => NUMERIC,
|
||||
blacklist => NOTHING,
|
||||
strict => NOTHING,
|
||||
next => NOTHING,
|
||||
reqid => NUMERIC,
|
||||
@ -311,7 +312,7 @@ sub parse_zone_option_list($$)
|
||||
#
|
||||
# Hash of options that have their own key in the returned hash.
|
||||
#
|
||||
my %key = ( mss => 'mss' );
|
||||
my %key = ( mss => 1 , blacklist => 'blacklist' );
|
||||
|
||||
my ( $list, $zonetype ) = @_;
|
||||
my %h;
|
||||
@ -344,7 +345,7 @@ sub parse_zone_option_list($$)
|
||||
}
|
||||
|
||||
if ( $key{$e} ) {
|
||||
$h{$e} = $val;
|
||||
$h{$e} = $val || 1;
|
||||
} else {
|
||||
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
|
||||
$options .= $invert;
|
||||
@ -435,20 +436,22 @@ sub process_zone( \$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$zones{$zone} = { type => $type,
|
||||
parents => \@parents,
|
||||
bridge => '',
|
||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
||||
complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
|
||||
nested => @parents > 0 ,
|
||||
super => 0 ,
|
||||
} ,
|
||||
interfaces => {} ,
|
||||
children => [] ,
|
||||
hosts => {}
|
||||
};
|
||||
my $zoneref = $zones{$zone} = { type => $type,
|
||||
parents => \@parents,
|
||||
bridge => '',
|
||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
||||
complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
|
||||
nested => @parents > 0 ,
|
||||
super => 0 ,
|
||||
} ,
|
||||
interfaces => {} ,
|
||||
children => [] ,
|
||||
hosts => {}
|
||||
};
|
||||
|
||||
$zoneref->{options}{in}{blacklist} = $zoneref->{options}{out}{blacklist} = 1 if $zoneref->{options}{in_out}{blacklist};
|
||||
|
||||
return $zone;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user