Make 'expanded' apply to all wildcard policies

This commit is contained in:
Tom Eastep 2009-11-21 14:18:01 -08:00
parent c7de19cf39
commit 4aeee6fd8b
3 changed files with 11 additions and 6 deletions

View File

@ -202,8 +202,7 @@ our $VERSION = '4.4_4';
# #
# 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be # 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. Similarly, # replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. Similarly,
# 'expanded' also applies only to policy chains; when true, indicates that the chain is a policy chain as a result of # 'expanded' is set when a policy is define by a wildcard policy.
# EXPAND_POLICIES=Yes.
# #
# Only 'referenced' chains get written to the iptables-restore input. # Only 'referenced' chains get written to the iptables-restore input.
# #

View File

@ -102,12 +102,12 @@ sub set_policy_chain($$$$$)
$chainref1->{default} = $chainref->{default} if defined $chainref->{default}; $chainref1->{default} = $chainref->{default} if defined $chainref->{default};
$chainref1->{is_policy} = 1; $chainref1->{is_policy} = 1;
$chainref1->{expanded} = 1;
push @policy_chains, $chainref1; push @policy_chains, $chainref1;
} else { } else {
$chainref1->{policychain} = $chainref->{name}; $chainref1->{policychain} = $chainref->{name};
} }
$chainref1->{expanded} = 1;
$chainref1->{policy} = $policy; $chainref1->{policy} = $policy;
$chainref1->{policypair} = [ $source, $dest ]; $chainref1->{policypair} = [ $source, $dest ];
} }
@ -229,7 +229,13 @@ sub process_a_policy() {
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
} }
} elsif ( $chainref->{policy} ) { } elsif ( $chainref->{policy} ) {
if ( $chainref->{expanded} ) {
$chainref->{expanded} = 0;
convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
} else {
fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}"); fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
}
} else { } else {
convert_to_policy_chain( $chainref, $client, $server, $policy, 0 ); convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild ); push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );

View File

@ -28,8 +28,8 @@ None.
N E W F E A T U R E S I N 4 . 5 . 0 N E W F E A T U R E S I N 4 . 5 . 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Previously, if EXPAND_POLICIES=Yes, the following sequence of 1) Previously, the following sequence of policies would produce a
policies would produce a 'Duplicate Policy' error: 'Duplicate Policy' error:
$FW all ACCEPT $FW all ACCEPT
$FW dmz REJECT info $FW dmz REJECT info