Bring trunk up to date with 4.0
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7401 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9ac89392b6
commit
63705c0b64
@ -323,6 +323,7 @@ sub initialize() {
|
||||
EXPAND_POLICIES => undef,
|
||||
KEEP_RT_TABLES => undef,
|
||||
DELETE_THEN_ADD => undef,
|
||||
MULTICAST => undef,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -1467,6 +1468,7 @@ sub get_configuration( $ ) {
|
||||
default_yes_no 'EXPAND_POLICIES' , '';
|
||||
default_yes_no 'KEEP_RT_TABLES' , '';
|
||||
default_yes_no 'DELETE_THEN_ADD' , 'Yes';
|
||||
default_yes_no 'MULTICAST ' , '';
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
|
||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||
|
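Review bot: The key on the new `default_yes_no 'MULTICAST ' , '';` line carries a trailing space inside the quotes, so the default is applied to `$config{'MULTICAST '}` rather than to the `MULTICAST` entry initialised in the first hunk and read as `$config{MULTICAST}` by the policy code. If default_yes_no (defined outside this hunk) also normalises or validates the user's setting, a MULTICAST value from the configuration file would bypass that step and be tested raw, where a string such as `No` is true in Perl. Change the line to `default_yes_no 'MULTICAST' , '';`, matching the neighbouring entries. get_configuration continues outside the hunk.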
@ -338,10 +338,11 @@ sub validate_policy()
|
||||
#
|
||||
# Policy Rule application
|
||||
#
|
||||
sub policy_rules( $$$$ ) {
|
||||
my ( $chainref , $target, $loglevel, $default ) = @_;
|
||||
sub policy_rules( $$$$$ ) {
|
||||
my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
|
||||
|
||||
unless ( $target eq 'NONE' ) {
|
||||
add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
|
||||
add_rule $chainref, "-j $default" if $default && $default ne 'none';
|
||||
log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
|
||||
fatal_error "Null target in policy_rules()" unless $target;
|
||||
@ -371,19 +372,19 @@ sub default_policy( $$$ ) {
|
||||
fatal_error "No default policy for $_[1] to zone $_[2]" unless $policyref;
|
||||
|
||||
if ( $chainref eq $policyref ) {
|
||||
policy_rules $chainref , $policy, $loglevel , $default;
|
||||
policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
|
||||
} else {
|
||||
if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
|
||||
if ( $synparams ) {
|
||||
report_syn_flood_protection;
|
||||
policy_rules $chainref , $policy , $loglevel , $default;
|
||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||
} else {
|
||||
add_rule $chainref, "-j $policyref->{name}";
|
||||
$chainref = $policyref;
|
||||
}
|
||||
} elsif ( $policy eq 'CONTINUE' ) {
|
||||
report_syn_flood_protection if $synparams;
|
||||
policy_rules $chainref , $policy , $loglevel , $default;
|
||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||
} else {
|
||||
report_syn_flood_protection if $synparams;
|
||||
add_rule $chainref , "-j $policyref->{name}";
|
||||
@ -412,7 +413,7 @@ sub apply_policy_rules() {
|
||||
|
||||
if ( $name =~ /^all2|2all$/ ) {
|
||||
run_user_exit $chainref;
|
||||
policy_rules $chainref , $policy, $loglevel , $default;
|
||||
policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
|
||||
}
|
||||
|
||||
}
|
||||
@ -454,7 +455,7 @@ sub complete_standard_chain ( $$$ ) {
|
||||
|
||||
( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
|
||||
|
||||
policy_rules $stdchainref , $policy , $loglevel, $default;
|
||||
policy_rules $stdchainref , $policy , $loglevel, $default, 0;
|
||||
}
|
||||
|
||||
#
|
||||
|
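Review bot: The RETURN rule added in policy_rules matches only `224.0.0.0/24`, the link-local multicast control block, while the option name and the `$dropmulticast` parameter suggest all multicast; if the whole class D range is intended the match should be `-d 224.0.0.0/4`, so confirm against the documented meaning of the option before changing it. The new fifth parameter is also undocumented; a line above the signature such as `# $dropmulticast: when true, RETURN multicast traffic before the default action is applied (not done for CONTINUE)` would record the contract the body implements. The remaining hunks in this file only thread `$config{MULTICAST}` (or a literal `0` in complete_standard_chain) through to the new parameter.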
@ -998,7 +998,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
if ( $dest eq '-' ) {
|
||||
$dest = firewall_zone;
|
||||
} else {
|
||||
$dest = join( '', firewall_zone, '::', $dest );
|
||||
$dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /(.+?)::/;
|
||||
}
|
||||
} elsif ( $action eq 'REJECT' ) {
|
||||
$action = 'reject';
|
||||
@ -1585,14 +1585,24 @@ sub generate_matrix() {
|
||||
my $dest = match_dest_net $net;
|
||||
|
||||
if ( $chain1 ) {
|
||||
my $nextchain;
|
||||
my $outputref = $filter_table->{output_chain $interface};
|
||||
|
||||
if ( @$exclusions ) {
|
||||
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
|
||||
add_rule $outputref , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
|
||||
add_rule $filter_table->{"${zone}_output"} , "-j $chain1";
|
||||
$nextchain = "${zone}_output";
|
||||
} else {
|
||||
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
|
||||
add_rule $outputref , join( '', $dest, $ipsec_out_match, "-j $chain1" );
|
||||
$nextchain = $chain1;
|
||||
}
|
||||
|
||||
add_rule( $outputref , join('', match_source_net $net, '-d 255.255.255.255 ' . $ipsec_out_match, "-j $nextchain" ) )
|
||||
if $hostref->{options}{broadcast};
|
||||
}
|
||||
|
||||
next if$hostref->{options}{destonly};
|
||||
|
||||
my $source = match_source_net $net;
|
||||
|
||||
insertnatjump 'PREROUTING' , dnat_chain $zone, \$prerouting_rule, join( '', match_source_dev( $interface), $source, $ipsec_in_match );
|
||||
@ -1744,6 +1754,7 @@ sub generate_matrix() {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
my $chain3ref = $filter_table->{forward_chain $interface};
|
||||
for my $hostref ( @$arrayref ) {
|
||||
next if $hostref->{options}{destonly};
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
for my $type1ref ( values %$dest_hosts_ref ) {
|
||||
for my $interface1 ( keys %$type1ref ) {
|
||||
|
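Review bot: The new `next if$hostref->{options}{destonly};` line in generate_matrix (assuming destonly is the option introduced in this commit) is missing the space after `if`; Perl accepts it because `$` cannot continue the keyword, but it reads as a typo and perltidy would rewrite it — use `next if $hostref->{options}{destonly};`. In the broadcast rule just above it, the `'-d 255.255.255.255 ' . $ipsec_out_match` concatenation inside an otherwise comma-separated join is inconsistent with the `$dest, $ipsec_out_match` style of the surrounding calls; passing the two as separate join arguments reads more clearly and produces the same string. In process_rule1, the capture group in `unless $dest =~ /(.+?)::/;` is never used, so `/.+?::/` expresses the same test without suggesting a value is captured. generate_matrix starts and ends outside these hunks.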
@ -880,6 +880,8 @@ sub validate_hosts_file()
|
||||
routeback => 1,
|
||||
routefilter => 1,
|
||||
tcpflags => 1,
|
||||
broadcast => 1,
|
||||
destonly => 1,
|
||||
);
|
||||
|
||||
my $ipsec = 0;
|
||||
|
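Review bot: The two options added to the accepted-options hash in validate_hosts_file, `broadcast` and `destonly`, are not explained anywhere in the hunk, and the hash itself opens outside it. From their use elsewhere in this commit, destonly appears to make a host entry skipped when it would be a source in the generated matrix, and broadcast adds an output rule for traffic to 255.255.255.255; a trailing comment on each entry, e.g. `destonly => 1, # entry is a destination only; skipped as a source` and `broadcast => 1, # also route firewall broadcasts to 255.255.255.255 through this host's zone chain`, would record that here. Confirm the wording against the option documentation, since only the call sites are visible in this commit.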