Break up and eliminate handle_pio_jumps()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
8a9427ebff
commit
63eb0bee5b
@ -1573,52 +1573,23 @@ sub handle_nested_zone( $$ ) {
|
||||
}
|
||||
|
||||
#
|
||||
# Generate the PREROUTING, INPUT and OUTPUT jumps for the passed ($zone:$typeref:$interface)
|
||||
# Add output jumps to the passed zone:interface:hostref:net
|
||||
#
|
||||
sub handle_pio_jumps( $$$$$$$$ ) {
|
||||
my ( $zone,
|
||||
$zoneref,
|
||||
$typeref,
|
||||
$interface,
|
||||
$nested,
|
||||
$parenthasnat,
|
||||
$parenthasnotrack,
|
||||
$frwd_ref,
|
||||
) = @_;
|
||||
sub add_output_jumps( $$$$$$$ ) {
|
||||
my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, ) = @_;
|
||||
|
||||
our @vservers;
|
||||
our %input_jump_added;
|
||||
our %output_jump_added;
|
||||
our %forward_jump_added;
|
||||
|
||||
my $arrayref = $typeref->{$interface};
|
||||
my $interfaceref = find_interface $interface;
|
||||
my $isport = $interfaceref->{options}{port};
|
||||
my $bridge = $interfaceref->{bridge};
|
||||
my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );
|
||||
my $chain1 = rules_target firewall_zone , $zone;
|
||||
my $chain2 = rules_target $zone, firewall_zone;
|
||||
|
||||
for my $hostref ( @$arrayref ) {
|
||||
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||
my @ipsec_out_match = match_ipsec_out $zone , $hostref;
|
||||
my $exclusions = $hostref->{exclusions};
|
||||
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
my @dest = imatch_dest_net $net;
|
||||
#
|
||||
# OUTPUT
|
||||
#
|
||||
if ( $chain1 && ! ( zone_type( $zone) & BPORT ) ) {
|
||||
#
|
||||
# Policy from the firewall to this zone is not 'CONTINUE' and this isn't a bport zone
|
||||
#
|
||||
my $chain1ref = $filter_table->{$chain1};
|
||||
my $nextchain = dest_exclusion( $exclusions, $chain1 );
|
||||
my $outputref;
|
||||
my $interfacechainref = $filter_table->{output_chain $interface};
|
||||
my @interfacematch;
|
||||
my $use_output = 0;
|
||||
my @dest = imatch_dest_net $net;
|
||||
my @ipsec_out_match = match_ipsec_out $zone , $hostref;
|
||||
|
||||
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
|
||||
$outputref = $interfacechainref;
|
||||
@ -1635,7 +1606,7 @@ sub handle_pio_jumps( $$$$$$$$ ) {
|
||||
$use_output = 1;
|
||||
|
||||
unless ( lc $net eq IPv6_LINKLOCAL ) {
|
||||
for my $vzone ( vserver_zones ) {
|
||||
for my $vzone ( @vservers ) {
|
||||
generate_source_rules ( $outputref, $vzone, $zone, @dest );
|
||||
}
|
||||
}
|
||||
@ -1655,14 +1626,16 @@ sub handle_pio_jumps( $$$$$$$$ ) {
|
||||
move_rules( $interfacechainref , $chain1ref ) unless $use_output;
|
||||
}
|
||||
|
||||
clearrule;
|
||||
#
|
||||
# Add prerouting jumps from the passed zone:interface:hostref:net
|
||||
#
|
||||
sub add_prerouting_jumps( $$$$$$$$ ) {
|
||||
my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack ) = @_;
|
||||
|
||||
unless( $hostref->{options}{destonly} ) {
|
||||
#
|
||||
# PREROUTING
|
||||
#
|
||||
my $dnatref = $nat_table->{dnat_chain( $zone )};
|
||||
my $preroutingref = $nat_table->{PREROUTING};
|
||||
my $notrackref = ensure_chain 'raw' , notrack_chain( $zone );
|
||||
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||
|
||||
my @source = imatch_source_net $net;
|
||||
|
||||
@ -1687,7 +1660,6 @@ sub handle_pio_jumps( $$$$$$$$ ) {
|
||||
#
|
||||
add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
|
||||
}
|
||||
|
||||
#
|
||||
# If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
|
||||
# then add a RETURN jump for this source network.
|
||||
@ -1696,14 +1668,26 @@ sub handle_pio_jumps( $$$$$$$$ ) {
|
||||
add_ijump $preroutingref, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
|
||||
add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# INPUT
|
||||
# Add input jumps from the passed zone:interface:hostref:net
|
||||
#
|
||||
sub add_input_jumps( $$$$$$$$ ) {
|
||||
my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_;
|
||||
|
||||
our @vservers;
|
||||
our %input_jump_added;
|
||||
our %forward_jump_added;
|
||||
|
||||
my $chain2 = rules_target $zone, firewall_zone;
|
||||
my $chain2ref = $filter_table->{$chain2};
|
||||
my $inputchainref;
|
||||
my $interfacechainref = $filter_table->{input_chain $interface};
|
||||
my @interfacematch;
|
||||
my $use_input;
|
||||
my @source = imatch_source_net $net;
|
||||
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
|
||||
|
||||
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
|
||||
$inputchainref = $interfacechainref;
|
||||
@ -1766,10 +1750,7 @@ sub handle_pio_jumps( $$$$$$$$ ) {
|
||||
|
||||
move_rules ( $forwardref , $frwd_ref );
|
||||
}
|
||||
} # Complex non-IPSEC host group
|
||||
} # Not a destonly host group
|
||||
} # Network Loop
|
||||
} # Host Group Loop
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
@ -1896,17 +1877,40 @@ sub generate_matrix() {
|
||||
add_interface_jumps(@interfaces) unless $interface_jumps_added++;
|
||||
}
|
||||
|
||||
handle_pio_jumps( $zone,
|
||||
$zoneref,
|
||||
$typeref,
|
||||
$interface,
|
||||
$nested,
|
||||
$parenthasnat,
|
||||
$parenthasnotrack,
|
||||
$frwd_ref,
|
||||
);
|
||||
my $interfaceref = find_interface $interface;
|
||||
my $isport = $interfaceref->{options}{port};
|
||||
my $bridge = $interfaceref->{bridge};
|
||||
|
||||
for my $hostref ( @{$typeref->{$interface}} ) {
|
||||
my $exclusions = $hostref->{exclusions};
|
||||
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
#
|
||||
# OUTPUT
|
||||
#
|
||||
if ( rules_target( firewall_zone, $zone ) && ! ( zone_type( $zone) & BPORT ) ) {
|
||||
#
|
||||
# Policy from the firewall to this zone is not 'CONTINUE' and this isn't a bport zone
|
||||
#
|
||||
add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge );
|
||||
}
|
||||
|
||||
clearrule;
|
||||
|
||||
unless( $hostref->{options}{destonly} ) {
|
||||
#
|
||||
# PREROUTING
|
||||
#
|
||||
add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack );
|
||||
#
|
||||
# INPUT
|
||||
#
|
||||
add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge );
|
||||
}
|
||||
} # Subnet Loop
|
||||
} # Hostref Loop
|
||||
} # Interface Loop
|
||||
} #Type Loop
|
||||
#
|
||||
# F O R W A R D I N G
|
||||
#
|
||||
|
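Review bot: In the last hunk (generate_matrix), `rules_target( firewall_zone, $zone )` and `zone_type( $zone ) & BPORT` are evaluated once per net in the guard before `add_output_jumps`, and add_output_jumps then recomputes the same target as `$chain1` on its first body line — both depend only on `$zone`, so the guard value can be hoisted above the `$hostref` loop as `my $chain1 = rules_target firewall_zone, $zone;` with the guard written `if ( $chain1 && ! ( zone_type( $zone ) & BPORT ) )`. The same concern applies to `ensure_chain 'raw', notrack_chain( $zone )`, which in the old handle_pio_jumps ran once per zone/interface before the host-group loop and now appears only inside add_prerouting_jumps, i.e. once per net and only for host groups that are not destonly; if ensure_chain creates the chain when it is missing, a zone whose host groups are all destonly no longer gets its raw chain ensured on this path, which is worth confirming against whatever else references that chain. add_output_jumps also keeps `our %input_jump_added;` and `our %forward_jump_added;` next to `%output_jump_added` although nothing in its visible body touches them; its body continues between the first and third hunks, so if they are unused there too they can be dropped. The bodies of add_output_jumps, add_prerouting_jumps and add_input_jumps all extend outside the hunks shown.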