mirror of
https://gitlab.com/shorewall/code.git
synced 2025-02-02 19:09:33 +01:00
Fix one bug plus clean up more chain-to-chain jump generation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8415 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
0927fcb95c
commit
8463d54580
@ -493,8 +493,8 @@ sub add_rule($$;$)
|
|||||||
|
|
||||||
#
|
#
|
||||||
# Add a jump from the chain represented by the reference in the first argument to
|
# Add a jump from the chain represented by the reference in the first argument to
|
||||||
# the chain named in the second argument. The optional third argument specifies any
|
# the target in the second argument. The optional third argument specifies any
|
||||||
# matches to be included in the rule and must end with a space character if it is passed.
|
# matches to be included in the rule and must end with a space character if it is non-null.
|
||||||
#
|
#
|
||||||
|
|
||||||
sub add_jump( $$;$ ) {
|
sub add_jump( $$;$ ) {
|
||||||
@ -503,14 +503,22 @@ sub add_jump( $$;$ ) {
|
|||||||
$predicate |= '';
|
$predicate |= '';
|
||||||
|
|
||||||
my $toref;
|
my $toref;
|
||||||
|
#
|
||||||
|
# The second argument may be a scalar (chain name or builtin target) or a chain reference
|
||||||
|
#
|
||||||
if ( reftype $to ) {
|
if ( reftype $to ) {
|
||||||
$toref = $to;
|
$toref = $to;
|
||||||
$to = $toref->{name};
|
$to = $toref->{name};
|
||||||
} else {
|
} else {
|
||||||
|
#
|
||||||
|
# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
|
||||||
|
#
|
||||||
$toref = ensure_chain( $fromref->{table} , $to ) unless ($targets{$to} | 0 ) & STANDARD;
|
$toref = ensure_chain( $fromref->{table} , $to ) unless ($targets{$to} | 0 ) & STANDARD;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the destination is a chain, mark it referenced
|
||||||
|
#
|
||||||
$toref->{referenced} = 1 if $toref;
|
$toref->{referenced} = 1 if $toref;
|
||||||
|
|
||||||
add_rule ($fromref, join( '', $predicate, "-j $to" ) );
|
add_rule ($fromref, join( '', $predicate, "-j $to" ) );
|
||||||
|
|||||||
@ -352,7 +352,7 @@ sub policy_rules( $$$$$ ) {
|
|||||||
fatal_error "Null target in policy_rules()" unless $target;
|
fatal_error "Null target in policy_rules()" unless $target;
|
||||||
$target = 'reject' if $target eq 'REJECT';
|
$target = 'reject' if $target eq 'REJECT';
|
||||||
|
|
||||||
add_rule( $chainref , "-j $target" ) unless $target eq 'CONTINUE';
|
add_jump( $chainref , $target ) unless $target eq 'CONTINUE';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -378,7 +378,7 @@ sub default_policy( $$$ ) {
|
|||||||
report_syn_flood_protection;
|
report_syn_flood_protection;
|
||||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||||
} else {
|
} else {
|
||||||
add_rule $chainref, "-j $policyref->{name}";
|
add_jump $chainref, $policyref;
|
||||||
$chainref = $policyref;
|
$chainref = $policyref;
|
||||||
}
|
}
|
||||||
} elsif ( $policy eq 'CONTINUE' ) {
|
} elsif ( $policy eq 'CONTINUE' ) {
|
||||||
@ -386,7 +386,7 @@ sub default_policy( $$$ ) {
|
|||||||
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
|
||||||
} else {
|
} else {
|
||||||
report_syn_flood_protection if $synparams;
|
report_syn_flood_protection if $synparams;
|
||||||
add_rule $chainref , "-j $policyref->{name}";
|
add_jump $chainref , $policyref;
|
||||||
$chainref = $policyref;
|
$chainref = $policyref;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1480,6 +1480,8 @@ sub generate_matrix() {
|
|||||||
return $chain if $chainref && $chainref->{referenced};
|
return $chain if $chainref && $chainref->{referenced};
|
||||||
return 'ACCEPT' if $zone eq $zone1;
|
return 'ACCEPT' if $zone eq $zone1;
|
||||||
|
|
||||||
|
fatal_error "Internal Error in rules_target()" unless $chainref;
|
||||||
|
|
||||||
if ( $chainref->{policy} ne 'CONTINUE' ) {
|
if ( $chainref->{policy} ne 'CONTINUE' ) {
|
||||||
my $policyref = $filter_table->{$chainref->{policychain}};
|
my $policyref = $filter_table->{$chainref->{policychain}};
|
||||||
return $policyref->{name} if $policyref;
|
return $policyref->{name} if $policyref;
|
||||||
@ -1494,9 +1496,7 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
sub create_zone_dyn_chain( $$ ) {
|
sub create_zone_dyn_chain( $$ ) {
|
||||||
my ( $zone , $chainref ) = @_;
|
my ( $zone , $chainref ) = @_;
|
||||||
my $name = "${zone}_dyn";
|
add_jump $chainref, "${zone}_dyn";
|
||||||
new_standard_chain $name;
|
|
||||||
add_rule $chainref, "-j $name";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1576,8 +1576,7 @@ sub generate_matrix() {
|
|||||||
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
|
my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {};
|
||||||
|
|
||||||
if ( $config{DYNAMIC_ZONES} ) {
|
if ( $config{DYNAMIC_ZONES} ) {
|
||||||
no warnings;
|
create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' );
|
||||||
create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type eq 'ipsec4' );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
|
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
|
||||||
@ -1597,9 +1596,10 @@ sub generate_matrix() {
|
|||||||
for my $hostref ( @{$arrayref} ) {
|
for my $hostref ( @{$arrayref} ) {
|
||||||
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
add_rule(
|
add_jump(
|
||||||
$sourcechainref,
|
$sourcechainref,
|
||||||
join( '', $interfacematch , match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
|
$frwd_ref,
|
||||||
|
join( '', $interfacematch , match_source_net( $net ), $ipsec_match )
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1752,9 +1752,9 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
|
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
|
||||||
if ( use_forward_chain $interface ) {
|
if ( use_forward_chain $interface ) {
|
||||||
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" );
|
add_jump $filter_table->{forward_chain $interface} , $frwd_ref, join( '', $source, $ipsec_in_match );
|
||||||
} else {
|
} else {
|
||||||
add_rule $filter_table->{FORWARD} , join( '', match_source_dev( $interface ) , $source, $ipsec_in_match. "-j $frwd_ref->{name}" );
|
add_jump $filter_table->{FORWARD} , $frwd_ref, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
|
||||||
move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
|
move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user