First cut at a fix for SAME

Tom Eastep
2010-09-11 16:52:19 -07:00
parent 9e922d6967
commit 9478b51aef
3 changed files with 16 additions and 6 deletions


@ -67,6 +67,7 @@ our %EXPORT_TAGS = (
CHAIN CHAIN
NO_RESTRICT NO_RESTRICT
PREROUTE_RESTRICT PREROUTE_RESTRICT
DESTIFAC_DISALLOW
INPUT_RESTRICT INPUT_RESTRICT
OUTPUT_RESTRICT OUTPUT_RESTRICT
POSTROUTE_RESTRICT POSTROUTE_RESTRICT
@ -257,7 +258,8 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and
INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
DESTIFAC_DISALLOW => 32, # Disallow DEST interface
}; };
our $iprangematch; our $iprangematch;
@ -3238,6 +3240,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Dest interface -- must use routing table # Dest interface -- must use routing table
# #
fatal_error "DEST interface ($diface) not allowed in the PREROUTING chain" if $restriction & DESTIFAC_DISALLOW;
fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface ); fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' ); push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
$rule .= '-d $dest '; $rule .= '-d $dest ';
@ -3245,6 +3248,7 @@ sub expand_rule( $$$$$$$$$$;$ )
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
fatal_error "DEST interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFAC_DISALLOW;
if ( $iiface ) { if ( $iiface ) {
my $bridge = port_to_bridge( $diface ); my $bridge = port_to_bridge( $diface );
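Review bot: The two new `fatal_error ... if $restriction & DESTIFAC_DISALLOW` lines (the one under the `# Dest interface -- must use routing table` comment and the one after the INPUT_RESTRICT check) hard-code a chain name in their messages ("in the PREROUTING chain", "in the mangle OUTPUT chain") while the bit itself is generic and is OR'd into `$restriction` by the caller, so a future caller setting it for another chain would get a message naming the wrong chain. The constant's comment should record where the bit comes from, e.g. `DESTIFAC_DISALLOW => 32, # DEST interface not allowed -- OR'd into the chain restriction by callers (currently SAME rules in tcrules)`. A message that does not name the chain, `fatal_error "DEST interface ($diface) not allowed in this rule"`, would stay correct as callers change, and could then be shared by both branches. expand_rule's body starts and ends outside the hunk.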


@ -957,14 +957,15 @@ sub handle_stickiness( $ ) {
} else { } else {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/; $rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
$rule2 = '';
} }
$rule1 =~ s/-A tcpre //; $rule1 =~ s/-A //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
$rule2 =~ s/-A tcpre //; $rule2 =~ s/-A //;
add_rule $chainref, $rule2; add_rule $chainref, $rule2;
} }
} }
@ -984,14 +985,15 @@ sub handle_stickiness( $ ) {
} else { } else {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/; $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
$rule2 = '';
} }
$rule1 =~ s/-A tcout //; $rule1 =~ s/-A //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
$rule2 =~ s/-A tcout //; $rule2 =~ s/-A //;
add_rule $chainref, $rule2; add_rule $chainref, $rule2;
} }
} }
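Review bot: The narrowed substitution `$rule1 =~ s/-A //;` (and its three siblings for `$rule2` and in the sticko hunk below) is unanchored, so it strips the first `-A ` wherever it occurs in the rule text rather than only the leading append token; the old `s/-A tcpre //` form was at least specific about what it removed. If the stored rule still begins with `-A tcpre ` / `-A tcout `, the new form also leaves the chain name in the string handed to `add_rule`, which would be a broken rule; I cannot tell from the hunk whether the stored text changed shape. Anchoring makes the intent explicit and avoids touching anything later in the rule: `$rule1 =~ s/\A-A //;` when the chain name is no longer present, or `$rule1 =~ s/\A-A \S+ //;` if it is. handle_stickiness's body starts and ends outside both hunks.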


@ -248,6 +248,8 @@ sub process_tc_rule( ) {
my ($cmd, $rest) = split( '/', $mark, 2 ); my ($cmd, $rest) = split( '/', $mark, 2 );
my $restriction = 0;
$list = ''; $list = '';
unless ( $classid ) { unless ( $classid ) {
@ -275,6 +277,8 @@ sub process_tc_rule( ) {
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre'; fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
} }
$restriction = DESTIFAC_DISALLOW;
$sticky++; $sticky++;
} elsif ( $target eq 'IPMARK ' ) { } elsif ( $target eq 'IPMARK ' ) {
my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 ); my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
@ -380,7 +384,7 @@ sub process_tc_rule( ) {
} }
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} , $restrictions{$chain} | $restriction ,
do_proto( $proto, $ports, $sports) . do_proto( $proto, $ports, $sports) .
do_user( $user ) . do_user( $user ) .
do_test( $testval, $globals{TC_MASK} ) . do_test( $testval, $globals{TC_MASK} ) .