extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-08 22:58:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improve handling of 'all' in the conntrack file.

Browse Source 
- Also added 'all-' to represent all off-firewall zones.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-21 13:07:01 -08:00
parent 7bfbf522bc
commit 952aed225d
3 changed files with 17 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -54,7 +54,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
my $zone;
my $restriction = PREROUTE_RESTRICT;
unless ( $chainref ) {
if ( $chainref ) {
$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
} else {
#
# Entry in the conntrack file
#
@ -248,10 +250,10 @@ sub setup_conntrack() {
$empty = 0;
if ( $source eq 'all' ) {
for my $zone (all_zones) {
process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
}
if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user ) unless $1;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user );
} else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
}

8
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -151,10 +151,10 @@
</varlistentry>
<varlistentry>
<term/>
<term></term>
<listitem>
<para/>
<para></para>
</listitem>
</varlistentry>
@ -250,6 +250,10 @@
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
used as the <replaceable>zone</replaceable> name to mean
<firstterm>all zones</firstterm>.</para>
<para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
used as the <replaceable>zone</replaceable> name to mean all
<firstterm>off-firewall zone</firstterm>s.</para>
</listitem>
</varlistentry>

4
Shorewall6/manpages/shorewall6-conntrack.xml
View File

@ -145,6 +145,10 @@
<para>Beginning with Shorewall 4.5.7, <option>all</option> can be
used as the <replaceable>zone</replaceable> name to mean
<firstterm>all zones</firstterm>.</para>
<para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
used as the <replaceable>zone</replaceable> name to mean all
<firstterm>off-firewall zone</firstterm>s.</para>
</listitem>
</varlistentry>