extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-18 15:46:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow 'ipsec' in /etc/shorewall/hosts to work in the presence of dynamic zones

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2419 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-07-27 17:29:20 +00:00
parent 7652794fe4
commit 9a42f57a6a
1 changed files with 29 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
Shorewall/firewall
View File

@ -4220,28 +4220,31 @@ process_actions1() {
fn=$(find_file $f1) fn=$(find_file $f1)
if [ ! -f $TMP_DIR/$f1 ]; then if [ ! -f $TMP_DIR/$f1 ]; then
#
# We must only verify macros once to ensure that they don't invoke any non-standard actions
#
if [ -f $fn ]; then if [ -f $fn ]; then
strip_file $f1 $fn strip_file $f1 $fn
progress_message " ..Expanding Macro $fn..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget
temp="${mtarget%%:*}"
case "$temp" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM)
;;
*)
rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec"
startup_error "Invalid TARGET in rule \"$rule\""
esac
done < $TMP_DIR/$f1
progress_message " ..End Macro"
else else
rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec"
startup_error "Invalid TARGET in rule \"$rule\"" startup_error "Invalid TARGET in rule \"$rule\""
fi fi
progress_message " ..Expanding Macro $fn..."
while read mtarget mclients mservers mprotocol mports mcports mratelimit muserspec; do
expandv mtarget
temp="${mtarget%%:*}"
case "$temp" in
ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE|PARAM)
;;
*)
rule="$mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec"
startup_error "Invalid TARGET in rule \"$rule\""
esac
done < $TMP_DIR/$f1
progress_message " ..End Macro"
fi fi
fi fi
;; ;;
@ -7541,6 +7544,14 @@ activate_rules()
fi fi
} }
#
# Create a dynamic chain for a zone and jump to it from a second chain
#
create_zone_dyn_chain() # $1 = zone, $2 = second chain
{
createchain ${1}_dyn No
run_iptables -A $2 -j ${1}_dyn
}
# #
# Add jumps to early SNAT chains # Add jumps to early SNAT chains
# #
@ -7584,12 +7595,10 @@ activate_rules()
if [ -n "$is_ipsec" ]; then if [ -n "$is_ipsec" ]; then
eval source_hosts=\$${zone}_hosts eval source_hosts=\$${zone}_hosts
if [ -n "$DYNAMIC_ZONES" ]; then [ -n "$DYNAMIC_ZONES" ] && create_zone_dyn_chain $zone $frwd_chain
createchain ${zone}_dyn No
run_iptables -A $frwd_chain -j ${zone}_dyn
fi
else else
eval source_hosts=\$${zone}_ipsec_hosts eval source_hosts=\$${zone}_ipsec_hosts
[ -n "$DYNAMIC_ZONES" -a -n "$source_hosts" ] && create_zone_dyn_chain $zone $frwd_chain
fi fi
for host in $source_hosts; do for host in $source_hosts; do