extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-05-20 16:10:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Make exclusion of set lists more consistent

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-10-05 12:22:27 -07:00
parent 7767d30c7c
commit a10ced2da2
1 changed files with 5 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -3278,32 +3278,6 @@ sub set_global_variables( $ ) {
} }
} }
#
# Process an element in an exclusion list
#
sub handle_network_exclusion( $;$ ) {
my ( $net, $excl ) = @_;
if ( $net =~ /^(\+\[(.+)\])$/ ) {
my @excl = mysplit $2;
for ( @excl ) {
fatal_error "Expected ipset name ($_)" unless /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
unless ( $2 ) {
if ( $1 ) {
s/!/!+/;
} else {
s/^/+/;
}
}
}
$net = join ',', @excl;
}
$excl ? join ',', $excl, $net : $net;
}
# #
# Split a network element into the net part and exclusion part (if any) # Split a network element into the net part and exclusion part (if any)
# #
@ -3352,15 +3326,15 @@ sub handle_network_list( $$ ) {
if ( /!/ ) { if ( /!/ ) {
if ( /^!(.*)$/ ) { if ( /^!(.*)$/ ) {
fatal_error "Invalid $srcdst ($list)" if ( $nets || $excl ); fatal_error "Invalid $srcdst ($list)" if ( $nets || $excl );
$excl = handle_network_exclusion $1, ''; $excl = $1;
} else { } else {
fatal_error "Invalid $srcdst ($list)" if $excl; fatal_error "Invalid $srcdst ($list)" if $excl;
my ( $temp1, $temp2 ) = split_network $_, $srcdst, $list; my ( $temp1, $temp2 ) = split_network $_, $srcdst, $list;
$nets = $nets ? join(',', $nets, $temp1 ) : $temp1; $nets = $nets ? join(',', $nets, $temp1 ) : $temp1;
$excl = handle_network_exclusion $temp2 if $temp2; $excl = $temp2 if $temp2;
} }
} elsif ( $excl ) { } elsif ( $excl ) {
$excl = handle_network_exclusion( $_, $excl ); $excl .= ",$_";
} else { } else {
$nets = $nets ? join(',', $nets, $_ ) : $_; $nets = $nets ? join(',', $nets, $_ ) : $_;
} }
@ -3657,7 +3631,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $inets ) { if ( $inets ) {
( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' ); ( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) { unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
my @iexcl = mysplit $iexcl; my @iexcl = mysplit $iexcl;
if ( @iexcl == 1 ) { if ( @iexcl == 1 ) {
$rule .= match_source_net "!$iexcl" , $restriction; $rule .= match_source_net "!$iexcl" , $restriction;
@ -3675,7 +3649,7 @@ sub expand_rule( $$$$$$$$$$;$ )
if ( $dnets ) { if ( $dnets ) {
( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' ); ( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );
unless ( $dnets ) { unless ( $dnets || $dexcl =~ /^\+\[/ ) {
my @dexcl = mysplit $dexcl; my @dexcl = mysplit $dexcl;
if ( @dexcl == 1 ) { if ( @dexcl == 1 ) {
$rule .= match_dest_net "!$dexcl"; $rule .= match_dest_net "!$dexcl";