extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-19 21:01:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Generate omnibus tracking rules when NAT/ACCEPT with helper appears in an action.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-10 06:55:18 -07:00
parent e84ee76c7d
commit ad818c071a
1 changed files with 6 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -121,10 +121,6 @@ my %auditpolicies = ( ACCEPT => 1,
REJECT => 1
);
#
# Source zone of the rule being processed
#
my $rulezone;
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
@ -922,7 +918,7 @@ sub new_action( $$ ) {
fatal_error "Invalid action name($action)" if reserved_name( $action );
$actions{$action} = { actchain => '' };
$actions{$action} = { actchain => '' };
$targets{$action} = $type;
}
@ -1895,8 +1891,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
$rulezone = $sourcezone;
}
if ( $actiontype & NATONLY ) {
@ -2066,6 +2060,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
);
unless ( $helper eq '-' ) {
my $rulezone = $inaction ? 'all' : $sourcezone;
process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source",
$origdest,
@ -2092,6 +2088,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$loglevel = '';
$action = 'ACCEPT';
$origdest = ALLIP if $origdest =~ /[+]/;
$helper = '-';
}
} elsif ( $actiontype & NONAT ) {
#
@ -2145,7 +2142,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$log_action ,
'' );
if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) {
if ( $action eq 'ACCEPT' && $helper ne '-' ) {
my $rulezone = $inaction ? 'all' : $sourcezone;
process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source",
$origdest ? $origdest : $dest,