Generate omnibus tracking rules when NAT/ACCEPT with helper appears in an action.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
e84ee76c7d
commit
ad818c071a
@ -121,10 +121,6 @@ my %auditpolicies = ( ACCEPT => 1,
|
|||||||
REJECT => 1
|
REJECT => 1
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# Source zone of the rule being processed
|
|
||||||
#
|
|
||||||
my $rulezone;
|
|
||||||
#
|
|
||||||
# Rather than initializing globals in an INIT block or during declaration,
|
# Rather than initializing globals in an INIT block or during declaration,
|
||||||
# we initialize them in a function. This is done for two reasons:
|
# we initialize them in a function. This is done for two reasons:
|
||||||
#
|
#
|
||||||
@ -1895,8 +1891,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
|
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
|
||||||
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
|
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
|
||||||
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
|
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
|
||||||
|
|
||||||
$rulezone = $sourcezone;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $actiontype & NATONLY ) {
|
if ( $actiontype & NATONLY ) {
|
||||||
@ -2066,6 +2060,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
);
|
);
|
||||||
|
|
||||||
unless ( $helper eq '-' ) {
|
unless ( $helper eq '-' ) {
|
||||||
|
my $rulezone = $inaction ? 'all' : $sourcezone;
|
||||||
|
|
||||||
process_conntrack_rule( "CT:helper:$helper" ,
|
process_conntrack_rule( "CT:helper:$helper" ,
|
||||||
"$rulezone:$source",
|
"$rulezone:$source",
|
||||||
$origdest,
|
$origdest,
|
||||||
@ -2092,6 +2088,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$loglevel = '';
|
$loglevel = '';
|
||||||
$action = 'ACCEPT';
|
$action = 'ACCEPT';
|
||||||
$origdest = ALLIP if $origdest =~ /[+]/;
|
$origdest = ALLIP if $origdest =~ /[+]/;
|
||||||
|
$helper = '-';
|
||||||
}
|
}
|
||||||
} elsif ( $actiontype & NONAT ) {
|
} elsif ( $actiontype & NONAT ) {
|
||||||
#
|
#
|
||||||
@ -2145,7 +2142,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$log_action ,
|
$log_action ,
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) {
|
if ( $action eq 'ACCEPT' && $helper ne '-' ) {
|
||||||
|
my $rulezone = $inaction ? 'all' : $sourcezone;
|
||||||
process_conntrack_rule( "CT:helper:$helper" ,
|
process_conntrack_rule( "CT:helper:$helper" ,
|
||||||
"$rulezone:$source",
|
"$rulezone:$source",
|
||||||
$origdest ? $origdest : $dest,
|
$origdest ? $origdest : $dest,
|
||||||
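Review bot: The `my $rulezone = $inaction ? 'all' : $sourcezone;` added ahead of each `process_conntrack_rule( "CT:helper:$helper" , "$rulezone:$source", ...` call binds the conntrack helper to traffic from every zone whenever the rule originates inside an action, not only the zone the action was invoked from, so a payload-parsing helper can end up enabled for sources the rule author never targeted; that widening deserves a why-comment at the point of use, e.g. `# Inside an action the invoking zone is not known here, so the helper's CT rule is emitted for 'all' zones (broader than the rule that triggered it)`. The rewritten test `if ( $action eq 'ACCEPT' && $helper ne '-' )` also stops emitting the CT rule for a non-NAT, non-ACCEPT action that carries a HELPER, which the replaced `! ( $helper eq '-' || ( $actiontype & NATRULE ) )` still produced; if that is intended, a diagnostic for a HELPER that is now silently dropped (the file already uses `fatal_error` for hard failures) would keep users from assuming the helper is active. Whether `$action` can still carry a suffix such as `+` at this point is not visible here; if it can, the exact string compare will miss it, so worth confirming. Because the earlier hunks delete the file-scope `my $rulezone;` and its assignment in the zone-validation branch, any other sub in this file that still reads `$rulezone` will now fail under `use strict`; a grep before merge would settle that. process_rule1 begins and ends outside the hunk.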
|