Generate omnibus tracking rules when NAT/ACCEPT with helper appears in an action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-08-10 06:55:18 -07:00
parent e84ee76c7d
commit ad818c071a

View File

@ -121,10 +121,6 @@ my %auditpolicies = ( ACCEPT => 1,
REJECT => 1 REJECT => 1
); );
# #
# Source zone of the rule being processed
#
my $rulezone;
#
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
@ -1895,8 +1891,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone; fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
$rulezone = $sourcezone;
} }
if ( $actiontype & NATONLY ) { if ( $actiontype & NATONLY ) {
@ -2066,6 +2060,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
); );
unless ( $helper eq '-' ) { unless ( $helper eq '-' ) {
my $rulezone = $inaction ? 'all' : $sourcezone;
process_conntrack_rule( "CT:helper:$helper" , process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source", "$rulezone:$source",
$origdest, $origdest,
@ -2092,6 +2088,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$loglevel = ''; $loglevel = '';
$action = 'ACCEPT'; $action = 'ACCEPT';
$origdest = ALLIP if $origdest =~ /[+]/; $origdest = ALLIP if $origdest =~ /[+]/;
$helper = '-';
} }
} elsif ( $actiontype & NONAT ) { } elsif ( $actiontype & NONAT ) {
# #
@ -2145,7 +2142,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$log_action , $log_action ,
'' ); '' );
if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) { if ( $action eq 'ACCEPT' && $helper ne '-' ) {
my $rulezone = $inaction ? 'all' : $sourcezone;
process_conntrack_rule( "CT:helper:$helper" , process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source", "$rulezone:$source",
$origdest ? $origdest : $dest, $origdest ? $origdest : $dest,