Generate omnibus tracking rules when NAT/ACCEPT with helper appears in an action.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-08-10 06:55:18 -07:00
parent e84ee76c7d
commit ad818c071a


@ -121,10 +121,6 @@ my %auditpolicies = ( ACCEPT => 1,
REJECT => 1 REJECT => 1
); );
# #
# Source zone of the rule being processed
#
my $rulezone;
#
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons: # we initialize them in a function. This is done for two reasons:
# #
@ -922,7 +918,7 @@ sub new_action( $$ ) {
fatal_error "Invalid action name($action)" if reserved_name( $action ); fatal_error "Invalid action name($action)" if reserved_name( $action );
$actions{$action} = { actchain => '' }; $actions{$action} = { actchain => '' };
$targets{$action} = $type; $targets{$action} = $type;
} }
@ -1895,8 +1891,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/; fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone ); fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone; fatal_error 'USER/GROUP may only be specified when the SOURCE zone is $FW' unless $user eq '-' || $sourcezone eq firewall_zone;
$rulezone = $sourcezone;
} }
if ( $actiontype & NATONLY ) { if ( $actiontype & NATONLY ) {
@ -2066,6 +2060,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
); );
unless ( $helper eq '-' ) { unless ( $helper eq '-' ) {
my $rulezone = $inaction ? 'all' : $sourcezone;
process_conntrack_rule( "CT:helper:$helper" , process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source", "$rulezone:$source",
$origdest, $origdest,
@ -2092,6 +2088,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$loglevel = ''; $loglevel = '';
$action = 'ACCEPT'; $action = 'ACCEPT';
$origdest = ALLIP if $origdest =~ /[+]/; $origdest = ALLIP if $origdest =~ /[+]/;
$helper = '-';
} }
} elsif ( $actiontype & NONAT ) { } elsif ( $actiontype & NONAT ) {
# #
@ -2145,7 +2142,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
$log_action , $log_action ,
'' ); '' );
if ( ! ( $helper eq '-' || ( $actiontype & NATRULE ) ) ) { if ( $action eq 'ACCEPT' && $helper ne '-' ) {
my $rulezone = $inaction ? 'all' : $sourcezone;
process_conntrack_rule( "CT:helper:$helper" , process_conntrack_rule( "CT:helper:$helper" ,
"$rulezone:$source", "$rulezone:$source",
$origdest ? $origdest : $dest, $origdest ? $origdest : $dest,