Eliminate the hideously complex forwarding code in generate_matrix()
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
63eb0bee5b
commit
ae66d7d7a5
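--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1839,7 +1839,11 @@ sub generate_matrix() {
 #
 for my $zone ( @zones ) {
 my $zoneref = find_zone( $zone );
-handle_complex_zone( $zone, $zoneref ) if @zones > 2 || $zoneref->{complex};
+if ( @zones > 2 || $zoneref->{complex} ) {
+handle_complex_zone( $zone, $zoneref );
+} else {
+new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
+}
 }
 #
 # NOTRACK from firewall
@@ -1911,6 +1915,8 @@ sub generate_matrix() {
 } # Hostref Loop
 } # Interface Loop
 } #Type Loop
+
+if ( $frwd_ref ) {
 #
 # F O R W A R D I N G
 #
@@ -1947,10 +1953,6 @@ sub generate_matrix() {
 
 my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-if ( $frwd_ref ) {
-#
-# Simple case -- the source zone has it's own forwarding chain
-#
 for my $typeref ( values %{$zone1ref->{hosts}} ) {
 for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 for my $hostref ( @{$typeref->{$interface}} ) {
@@ -1965,81 +1967,6 @@ sub generate_matrix() {
 }
 }
 }
-} else {
-#
-# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
-#
-for my $typeref ( values %$source_hosts_ref ) {
-for my $interface ( keys %$typeref ) {
-my $interfaceref = find_interface $interface;
-my $chain3ref;
-my @match_source_dev;
-my $forwardchainref = $filter_table->{forward_chain $interface};
-
-if ( use_forward_chain( $interface , $forwardchainref ) || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
-#
-# Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
-#
-$chain3ref = $forwardchainref;
-
-if ( $interfaceref->{options}{port} ) {
-add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
-j => $chain3ref,
-imatch_source_dev( $interface , 1 ) )
-unless $forward_jump_added{$interface}++;
-} else {
-add_ijump $filter_table->{FORWARD} , j => $chain3ref, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
-}
-} else {
-#
-# Don't use the interface's forward chain -- move any rules in that chain to this rules chain
-#
-if ( $interfaceref->{options}{port} ) {
-$chain3ref = $filter_table->{ forward_chain $interfaceref->{bridge} };
-@match_source_dev = imatch_source_dev $interface, 1;
-} else {
-$chain3ref = $filter_table->{FORWARD};
-@match_source_dev = imatch_source_dev $interface;
-}
-
-move_rules $forwardchainref, $chainref;
-}
-
-for my $hostref ( @{$typeref->{$interface}} ) {
-next if $hostref->{options}{destonly};
-my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
-for my $net ( @{$hostref->{hosts}} ) {
-for my $type1ref ( values %{$zone1ref->{hosts}} ) {
-for my $interface1 ( keys %$type1ref ) {
-my $array1ref = $type1ref->{$interface1};
-for my $host1ref ( @$array1ref ) {
-next if $host1ref->{options}{sourceonly};
-my @ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
-my $dest_exclusion = dest_exclusion( $host1ref->{exclusions}, $chain );
-for my $net1 ( @{$host1ref->{hosts}} ) {
-unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
-#
-# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
-#
-add_ijump(
-$excl3ref ,
-j => $dest_exclusion,
-@match_source_dev,
-imatch_dest_dev($interface1),
-imatch_source_net($net),
-imatch_dest_net($net1),
-@ipsec_out_match
-);
-}
-}
-}
-}
-}
-}
-}
-}
-}
-}
-}
 }
 #
 # E N D F O R W A R D I N G
@@ -2048,6 +1975,7 @@ sub generate_matrix() {
 #
 add_ijump $frwd_ref , g => $last_chain if $frwd_ref && $last_chain;
 }
+}
 
 progress_message ' Finishing matrix...';
 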
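Review bot: The `if ( $frwd_ref ) {` opened in the second hunk now encloses the whole forwarding section and is closed only by the bare `}` added in the last hunk, some sixty lines later; the file labels its other long closers (`} # Hostref Loop`, `} #Type Loop`), so this one should read `} # if $frwd_ref`. The change also turns a source zone without a forward chain from a handled case into a silently skipped one: the removed `else` branch placed the rules in the per-interface forward chains, whereas now no forwarding rules at all are emitted for that zone. That appears to be safe only because the first hunk now creates a zone forward chain for every non-complex zone when `@zones > 1`, but the assignment of `$frwd_ref` is outside these hunks, so the invariant deserves a comment where the guard is opened, e.g. `# Every zone gets a forward chain when @zones > 1, so $frwd_ref can only be undef in the single-zone case`. If that assumption ever fails for some configuration, the inter-zone rules for that zone would be dropped from the generated ruleset with no diagnostic, which is hard to notice in a firewall; failing loudly at the guard would be preferable to skipping. generate_matrix() begins and ends outside the hunks.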