Ok -- so I lied...

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5716 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-27 05:07:57 +00:00
parent dd98eab8ee
commit b522fb46a2


@ -336,23 +336,25 @@ stop_firewall() {
rm -f \${VARDIR}/proxyarp rm -f \${VARDIR}/proxyarp
"; ";
emit ' delete_tc1' if $config{CLEAR_TC}; push_indent;
emitj( ' undo_routing', emit 'delete_tc1' if $config{CLEAR_TC};
' restore_default_route'
emitj( 'undo_routing',
'restore_default_route'
); );
my $criticalhosts = process_criticalhosts; my $criticalhosts = process_criticalhosts;
if ( @$criticalhosts ) { if ( @$criticalhosts ) {
if ( $config{ADMINISABSENTMINDED} ) { if ( $config{ADMINISABSENTMINDED} ) {
emitj ( ' for chain in INPUT OUTPUT; do', emitj ( 'for chain in INPUT OUTPUT; do',
' setpolicy $chain ACCEPT', ' setpolicy $chain ACCEPT',
' done', 'done',
'', '',
' setpolicy FORWARD DROP', 'setpolicy FORWARD DROP',
'', '',
' deleteallchains', 'deleteallchains',
'' ''
); );
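Review bot: The `push_indent;` added at the top of this hunk (new side of the `rm -f`/`delete_tc1` lines) has no matching `pop_indent` anywhere in the visible diff, so the pairing cannot be checked here; stop_firewall begins before the hunk and its body continues past both hunks, and the removed `push_indent;` further down (old side, just before `process_routestopped;`) is presumably the one that used to pair with an existing `pop_indent`. If so the balance still holds, but the new placement also moves `my $criticalhosts = process_criticalhosts;` inside the pushed level, so anything that helper emits would now be indented one level deeper than before — worth confirming it emits nothing, or that the deeper indent is intended. A one-line comment above the push naming where the matching `pop_indent` sits would make the pairing auditable without reading the whole function, e.g. `# indent the emitted stop_firewall body; balanced by the pop_indent after <LOCATION>` with the placeholder filled in from the surrounding code.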
@ -361,75 +363,72 @@ stop_firewall() {
my $source = match_source_net $host; my $source = match_source_net $host;
my $dest = match_dest_net $host; my $dest = match_dest_net $host;
emitj( " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT", emitj( "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT",
" \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT" "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT"
); );
} }
emit " emitj( '',
for chain in INPUT OUTPUT; do 'for chain in INPUT OUTPUT; do',
setpolicy \$chain DROP ' setpolicy $chain DROP',
done "done\n"
"; );
} else { } else {
emit " emitj( '',
for chain in INPUT OUTPUT; do 'for chain in INPUT OUTPUT; do',
setpolicy \$chain ACCEPT ' setpolicy \$chain ACCEPT',
done 'done',
'',
setpolicy FORWARD DROP 'setpolicy FORWARD DROP',
'',
deleteallchains "deleteallchains\n"
"; );
for my $hosts ( @$criticalhosts ) { for my $hosts ( @$criticalhosts ) {
my ( $interface, $host ) = ( split /:/, $hosts ); my ( $interface, $host ) = ( split /:/, $hosts );
my $source = match_source_net $host; my $source = match_source_net $host;
my $dest = match_dest_net $host; my $dest = match_dest_net $host;
emitj( " \$IPTABLES -A INPUT -i $interface $source -j ACCEPT", emitj( "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT",
" \$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT" "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT"
); );
} }
emit " emitj ( "\nsetpolicy INPUT DROP",
'',
setpolicy INPUT DROP 'for chain in INPUT FORWARD; do',
' setcontinue $chain',
for chain in INPUT FORWARD; do "done\n"
setcontinue \$chain );
done
";
} }
} elsif ( ! $config{ADMINISABSENTMINDED} ) { } elsif ( ! $config{ADMINISABSENTMINDED} ) {
emit "for chain in INPUT OUTPUT FORWARD; do emitj( 'for chain in INPUT OUTPUT FORWARD; do',
setpolicy \$chain DROP ' setpolicy $chain DROP',
done 'done',
'',
deleteallchains "deleteallchains\n"
" );
} else { } else {
emit "for chain in INPUT FORWARD; do emitj( 'for chain in INPUT FORWARD; do',
setpolicy \$chain DROP ' setpolicy $chain DROP',
done 'done',
'',
setpolicy OUTPUT ACCEPT 'setpolicy OUTPUT ACCEPT',
'',
deleteallchains 'deleteallchains',
'',
for chain in INPUT FORWARD; do 'for chain in INPUT FORWARD; do',
setcontinue \$chain ' setcontinue $chain',
done "done\n",
"; );
} }
push_indent;
process_routestopped; process_routestopped;
emitj( '$IPTABLES -A INPUT -i lo -j ACCEPT', emitj( '$IPTABLES -A INPUT -i lo -j ACCEPT',
'$IPTABLES -A OUTPUT -o lo -j ACCEPT' '$IPTABLES -A OUTPUT -o lo -j ACCEPT'
); );
emit '$IPTABLES -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED}; emit '$IPTABLES -A OUTPUT -o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
my $interfaces = find_interfaces_by_option 'dhcp'; my $interfaces = find_interfaces_by_option 'dhcp';