mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-23 16:13:18 +01:00
Replace canonical_chain by rules_chain
This commit is contained in:
Tom Eastep
parent
10affb1cde
commit
b662718eec
@ -85,7 +85,7 @@ our %EXPORT_TAGS = (
|
||||
decr_cmd_level
|
||||
chain_base
|
||||
forward_chain
|
||||
canonical_chain
|
||||
rules_chain
|
||||
zone_forward_chain
|
||||
use_forward_chain
|
||||
input_chain
|
||||
@ -673,7 +673,7 @@ sub chain_base($) {
|
||||
#
|
||||
# Name of canonical chain
|
||||
#
|
||||
sub canonical_chain ($$) {
|
||||
sub rules_chain ($$) {
|
||||
join "$config{ZONE2ZONE}", @_;
|
||||
}
|
||||
|
||||
@ -766,7 +766,7 @@ sub use_input_chain($) {
|
||||
#
|
||||
# Use the '<zone>2fw' chain if it is referenced.
|
||||
#
|
||||
$chainref = $filter_table->{canonical_chain( $zone, firewall_zone )};
|
||||
$chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
|
||||
|
||||
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
||||
}
|
||||
@ -810,7 +810,7 @@ sub use_output_chain($) {
|
||||
#
|
||||
# Use the 'fw2<zone>' chain if it is referenced.
|
||||
#
|
||||
$chainref = $filter_table->{canonical_chain( firewall_zone , $interfaceref->{zone} )};
|
||||
$chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
|
||||
|
||||
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
||||
}
|
||||
@ -1182,7 +1182,7 @@ sub finish_section ( $ ) {
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $chain_table{'filter'}{canonical_chain( $zone, $zone1 )};
|
||||
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
||||
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
||||
}
|
||||
}
|
||||
@ -1209,12 +1209,12 @@ sub set_mss( $$$ ) {
|
||||
|
||||
for my $z ( all_zones ) {
|
||||
if ( $direction eq '_in' ) {
|
||||
set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
|
||||
set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
|
||||
} elsif ( $direction eq '_out' ) {
|
||||
set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
|
||||
set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
|
||||
} else {
|
||||
set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
|
||||
set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
|
||||
set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
|
||||
set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
|
||||
{
|
||||
my ($source, $dest, $policy, $optional) = @_;
|
||||
|
||||
my $chainref = new_chain( 'filter', canonical_chain( ${source}, ${dest} ) );
|
||||
my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
|
||||
|
||||
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
|
||||
|
||||
@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };
|
||||
|
||||
sub add_or_modify_policy_chain( $$ ) {
|
||||
my ( $zone, $zone1 ) = @_;
|
||||
my $chain = canonical_chain( ${zone}, ${zone1} );
|
||||
my $chain = rules_chain( ${zone}, ${zone1} );
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
if ( $chainref ) {
|
||||
@ -211,7 +211,7 @@ sub process_a_policy() {
|
||||
}
|
||||
}
|
||||
|
||||
my $chain = canonical_chain( ${client}, ${server} );
|
||||
my $chain = rules_chain( ${client}, ${server} );
|
||||
my $chainref;
|
||||
|
||||
if ( defined $filter_table->{$chain} ) {
|
||||
@ -252,19 +252,19 @@ sub process_a_policy() {
|
||||
if ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
for my $zone1 ( @zonelist ) {
|
||||
set_policy_chain $client, $server, canonical_chain( ${zone}, ${zone1} ), $chainref, $policy;
|
||||
set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
|
||||
print_policy $zone, $zone1, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for my $zone ( all_zones ) {
|
||||
set_policy_chain $client, $server, canonical_chain( ${zone}, ${server} ), $chainref, $policy;
|
||||
set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
|
||||
print_policy $zone, $server, $policy, $chain;
|
||||
}
|
||||
}
|
||||
} elsif ( $serverwild ) {
|
||||
for my $zone ( @zonelist ) {
|
||||
set_policy_chain $client, $server, canonical_chain( ${client}, ${zone} ), $chainref, $policy;
|
||||
set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
|
||||
print_policy $client, $zone, $policy, $chain;
|
||||
}
|
||||
|
||||
@ -334,7 +334,7 @@ sub validate_policy()
|
||||
|
||||
for $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{canonical_chain( ${zone}, ${zone1} )}{policy};
|
||||
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -418,7 +418,7 @@ sub apply_policy_rules() {
|
||||
|
||||
for my $zone ( all_zones ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
my $chainref = $filter_table->{canonical_chain( ${zone}, ${zone1} )};
|
||||
my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
|
||||
|
||||
if ( $chainref->{referenced} ) {
|
||||
run_user_exit $chainref;
|
||||
@ -444,7 +444,7 @@ sub complete_standard_chain ( $$$$ ) {
|
||||
|
||||
run_user_exit $stdchainref;
|
||||
|
||||
my $ruleschainref = $filter_table->{canonical_chain( ${zone}, ${zone2} ) } || $filter_table->{canonical_chain( 'all', 'all' ) };
|
||||
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
|
||||
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
||||
my $policychainref;
|
||||
|
||||
|
||||
@ -1132,7 +1132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$chain = canonical_chain( ${sourcezone}, ${destzone} );
|
||||
$chain = rules_chain( ${sourcezone}, ${destzone} );
|
||||
$chainref = ensure_chain 'filter', $chain;
|
||||
$policy = $chainref->{policy};
|
||||
|
||||
@ -1619,7 +1619,7 @@ sub add_interface_jumps {
|
||||
# Loopback
|
||||
#
|
||||
my $fw = firewall_zone;
|
||||
my $chainref = $filter_table->{canonical_chain( ${fw}, ${fw} )};
|
||||
my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
|
||||
|
||||
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
||||
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
|
||||
@ -1643,7 +1643,7 @@ sub generate_matrix() {
|
||||
#
|
||||
sub rules_target( $$ ) {
|
||||
my ( $zone, $zone1 ) = @_;
|
||||
my $chain = canonical_chain( ${zone}, ${zone1} );
|
||||
my $chain = rules_chain( ${zone}, ${zone1} );
|
||||
my $chainref = $filter_table->{$chain};
|
||||
|
||||
return $chain if $chainref && $chainref->{referenced};
|
||||
@ -1776,7 +1776,7 @@ sub generate_matrix() {
|
||||
|
||||
if ( $parenthasnat || $parenthasnotrack ) {
|
||||
for my $zone1 ( all_zones ) {
|
||||
if ( $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
|
||||
if ( $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
|
||||
#
|
||||
# This zone has a continue policy to another zone. We must
|
||||
# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
|
||||
@ -1908,7 +1908,7 @@ sub generate_matrix() {
|
||||
|
||||
for my $zone1 ( @zones ) {
|
||||
my $zone1ref = find_zone( $zone1 );
|
||||
my $policy = $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy};
|
||||
my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};
|
||||
|
||||
next if $policy eq 'NONE';
|
||||
|
||||
@ -1958,7 +1958,7 @@ sub generate_matrix() {
|
||||
for my $zone1 ( @dest_zones ) {
|
||||
my $zone1ref = find_zone( $zone1 );
|
||||
|
||||
next if $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
|
||||
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
|
||||
|
||||
my $chain = rules_target $zone, $zone1;
|
||||
|
||||
|
||||
@ -83,8 +83,8 @@ sub setup_tunnels() {
|
||||
for my $zone ( split_list $gatewayzones, 'zone' ) {
|
||||
my $type = zone_type( $zone );
|
||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
|
||||
$inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
|
||||
$outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
|
||||
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||
|
||||
unless ( $capabilities{POLICY_MATCH} ) {
|
||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
@ -239,8 +239,8 @@ sub setup_tunnels() {
|
||||
|
||||
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
|
||||
|
||||
my $inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
|
||||
my $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
|
||||
my $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||
my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||
|
||||
$gateway = ALLIP if $gateway eq '-';
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user