mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 12:14:32 +01:00
Add output option chains
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
03610181fd
commit
bddfb4f41c
@ -123,6 +123,7 @@ our %EXPORT_TAGS = (
|
||||
zone_input_chain
|
||||
use_input_chain
|
||||
output_chain
|
||||
output_option_chain
|
||||
prerouting_chain
|
||||
postrouting_chain
|
||||
zone_output_chain
|
||||
@ -1576,6 +1577,14 @@ sub input_option_chain($) {
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
|
||||
}
|
||||
|
||||
#
|
||||
# Output Option Chain for an interface
|
||||
#
|
||||
sub output_option_chain($) {
|
||||
my $interface = shift;
|
||||
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
|
||||
}
|
||||
|
||||
#
|
||||
# Forward Option Chain for an interface
|
||||
#
|
||||
|
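Review bot: The new `output_option_chain` repeats the whole name expression of `input_option_chain` directly above it, changing only the suffix from `_iop` to `_oop`, so the `USE_PHYSICAL_NAMES` handling now lives in at least two places that must be kept in step. Judging by the header comment that follows, a forward variant probably does the same. A small private helper that takes the interface and the suffix would remove the duplication. The header comment could also say what the chain is for, for example `# Output Option Chain for an interface: per-interface option rules (e.g. dhcp) for traffic leaving the firewall`.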
@ -615,7 +615,7 @@ sub add_common_rules ( $ ) {
|
||||
}
|
||||
|
||||
for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
|
||||
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface );
|
||||
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
|
||||
|
||||
my $interfaceref = find_interface $interface;
|
||||
|
||||
@ -784,7 +784,7 @@ sub add_common_rules ( $ ) {
|
||||
for $interface ( @$list ) {
|
||||
set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
|
||||
'dhcp',
|
||||
1 ) for input_option_chain( $interface ), output_chain( $interface );
|
||||
1 ) for input_option_chain( $interface ), output_option_chain( $interface );
|
||||
|
||||
add_ijump( $filter_table->{forward_option_chain $interface} ,
|
||||
j => 'ACCEPT',
|
||||
|
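Review bot: The outbound DHCP ACCEPT on the line `1 ) for input_option_chain( $interface ), output_option_chain( $interface );` now goes into the `_oop` chain rather than `output_chain( $interface )`. In the hunks shown, the only place that chain's rules are attached to a traversed chain is the new loop in process_rules over `off_firewall_zones`. If an interface in `@$list` can belong to no such zone, its outbound DHCP rule would, as far as these hunks show, end up in a chain nothing jumps to, with no diagnostic. A comment stating the dependency would help, e.g. `# _oop rules are merged into the fw->zone rules chains by process_rules()`. add_common_rules begins and ends outside both hunks.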
@ -2620,11 +2620,9 @@ sub process_rules() {
|
||||
}
|
||||
|
||||
$section = '';
|
||||
|
||||
if ( my $chainref = $filter_table->{A_blacklog} ) {
|
||||
$chainref->{referenced} = 0 unless %{$chainref->{references}};
|
||||
}
|
||||
|
||||
#
|
||||
# Now insert all interface option rules into the rules chains
|
||||
#
|
||||
for my $zone1 ( off_firewall_zones ) {
|
||||
my @interfaces = keys %{zone_interfaces( $zone1 )};
|
||||
|
||||
@ -2657,7 +2655,26 @@ sub process_rules() {
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
for my $zone1 ( firewall_zone, vserver_zones ) {
|
||||
for my $zone2 ( off_firewall_zones ) {
|
||||
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
|
||||
my @interfaces = keys %{zone_interfaces( $zone2 )};
|
||||
|
||||
if ( @interfaces == 1 ) {
|
||||
if ( my $chain1ref = $filter_table->{output_option_chain $interfaces[0]} ) {
|
||||
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
|
||||
}
|
||||
} else {
|
||||
for my $interface ( @interfaces ) {
|
||||
if ( my $chain1ref = $filter_table->{output_option_chain $interface} ) {
|
||||
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_dest_dev( $interface ) );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$fn = open_file 'rules';
|
||||
|
||||
|
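Review bot: In the added `for my $zone1 ( firewall_zone, vserver_zones )` loop, `$chainref` is used without a check after the lookup `$filter_table->{rules_chain( $zone1, $zone2 )}`, whereas `$chain1ref` is tested before use. If that rules chain can be absent at this point, the single-interface branch would autovivify a throwaway hash through `push( @{$chainref->{rules}}, ... )` and silently drop the option rules, and the multi-interface branch would hand an undefined chain to `add_ijump`. Either add `next unless $chainref;` after the lookup or add a comment saying why the chain always exists here. The single-interface `push` also copies rule references rather than rules, so both chains would appear to share the same rule objects; a one-line comment confirming that is intended would help. process_rules continues outside the hunk.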
@ -249,7 +249,7 @@ sub process_tc_rule( ) {
|
||||
|
||||
if ( $dest ) {
|
||||
if ( $dest eq $fw ) {
|
||||
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classify;
|
||||
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
|
||||
$chain = 'tcin';
|
||||
$dest = '';
|
||||
} else {
|
||||
|
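Review bot: The guard on the `fatal_error 'A CLASSIFY rule may not have $FW as the DEST'` line appears to change from `if $classify` to `if $classid`, assuming the page prints the old line before the new one. That change is unrelated to output option chains and is not mentioned in the commit message. It alters when the compiler rejects a rule, so it deserves its own line in the description saying which variable is the correct one to test and why. process_tc_rule begins and ends outside the hunk, so the declaration of neither variable is visible here.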