extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 10:18:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add output option chains

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-12-29 08:22:00 -08:00
parent 03610181fd
commit bddfb4f41c
4 changed files with 35 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -123,6 +123,7 @@ our %EXPORT_TAGS = (
zone_input_chain zone_input_chain
use_input_chain use_input_chain
output_chain output_chain
output_option_chain
prerouting_chain prerouting_chain
postrouting_chain postrouting_chain
zone_output_chain zone_output_chain
@ -1576,6 +1577,14 @@ sub input_option_chain($) {
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop'; ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
} }
#
# Output Option Chain for an interface
#
sub output_option_chain($) {
my $interface = shift;
( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
}
# #
# Forward Option Chain for an interface # Forward Option Chain for an interface
# #

4
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -615,7 +615,7 @@ sub add_common_rules ( $ ) {
} }
for $interface ( grep $_ ne '%vserver%', all_interfaces ) { for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ); ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
my $interfaceref = find_interface $interface; my $interfaceref = find_interface $interface;
@ -784,7 +784,7 @@ sub add_common_rules ( $ ) {
for $interface ( @$list ) { for $interface ( @$list ) {
set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) , set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
'dhcp', 'dhcp',
1 ) for input_option_chain( $interface ), output_chain( $interface ); 1 ) for input_option_chain( $interface ), output_option_chain( $interface );
add_ijump( $filter_table->{forward_option_chain $interface} , add_ijump( $filter_table->{forward_option_chain $interface} ,
j => 'ACCEPT', j => 'ACCEPT',

27
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -2620,11 +2620,9 @@ sub process_rules() {
} }
$section = ''; $section = '';
#
if ( my $chainref = $filter_table->{A_blacklog} ) { # Now insert all interface option rules into the rules chains
$chainref->{referenced} = 0 unless %{$chainref->{references}}; #
}
for my $zone1 ( off_firewall_zones ) { for my $zone1 ( off_firewall_zones ) {
my @interfaces = keys %{zone_interfaces( $zone1 )}; my @interfaces = keys %{zone_interfaces( $zone1 )};
@ -2659,6 +2657,25 @@ sub process_rules() {
} }
} }
for my $zone1 ( firewall_zone, vserver_zones ) {
for my $zone2 ( off_firewall_zones ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
my @interfaces = keys %{zone_interfaces( $zone2 )};
if ( @interfaces == 1 ) {
if ( my $chain1ref = $filter_table->{output_option_chain $interfaces[0]} ) {
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
}
} else {
for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{output_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_dest_dev( $interface ) );
}
}
}
}
}
$fn = open_file 'rules'; $fn = open_file 'rules';
if ( $fn ) { if ( $fn ) {

2
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -249,7 +249,7 @@ sub process_tc_rule( ) {
if ( $dest ) { if ( $dest ) {
if ( $dest eq $fw ) { if ( $dest eq $fw ) {
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classify; fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
$chain = 'tcin'; $chain = 'tcin';
$dest = ''; $dest = '';
} else { } else {