Add restriction handling to tcrules processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8194 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-02-14 17:40:38 +00:00
parent cc8d035d1a
commit c0be049f3d
4 changed files with 36 additions and 3 deletions


@ -6,6 +6,10 @@ Changes in 4.1.5
3) Update modules file for 2.6.25. 3) Update modules file for 2.6.25.
4) Restore 3.4 code to work around busybox limination.
5) Add restriction handling in tcrules file.
Changes in 4.1.4 Changes in 4.1.4
1) Fix do_test() to accept 0 and to use the same mask as 1) Fix do_test() to accept 0 and to use the same mask as
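Review bot: item 4) has a typo, "limination" should be "limitation", and item 5) does not say what the new handling does; a reader of the changelog would be better served by something like "Reject an input interface combined with a source address in tcrules POSTROUTING entries, and an output interface combined with a destination address in PREROUTING entries", which is what the Chains.pm change actually enforces.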


@ -64,7 +64,29 @@ Migration Issues.
Problems corrected in 4.1.5. Problems corrected in 4.1.5.
None. 1) An optimization added to Shorewall-shell in 4.0.0 has been backed
out to work around a limitation of Busybox 'sed'.
2) Previously, Shorewall would accept both an interface and an IP
address in tcrules POSTROUTING entries (such as CLASSIFY).
Example:
1:11 eth1:192.168.4.9 - tcp 22
It also allows both a destination interface and address.
Example:
1:P - eth1:192.168.4.9 tcp 22
Because Netfilter does not allow an input interface to be specified
in POSTROUTING or an output interface to be specified in
PREROUTING, Shorewall must use the routing table to generate a list
of networks accessed through any interface specified in these
cases. Given that a specific address (or set of addresses) has
already been specified, it makes no sense qualify it (them) by
another list of addresses.
New Features in 4.1.5. New Features in 4.1.5.
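Review bot: item 2) describes the old behaviour and the reason it is meaningless, but never states what 4.1.5 now does, so a user who hits the new fatal_error has nothing here to match it against; add a closing sentence such as "Beginning with 4.1.5, such entries are rejected at compile time with a fatal error." The sentence "it makes no sense qualify it (them)" is also missing "to" before "qualify".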


@ -1941,6 +1941,9 @@ sub expand_rule( $$$$$$$$$$ )
$dnets = ALLIPv4 unless $dnets; $dnets = ALLIPv4 unless $dnets;
$onets = ALLIPv4 unless $onets; $onets = ALLIPv4 unless $onets;
fatal_error "Input interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && $inets ne ALLIPv4;
fatal_error "Output interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && $dnets ne ALLIPv4;
if ( $iexcl || $dexcl || $oexcl ) { if ( $iexcl || $dexcl || $oexcl ) {
# #
# We have non-trivial exclusion -- need to create an exclusion chain # We have non-trivial exclusion -- need to create an exclusion chain
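Review bot: the two new fatal_error conditions are correct in placement (after $inets/$dnets have been defaulted to ALLIPv4, so an empty column cannot trigger them), but the messages say "source IP address" / "destination IP address" while the test `$inets ne ALLIPv4` also fires for a network list, range or exclusion string; wording them as "source address" and "destination address" would match what is actually rejected. Both statements are also single lines of well over 150 characters; wrapping the `if` condition onto its own line would match the style of the surrounding expand_rule code.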


@ -152,6 +152,10 @@ our %tcclasses;
our $prefix; our $prefix;
our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tcpost => POSTROUTE_RESTRICT ,
tcfor => NO_RESTRICT ,
tcout => OUTPUT_RESTRICT );
# #
# Initialize globals -- we take this novel approach to globals initialization to allow # Initialize globals -- we take this novel approach to globals initialization to allow
# the compiler to run multiple times in the same process. The # the compiler to run multiple times in the same process. The
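Review bot: %restrictions is declared with `our` and initialized at file scope, directly above the comment explaining that globals in this module are deliberately initialized elsewhere so the compiler can run more than once per process. Since this hash is a constant lookup table that is never modified, that is harmless, but a one-line comment saying so (or declaring it as a file-scoped `my`) would keep the next reader from assuming it was missed by the globals-initialization scheme.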
@ -226,7 +230,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
$target = 'CLASSIFY --set-class'; $target = 'CLASSIFY --set-class';
} }
} }
my $mask = 0xffff; my $mask = 0xffff;
my ($cmd, $rest) = split( '/', $mark, 2 ); my ($cmd, $rest) = split( '/', $mark, 2 );
@ -275,7 +279,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
} }
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
NO_RESTRICT , $restrictions{$chain} ,
do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) , do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test( $testval, $mask ) . do_tos( $tos ) ,
$source , $source ,
$dest , $dest ,
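Review bot: `$restrictions{$chain}` is passed straight through to expand_rule, so if $chain ever holds a value other than tcpre, tcpost, tcfor or tcout the lookup yields undef; the numeric `==` comparisons against POSTROUTE_RESTRICT and PREROUTE_RESTRICT in expand_rule would then warn under `use warnings` and silently behave as whatever value 0 maps to. The hunk does not show how $chain is derived, so either confirm those four names are the only possible values or fall back explicitly, e.g. `$restrictions{$chain} || NO_RESTRICT`, and add a fatal_error for an unknown chain.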