Move section processing to the Rules module where it belongs
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
c03caf7c2f
commit
cf60752988
@ -35,7 +35,7 @@ use strict;
|
|||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( setup_accounting );
|
our @EXPORT = qw( setup_accounting );
|
||||||
our @EXPORT_OK = qw( );
|
our @EXPORT_OK = qw( );
|
||||||
our $VERSION = '4.4.17';
|
our $VERSION = '4.4.18';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Per-IP accounting tables. Each entry contains the associated network.
|
# Per-IP accounting tables. Each entry contains the associated network.
|
||||||
@ -244,7 +244,7 @@ sub process_accounting_rule( ) {
|
|||||||
|
|
||||||
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
|
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
|
||||||
expand_rule(
|
expand_rule(
|
||||||
ensure_filter_chain( 'accountout' , 0 ) ,
|
ensure_rules_chain ( 'accountout' ) ,
|
||||||
OUTPUT_RESTRICT ,
|
OUTPUT_RESTRICT ,
|
||||||
$rule ,
|
$rule ,
|
||||||
$source ,
|
$source ,
|
||||||
|
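Review bot: The replacement `ensure_rules_chain ( 'accountout' )` drops the explicit `0` populate flag that `ensure_filter_chain( 'accountout' , 0 )` passed, and ensure_rules_chain as added later in this commit runs finish_chain_section on a not-yet-referenced chain whenever `$section` is NEW, DONE or RELATED, which appends a state-match ACCEPT rule and SYN-flood jumps. For an accounting chain that would change what the chain does to established traffic; whether it is reachable depends on whether setup_accounting runs before rules processing, which is not visible here, so a comment or an assertion on `$section` at this call would make the intent explicit. Also, no `use Shorewall::Rules` is added in this module's hunks, unlike the tunnels module; if the import is not already present above, the call is an undefined subroutine at run time. The extra space in `ensure_rules_chain (` is inconsistent with the other converted call sites. The enclosing expand_rule call continues outside the hunk.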
@ -86,6 +86,8 @@ our %EXPORT_TAGS = (
|
|||||||
no_comment
|
no_comment
|
||||||
macro_comment
|
macro_comment
|
||||||
clear_comment
|
clear_comment
|
||||||
|
push_coment
|
||||||
|
pop_comment
|
||||||
incr_cmd_level
|
incr_cmd_level
|
||||||
decr_cmd_level
|
decr_cmd_level
|
||||||
forward_chain
|
forward_chain
|
||||||
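Review bot: The export tag adds `push_coment`, but the subroutine defined later in this file is `push_comment` and the new finish_chain_section in the rules module calls `push_comment('')`; Exporter aliases the misspelled name without complaint, so the call fails at run time with an undefined subroutine. Change the entry to `push_comment`. `set_comment`, also added in this commit, does not appear in this tag list; if it is meant to be called from other modules it needs an entry as well.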
@ -119,7 +121,6 @@ our %EXPORT_TAGS = (
|
|||||||
new_builtin_chain
|
new_builtin_chain
|
||||||
new_nat_chain
|
new_nat_chain
|
||||||
ensure_filter_chain
|
ensure_filter_chain
|
||||||
finish_section
|
|
||||||
optimize_chain
|
optimize_chain
|
||||||
check_optimization
|
check_optimization
|
||||||
optimize_ruleset
|
optimize_ruleset
|
||||||
@ -180,8 +181,6 @@ our %EXPORT_TAGS = (
|
|||||||
preview_netfilter_load
|
preview_netfilter_load
|
||||||
create_chainlist_reload
|
create_chainlist_reload
|
||||||
create_stop_load
|
create_stop_load
|
||||||
$section
|
|
||||||
%sections
|
|
||||||
%targets
|
%targets
|
||||||
) ],
|
) ],
|
||||||
);
|
);
|
||||||
@ -242,15 +241,8 @@ our $raw_table;
|
|||||||
our $nat_table;
|
our $nat_table;
|
||||||
our $mangle_table;
|
our $mangle_table;
|
||||||
our $filter_table;
|
our $filter_table;
|
||||||
#
|
|
||||||
# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file
|
|
||||||
# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent
|
|
||||||
# on Shorewall::Rules.
|
|
||||||
#
|
|
||||||
our %sections;
|
|
||||||
our $section;
|
|
||||||
|
|
||||||
our $comment;
|
our $comment;
|
||||||
|
our @comments;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Target Types
|
# Target Types
|
||||||
@ -406,22 +398,11 @@ sub initialize( $ ) {
|
|||||||
$nat_table = $chain_table{nat};
|
$nat_table = $chain_table{nat};
|
||||||
$mangle_table = $chain_table{mangle};
|
$mangle_table = $chain_table{mangle};
|
||||||
$filter_table = $chain_table{filter};
|
$filter_table = $chain_table{filter};
|
||||||
|
|
||||||
#
|
|
||||||
# These are set to 1 as sections are encountered.
|
|
||||||
#
|
|
||||||
%sections = ( ESTABLISHED => 0,
|
|
||||||
RELATED => 0,
|
|
||||||
NEW => 0
|
|
||||||
);
|
|
||||||
#
|
|
||||||
# Current rules file section.
|
|
||||||
#
|
|
||||||
$section = '';
|
|
||||||
#
|
#
|
||||||
# Contents of last COMMENT line.
|
# Contents of last COMMENT line.
|
||||||
#
|
#
|
||||||
$comment = '';
|
$comment = '';
|
||||||
|
@comments = ();
|
||||||
#
|
#
|
||||||
# Used to sequence chain names.
|
# Used to sequence chain names.
|
||||||
#
|
#
|
||||||
@ -472,10 +453,30 @@ sub no_comment() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Clear the $comment variable
|
# Clear the $comment variable and the comment stack
|
||||||
#
|
#
|
||||||
sub clear_comment() {
|
sub clear_comment() {
|
||||||
$comment = '';
|
$comment = '';
|
||||||
|
@comments = ();
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Push and Pop comment stack
|
||||||
|
#
|
||||||
|
sub push_comment( $ ) {
|
||||||
|
push @comments, $comment;
|
||||||
|
$comment = shift;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub pop_comment() {
|
||||||
|
$comment = pop @comments;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set comment
|
||||||
|
#
|
||||||
|
sub set_comment( $ ) {
|
||||||
|
$comment = shift;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
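Review bot: `pop_comment` assigns `pop @comments` to `$comment` unconditionally, so a call on an empty stack leaves `$comment` undef rather than the empty string every other path uses, and later string use of it will raise uninitialized-value warnings. Guard it, for example `$comment = @comments ? pop @comments : '';`. The comment above push_comment could also say that the stack holds the comments displaced by push_comment and that pop_comment restores the most recently saved one.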
@ -1312,10 +1313,8 @@ sub dont_move( $ ) {
|
|||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub finish_chain_section( $$ );
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
|
# Create a filter chain if necessary.
|
||||||
#
|
#
|
||||||
# Return a reference to the chain's table entry.
|
# Return a reference to the chain's table entry.
|
||||||
#
|
#
|
||||||
@ -1325,17 +1324,7 @@ sub ensure_filter_chain( $$ )
|
|||||||
|
|
||||||
my $chainref = ensure_chain 'filter', $chain;
|
my $chainref = ensure_chain 'filter', $chain;
|
||||||
|
|
||||||
unless ( $chainref->{referenced} ) {
|
|
||||||
if ( $populate ) {
|
|
||||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
|
||||||
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
|
|
||||||
} elsif ( $section eq 'RELATED' ) {
|
|
||||||
finish_chain_section $chainref , 'ESTABLISHED';
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
}
|
|
||||||
|
|
||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
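Review bot: The `$populate` argument of ensure_filter_chain is no longer used anywhere in the body, but the `( $$ )` prototype in the hunk header still requires it, so any call site not converted in this commit that still passes `1` expecting the ESTABLISHED,RELATED rules silently gets an unpopulated chain. Either remove the parameter and update the remaining callers, or make the intent explicit where the arguments are unpacked, e.g. `my ( $chain ) = @_; # second argument (populate) is obsolete; use ensure_rules_chain`. The function's signature and argument unpacking are outside the hunk.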
@ -1554,60 +1543,6 @@ sub initialize_chain_table()
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
|
|
||||||
#
|
|
||||||
sub finish_chain_section ($$) {
|
|
||||||
my ($chainref, $state ) = @_;
|
|
||||||
my $chain = $chainref->{name};
|
|
||||||
my $savecomment = $comment;
|
|
||||||
|
|
||||||
$comment = '';
|
|
||||||
|
|
||||||
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
|
|
||||||
|
|
||||||
if ($sections{NEW} ) {
|
|
||||||
if ( $chainref->{is_policy} ) {
|
|
||||||
if ( $chainref->{synparams} ) {
|
|
||||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
|
||||||
if ( $section eq 'DONE' ) {
|
|
||||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
|
||||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
my $policychainref = $filter_table->{$chainref->{policychain}};
|
|
||||||
if ( $policychainref->{synparams} ) {
|
|
||||||
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
|
||||||
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$chainref->{new} = @{$chainref->{rules}};
|
|
||||||
}
|
|
||||||
|
|
||||||
$comment = $savecomment;
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Do section-end processing
|
|
||||||
#
|
|
||||||
sub finish_section ( $ ) {
|
|
||||||
my $sections = $_[0];
|
|
||||||
|
|
||||||
$sections{$_} = 1 for split /,/, $sections;
|
|
||||||
|
|
||||||
for my $zone ( all_zones ) {
|
|
||||||
for my $zone1 ( all_zones ) {
|
|
||||||
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
|
||||||
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
|
# Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
|
||||||
#
|
#
|
||||||
|
@ -12,7 +12,7 @@
|
|||||||
# as published by the Free Software Foundation.
|
# as published by the Free Software Foundation.
|
||||||
#
|
#
|
||||||
# This program is distributed in the hope that it will be useful,
|
# This program is distributed in the hope that it will be useful,
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
# but WITHOUT ANY WARRANTY; without even the implied warranty ofs
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
# GNU General Public License for more details.
|
# GNU General Public License for more details.
|
||||||
#
|
#
|
||||||
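Review bot: The only change in this hunk appends a stray `s` to the license text, turning `implied warranty of` into `implied warranty ofs`; this looks accidental. Restore the line to `# but WITHOUT ANY WARRANTY; without even the implied warranty of`.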
@ -1091,7 +1091,7 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||||
my $blackref = $filter_table->{blacklst};
|
my $blackref = $filter_table->{blacklst};
|
||||||
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
add_jump ensure_rules_chain( rules_chain( $zone, $_ ) ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
||||||
|
|
||||||
if ( $simple ) {
|
if ( $simple ) {
|
||||||
#
|
#
|
||||||
@ -1102,7 +1102,7 @@ sub generate_matrix() {
|
|||||||
my $ruleschainref = $filter_table->{$ruleschain};
|
my $ruleschainref = $filter_table->{$ruleschain};
|
||||||
|
|
||||||
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||||
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1110,14 +1110,14 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( $zoneref->{options}{out}{blacklist} ) {
|
if ( $zoneref->{options}{out}{blacklist} ) {
|
||||||
my $blackref = $filter_table->{blackout};
|
my $blackref = $filter_table->{blackout};
|
||||||
add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1;
|
add_jump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , $blackref , 0, $state, 0, -1;
|
||||||
|
|
||||||
for my $zone1 ( @zones, @vservers ) {
|
for my $zone1 ( @zones, @vservers ) {
|
||||||
my $ruleschain = rules_chain( $zone1, $zone );
|
my $ruleschain = rules_chain( $zone1, $zone );
|
||||||
my $ruleschainref = $filter_table->{$ruleschain};
|
my $ruleschainref = $filter_table->{$ruleschain};
|
||||||
|
|
||||||
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||||
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
add_jump( ensure_rules_chain( $ruleschain ), $blackref, 0, $state, 0, -1 );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -20,9 +20,10 @@
|
|||||||
# along with this program; if not, write to the Free Software
|
# along with this program; if not, write to the Free Software
|
||||||
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
#
|
#
|
||||||
# This module contains
|
# This module handles policies and rules. It contains:
|
||||||
|
#
|
||||||
# validate_policy() and it's associated helpers.
|
# validate_policy() and it's associated helpers.
|
||||||
# process_rule() and it's associated helpers for handling Actions and Macros.
|
# process_rules() and it's associated helpers for handling Actions and Macros.
|
||||||
#
|
#
|
||||||
# This module combines the former Policy, Rules and Actions modules.
|
# This module combines the former Policy, Rules and Actions modules.
|
||||||
#
|
#
|
||||||
@ -43,6 +44,7 @@ our @EXPORT = qw(
|
|||||||
complete_standard_chain
|
complete_standard_chain
|
||||||
setup_syn_flood_chains
|
setup_syn_flood_chains
|
||||||
save_policies
|
save_policies
|
||||||
|
ensure_rules_chain
|
||||||
optimize_policy_chains
|
optimize_policy_chains
|
||||||
process_actions1
|
process_actions1
|
||||||
process_actions2
|
process_actions2
|
||||||
@ -50,9 +52,11 @@ our @EXPORT = qw(
|
|||||||
);
|
);
|
||||||
|
|
||||||
our @EXPORT_OK = qw( initialize );
|
our @EXPORT_OK = qw( initialize );
|
||||||
our $VERSION = '4.4_17';
|
our $VERSION = '4.4_18';
|
||||||
|
|
||||||
# @policy_chains is a list of references to policy chains in the filter table
|
our %sections;
|
||||||
|
|
||||||
|
our $section;
|
||||||
|
|
||||||
our @policy_chains;
|
our @policy_chains;
|
||||||
|
|
||||||
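Review bot: The line `# @policy_chains is a list of references to policy chains in the filter table` is removed and replaced by `our %sections;`, so `@policy_chains` loses its only description while the two new globals get none. Keep that comment above `our @policy_chains;` and document the new ones, e.g. `# %sections records which rules-file sections have been encountered; $section is the section currently being processed`.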
@ -106,6 +110,17 @@ sub initialize( $ ) {
|
|||||||
REJECT => 'none' ,
|
REJECT => 'none' ,
|
||||||
ACCEPT => 'none' ,
|
ACCEPT => 'none' ,
|
||||||
QUEUE => 'none' );
|
QUEUE => 'none' );
|
||||||
|
#
|
||||||
|
# These are set to 1 as sections are encountered.
|
||||||
|
#
|
||||||
|
%sections = ( ESTABLISHED => 0,
|
||||||
|
RELATED => 0,
|
||||||
|
NEW => 0
|
||||||
|
);
|
||||||
|
#
|
||||||
|
# Current rules file section.
|
||||||
|
#
|
||||||
|
$section = '';
|
||||||
%macros = ();
|
%macros = ();
|
||||||
@actionstack = ();
|
@actionstack = ();
|
||||||
%active = ();
|
%active = ();
|
||||||
@ -120,6 +135,9 @@ sub initialize( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# Functions moved from the former Policy Module
|
||||||
|
###############################################################################
|
||||||
#
|
#
|
||||||
# Split the passed target into the basic target and parameter
|
# Split the passed target into the basic target and parameter
|
||||||
#
|
#
|
||||||
@ -500,6 +518,8 @@ sub default_policy( $$$ ) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub ensure_rules_chain( $ );
|
||||||
|
|
||||||
sub apply_policy_rules() {
|
sub apply_policy_rules() {
|
||||||
progress_message2 'Applying Policies...';
|
progress_message2 'Applying Policies...';
|
||||||
|
|
||||||
@ -521,9 +541,9 @@ sub apply_policy_rules() {
|
|||||||
# is a single jump. Generate_matrix() will just use the policy target when
|
# is a single jump. Generate_matrix() will just use the policy target when
|
||||||
# needed.
|
# needed.
|
||||||
#
|
#
|
||||||
ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
|
ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
|
||||||
} else {
|
} else {
|
||||||
ensure_filter_chain $name, 1;
|
ensure_rules_chain $name;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -546,6 +566,9 @@ sub apply_policy_rules() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# Modules moved from the Chains module in 4.4.18
|
||||||
|
################################################################################
|
||||||
#
|
#
|
||||||
# Complete a standard chain
|
# Complete a standard chain
|
||||||
#
|
#
|
||||||
@ -620,6 +643,87 @@ sub optimize_policy_chains() {
|
|||||||
progress_message '';
|
progress_message '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub finish_chain_section( $$ );
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create a rules chain if necessary and populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
|
||||||
|
#
|
||||||
|
# Return a reference to the chain's table entry.
|
||||||
|
#
|
||||||
|
sub ensure_rules_chain( $ )
|
||||||
|
{
|
||||||
|
my ($chain) = @_;
|
||||||
|
|
||||||
|
my $chainref = ensure_chain 'filter', $chain;
|
||||||
|
|
||||||
|
unless ( $chainref->{referenced} ) {
|
||||||
|
if ( $section eq 'NEW' or $section eq 'DONE' ) {
|
||||||
|
finish_chain_section $chainref , 'ESTABLISHED,RELATED';
|
||||||
|
} elsif ( $section eq 'RELATED' ) {
|
||||||
|
finish_chain_section $chainref , 'ESTABLISHED';
|
||||||
|
}
|
||||||
|
|
||||||
|
$chainref->{referenced} = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
$chainref;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add ESTABLISHED,RELATED rules and synparam jumps to the passed chain
|
||||||
|
#
|
||||||
|
sub finish_chain_section ($$) {
|
||||||
|
my ($chainref, $state ) = @_;
|
||||||
|
my $chain = $chainref->{name};
|
||||||
|
|
||||||
|
push_comment(''); #These rules should not have comments
|
||||||
|
|
||||||
|
add_rule $chainref, "$globals{STATEMATCH} $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||||
|
|
||||||
|
if ($sections{NEW} ) {
|
||||||
|
if ( $chainref->{is_policy} ) {
|
||||||
|
if ( $chainref->{synparams} ) {
|
||||||
|
my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
|
||||||
|
if ( $section eq 'DONE' ) {
|
||||||
|
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
||||||
|
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
my $policychainref = $filter_table->{$chainref->{policychain}};
|
||||||
|
if ( $policychainref->{synparams} ) {
|
||||||
|
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
|
||||||
|
add_jump $chainref, $synchainref, 0, "-p tcp --syn ";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$chainref->{new} = @{$chainref->{rules}};
|
||||||
|
}
|
||||||
|
|
||||||
|
pop_comment;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Do section-end processing
|
||||||
|
#
|
||||||
|
sub finish_section ( $ ) {
|
||||||
|
my $sections = $_[0];
|
||||||
|
|
||||||
|
$sections{$_} = 1 for split /,/, $sections;
|
||||||
|
|
||||||
|
for my $zone ( all_zones ) {
|
||||||
|
for my $zone1 ( all_zones ) {
|
||||||
|
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
||||||
|
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
################################################################################
|
||||||
|
# Functions moved from the Actions module in 4.4.16
|
||||||
|
################################################################################
|
||||||
#
|
#
|
||||||
# Return ( action, level[:tag] ) from passed full action
|
# Return ( action, level[:tag] ) from passed full action
|
||||||
#
|
#
|
||||||
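Review bot: The header comment on ensure_rules_chain says the chain is populated with the ESTABLISHED,RELATED rule(s), but the body does so only on the first call for a chain (`unless ( $chainref->{referenced} )`) and only when `$section` is NEW, DONE or RELATED at that moment; in any other section the chain is marked referenced without those rules, which is presumably what finish_section later compensates for. Say so in the comment, e.g. `# Population depends on $section at the time of the first call; chains referenced earlier are completed by finish_section.` In finish_chain_section, `my $chain = $chainref->{name};` is never used and can be dropped.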
@ -1276,7 +1380,9 @@ sub process_actions2 () {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
################################################################################
|
||||||
|
# End of functions moved from the Actions module in 4.4.16
|
||||||
|
################################################################################
|
||||||
#
|
#
|
||||||
# Expand a macro rule from the rules file
|
# Expand a macro rule from the rules file
|
||||||
#
|
#
|
||||||
@ -1681,7 +1787,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||||
#
|
#
|
||||||
$chainref = ensure_filter_chain $chain, 1;
|
$chainref = ensure_rules_chain $chain;
|
||||||
#
|
#
|
||||||
# Don't let the rules in this chain be moved elsewhere
|
# Don't let the rules in this chain be moved elsewhere
|
||||||
#
|
#
|
||||||
|
@ -28,13 +28,14 @@ use Shorewall::Config qw(:DEFAULT :internal);
|
|||||||
use Shorewall::Zones;
|
use Shorewall::Zones;
|
||||||
use Shorewall::IPAddrs;
|
use Shorewall::IPAddrs;
|
||||||
use Shorewall::Chains qw(:DEFAULT :internal);
|
use Shorewall::Chains qw(:DEFAULT :internal);
|
||||||
|
use Shorewall::Rules;
|
||||||
|
|
||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw( setup_tunnels );
|
our @EXPORT = qw( setup_tunnels );
|
||||||
our @EXPORT_OK = ( );
|
our @EXPORT_OK = ( );
|
||||||
our $VERSION = '4.4_14';
|
our $VERSION = '4.4_18';
|
||||||
|
|
||||||
#
|
#
|
||||||
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
# Here starts the tunnel stuff -- we really should get rid of this crap...
|
||||||
@ -83,8 +84,8 @@ sub setup_tunnels() {
|
|||||||
for my $zone ( split_list $gatewayzones, 'zone' ) {
|
for my $zone ( split_list $gatewayzones, 'zone' ) {
|
||||||
my $type = zone_type( $zone );
|
my $type = zone_type( $zone );
|
||||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
|
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
|
||||||
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
$inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
|
||||||
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
|
||||||
|
|
||||||
unless ( have_ipsec ) {
|
unless ( have_ipsec ) {
|
||||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||||
@ -239,8 +240,8 @@ sub setup_tunnels() {
|
|||||||
|
|
||||||
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
|
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
|
||||||
|
|
||||||
my $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
my $inchainref = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
|
||||||
my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
|
||||||
|
|
||||||
$gateway = ALLIP if $gateway eq '-';
|
$gateway = ALLIP if $gateway eq '-';
|
||||||
|
|
||||||
|
@ -4,6 +4,10 @@ Changes in Shorewall 4.4.18 Beta 4
|
|||||||
|
|
||||||
2) Change default value of MODULE_PREFIX.
|
2) Change default value of MODULE_PREFIX.
|
||||||
|
|
||||||
|
3) Combine Policy and Rules Modules
|
||||||
|
|
||||||
|
4) Move section processing to the Rules modules.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.18 Beta 3
|
Changes in Shorewall 4.4.18 Beta 3
|
||||||
|
|
||||||
1) Change default chain in FORWARD section of the accounting file.
|
1) Change default chain in FORWARD section of the accounting file.
|
||||||
|
@ -127,6 +127,9 @@ None.
|
|||||||
Netfilter releases which disallow the owner match in rules
|
Netfilter releases which disallow the owner match in rules
|
||||||
reachable from the INPUT and FORWARD hooks.
|
reachable from the INPUT and FORWARD hooks.
|
||||||
|
|
||||||
|
3) Internals Change: The Policy.pm module has been merged into the
|
||||||
|
Rules.pm module.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
I V. R E L E A S E 4 . 4 H I G H L I G H T S
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|