extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-23 08:03:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code

Browse Source
This commit is contained in:
Tom Eastep 2013-07-11 14:16:19 -07:00
commit d2725fcd87
1 changed files with 101 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

101
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -6915,6 +6915,45 @@ sub verify_source_interface( $$$$ ) {
$rule; $rule;
} }
sub iverify_source_interface( $$$$ ) {
my ( $iiface, $restriction, $table, $chainref ) = @_;
my @rule;
fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
if ( $restriction & POSTROUTE_RESTRICT ) {
#
# An interface in the SOURCE column of a masq file
#
fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
fatal_error "A wildcard interface ( $iiface) is not allowed in this context" if $iiface =~ /\+$/;
if ( $table eq 'nat' ) {
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
} else {
warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
}
push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';
push @rule, ( s => '$source' );
} else {
if ( $restriction & OUTPUT_RESTRICT ) {
if ( $chainref->{accounting} ) {
fatal_error "Source Interface ($iiface) not allowed in the $chainref->{name} chain";
} else {
fatal_error "Source Interface ($iiface) not allowed when the SOURCE is the firewall";
}
}
$chainref->{restricted} |= $restriction;
push @rule, imatch_source_dev( $iiface );
}
@rule;
}
# #
# Splits an interface:address pair. Updates that passed rule and returns ($rule, $interface, $address ) # Splits an interface:address pair. Updates that passed rule and returns ($rule, $interface, $address )
# #
@ -7098,6 +7137,68 @@ sub handle_original_dest( $$$ ) {
( $onets, $oexcl, $rule ); ( $onets, $oexcl, $rule );
} }
sub ihandle_original_dest( $$;@ ) {
my ( $origdest, $chainref, @rule ) = @_;
my ( $onets, $oexcl );
if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) {
$onets = $oexcl = '';
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
#
# Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
#
my @interfaces = split /\s+/, $1;
if ( @interfaces > 1 ) {
my $list = "";
my $optional;
for my $interface ( @interfaces ) {
$optional++ if interface_is_optional $interface;
$list = join( ' ', $list , get_interface_address( $interface ) );
}
push_command( $chainref , "for address in $list; do" , 'done' );
push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
push @rule, ( conntrack => '--ctoregdst $address' );
} else {
my $interface = $interfaces[0];
my $variable = get_interface_address( $interface );
push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi' ) if interface_is_optional( $interface );
push @rule, ( conntrack => '--ctorigdst $variable' );
}
$onets = $oexcl = '';
} else {
fatal_error "Invalid ORIGINAL DEST" if $origdest =~ /^([^!]+)?,!([^!]+)$/ || $origdest =~ /.*!.*!/;
if ( $origdest =~ /^([^!]+)?!([^!]+)$/ ) {
#
# Exclusion
#
$onets = $1;
$oexcl = $2;
} else {
$oexcl = '';
$onets = $origdest;
}
unless ( $onets ) {
my @oexcl = split_host_list( $oexcl, $config{DEFER_DNS_RESOLUTION} );
if ( @oexcl == 1 ) {
push @rule, imatch_orig_dest( "!$oexcl" );
$oexcl = '';
}
}
}
( $onets, $oexcl, @rule );
}
# #
# Handles non-trivial exclusion. Updates the passed rule and returns ( $rule, $done ) # Handles non-trivial exclusion. Updates the passed rule and returns ( $rule, $done )
# #