Eliminate 'ORIGINAL_POLICY_MATCH'
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
90b68a05de
commit
d933aa602b
@ -2354,7 +2354,7 @@ sub match_ipsec_in( $$ ) {
|
||||
|
||||
if ( $zoneref->{type} eq 'ipsec' ) {
|
||||
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
|
||||
} elsif ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
} elsif ( have_ipsec ) {
|
||||
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
|
||||
} else {
|
||||
return '';
|
||||
@ -2378,7 +2378,7 @@ sub match_ipsec_out( $$ ) {
|
||||
|
||||
if ( $zoneref->{type} eq 'ipsec' ) {
|
||||
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
|
||||
} elsif ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
} elsif ( have_ipsec ) {
|
||||
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
|
||||
} else {
|
||||
return '';
|
||||
|
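Review bot: The new `elsif ( have_ipsec )` branches in match_ipsec_in and match_ipsec_out call the predicate as a bareword, so they compile correctly only because Zones.pm declares `sub have_ipsec()` with an empty prototype and that declaration is imported before Chains.pm is compiled; the same bareword form is used in the Nat.pm, Rules.pm and Tunnels.pm hunks, including inside ternaries such as `have_ipsec ? "-m policy --pol $ipsec --dir in " : ''`. Writing the call as `} elsif ( have_ipsec() ) {` removes the dependence on the prototype being in scope and makes it visible that a sub, not a constant or variable, is being consulted. Both subs also deserve a short comment that their answer depends on validate_hosts_file having already run, since have_ipsec() falls back to the raw POLICY_MATCH capability before `$have_ipsec` is set; something like `# have_ipsec() is only authoritative after validate_hosts_file has recorded whether any ipsec zones or hosts exist`. The bodies of match_ipsec_in and match_ipsec_out continue outside these hunks.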
@ -327,7 +327,6 @@ sub initialize( $ ) {
|
||||
%globals = ( SHAREDIR => '/usr/share/shorewall' ,
|
||||
SHAREDIRPL => '/usr/share/shorewall/' ,
|
||||
CONFDIR => '/etc/shorewall',
|
||||
ORIGINAL_POLICY_MATCH => '',
|
||||
LOGPARMS => '',
|
||||
TC_SCRIPT => '',
|
||||
EXPORT => 0,
|
||||
@ -2416,8 +2415,6 @@ sub get_configuration( $ ) {
|
||||
|
||||
get_capabilities( $export );
|
||||
|
||||
$globals{ORIGINAL_POLICY_MATCH} = $capabilities{POLICY_MATCH};
|
||||
|
||||
if ( $config{LOGRATE} || $config{LOGBURST} ) {
|
||||
if ( defined $config{LOGRATE} ) {
|
||||
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
|
||||
|
@ -150,7 +150,7 @@ sub process_one_masq( )
|
||||
# Handle IPSEC options, if any
|
||||
#
|
||||
if ( $ipsec ne '-' ) {
|
||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless $globals{ORIGINAL_POLICY_MATCH};
|
||||
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
|
||||
|
||||
if ( $ipsec =~ /^yes$/i ) {
|
||||
$baserule .= '-m policy --pol ipsec --dir out ';
|
||||
@ -159,7 +159,7 @@ sub process_one_masq( )
|
||||
} else {
|
||||
$baserule .= do_ipsec_options $ipsec;
|
||||
}
|
||||
} elsif ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
} elsif ( have_ipsec ) {
|
||||
$baserule .= '-m policy --pol none --dir out ';
|
||||
}
|
||||
|
||||
@ -372,7 +372,7 @@ sub do_one_nat( $$$$$ )
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
if ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
if ( have_ipsec ) {
|
||||
$policyin = ' -m policy --pol none --dir in';
|
||||
$policyout = '-m policy --pol none --dir out';
|
||||
}
|
||||
|
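Review bot: process_one_masq now gates the same IPSEC handling on two different predicates without saying why: a non-empty IPSEC column requires `have_capability( 'POLICY_MATCH' )` (the raw kernel/iptables capability), while the fallback `--pol none` branch and do_one_nat use `have_ipsec`, which is false when no ipsec zones or hosts are configured even if the capability exists. That is presumably intentional — an explicit IPSEC column must work without ipsec zones — but a reader will take it for an inconsistency. A comment above the fatal_error line would settle it: `# An explicit IPSEC column needs kernel policy-match support even when no ipsec zones/hosts are defined; the default '--pol none' match is only emitted when ipsec is actually in use (have_ipsec)`. process_one_masq and do_one_nat both start and end outside these hunks.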
@ -281,7 +281,7 @@ sub setup_blacklist() {
|
||||
for my $hostref ( @$hosts ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $network = $hostref->[2];
|
||||
my $source = match_source_net $network;
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
@ -505,7 +505,7 @@ sub add_common_rules() {
|
||||
for my $hostref ( @$list ) {
|
||||
$interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
|
||||
for $chain ( first_chains $interface ) {
|
||||
@ -597,7 +597,7 @@ sub add_common_rules() {
|
||||
for my $hostref ( @$list ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $hostref->[1] --dir in " : '';
|
||||
my $policy = have_ipsec ? "-m policy --pol $hostref->[1] --dir in " : '';
|
||||
|
||||
for $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy );
|
||||
@ -763,7 +763,7 @@ sub setup_mac_lists( $ ) {
|
||||
for my $hostref ( @$maclist_hosts ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $source = match_source_net $hostref->[2];
|
||||
|
||||
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
|
||||
@ -1709,7 +1709,7 @@ sub generate_matrix() {
|
||||
#
|
||||
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||
|
||||
if ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
if ( have_ipsec ) {
|
||||
#
|
||||
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
|
||||
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
|
||||
@ -2121,7 +2121,7 @@ sub setup_mss( ) {
|
||||
$option = "--set-mss $clampmss";
|
||||
}
|
||||
|
||||
$match .= '-m policy --pol none --dir out ' if have_capability( 'POLICY_MATCH' );
|
||||
$match .= '-m policy --pol none --dir out ' if have_ipsec;
|
||||
}
|
||||
|
||||
my $interfaces = find_interfaces_by_option( 'mss' );
|
||||
@ -2139,7 +2139,7 @@ sub setup_mss( ) {
|
||||
my $in_match = '';
|
||||
my $out_match = '';
|
||||
|
||||
if ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
if ( have_ipsec ) {
|
||||
$in_match = '-m policy --pol none --dir in ';
|
||||
$out_match = '-m policy --pol none --dir out ';
|
||||
}
|
||||
|
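Review bot: The ternary `my $policy = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';` is now written out four times in this file (setup_blacklist, twice in add_common_rules, and setup_mac_lists, the third variant interpolating `$hostref->[1]` directly), so any future change to how the inbound policy match is rendered has to be made in four places. A small helper keeps them in step: `sub policy_match_in( $ ) { my $pol = shift; return have_ipsec ? "-m policy --pol $pol --dir in " : ''; }` followed by `my $policy = policy_match_in( $ipsec );` at each site. This is a style point only; the generated rule text is unchanged by the commit. Each of the enclosing subs starts and ends outside its hunk.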
@ -86,7 +86,7 @@ sub setup_tunnels() {
|
||||
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||
|
||||
unless ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
unless ( have_ipsec ) {
|
||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||
|
||||
|
@ -72,6 +72,7 @@ our @EXPORT = qw( NOTHING
|
||||
validate_hosts_file
|
||||
find_hosts_by_option
|
||||
all_ipsets
|
||||
have_ipsec
|
||||
);
|
||||
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
@ -156,6 +157,7 @@ our @bport_zones;
|
||||
our %ipsets;
|
||||
our %physical;
|
||||
our $family;
|
||||
our $have_ipsec;
|
||||
|
||||
use constant { FIREWALL => 1,
|
||||
IP => 2,
|
||||
@ -199,6 +201,7 @@ sub initialize( $ ) {
|
||||
@zones = ();
|
||||
%zones = ();
|
||||
$firewall_zone = '';
|
||||
$have_ipsec = undef;
|
||||
|
||||
@interfaces = ();
|
||||
%interfaces = ();
|
||||
@ -1271,7 +1274,15 @@ sub validate_hosts_file()
|
||||
|
||||
$ipsec |= process_host while read_a_line;
|
||||
|
||||
set_capability( 'POLICY_MATCH' , '' ) unless $ipsec || haveipseczones;
|
||||
require_capability( 'POLICY_MATCH', 'ipsec zones or hosts', '' ) if $have_ipsec = $ipsec || haveipseczones;
|
||||
|
||||
}
|
||||
|
||||
#
|
||||
# Return an indication of whether IPSEC is present
|
||||
#
|
||||
sub have_ipsec() {
|
||||
return defined $have_ipsec ? $have_ipsec : have_capability 'POLICY_MATCH';
|
||||
}
|
||||
|
||||
#
|
||||
|
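Review bot: In validate_hosts_file the new line `require_capability( 'POLICY_MATCH', 'ipsec zones or hosts', '' ) if $have_ipsec = $ipsec || haveipseczones;` stores whatever scalar `$ipsec || haveipseczones` yields, and if haveipseczones returns undef (or a bare `return;`) when there are no ipsec zones, `$have_ipsec` stays undefined, so the `defined $have_ipsec` test in have_ipsec() falls through to the raw POLICY_MATCH capability — exactly the case the old set_capability line used to suppress, and it would reintroduce `--pol none` matches into every rule on such systems. I cannot see haveipseczones from here, so this needs confirming, but normalizing the flag costs nothing: `$have_ipsec = ( $ipsec || haveipseczones ) ? 1 : 0;` then `require_capability( 'POLICY_MATCH', 'ipsec zones or hosts', '' ) if $have_ipsec;`. Splitting it also removes an assignment buried in a statement modifier, which reads too easily as a comparison. validate_hosts_file starts outside the hunk.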