Fix another accounting sectioning bug

Tom Eastep 2011-02-13 14:32:11 -08:00
parent 46a99a7cd9
commit dd81eedb42
2 changed files with 20 additions and 4 deletions


@ -147,7 +147,7 @@ sub process_accounting_rule( ) {
sub jump_to_chain( $ ) {
my $jumpchain = $_[0];
fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
$jumpchainref = ensure_accounting_chain( $jumpchain, 0, $restriction );
$jumpchainref = ensure_accounting_chain( $jumpchain, 0, $defaultrestriction );
check_chain( $jumpchainref );
$disposition = $jumpchain;
$jumpchain;
@ -273,13 +273,15 @@ sub process_accounting_rule( ) {
$dir = $chainref->{ipsec};
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
$rule .= do_ipsec( $dir , $ipsec );
} elsif ( $asection ) {
$restriction |= $chainref->{restriction};
}
if ( $jumpchainref ) {
if ( $asection ) {
fatal_error "Chain $chain jumps to itself" if $chainref eq $jumpchainref;
my $jumprestrict = $jumpchainref->{restriction} || $restriction;
fatal_error "Chain $jumpchainref->{name} contains rules that are incompatible with the $sectionname section" if $restriction && $jumprestrict ne $restriction;
fatal_error "Chain $jumpchainref->{name} contains rules that are incompatible with the $sectionname section" if $jumprestrict && $jumprestrict ne $restriction;
}
$accountingjumps{$jumpchainref->{name}}{$chain} = 1;
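Review bot: The compatibility check on `$jumprestrict` runs only at the moment the jump rule is parsed, and `$jumpchainref->{restriction} || $restriction` treats a target chain whose restriction is still 0 as compatible with anything; if rules carrying a different restriction are appended to that chain later in the file, nothing in this hunk re-validates the earlier jump, so please confirm that the `%accountingjumps` entry recorded on the last line is re-checked once all chains are populated (that pass is outside this hunk). Note also that `ne` compares the restriction bitmasks as strings, which fails closed for any differing mask but will also reject a target whose accumulated mask is a strict superset of `$restriction`; if that is intended, a comment such as `# restriction masks must match exactly; 0 on the target means "not yet constrained"` above the check would save the next reader the question. The enclosing process_accounting_rule starts before this hunk and continues after it.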


@ -1327,6 +1327,7 @@ sub ensure_accounting_chain( $$$ )
if ( $chainref ) {
fatal_error "Non-accounting chain ($chain) used in an accounting rule" unless $chainref->{accounting};
$chainref->{restriction} |= $restriction;
} else {
fatal_error "Chain name ($chain) too long" if length $chain > 29;
fatal_error "Invalid Chain name ($chain)" unless $chain =~ /^[-\w]+$/;
@ -3686,7 +3687,14 @@ sub expand_rule( $$$$$$$$$$;$ )
$rule .= '-s $source ';
} else {
fatal_error "Source Interface ($iiface) not allowed when the SOURCE is the firewall" if $restriction & OUTPUT_RESTRICT;
if ( $restriction & OUTPUT_RESTRICT ) {
if ( $chainref->{accounting} ) {
fatal_error "Source Interface ($iiface) not allowed in the $chainref->{name} chain";
} else {
fatal_error "Source Interface ($iiface) not allowed when the SOURCE is the firewall";
}
}
$chainref->{restriction} |= $restriction;
$rule .= match_source_dev( $iiface );
}
@ -3773,7 +3781,13 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall" if $restriction & INPUT_RESTRICT;
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFACE_DISALLOW;
if ( $restriction & DESTIFACE_DISALLOW ) {
if ( $chainref->{accounting} ) {
fatal_error "Destination Interface ($diface) not allowed in the $chainref->{name} chain";
} else {
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
}
}
if ( $iiface ) {
my $bridge = port_to_bridge( $diface );
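Review bot: The chain's restriction is recorded only on the source-interface path (`$chainref->{restriction} |= $restriction;` right after the OUTPUT_RESTRICT check); the destination-interface path in the last hunk raises the new accounting-aware error but, in the lines visible here, never folds `$restriction` into `$chainref->{restriction}`, so a chain whose only restricted rules name a destination interface would still look unrestricted to the accounting section check that relies on that field. If the assignment is made further down that branch it is outside this hunk; otherwise add the same `$chainref->{restriction} |= $restriction;` before the destination-device match is appended. A short comment on the recording line would also help, e.g. `# remember which section this chain's rules are valid in; the accounting code checks it on jumps`. expand_rule starts and ends outside these hunks.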