mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-21 10:18:58 +02:00
Remove a level of indirection for 'complex' zone flag.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
01d99d4873
commit
e0b360513c
@ -1474,7 +1474,7 @@ sub generate_matrix() {
|
|||||||
for my $zone ( @zones ) {
|
for my $zone ( @zones ) {
|
||||||
my $zoneref = find_zone( $zone );
|
my $zoneref = find_zone( $zone );
|
||||||
|
|
||||||
next if @zones <= 2 && ! $zoneref->{options}{complex};
|
next if @zones <= 2 && ! $zoneref->{complex};
|
||||||
#
|
#
|
||||||
# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
|
# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
|
||||||
#
|
#
|
||||||
@ -1553,7 +1553,6 @@ sub generate_matrix() {
|
|||||||
my $source_hosts_ref = $zoneref->{hosts};
|
my $source_hosts_ref = $zoneref->{hosts};
|
||||||
my $chain1 = rules_target firewall_zone , $zone;
|
my $chain1 = rules_target firewall_zone , $zone;
|
||||||
my $chain2 = rules_target $zone, firewall_zone;
|
my $chain2 = rules_target $zone, firewall_zone;
|
||||||
my $complex = $zoneref->{options}{complex} || 0;
|
|
||||||
my $type = $zoneref->{type};
|
my $type = $zoneref->{type};
|
||||||
my $frwd_ref = $filter_table->{zone_forward_chain $zone};
|
my $frwd_ref = $filter_table->{zone_forward_chain $zone};
|
||||||
my $chain = 0;
|
my $chain = 0;
|
||||||
|
|||||||
@ -2461,8 +2461,7 @@ sub process_rule ( ) {
|
|||||||
sub intrazone_allowed( $$ ) {
|
sub intrazone_allowed( $$ ) {
|
||||||
my ( $zone, $zoneref ) = @_;
|
my ( $zone, $zoneref ) = @_;
|
||||||
|
|
||||||
$zoneref->{options}{complex} &&
|
$zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
|
||||||
$filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2477,7 +2476,7 @@ sub classic_blacklist() {
|
|||||||
|
|
||||||
for my $zone ( @zones ) {
|
for my $zone ( @zones ) {
|
||||||
my $zoneref = find_zone( $zone );
|
my $zoneref = find_zone( $zone );
|
||||||
my $simple = @zones <= 2 && ! $zoneref->{options}{complex};
|
my $simple = @zones <= 2 && ! $zoneref->{complex};
|
||||||
|
|
||||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||||
my $blackref = $filter_table->{blacklst};
|
my $blackref = $filter_table->{blacklst};
|
||||||
|
|||||||
@ -114,9 +114,9 @@ use constant { IN_OUT => 1,
|
|||||||
#
|
#
|
||||||
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
||||||
#
|
#
|
||||||
# %zones{<zone1> => {type = > <zone type> FIREWALL, IP, IPSEC, BPORT;
|
# %zones{<zone1> => {type => <zone type> FIREWALL, IP, IPSEC, BPORT;
|
||||||
# options => { complex => 0|1
|
# complex => 0|1
|
||||||
# nested => 0|1
|
# options => { nested => 0|1
|
||||||
# super => 0|1
|
# super => 0|1
|
||||||
# in_out => < policy match string >
|
# in_out => < policy match string >
|
||||||
# in => < policy match string >
|
# in => < policy match string >
|
||||||
@ -490,10 +490,10 @@ sub process_zone( \$ ) {
|
|||||||
options => { in_out => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
|
options => { in_out => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
|
||||||
in => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
|
in => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
|
||||||
out => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
|
out => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
|
||||||
complex => ( $type & IPSEC || $complex ) ,
|
|
||||||
nested => @parents > 0 ,
|
nested => @parents > 0 ,
|
||||||
super => 0 ,
|
super => 0 ,
|
||||||
} ,
|
} ,
|
||||||
|
complex => ( $type & IPSEC || $complex ) ,
|
||||||
interfaces => {} ,
|
interfaces => {} ,
|
||||||
children => [] ,
|
children => [] ,
|
||||||
hosts => {}
|
hosts => {}
|
||||||
@ -509,7 +509,7 @@ sub process_zone( \$ ) {
|
|||||||
fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
|
fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
|
||||||
$mark = $zonemark;
|
$mark = $zonemark;
|
||||||
$zonemark += $zonemarkincr;
|
$zonemark += $zonemarkincr;
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{complex} = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -778,7 +778,7 @@ sub add_group_to_zone($$$$$)
|
|||||||
|
|
||||||
fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
|
fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
|
||||||
|
|
||||||
$zoneref->{options}{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
|
$zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
|
||||||
|
|
||||||
push @{$interfaceref}, { options => $options,
|
push @{$interfaceref}, { options => $options,
|
||||||
hosts => \@newnetworks,
|
hosts => \@newnetworks,
|
||||||
@ -841,7 +841,7 @@ sub all_parent_zones() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub complex_zones() {
|
sub complex_zones() {
|
||||||
grep( $zones{$_}{options}{complex} , @zones );
|
grep( $zones{$_}{complex} , @zones );
|
||||||
}
|
}
|
||||||
|
|
||||||
sub vserver_zones() {
|
sub vserver_zones() {
|
||||||
@ -1841,7 +1841,7 @@ sub process_host( ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $hosts =~ /^!?\+/ ) {
|
if ( $hosts =~ /^!?\+/ ) {
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{complex} = 1;
|
||||||
fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
|
fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
|
||||||
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
|
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
|
||||||
}
|
}
|
||||||
@ -1865,7 +1865,7 @@ sub process_host( ) {
|
|||||||
if ( $option eq 'ipsec' ) {
|
if ( $option eq 'ipsec' ) {
|
||||||
require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
|
require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
|
||||||
$type = IPSEC;
|
$type = IPSEC;
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{complex} = 1;
|
||||||
$ipsec = $interfaceref->{ipsec} = 1;
|
$ipsec = $interfaceref->{ipsec} = 1;
|
||||||
} elsif ( $option eq 'norfc1918' ) {
|
} elsif ( $option eq 'norfc1918' ) {
|
||||||
warning_message "The 'norfc1918' host option is no longer supported"
|
warning_message "The 'norfc1918' host option is no longer supported"
|
||||||
@ -1939,7 +1939,7 @@ sub validate_hosts_file()
|
|||||||
|
|
||||||
$have_ipsec = $ipsec || haveipseczones;
|
$have_ipsec = $ipsec || haveipseczones;
|
||||||
|
|
||||||
$_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
|
$_->{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user