Remove a level of indirection for 'complex' zone flag.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-03-13 09:47:31 -07:00
parent 01d99d4873
commit e0b360513c
3 changed files with 13 additions and 15 deletions


@ -1474,7 +1474,7 @@ sub generate_matrix() {
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{options}{complex}; next if @zones <= 2 && ! $zoneref->{complex};
# #
# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain # Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
# #
@ -1553,7 +1553,6 @@ sub generate_matrix() {
my $source_hosts_ref = $zoneref->{hosts}; my $source_hosts_ref = $zoneref->{hosts};
my $chain1 = rules_target firewall_zone , $zone; my $chain1 = rules_target firewall_zone , $zone;
my $chain2 = rules_target $zone, firewall_zone; my $chain2 = rules_target $zone, firewall_zone;
my $complex = $zoneref->{options}{complex} || 0;
my $type = $zoneref->{type}; my $type = $zoneref->{type};
my $frwd_ref = $filter_table->{zone_forward_chain $zone}; my $frwd_ref = $filter_table->{zone_forward_chain $zone};
my $chain = 0; my $chain = 0;


@ -2461,8 +2461,7 @@ sub process_rule ( ) {
sub intrazone_allowed( $$ ) { sub intrazone_allowed( $$ ) {
my ( $zone, $zoneref ) = @_; my ( $zone, $zoneref ) = @_;
$zoneref->{options}{complex} && $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
$filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
} }
# #
@ -2477,7 +2476,7 @@ sub classic_blacklist() {
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{options}{complex}; my $simple = @zones <= 2 && ! $zoneref->{complex};
if ( $zoneref->{options}{in}{blacklist} ) { if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst}; my $blackref = $filter_table->{blacklst};


@ -114,9 +114,9 @@ use constant { IN_OUT => 1,
# #
# @zones contains the ordered list of zones with sub-zones appearing before their parents. # @zones contains the ordered list of zones with sub-zones appearing before their parents.
# #
# %zones{<zone1> => {type = > <zone type> FIREWALL, IP, IPSEC, BPORT; # %zones{<zone1> => {type => <zone type> FIREWALL, IP, IPSEC, BPORT;
# options => { complex => 0|1 # complex => 0|1
# nested => 0|1 # options => { nested => 0|1
# super => 0|1 # super => 0|1
# in_out => < policy match string > # in_out => < policy match string >
# in => < policy match string > # in => < policy match string >
@ -490,10 +490,10 @@ sub process_zone( \$ ) {
options => { in_out => parse_zone_option_list( $options , $type, $complex , IN_OUT ) , options => { in_out => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
in => parse_zone_option_list( $in_options , $type , $complex , IN ) , in => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
out => parse_zone_option_list( $out_options , $type , $complex , OUT ) , out => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
complex => ( $type & IPSEC || $complex ) ,
nested => @parents > 0 , nested => @parents > 0 ,
super => 0 , super => 0 ,
} , } ,
complex => ( $type & IPSEC || $complex ) ,
interfaces => {} , interfaces => {} ,
children => [] , children => [] ,
hosts => {} hosts => {}
@ -509,7 +509,7 @@ sub process_zone( \$ ) {
fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit; fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
$mark = $zonemark; $mark = $zonemark;
$zonemark += $zonemarkincr; $zonemark += $zonemarkincr;
$zoneref->{options}{complex} = 1; $zoneref->{complex} = 1;
} }
} }
@ -778,7 +778,7 @@ sub add_group_to_zone($$$$$)
fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref; fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
$zoneref->{options}{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback}; $zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
push @{$interfaceref}, { options => $options, push @{$interfaceref}, { options => $options,
hosts => \@newnetworks, hosts => \@newnetworks,
@ -841,7 +841,7 @@ sub all_parent_zones() {
} }
sub complex_zones() { sub complex_zones() {
grep( $zones{$_}{options}{complex} , @zones ); grep( $zones{$_}{complex} , @zones );
} }
sub vserver_zones() { sub vserver_zones() {
@ -1841,7 +1841,7 @@ sub process_host( ) {
} }
if ( $hosts =~ /^!?\+/ ) { if ( $hosts =~ /^!?\+/ ) {
$zoneref->{options}{complex} = 1; $zoneref->{complex} = 1;
fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/; fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/; fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
} }
@ -1865,7 +1865,7 @@ sub process_host( ) {
if ( $option eq 'ipsec' ) { if ( $option eq 'ipsec' ) {
require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's'; require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
$type = IPSEC; $type = IPSEC;
$zoneref->{options}{complex} = 1; $zoneref->{complex} = 1;
$ipsec = $interfaceref->{ipsec} = 1; $ipsec = $interfaceref->{ipsec} = 1;
} elsif ( $option eq 'norfc1918' ) { } elsif ( $option eq 'norfc1918' ) {
warning_message "The 'norfc1918' host option is no longer supported" warning_message "The 'norfc1918' host option is no longer supported"
@ -1939,7 +1939,7 @@ sub validate_hosts_file()
$have_ipsec = $ipsec || haveipseczones; $have_ipsec = $ipsec || haveipseczones;
$_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones; $_->{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
} }
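Review bot: Moving the flag from `$zoneref->{options}{complex}` to `$zoneref->{complex}` means any reader still on the old path would not fail under strict — it just reads undef from the existing `options` hash — so a missed call site would silently treat a complex zone as simple, which is a quiet way to lose the per-zone forwarding chain and the blacklist handling that key on it. The hunks in the first two sections cover generate_matrix, intrazone_allowed and classic_blacklist; any consumer outside these three files is not visible here and should be checked for a remaining `{options}{complex}` read before merging. Since `complex` is now a top-level zone key that several later passes also set, the schema comment in this section could say so, e.g. `# complex => 0|1 (set at creation; also raised later by add_group_to_zone, process_host, validate_hosts_file)`.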
# #