Fix exclusion in masq SOURCE column
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6145 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
849615da17
commit
e8a4bb4469
@ -136,6 +136,8 @@ our @VERSION = 1.00;
|
|||||||
# synparams => <burst/limit>
|
# synparams => <burst/limit>
|
||||||
# default => <default action>
|
# default => <default action>
|
||||||
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
|
# policy_chain => <ref to policy chain -- self-reference if this is a policy chain>
|
||||||
|
# loopcount => <number of open loops in runtime commands>
|
||||||
|
# cmdcount => <number of client open loops or blocks in runtime commands>
|
||||||
# rules => [ <rule1>
|
# rules => [ <rule1>
|
||||||
# <rule2>
|
# <rule2>
|
||||||
# ...
|
# ...
|
||||||
@ -248,35 +250,22 @@ my $chainseq;
|
|||||||
# Chain reference , Command
|
# Chain reference , Command
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
|
||||||
# Count of the number of unclosed loops in generated shell code. We insert shell code
|
|
||||||
# into the Chain tables 'rules' array (proceeded by '~'). create_netfilter_load()
|
|
||||||
# emits that code inline for execution at run-time.
|
|
||||||
#
|
|
||||||
my $loopcount = 0;
|
|
||||||
|
|
||||||
#
|
|
||||||
# External count that clients of the module can manipulate to cause commands to be
|
|
||||||
# generated rather than rules.
|
|
||||||
#
|
|
||||||
my $cmdcount = 0;
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Functions to manipulate cmdcount
|
# Functions to manipulate cmdcount
|
||||||
#
|
#
|
||||||
sub push_cmd_mode() {
|
sub push_cmd_mode( $ ) {
|
||||||
$cmdcount++;
|
$_[0]->{cmdcount}++;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub pop_cmd_mode() {
|
sub pop_cmd_mode() {
|
||||||
fatal_error "Internal error in pop_cmd_mode()" if --$cmdcount < 0;
|
fatal_error "Internal error in pop_cmd_mode()" if --$_[0]->{cmdcount} < 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
sub add_command($$)
|
sub add_command($$)
|
||||||
{
|
{
|
||||||
my ($chainref, $command) = @_;
|
my ($chainref, $command) = @_;
|
||||||
|
|
||||||
push @{$chainref->{rules}}, join ('', '~', ' ' x ( $loopcount + $cmdcount ), $command );
|
push @{$chainref->{rules}}, join ('', '~', ' ' x ( $chainref->{loopcount} + $chainref->{cmdcount} ), $command );
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
}
|
}
|
||||||
@ -285,7 +274,7 @@ sub add_commands {
|
|||||||
my $chainref = shift @_;
|
my $chainref = shift @_;
|
||||||
|
|
||||||
for my $command ( @_ ) {
|
for my $command ( @_ ) {
|
||||||
push @{$chainref->{rules}}, join ('', '~', ' ' x ( $loopcount + $cmdcount ), $command );
|
push @{$chainref->{rules}}, join ('', '~', ' ' x ( $chainref->{loopcount} + $chainref->{cmdcount} ), $command );
|
||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{referenced} = 1;
|
$chainref->{referenced} = 1;
|
||||||
@ -329,7 +318,7 @@ sub add_rule($$)
|
|||||||
|
|
||||||
$rule .= " -m comment --comment \"$comment\"" if $comment;
|
$rule .= " -m comment --comment \"$comment\"" if $comment;
|
||||||
|
|
||||||
if ( $loopcount || $cmdcount ) {
|
if ( $chainref->{loopcount} || $chainref->{cmdcount} ) {
|
||||||
add_command $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
|
add_command $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
|
||||||
} else {
|
} else {
|
||||||
push @{$chainref->{rules}}, $rule;
|
push @{$chainref->{rules}}, $rule;
|
||||||
@ -349,7 +338,7 @@ sub insert_rule($$$)
|
|||||||
{
|
{
|
||||||
my ($chainref, $number, $rule) = @_;
|
my ($chainref, $number, $rule) = @_;
|
||||||
|
|
||||||
fatal_error 'Internal Error in insert_rule()' if $loopcount || $cmdcount;
|
fatal_error 'Internal Error in insert_rule()' if $chainref->{loopcount} || $chainref->{cmdcount};
|
||||||
|
|
||||||
$rule .= "-m comment --comment \"$comment\"" if $comment;
|
$rule .= "-m comment --comment \"$comment\"" if $comment;
|
||||||
|
|
||||||
@ -495,6 +484,8 @@ sub new_chain($$)
|
|||||||
$ch{rules} = [];
|
$ch{rules} = [];
|
||||||
$ch{table} = $table;
|
$ch{table} = $table;
|
||||||
$ch{loglevel} = '';
|
$ch{loglevel} = '';
|
||||||
|
$ch{loopcount} = 0;
|
||||||
|
$ch{cmdcount} = 0;
|
||||||
$chain_table{$table}{$chain} = \%ch;
|
$chain_table{$table}{$chain} = \%ch;
|
||||||
\%ch;
|
\%ch;
|
||||||
}
|
}
|
||||||
@ -1309,7 +1300,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
# While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'
|
# While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'
|
||||||
#
|
#
|
||||||
$loopcount++;
|
$chainref->{loopcount}++;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line"
|
fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line"
|
||||||
if $restriction & OUTPUT_RESTRICT;
|
if $restriction & OUTPUT_RESTRICT;
|
||||||
@ -1339,7 +1330,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
add_command( $chainref , "for address in $list; do" );
|
add_command( $chainref , "for address in $list; do" );
|
||||||
|
|
||||||
$rule .= '-d $address ';
|
$rule .= '-d $address ';
|
||||||
$loopcount++;
|
$chainref->{loopcount}++;
|
||||||
} else {
|
} else {
|
||||||
$rule .= join ( '', '-d ', get_interface_address( $interfaces[0] ), ' ' );
|
$rule .= join ( '', '-d ', get_interface_address( $interfaces[0] ), ' ' );
|
||||||
}
|
}
|
||||||
@ -1369,7 +1360,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
add_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do' );
|
add_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do' );
|
||||||
$rule .= '-d $dest';
|
$rule .= '-d $dest';
|
||||||
$loopcount++;
|
$chainref->{loopcount}++;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Destination Interface ( $diface ) not allowed when the destination zone is $firewall_zone: $line"
|
fatal_error "Destination Interface ( $diface ) not allowed when the destination zone is $firewall_zone: $line"
|
||||||
if $restriction & INPUT_RESTRICT;
|
if $restriction & INPUT_RESTRICT;
|
||||||
@ -1395,7 +1386,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
|
|
||||||
add_command( $chainref , "for address in $list; do" );
|
add_command( $chainref , "for address in $list; do" );
|
||||||
$rule .= '-m conntrack --ctorigdst $address ';
|
$rule .= '-m conntrack --ctorigdst $address ';
|
||||||
$loopcount++;
|
$chainref->{loopcount}++;
|
||||||
} else {
|
} else {
|
||||||
get_interface_address $interfaces[0];
|
get_interface_address $interfaces[0];
|
||||||
$rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' );
|
$rule .= join( '', '-m conntrack --ctorigdst $', interface_address ( $interfaces[0] ), ' ' );
|
||||||
@ -1441,7 +1432,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
$iexcl = '';
|
$iexcl = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $inets ) {
|
unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
|
||||||
my @iexcl = mysplit $iexcl;
|
my @iexcl = mysplit $iexcl;
|
||||||
if ( @iexcl == 1 ) {
|
if ( @iexcl == 1 ) {
|
||||||
$rule .= match_source_net "!$iexcl ";
|
$rule .= match_source_net "!$iexcl ";
|
||||||
@ -1566,8 +1557,8 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
while ( $loopcount > 0 ) {
|
while ( $chainref->{loopcount} > 0 ) {
|
||||||
$loopcount--;
|
$chainref->{loopcount}--;
|
||||||
add_command $chainref, 'done';
|
add_command $chainref, 'done';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
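Review bot: `pop_cmd_mode` keeps its empty `()` prototype while its body now dereferences `$_[0]->{cmdcount}` (the `@ -248,35 +250,22 @@` hunk), whereas `push_cmd_mode` in the same hunk was changed to `( $ )`, so the pair is inconsistent. With a `()` prototype, a call that passes the chain reference — which the new body needs in order to decrement anything — is rejected at compile time as too many arguments wherever the declaration or its import is seen before the call; the callers are outside this diff, so I cannot confirm how it is invoked, but the one-line fix is `sub pop_cmd_mode( $ ) {`. Separately, the comment in the `@ -1309,7 +1300,7 @@` hunk still reads `# While $loopcount > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'`, which refers to the module-level global this commit removes; it should read `# While $chainref->{loopcount} > 0, calls to 'add_rule()' will be converted to calls to 'add_command()'`. Every function touched here (`expand_rule` in particular) starts and ends outside the visible hunks.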
|
Loading…
Reference in New Issue
Block a user