extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-02-03 03:19:36 +01:00
Code Issues Packages Projects Releases Wiki Activity

Make the calling sequence of 'build_exclusion_chain' more rational

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2488 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2005-08-13 21:39:34 +00:00
parent daef55a295
commit ea1bf1a7c8
1 changed files with 23 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
Shorewall/firewall
View File

@ -2879,25 +2879,34 @@ setup_ecn() # $1 = file name
} }
# #
# Set up an exclusion chain and return it's name # Set up an exclusion chain
# #
build_exclusion_chain() # $1 = table, $2 = SOURCE exclusion list, $3 = DESTINATION exclusion list build_exclusion_chain() # $1 = variableto store chain name in $2 = table, $3 = SOURCE exclusion list, $4 = DESTINATION exclusion list
{ {
local chain=excl_${EXCLUSION_SEQ} net local c=excl_${EXCLUSION_SEQ} net
EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 )) EXCLUSION_SEQ=$(( $EXCLUSION_SEQ + 1 ))
run_iptables -t $1 -N $chain run_iptables -t $2 -N $c
for net in $(separate_list $2); do
run_iptables -t $1 -A $chain $(source_ip_range $net) -j RETURN
done
for net in $(separate_list $3); do for net in $(separate_list $3); do
run_iptables -t $1 -A $chain $(dest_ip_range $net) -j RETURN run_iptables -t $2 -A $c $(source_ip_range $net) -j RETURN
done done
echo $chain for net in $(separate_list $4); do
run_iptables -t $2 -A $c $(dest_ip_range $net) -j RETURN
done
case $2 in
filter)
eval exists_${c}=Yes
;;
nat)
eval exists_nat_${c}=Yes
;;
esac
eval $1=$c
} }
# #
@ -4696,9 +4705,7 @@ add_nat_rule() {
if [ $COMMAND != check ]; then if [ $COMMAND != check ]; then
if [ "$source" = "$FW" ]; then if [ "$source" = "$FW" ]; then
if [ -n "$excludedests" ]; then if [ -n "$excludedests" ]; then
chain=$(build_exclusion_chain nat "" $excludedests) build_exclusion_chain chain nat "" $excludedests
eval exists_nat_${chain}=Yes
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain run_iptables2 -t nat -A OUTPUT $cli $proto $userandgroup $multiport $sports $dports $(dest_ip_range $adr) -j $chain
@ -4721,9 +4728,7 @@ add_nat_rule() {
fi fi
else else
if [ -n "${excludezones}${excludedests}" ]; then if [ -n "${excludezones}${excludedests}" ]; then
chain=$( build_exclusion_chain nat "" $excludedests ) build_exclusion_chain chain nat "" $excludedests
eval exists_nat_${chain}=Yes
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain addnatrule $(dnat_chain $source) $cli $proto $multiport $sports $dports $(dest_ip_range $adr) -j $chain
@ -6304,9 +6309,7 @@ setup_masq()
case $destnets in case $destnets in
!*) !*)
destnets=${destnets#!} destnets=${destnets#!}
newchain=$( build_exclusion_chain nat "$nomasq" "$destnets" ) build_exclusion_chain newchain nat "$nomasq" "$destnets"
eval exists_nat_${newchain}=Yes
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $networks; do
@ -6327,9 +6330,7 @@ setup_masq()
;; ;;
*) *)
if [ -n "$nomasq" ]; then if [ -n "$nomasq" ]; then
newchain=$( build_exclusion_chain nat $nomasq ) build_exclusion_chain newchain nat $nomasq
eval exists_nat_${newchain}=Yes
if [ -n "$networks" ]; then if [ -n "$networks" ]; then
for s in $networks; do for s in $networks; do