Simplify wildcard rule handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6473 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-06-06 16:20:33 +00:00
parent fa86a2dc39
commit eef7aaafae


@ -870,14 +870,15 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
my ( $basictarget, $param ) = split '/', $action; my ( $basictarget, $param ) = split '/', $action;
my $rule = ''; my $rule = '';
my $actionchainref; my $actionchainref;
my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
$param = '' unless defined $param; $param = '' unless defined $param;
# #
# Determine the validity of the action # Determine the validity of the action
# #
my $actiontype = $targets{$basictarget} || find_macro( $basictarget ); my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
fatal_error "Unknown action ($action)" unless $actiontype; fatal_error "Unknown action ($action)" unless $actiontype;
if ( $actiontype == MACRO ) { if ( $actiontype == MACRO ) {
@ -890,7 +891,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
push @param_stack, $current_param; push @param_stack, $current_param;
$current_param = $param; $current_param = $param;
} }
process_macro( $macros{$basictarget}, process_macro( $macros{$basictarget},
$target , $target ,
$current_param, $current_param,
@ -906,7 +907,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$wildcard ); $wildcard );
$macro_nest_level--; $macro_nest_level--;
$current_param = pop @param_stack if $param ne ''; $current_param = pop @param_stack if $param ne '';
return; return;
@ -945,7 +946,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# #
my $sourcezone; my $sourcezone;
my $destzone; my $destzone;
if ( $source =~ /^(.+?):(.*)/ ) { if ( $source =~ /^(.+?):(.*)/ ) {
$sourcezone = $1; $sourcezone = $1;
$source = $2; $source = $2;
@ -961,7 +962,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
$destzone = $dest; $destzone = $dest;
$dest = ALLIPv4; $dest = ALLIPv4;
} }
fatal_error "Missing source zone" if $sourcezone eq '-'; fatal_error "Missing source zone" if $sourcezone eq '-';
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone}; fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
fatal_error "Missing destination zone" if $destzone eq '-'; fatal_error "Missing destination zone" if $destzone eq '-';
@ -1000,6 +1001,17 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
fatal_error "Rules may not override a NONE policy"; fatal_error "Rules may not override a NONE policy";
} }
# #
# Handle Optimization
#
if ( $optimize > 0 ) {
my $loglevel = $chainref->{policychain}{loglevel};
if ( $loglevel ne '' ) {
return 1 if $target eq "${policy}:$loglevel}";
} else {
return 1 if $basictarget eq $policy;
}
}
#
# For compatibility with older Shorewall versions # For compatibility with older Shorewall versions
# #
$origdest = ALLIPv4 if $origdest eq 'all'; $origdest = ALLIPv4 if $origdest eq 'all';
@ -1223,17 +1235,6 @@ sub process_rule ( $$$$$$$$$$ ) {
for my $zone1 ( @zones ) { for my $zone1 ( @zones ) {
if ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall' ) ) { if ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall' ) ) {
if ( $intrazone || ( $zone ne $zone1 ) ) { if ( $intrazone || ( $zone ne $zone1 ) ) {
my $policychainref = $filter_table->{"${zone}2${zone1}"}{policychain};
fatal_error "No policy from zone $zone to zone $zone1" unless $policychainref;
my $policy = $policychainref->{policy};
if ( $optimize > 0 ) {
my $loglevel = $policychainref->{loglevel};
if ( $loglevel ne '' ) {
next if $target eq "${policy}:$loglevel}";
} else {
next if $action eq $policy;
}
}
process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1; process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
} }
} }
@ -1241,18 +1242,7 @@ sub process_rule ( $$$$$$$$$$ ) {
} else { } else {
my $destzone = (split( /:/, $dest, 2 ) )[0]; my $destzone = (split( /:/, $dest, 2 ) )[0];
$destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid $destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
my $policychainref = $filter_table->{"${zone}2${destzone}"}{policychain};
if ( $intrazone || ( $zone ne $destzone ) ) { if ( $intrazone || ( $zone ne $destzone ) ) {
fatal_error "No policy from zone $zone to zone $destzone" unless $policychainref;
my $policy = $policychainref->{policy};
if ( $optimize > 0 ) {
my $loglevel = $policychainref->{loglevel};
if ( $loglevel ne '') {
next if $target eq "${policy}:$loglevel}";
} else {
next if $action eq $policy;
}
}
process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1; process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
} }
} }
@ -1262,17 +1252,6 @@ sub process_rule ( $$$$$$$$$$ ) {
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $sourcezone = ( split( /:/, $source, 2 ) )[0]; my $sourcezone = ( split( /:/, $source, 2 ) )[0];
if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) { if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
my $policychainref = $filter_table->{"${sourcezone}2${zone}"}{policychain};
my $policy = $policychainref->{policy};
if ( $optimize > 0 ) {
my $loglevel = $policychainref->{loglevel};
if ( $loglevel ne '' ) {
next if $target eq "${policy}:$loglevel}";
} else {
next if $action eq $policy;
}
}
process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1; process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
} }
} }
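Review bot: The relocated optimization check in process_rule1 compares the rule target against `"${policy}:$loglevel}"`, and the trailing `}` there is a literal character rather than part of the interpolation, so a target written as `ACCEPT:info` can never equal `ACCEPT:info}` and the logged-policy branch of the optimization appears never to fire; the same typo was present in the three copies removed from process_rule, so this commit carries it forward rather than fixing it. The intended line is presumably `return 1 if $target eq "${policy}:${loglevel}";`. Separately, because this block silently drops a rule whose action equals the zone pair's policy whenever OPTIMIZE is set, a short why-comment would help the next reader, e.g. `# OPTIMIZE: a rule that merely restates the chain's policy is skipped (return 1); note this assumes no later rule in the same chain would have matched the same traffic with a different action -- confirm`, the second clause being my inference rather than something this hunk establishes. process_rule1 begins and ends outside the hunk, so the definition of `$chainref` and the policy lookup that precedes the new block are not visible here.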