Simplify wildcard rule handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6473 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
fa86a2dc39
commit
eef7aaafae
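--- a/Shorewall/Rules.pm
+++ b/Shorewall/Rules.pm
@@ -870,14 +870,15 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 my ( $basictarget, $param ) = split '/', $action;
 my $rule = '';
 my $actionchainref;
+my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;
 
 $param = '' unless defined $param;
 
 #
 # Determine the validity of the action
 #
 my $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
 fatal_error "Unknown action ($action)" unless $actiontype;
 
 if ( $actiontype == MACRO ) {
@@ -890,7 +891,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 push @param_stack, $current_param;
 $current_param = $param;
 }
 
 process_macro( $macros{$basictarget},
 $target ,
 $current_param,
@@ -906,7 +907,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 $wildcard );
 
 $macro_nest_level--;
 
 $current_param = pop @param_stack if $param ne '';
 
 return;
@@ -945,7 +946,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 #
 my $sourcezone;
 my $destzone;
 
 if ( $source =~ /^(.+?):(.*)/ ) {
 $sourcezone = $1;
 $source = $2;
@@ -961,7 +962,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 $destzone = $dest;
 $dest = ALLIPv4;
 }
 
 fatal_error "Missing source zone" if $sourcezone eq '-';
 fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
 fatal_error "Missing destination zone" if $destzone eq '-';
@@ -1000,6 +1001,17 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 fatal_error "Rules may not override a NONE policy";
 }
 #
+# Handle Optimization
+#
+if ( $optimize > 0 ) {
+my $loglevel = $chainref->{policychain}{loglevel};
+if ( $loglevel ne '' ) {
+return 1 if $target eq "${policy}:$loglevel}";
+} else {
+return 1 if $basictarget eq $policy;
+}
+}
+#
 # For compatibility with older Shorewall versions
 #
 $origdest = ALLIPv4 if $origdest eq 'all';
@@ -1223,17 +1235,6 @@ sub process_rule ( $$$$$$$$$$ ) {
 for my $zone1 ( @zones ) {
 if ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall' ) ) {
 if ( $intrazone || ( $zone ne $zone1 ) ) {
-my $policychainref = $filter_table->{"${zone}2${zone1}"}{policychain};
-fatal_error "No policy from zone $zone to zone $zone1" unless $policychainref;
-my $policy = $policychainref->{policy};
-if ( $optimize > 0 ) {
-my $loglevel = $policychainref->{loglevel};
-if ( $loglevel ne '' ) {
-next if $target eq "${policy}:$loglevel}";
-} else {
-next if $action eq $policy;
-}
-}
 process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
 }
 }
@@ -1241,18 +1242,7 @@ sub process_rule ( $$$$$$$$$$ ) {
 } else {
 my $destzone = (split( /:/, $dest, 2 ) )[0];
 $destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
-my $policychainref = $filter_table->{"${zone}2${destzone}"}{policychain};
 if ( $intrazone || ( $zone ne $destzone ) ) {
-fatal_error "No policy from zone $zone to zone $destzone" unless $policychainref;
-my $policy = $policychainref->{policy};
-if ( $optimize > 0 ) {
-my $loglevel = $policychainref->{loglevel};
-if ( $loglevel ne '') {
-next if $target eq "${policy}:$loglevel}";
-} else {
-next if $action eq $policy;
-}
-}
 process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
 }
 }
@@ -1262,17 +1252,6 @@ sub process_rule ( $$$$$$$$$$ ) {
 for my $zone ( @zones ) {
 my $sourcezone = ( split( /:/, $source, 2 ) )[0];
 if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
-fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
-my $policychainref = $filter_table->{"${sourcezone}2${zone}"}{policychain};
-my $policy = $policychainref->{policy};
-if ( $optimize > 0 ) {
-my $loglevel = $policychainref->{loglevel};
-if ( $loglevel ne '' ) {
-next if $target eq "${policy}:$loglevel}";
-} else {
-next if $action eq $policy;
-}
-}
 process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
 }
 }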
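Review bot: The logged-policy comparison in the new optimization block of process_rule1, `return 1 if $target eq "${policy}:$loglevel}";`, has a stray `}` after `$loglevel`, so the string it builds ends in a literal brace and, unless `$target` is assembled with one somewhere not shown here, can never match — that branch is dead and a wildcard rule duplicating a policy with a log level is never elided; the intended line is presumably `return 1 if $target eq "${policy}:${loglevel}";`. The same typo sits in all three branches this commit removes from process_rule, so the move carries it along rather than fixing it. Separately, returning before the rule is emitted is only semantics-preserving when no later rule in the same chain would match the same traffic with a different action, because iptables is first-match; a comment above `if ( $optimize > 0 ) {` such as `# Eliding is only safe if no later rule in this chain can match the same traffic with a different action; actions ending in '!' opt out` would make that trade-off explicit for the next maintainer. process_rule1 starts and ends outside the hunk, so where `$policy` and `$chainref` come from is not visible here.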