Clarify provisional policy handling.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-03-26 08:02:49 -07:00
parent ad08d2195e
commit f30cd7e287
2 changed files with 10 additions and 8 deletions


@ -212,7 +212,8 @@ our $VERSION = '4.4_8';
# }
#
# 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1.
# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1 as are intra-zone
# ACCEPT policies.
#
# Only 'referenced' chains get written to the iptables-restore input.
#
@ -257,6 +258,7 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed
};
our $iprangematch;
our $chainseq;
our $idiotcount;


@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
our @EXPORT_OK = qw( );
our $VERSION = '4.4_7';
our $VERSION = '4.4_9';
# @policy_chains is a list of references to policy chains in the filter table
@ -66,11 +66,11 @@ sub convert_to_policy_chain($$$$$)
#
sub new_policy_chain($$$$)
{
my ($source, $dest, $policy, $optional) = @_;
my ($source, $dest, $policy, $provisional) = @_;
my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
$chainref;
}
@ -115,7 +115,7 @@ sub set_policy_chain($$$$$)
#
# Process the policy file
#
use constant { OPTIONAL => 1 };
use constant { PROVISIONAL => 1 };
sub add_or_modify_policy_chain( $$ ) {
my ( $zone, $zone1 ) = @_;
@ -124,11 +124,11 @@ sub add_or_modify_policy_chain( $$ ) {
if ( $chainref ) {
unless( $chainref->{is_policy} ) {
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
push @policy_chains, $chainref;
}
} else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
}
}
@ -329,7 +329,7 @@ sub validate_policy()
}
for $zone ( all_zones ) {
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', PROVISIONAL );
if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
for my $zone1 ( all_zones ) {