From f30cd7e2874dfb79169d39afccc90a2e01aa5538 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 26 Mar 2010 08:02:49 -0700
Subject: [PATCH] Clarify provisional policy handling.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 4 +++-
 Shorewall/Perl/Shorewall/Policy.pm | 14 +++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 5ed15f42a..1d4e482ce 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -212,7 +212,8 @@ our $VERSION = '4.4_8';
 # }
 #
 # 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1.
+# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1 as are intra-zone
+# ACCEPT policies.
 #
 # Only 'referenced' chains get written to the iptables-restore input.
 #
@@ -257,6 +258,7 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and
 POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s
using main routing table
 ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed
 };
+
 our $iprangematch;
 our $chainseq;
 our $idiotcount;
diff --git a/Shorewall/Perl/Shorewall/Policy.pm b/Shorewall/Perl/Shorewall/Policy.pm
index 2d88aea08..9f194969f 100644
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_9';
 # @policy_chains is a list of references to policy chains in the filter table
@@ -66,11 +66,11 @@ sub convert_to_policy_chain($$$$$)
 #
 sub new_policy_chain($$$$)
 {
- my ($source, $dest, $policy, $optional) = @_;
+ my ($source, $dest, $policy, $provisional) = @_;
 my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
- convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
+ convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
 $chainref;
 }
@@ -115,7 +115,7 @@ sub set_policy_chain($$$$$)
 #
 # Process the policy file
 #
-use constant { OPTIONAL => 1 };
+use constant { PROVISIONAL => 1 };
 sub add_or_modify_policy_chain( $$ ) {
 my ( $zone, $zone1 ) = @_;
@@ -124,11 +124,11 @@ sub add_or_modify_policy_chain( $$ ) {
 if ( $chainref ) {
 unless( $chainref->{is_policy} ) {
- convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
+ convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
 push @policy_chains, $chainref;
 }
 } else {
- push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
+ push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
 }
 }
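Review bot: `use constant { PROVISIONAL => 1 };` in the @@ -115 hunk carries no comment saying what the value means, so a reader of Policy.pm has to find the field comment in the Chains.pm hunk of this same commit to learn that it marks a policy chain which might be replaced. A one-line comment above the constant, e.g. `# Value of the 'provisional' argument to new_policy_chain()/convert_to_policy_chain(): the chain might later be replaced`, would keep the two files self-explanatory. The same constant is passed in the @@ -124 and @@ -329 hunks, which need no separate note.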
@@ -329,7 +329,7 @@ sub validate_policy()
 }
 for $zone ( all_zones ) {
- push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
+ push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', PROVISIONAL );
 if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 for my $zone1 ( all_zones ) {