extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 17:58:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

POC of new rule interface

Browse Source 
Also removed FAKE_AUDIT option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-07-17 08:35:09 -07:00
parent 950c32d46b
commit f3f535abac
5 changed files with 108 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -36,13 +36,14 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
add_rule add_rule
add_irule
add_jump add_jump
insert_rule insert_rule
rule_target rule_target
clear_rule_target clear_rule_target
set_rule_target set_rule_target
set_rule_option set_rule_option
add_transformed_rule add_trule
add_commands add_commands
incr_cmd_level incr_cmd_level
decr_cmd_level decr_cmd_level
@ -142,7 +143,7 @@ our %EXPORT_TAGS = (
clearrule clearrule
port_count port_count
do_proto do_proto
mac_match do_mac
verify_mark verify_mark
verify_small_mark verify_small_mark
validate_mark validate_mark
@ -341,6 +342,7 @@ our $family;
# #
my %builtin_target = ( ACCEPT => 1, my %builtin_target = ( ACCEPT => 1,
ACCOUNT => 1, ACCOUNT => 1,
AUDIT => 1,
CHAOS => 1, CHAOS => 1,
CHECKSUM => 1, CHECKSUM => 1,
CLASSIFY => 1, CLASSIFY => 1,
@ -675,7 +677,7 @@ sub set_rule_target( $$$ ) {
} }
# #
# Convert a transformed rule into iptables input # Convert an trule into iptables input
# #
# First, a helper function # First, a helper function
# #
@ -812,7 +814,10 @@ sub push_rule( $$ ) {
$ruleref; $ruleref;
} }
sub add_transformed_rule( $$ ) { #
# Add a Transformed rule
#
sub add_trule( $$ ) {
my ( $chainref, $ruleref ) = @_; my ( $chainref, $ruleref ) = @_;
assert( reftype $ruleref ); assert( reftype $ruleref );
@ -820,6 +825,8 @@ sub add_transformed_rule( $$ ) {
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug; trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug;
$ruleref;
} }
# #
@ -944,6 +951,41 @@ sub add_rule($$;$) {
} }
} }
#
# New add_rule implementation
#
sub add_irule( $$$;@ ) {
my ( $chainref, $jump, $target, @matches ) = @_;
( $target, my $targetopts ) = split ' ', $target, 2;
my $ruleref = {};
$ruleref->{mode} = $ruleref->{cmdlevel} = $chainref->{cmdlevel} ? CMD_MODE : CAT_MODE;
if ( $jump ) {
$ruleref->{jump} = $jump;
$ruleref->{target} = $target;
$ruleref->{targetopts} = $targetopts if $targetopts;
}
unless ( $ruleref->{simple} = ! @matches ) {
while ( @matches ) {
my ( $option, $value ) = ( shift @matches, shift @matches );
$ruleref->{$option} = $value;
}
}
if ( $comment ) {
$ruleref->{comment} = $comment unless $ruleref->{comment};
}
push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1;
$ruleref;
}
# #
# Make the first chain a referent of the second # Make the first chain a referent of the second
# #
@ -1836,12 +1878,7 @@ sub ensure_audit_chain( $;$$ ) {
$tgt ||= $action; $tgt ||= $action;
if ( $config{FAKE_AUDIT} ) {
add_rule( $ref, '-j AUDIT -m comment --comment "--type ' . lc $action . '"' );
} else {
add_rule $ref, '-j AUDIT --type ' . lc $action; add_rule $ref, '-j AUDIT --type ' . lc $action;
}
if ( $tgt eq 'REJECT' ) { if ( $tgt eq 'REJECT' ) {
add_jump $ref , 'reject', 1; add_jump $ref , 'reject', 1;
@ -1991,12 +2028,6 @@ sub initialize_chain_table($) {
# #
# Create these chains early in case they are needed by Policy actions # Create these chains early in case they are needed by Policy actions
# #
if ( $config{FAKE_AUDIT} ) {
dont_delete new_standard_chain 'AUDIT', 0;
} else {
$builtin_target{AUDIT} = 1;
}
dont_move new_standard_chain 'reject'; dont_move new_standard_chain 'reject';
} }
} }
@ -2733,7 +2764,8 @@ sub do_proto( $$$;$ )
$output; $output;
} }
sub mac_match( $ ) {
sub do_mac( $ ) {
my $mac = $_[0]; my $mac = $_[0];
$mac =~ s/^(!?)~//; $mac =~ s/^(!?)~//;
@ -3261,7 +3293,7 @@ sub match_source_net( $;$\$ ) {
if ( $net =~ /^!?~/ ) { if ( $net =~ /^!?~/ ) {
fatal_error "A MAC address($net) cannot be used in this context" if $restriction >= OUTPUT_RESTRICT; fatal_error "A MAC address($net) cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
$$macref = 1 if $macref; $$macref = 1 if $macref;
return mac_match $net; return do_mac $net;
} }
if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?/ ) { if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?/ ) {

5
Shorewall/Perl/Shorewall/Config.pm
View File

@ -557,7 +557,6 @@ sub initialize( $ ) {
COMPLETE => undef, COMPLETE => undef,
EXPORTMODULES => undef, EXPORTMODULES => undef,
LEGACY_FASTSTART => undef, LEGACY_FASTSTART => undef,
FAKE_AUDIT => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -2636,7 +2635,7 @@ sub Account_Target() {
} }
sub Audit_Target() { sub Audit_Target() {
$config{FAKE_AUDIT} || qt1( "$iptables -A $sillyname -j AUDIT --type drop" ); qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
} }
our %detect_capability = our %detect_capability =
@ -2935,7 +2934,7 @@ sub update_config_file( $ ) {
# #
# Undocumented options -- won't be listed in the template # Undocumented options -- won't be listed in the template
# #
my @undocumented = ( qw( TC_BITS PROVIDER_BITS PROVIDER_OFFSET MASK_BITS FAKE_AUDIT ) ); my @undocumented = ( qw( TC_BITS PROVIDER_BITS PROVIDER_OFFSET MASK_BITS ) );
if ( -f $fn ) { if ( -f $fn ) {
my ( $template, $output ); my ( $template, $output );

136
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -223,15 +223,8 @@ sub setup_blacklist() {
log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' ); log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add', '' );
if ( $audit ) { add_irule( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit;
if ( $config{FAKE_AUDIT} ) { add_jump( $logchainref, $target, 1 );
add_rule( $logchainref, '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
} else {
add_rule( $logchainref, '-j AUDIT --type ' . lc $target );
}
}
add_jump $logchainref, $target, 1;
$target = 'blacklog'; $target = 'blacklog';
} elsif ( $audit ) { } elsif ( $audit ) {
@ -509,7 +502,7 @@ sub add_common_rules() {
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
add_rule( $chainref, '-j AUDIT --type ' . lc $policy ) if $audit; add_irule( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1; add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
@ -518,11 +511,10 @@ sub add_common_rules() {
if ( $ipsec ) { if ( $ipsec ) {
$chainref = new_standard_chain 'sfilter1'; $chainref = new_standard_chain 'sfilter1';
add_rule ( $chainref, '-m policy --pol ipsec --dir out -j RETURN' ); add_irule ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
add_rule( $chainref, '-j AUDIT --type ' . lc $policy ) if $audit; add_irule( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1; add_jump $chainref, $policy eq 'REJECT' ? 'reject' : $policy , 1;
@ -599,15 +591,8 @@ sub add_common_rules() {
'', '',
'add', 'add',
'' ); '' );
if ( $smurfdest eq 'A_DROP' ) { add_irule( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
if ( $config{FAKE_AUDIT} ) { add_irule( $smurfref, j => 'DROP' );
add_rule( $smurfref, '-j AUDIT -m comment --comment "--type drop"' );
} else {
add_rule( $smurfref, '-j AUDIT --type drop' );
}
}
add_rule( $smurfref, '-j DROP' );
$smurfdest = 'smurflog'; $smurfdest = 'smurflog';
} else { } else {
@ -616,9 +601,9 @@ sub add_common_rules() {
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $chainref , '-s 0.0.0.0 -j RETURN'; add_irule $chainref , j => 'RETURN', s => '0.0.0.0'; ;
} else { } else {
add_rule $chainref , '-s :: -j RETURN'; add_irule $chainref , j => 'RETURN', s => '::';
} }
add_jump( $chainref, $smurfdest, 1, '-m addrtype --src-type BROADCAST ' ) ; add_jump( $chainref, $smurfdest, 1, '-m addrtype --src-type BROADCAST ' ) ;
@ -659,7 +644,7 @@ sub add_common_rules() {
} }
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP'; add_irule $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_commands $rejectref, 'for address in $ALL_BCASTS; do'; add_commands $rejectref, 'for address in $ALL_BCASTS; do';
@ -668,32 +653,32 @@ sub add_common_rules() {
} }
incr_cmd_level $rejectref; incr_cmd_level $rejectref;
add_rule $rejectref, '-d $address -j DROP'; add_irule $rejectref, j => 'DROP', d => '$address';
decr_cmd_level $rejectref; decr_cmd_level $rejectref;
add_commands $rejectref, 'done'; add_commands $rejectref, 'done';
} }
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $rejectref , '-s 224.0.0.0/4 -j DROP'; add_irule $rejectref , j => 'DROP', s => '224.0.0.0/4';
} else { } else {
add_rule $rejectref , '-s ' . IPv6_MULTICAST . ' -j DROP'; add_irule $rejectref , j => 'DROP', s => IPv6_MULTICAST;
} }
add_rule $rejectref , '-p 2 -j DROP'; add_irule $rejectref , j => 'DROP', p => 2;
add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset'; add_irule $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6;
if ( have_capability( 'ENHANCED_REJECT' ) ) { if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_rule $rejectref , '-p 17 -j REJECT'; add_irule $rejectref , j => 'REJECT', p => 17;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $rejectref, '-p 1 -j REJECT --reject-with icmp-host-unreachable'; add_irule $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
add_rule $rejectref, '-j REJECT --reject-with icmp-host-prohibited'; add_irule $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
} else { } else {
add_rule $rejectref, '-p 58 -j REJECT --reject-with icmp6-addr-unreachable'; add_irule $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
add_rule $rejectref, '-j REJECT --reject-with icmp6-adm-prohibited'; add_irule $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
} }
} else { } else {
add_rule $rejectref , '-j REJECT'; add_irule $rejectref , j => 'REJECT';
} }
$list = find_interfaces_by_option 'dhcp'; $list = find_interfaces_by_option 'dhcp';
@ -707,8 +692,7 @@ sub add_common_rules() {
set_interface_option $interface, 'use_input_chain', 1; set_interface_option $interface, 'use_input_chain', 1;
set_interface_option $interface, 'use_forward_chain', 1; set_interface_option $interface, 'use_forward_chain', 1;
set_rule_option( add_rule( $filter_table->{$_} , set_rule_option( add_irule( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
"-p udp --dport $ports -j ACCEPT" ) ,
'dhcp', 'dhcp',
1 ) for input_chain( $interface ), output_chain( $interface ); 1 ) for input_chain( $interface ), output_chain( $interface );
@ -744,18 +728,13 @@ sub add_common_rules() {
if ( $audit ) { if ( $audit ) {
$disposition =~ s/^A_//; $disposition =~ s/^A_//;
add_irule( $logflagsref, j => 'AUDIT --type ' . lc $disposition );
if ( $config{FAKE_AUDIT} ) {
add_rule( $logflagsref, '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $logflagsref, '-j AUDIT --type ' . lc $disposition );
}
} }
if ( $disposition eq 'REJECT' ) { if ( $disposition eq 'REJECT' ) {
add_rule $logflagsref , '-p 6 -j REJECT --reject-with tcp-reset'; add_irule $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6;
} else { } else {
add_rule $logflagsref , "-j $disposition"; add_irule $logflagsref , j => $disposition;
} }
$disposition = 'logflags'; $disposition = 'logflags';
@ -864,18 +843,18 @@ sub setup_mac_lists( $ ) {
my $chainref = new_chain $table , mac_chain $interface; my $chainref = new_chain $table , mac_chain $interface;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN' add_irule $chainref , j => 'RETURN', s => '0.0.0.0', d => '255.255.255.255', p => 'udp --dport 67:68'
if $table eq 'mangle' && get_interface_option( $interface, 'dhcp'); if $table eq 'mangle' && get_interface_option( $interface, 'dhcp');
} else { } else {
# #
# Accept any packet with a link-level source or destination address # Accept any packet with a link-level source or destination address
# #
add_rule $chainref , '-s ff80::/10 -j RETURN'; add_irule $chainref , j => 'RETURN', s => 'ff80::/10';
add_rule $chainref , '-d ff80::/10 -j RETURN'; add_irule $chainref , j => 'RETURN', d => 'ff80::/10';
# #
# Accept Multicast # Accept Multicast
# #
add_rule $chainref , '-d ' . IPv6_MULTICAST . ' -j RETURN'; add_irule $chainref , j => 'RETURN', d => IPv6_MULTICAST;
} }
if ( $ttl ) { if ( $ttl ) {
@ -883,10 +862,10 @@ sub setup_mac_lists( $ ) {
my $chain = $chainref->{name}; my $chain = $chainref->{name};
add_rule $chainref, "-m recent --rcheck --seconds $ttl --name $chain -j RETURN"; add_irule $chainref, j => 'RETURN', recent => "--rcheck --seconds $ttl --name $chain";
add_jump $chainref, $chain1ref, 0; add_jump $chainref, $chain1ref, 0;
add_rule $chainref, "-m recent --update --name $chain -j RETURN"; add_irule $chainref, j => 'RETURN', recent => "--update --name $chain";
add_rule $chainref, "-m recent --set --name $chain"; add_irule $chainref, '', '', recent => "--set --name $chain";
} }
} }
@ -918,7 +897,7 @@ sub setup_mac_lists( $ ) {
fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses; fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
$mac = mac_match $mac if $mac; $mac = do_mac $mac if $mac;
if ( $addresses ) { if ( $addresses ) {
for my $address ( split ',', $addresses ) { for my $address ( split ',', $addresses ) {
@ -926,29 +905,15 @@ sub setup_mac_lists( $ ) {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}" log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
if supplied $level; if supplied $level;
if ( $audit && $disposition ne 'ACCEPT' ) { add_irule( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
if ( $config{FAKE_AUDIT} ) { add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
}
}
add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
} }
} else { } else {
log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
if supplied $level; if supplied $level;
if ( $audit && $disposition ne 'ACCEPT' ) { add_irule( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
if ( $config{FAKE_AUDIT} ) { add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $disposition . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $disposition );
}
}
add_jump $chainref , $targetref->{target}, 0, "$mac";
} }
progress_message " Maclist entry \"$currentline\" $done"; progress_message " Maclist entry \"$currentline\" $done";
@ -997,8 +962,8 @@ sub setup_mac_lists( $ ) {
if ( have_capability( 'ADDRTYPE' ) ) { if ( have_capability( 'ADDRTYPE' ) ) {
add_commands( $chainref, "for address in $variable; do" ); add_commands( $chainref, "for address in $variable; do" );
incr_cmd_level( $chainref ); incr_cmd_level( $chainref );
add_rule( $chainref, '-s $address -m addrtype --dst-type BROADCAST -j RETURN' ); add_irule( $chainref, j => 'RETURN', s => '$address', addrtype => '--dst-type BROADCAST' );
add_rule( $chainref, '-s $address -d 224.0.0.0/4 -j RETURN' ); add_irule( $chainref, j => 'RETURN', s => '$address', d => '224.0.0.0/4' );
decr_cmd_level( $chainref ); decr_cmd_level( $chainref );
add_commands( $chainref, 'done' ); add_commands( $chainref, 'done' );
} else { } else {
@ -1011,7 +976,7 @@ sub setup_mac_lists( $ ) {
if ( $bridgeref->{broadcasts} ) { if ( $bridgeref->{broadcasts} ) {
for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) { for my $address ( @{$bridgeref->{broadcasts}}, '255.255.255.255' ) {
add_rule( $chainref, qq( -s \$address -d $address -j RETURN") ); add_irule( $chainref, j => 'RETURN', s => '$address', d => $address );
} }
} else { } else {
my $variable1 = get_interface_bcasts $bridge; my $variable1 = get_interface_bcasts $bridge;
@ -1019,12 +984,12 @@ sub setup_mac_lists( $ ) {
add_commands( $chainref, add_commands( $chainref,
" for address1 in $variable1; do" ); " for address1 in $variable1; do" );
incr_cmd_level( $chainref ); incr_cmd_level( $chainref );
add_rule( $chainref, 's $address -d $address1 -j RETURN' ); add_irule( $chainref, j => 'RETURN', s => '$address', d => '$address1' );
decr_cmd_level( $chainref ); decr_cmd_level( $chainref );
add_commands( $chainref, 'done' ); add_commands( $chainref, 'done' );
} }
add_rule( $chainref, '-s $address -d 224.0.0.0/4 -j RETURN' ); add_irule( $chainref, j => 'RETURN', s => '$address', d => '224.0.0.0/4' );
decr_cmd_level( $chainref ); decr_cmd_level( $chainref );
add_commands( $chainref, 'done' ); add_commands( $chainref, 'done' );
} }
@ -1167,7 +1132,7 @@ sub handle_loopback_traffic() {
} }
} }
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT'; add_irule $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo';
} }
# #
@ -2062,21 +2027,20 @@ EOF
add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains; add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;
if ( $family == F_IPV6 ) { if ( $family == F_IPV6 ) {
add_rule $input, '-s ' . IPv6_LINKLOCAL . ' -j ACCEPT'; add_irule $input, j => 'ACCEPT', s => IPv6_LINKLOCAL;
add_rule $input, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT'; add_irule $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_rule $input, '-d ' . IPv6_MULTICAST . ' -j ACCEPT'; add_irule $input, j => 'ACCEPT', d => IPv6_MULTICAST;
unless ( $config{ADMINISABSENTMINDED} ) { unless ( $config{ADMINISABSENTMINDED} ) {
add_rule $output, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT'; add_irule $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
add_rule $output, '-d ' . IPv6_MULTICAST . ' -j ACCEPT'; add_irule $output, j => 'ACCEPT', d => IPv6_MULTICAST;
} }
} }
process_routestopped; process_routestopped;
add_rule $input, '-i lo -j ACCEPT'; add_irule $input, j => 'ACCEPT', i => 'lo';
add_irule $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
add_rule $output, '-o lo -j ACCEPT' unless $config{ADMINISABSENTMINDED};
my $interfaces = find_interfaces_by_option 'dhcp'; my $interfaces = find_interfaces_by_option 'dhcp';

8
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -1120,10 +1120,10 @@ sub handle_stickiness( $ ) {
$rule2 = ''; $rule2 = '';
} }
add_transformed_rule $chainref, $rule1; add_trule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
add_transformed_rule $chainref, $rule2; add_trule $chainref, $rule2;
} }
} }
} }
@ -1153,10 +1153,10 @@ sub handle_stickiness( $ ) {
$rule2 = ''; $rule2 = '';
} }
add_transformed_rule $chainref, $rule1; add_trule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
add_transformed_rule $chainref, $rule2; add_trule $chainref, $rule2;
} }
} }
} }

9
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -533,14 +533,7 @@ sub policy_rules( $$$$$ ) {
log_rule $loglevel , $chainref , $target , '' if $loglevel ne ''; log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
fatal_error "Null target in policy_rules()" unless $target; fatal_error "Null target in policy_rules()" unless $target;
if ( $chainref->{audit} ) { add_rule( $chainref , '-j AUDIT --type ' . lc $target ) if $chainref->{audit};
if ( $config{FAKE_AUDIT} ) {
add_rule( $chainref , '-j AUDIT -m comment --comment "--type ' . lc $target . '"' );
} else {
add_rule( $chainref , '-j AUDIT --type ' . lc $target );
}
}
add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE'; add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
} }
} }