Make the sfilter logic cleaner and add a comment

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-09-01 14:15:15 -07:00
parent 678f6b4091
commit f5c2e9b211

View File

@ -501,7 +501,10 @@ sub add_common_rules() {
my $audit = $policy =~ s/^A_//;
my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
if ( $level || $audit || @ipsec ) {
if ( $level || $audit ) {
#
# Create a chain to log and/or audit
#
$chainref = new_standard_chain 'sfilter';
log_rule $level , $chainref , $policy , '' if $level ne '';
@ -511,8 +514,16 @@ sub add_common_rules() {
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target = 'sfilter';
} elsif ( ( $target = $policy ) eq 'REJECT' ) {
$target = 'reject';
}
if ( @ipsec ) {
#
# sfilter1 will be used in the FORWARD chain where we allow traffic entering the interface
# to leave the interface encrypted. We need a separate chain because '--dir out' cannot be
# used in the input chain
#
$chainref = new_standard_chain 'sfilter1';
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
@ -523,12 +534,12 @@ sub add_common_rules() {
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target1 = 'sfilter1';
} else {
#
# No IPSEC -- use the same target in both INPUT and FORWARD
#
$target1 = $target;
}
} elsif ( ( $target = $policy ) eq 'REJECT' ) {
$target = 'reject';
}
$target1 = $target unless $target1;
for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );