extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-03-11 21:08:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove anacronistic logic from the Rules module

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-08-31 16:02:22 -07:00
parent ed90360b4c
commit f5d9e87c59
2 changed files with 15 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -837,7 +837,7 @@ sub compiler {
# #
# Process the rules file. # Process the rules file.
# #
process_rules( $update ); process_rules();
# #
# Process the conntrack file # Process the conntrack file
# #

83
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -3349,77 +3349,12 @@ sub intrazone_allowed( $$ ) {
$zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE'; $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
} }
#
# Add jumps to the blacklst and blackout chains
#
sub classic_blacklist() {
my $fw = firewall_zone;
my @zones = off_firewall_zones;
my @vservers = vserver_zones;
my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
my $result;
for my $zone ( @zones ) {
my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{complex};
if ( my $blackref = $filter_table->{blacklst} ) {
if ( $zoneref->{options}{in}{blacklist} ) {
add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
if ( $simple ) {
#
# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
#
for my $zone1 ( @zones ) {
my $ruleschain = rules_chain( $zone, $zone1 );
my $ruleschainref = $filter_table->{$ruleschain};
if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
}
}
}
$result = 1;
}
if ( $zoneref->{options}{out}{blacklist} ) {
$blackref = $filter_table->{blackout};
add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
for my $zone1 ( @zones, @vservers ) {
my $ruleschain = rules_chain( $zone1, $zone );
my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
}
}
$result = 1;
}
}
unless ( $simple ) {
#
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
#
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $filter_table->{blacklst} && $zoneref->{options}{in}{blacklist};
}
}
$result;
}
# #
# Process the BLRules and Rules Files # Process the BLRules and Rules Files
# #
sub process_rules( $ ) { sub process_rules() {
my $convert = shift;
my $blrules = 0; my $blrules = 0;
my @zones = off_firewall_zones;
# #
# Populate the state table # Populate the state table
# #
@ -3434,9 +3369,19 @@ sub process_rules( $ ) {
INVALID_SECTION, 'INVALID', INVALID_SECTION, 'INVALID',
UNTRACKED_SECTION, 'UNTRACKED' ); UNTRACKED_SECTION, 'UNTRACKED' );
# #
# Generate jumps to the classic blacklist chains # Create zone-forwarding chains if required
# #
$blrules = classic_blacklist unless $convert; for my $zone ( @zones ) {
my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{complex};
unless ( @zones <= 2 && ! $zoneref->{complex} ) {
#
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
#
new_standard_chain zone_forward_chain( $zone );
}
}
# #
# Process the blrules file # Process the blrules file
# #