mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-31 09:59:59 +01:00
Avoid inconsistencies and errors in refresh
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
30f2fbff60
commit
ffe7a1b777
@ -281,15 +281,15 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i an
|
|||||||
#
|
#
|
||||||
# See initialize() below for additional comments on these variables
|
# See initialize() below for additional comments on these variables
|
||||||
#
|
#
|
||||||
|
|
||||||
my $iprangematch;
|
my $iprangematch;
|
||||||
my $chainseq;
|
my %chainseq;
|
||||||
my $idiotcount;
|
my $idiotcount;
|
||||||
my $idiotcount1;
|
my $idiotcount1;
|
||||||
my $warningcount;
|
my $warningcount;
|
||||||
my $hashlimitset;
|
my $hashlimitset;
|
||||||
my $global_variables;
|
my $global_variables;
|
||||||
my $ipset_rules;
|
my $ipset_rules;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Determines the commands for which a particular interface-oriented shell variable needs to be set
|
# Determines the commands for which a particular interface-oriented shell variable needs to be set
|
||||||
#
|
#
|
||||||
@ -408,9 +408,9 @@ sub initialize( $$$ ) {
|
|||||||
$comment = '';
|
$comment = '';
|
||||||
@comments = ();
|
@comments = ();
|
||||||
#
|
#
|
||||||
# Used to sequence chain names.
|
# Used to sequence chain names in each table.
|
||||||
#
|
#
|
||||||
$chainseq = 0;
|
%chainseq = () if $hard;
|
||||||
#
|
#
|
||||||
# Used to suppress duplicate match specifications for old iptables binaries.
|
# Used to suppress duplicate match specifications for old iptables binaries.
|
||||||
#
|
#
|
||||||
@ -2092,13 +2092,13 @@ sub setup_zone_mss() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub newexclusionchain() {
|
sub newexclusionchain( $ ) {
|
||||||
my $seq = $chainseq++;
|
my $seq = $chainseq{$_[0]}++;
|
||||||
"~excl${seq}";
|
"~excl${seq}";
|
||||||
}
|
}
|
||||||
|
|
||||||
sub newlogchain() {
|
sub newlogchain( $ ) {
|
||||||
my $seq = $chainseq++;
|
my $seq = $chainseq{$_[0]}++;
|
||||||
"~log${seq}";
|
"~log${seq}";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2115,7 +2115,7 @@ sub logchain( $$$$$$ ) {
|
|||||||
my $logchainref = $chainref->{logchains}{$key};
|
my $logchainref = $chainref->{logchains}{$key};
|
||||||
|
|
||||||
unless ( $logchainref ) {
|
unless ( $logchainref ) {
|
||||||
$logchainref = $chainref->{logchains}{$key} = new_chain $chainref->{table}, newlogchain;
|
$logchainref = $chainref->{logchains}{$key} = new_chain $chainref->{table}, newlogchain( $chainref->{table} ) ;
|
||||||
#
|
#
|
||||||
# Now add the log rule and target rule without matches to the log chain.
|
# Now add the log rule and target rule without matches to the log chain.
|
||||||
#
|
#
|
||||||
@ -2135,7 +2135,7 @@ sub logchain( $$$$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub newnonatchain() {
|
sub newnonatchain() {
|
||||||
my $seq = $chainseq++;
|
my $seq = $chainseq{nat}++;
|
||||||
"nonat${seq}";
|
"nonat${seq}";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2167,7 +2167,9 @@ sub source_exclusion( $$ ) {
|
|||||||
|
|
||||||
return $target unless @$exclusions;
|
return $target unless @$exclusions;
|
||||||
|
|
||||||
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
|
my $table = reftype $target ? $target->{table} : 'filter';
|
||||||
|
|
||||||
|
my $chainref = new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
||||||
add_jump( $chainref, $target, 1 );
|
add_jump( $chainref, $target, 1 );
|
||||||
@ -2180,7 +2182,9 @@ sub dest_exclusion( $$ ) {
|
|||||||
|
|
||||||
return $target unless @$exclusions;
|
return $target unless @$exclusions;
|
||||||
|
|
||||||
my $chainref = new_chain( reftype $target ? $target->{table} : 'filter' , newexclusionchain );
|
my $table = reftype $target ? $target->{table} : 'filter';
|
||||||
|
|
||||||
|
my $chainref = new_chain( $table , newexclusionchain( $table ) );
|
||||||
|
|
||||||
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
||||||
add_jump( $chainref, $target, 1 );
|
add_jump( $chainref, $target, 1 );
|
||||||
@ -4057,7 +4061,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
|||||||
#
|
#
|
||||||
# Create the Exclusion Chain
|
# Create the Exclusion Chain
|
||||||
#
|
#
|
||||||
my $echain = newexclusionchain;
|
my $echain = newexclusionchain( $table );
|
||||||
|
|
||||||
my $echainref = new_chain $table, $echain;
|
my $echainref = new_chain $table, $echain;
|
||||||
#
|
#
|
||||||
@ -4704,21 +4708,33 @@ sub create_chainlist_reload($) {
|
|||||||
|
|
||||||
my %chains;
|
my %chains;
|
||||||
|
|
||||||
|
my %tables;
|
||||||
|
|
||||||
for my $chain ( @chains ) {
|
for my $chain ( @chains ) {
|
||||||
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
|
||||||
|
|
||||||
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
|
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
|
||||||
|
|
||||||
$chains{$table} = [] unless $chains{$table};
|
$chains{$table} = {} unless $chains{$table};
|
||||||
|
|
||||||
if ( $chain ) {
|
if ( $chain ) {
|
||||||
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain};
|
my $chainref;
|
||||||
fatal_error "Built-in chains may not be refreshed" if $chain_table{table}{$chain}{builtin};
|
fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
|
||||||
push @{$chains{$table}}, $chain;
|
fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
|
||||||
|
|
||||||
|
if ( $chainseq{$table} && @{$chainref->{rules}} ) {
|
||||||
|
$tables{$table} = 1;
|
||||||
} else {
|
} else {
|
||||||
while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
|
$chains{$table}{$chain} = $chainref;
|
||||||
push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin};
|
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
$tables{$table} = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for $table ( keys %tables ) {
|
||||||
|
while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) {
|
||||||
|
$chains{$table}{$chain} = $chainref if $chainref->{referenced} && ! $chainref->{builtin};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -4727,14 +4743,14 @@ sub create_chainlist_reload($) {
|
|||||||
enter_cat_mode;
|
enter_cat_mode;
|
||||||
|
|
||||||
for $table qw(raw nat mangle filter) {
|
for $table qw(raw nat mangle filter) {
|
||||||
next unless $chains{$table};
|
my $tableref=$chains{$table};
|
||||||
|
|
||||||
|
next unless $tableref;
|
||||||
|
|
||||||
|
@chains = sort keys %$tableref;
|
||||||
|
|
||||||
emit_unindented "*$table";
|
emit_unindented "*$table";
|
||||||
|
|
||||||
my $tableref=$chain_table{$table};
|
|
||||||
|
|
||||||
@chains = sort @{$chains{$table}};
|
|
||||||
|
|
||||||
for my $chain ( @chains ) {
|
for my $chain ( @chains ) {
|
||||||
my $chainref = $tableref->{$chain};
|
my $chainref = $tableref->{$chain};
|
||||||
emit_unindented ":$chainref->{name} - [0:0]";
|
emit_unindented ":$chainref->{name} - [0:0]";
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user