Add an argument to ensure_filter_chain()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7323 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
8a9b9c2714
commit
0075879b4c
@ -124,7 +124,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
$chain = 'accounting' unless $chain and $chain ne '-';
|
||||
if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIPv4 ) {
|
||||
expand_rule(
|
||||
ensure_filter_chain( 'accountout' , 0 ) ,
|
||||
ensure_filter_chain( IPv4, 'accountout' , 0 ) ,
|
||||
OUTPUT_RESTRICT ,
|
||||
$rule ,
|
||||
$source ,
|
||||
@ -141,7 +141,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
$dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all';
|
||||
}
|
||||
|
||||
my $chainref = ensure_filter_chain $chain , 0;
|
||||
my $chainref = ensure_filter_chain IPv4, $chain , 0;
|
||||
|
||||
check_for_builtin( $chainref );
|
||||
|
||||
|
@ -612,13 +612,13 @@ sub finish_chain_section( $$ );
|
||||
#
|
||||
# Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
|
||||
#
|
||||
sub ensure_filter_chain( $$ )
|
||||
sub ensure_filter_chain( $$$ )
|
||||
{
|
||||
my ($chain, $populate) = @_;
|
||||
my ($ipv, $chain, $populate) = @_;
|
||||
|
||||
my $chainref = $filter_table->{4}{$chain};
|
||||
|
||||
$chainref = new_chain 'filter', IPv4, $chain unless $chainref;
|
||||
$chainref = new_chain 'filter', $ipv, $chain unless $chainref;
|
||||
|
||||
if ( $populate and ! $chainref->{referenced} ) {
|
||||
if ( $section eq 'NEW' or $section eq 'DONE' ) {
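Review bot: The lookup `my $chainref = $filter_table->{4}{$chain};` still reads the IPv4 table while the `new_chain 'filter', $ipv, $chain` call a few lines below now honours the new `$ipv` argument, so a caller passing anything other than 4 would miss a chain already present in its own table and create a duplicate, or — if a same-named IPv4 chain exists — get that IPv4 chainref back and populate it instead. The lookup should use the new parameter as well: `my $chainref = $filter_table->{$ipv}{$chain};`. Every call site touched by this commit still passes `IPv4`, so the defect is latent today, but the added argument only has meaning once both the lookup and the creation agree on the table. It would also help to extend the header comment with the parameter contract, e.g. `# $ipv selects the filter table (4 or 6) in which the chain is looked up and, if missing, created.` The body of ensure_filter_chain continues past the end of this hunk.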
|
||||
@ -697,13 +697,14 @@ sub initialize_chain_table()
|
||||
sub finish_chain_section ($$) {
|
||||
my ($chainref, $state ) = @_;
|
||||
my $chain = $chainref->{name};
|
||||
my $ipv = $chainref->{ipv};
|
||||
|
||||
add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT};
|
||||
|
||||
if ($sections{RELATED} ) {
|
||||
if ( $chainref->{is_policy} ) {
|
||||
if ( $chainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $chainref;
|
||||
my $synchainref = ensure_chain 'filter', $ipv, syn_flood_chain $chainref;
|
||||
if ( $section eq 'DONE' ) {
|
||||
if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
@ -713,9 +714,9 @@ sub finish_chain_section ($$) {
|
||||
}
|
||||
}
|
||||
} else {
|
||||
my $policychainref = $filter_table->{4}{$chainref->{policychain}};
|
||||
my $policychainref = $filter_table->{$ipv}{$chainref->{policychain}};
|
||||
if ( $policychainref->{synparams} ) {
|
||||
my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $policychainref;
|
||||
my $synchainref = ensure_chain 'filter', $ipv, syn_flood_chain $policychainref;
|
||||
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
|
||||
}
|
||||
}
|
||||
|
@ -407,7 +407,7 @@ sub apply_policy_rules() {
|
||||
|
||||
if ( $policy ne 'NONE' ) {
|
||||
if ( ! $chainref->{referenced} && ( ! $optional && $policy ne 'CONTINUE' ) ) {
|
||||
ensure_filter_chain $name, 1;
|
||||
ensure_filter_chain IPv4, $name, 1;
|
||||
}
|
||||
|
||||
if ( $name =~ /^all2|2all$/ ) {
|
||||
|
@ -1087,7 +1087,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
|
||||
#
|
||||
# Mark the chain as referenced and add appropriate rules from earlier sections.
|
||||
#
|
||||
$chainref = ensure_filter_chain $chain, 1;
|
||||
$chainref = ensure_filter_chain IPv4, $chain, 1;
|
||||
#
|
||||
# For compatibility with older Shorewall versions
|
||||
#
|
||||
@ -1515,7 +1515,7 @@ sub generate_matrix() {
|
||||
my $in_ref = new_standard_chain "${zone}_input";
|
||||
my $out_ref = new_standard_chain "${zone}_output";
|
||||
|
||||
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
|
||||
add_rule ensure_filter_chain( IPv4, "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
|
||||
|
||||
for my $host ( @$exclusions ) {
|
||||
my ( $interface, $net ) = split /:/, $host;
|
||||
@ -1757,7 +1757,7 @@ sub generate_matrix() {
|
||||
unless ( $chain1 ) {
|
||||
$chain1 = newexclusionchain;
|
||||
$policy_exclusions{"${chain}_${zone1}"} = $chain1;
|
||||
my $chain1ref = ensure_filter_chain $chain1, 0;
|
||||
my $chain1ref = ensure_filter_chain IPv4, $chain1, 0;
|
||||
add_exclusions $chain1ref, $exclusions1;
|
||||
add_rule $chain1ref, "-j $chain";
|
||||
}
|
||||
|
@ -83,8 +83,8 @@ sub setup_tunnels() {
|
||||
for my $zone ( split /,/, $gatewayzones ) {
|
||||
my $type = zone_type( $zone );
|
||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == ZT_FIREWALL || $type & ZT_BPORT;
|
||||
$inchainref = ensure_filter_chain "${zone}2${fw}", 1;
|
||||
$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
|
||||
$inchainref = ensure_filter_chain IPv4, "${zone}2${fw}", 1;
|
||||
$outchainref = ensure_filter_chain IPv4, "${fw}2${zone}", 1;
|
||||
|
||||
unless ( $capabilities{POLICY_MATCH} ) {
|
||||
add_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
@ -230,8 +230,8 @@ sub setup_tunnels() {
|
||||
|
||||
fatal_error "Invalid zone ($zone) for tunnel ZONE" if $zonetype == ZT_FIREWALL || $zonetype & ZT_BPORT;
|
||||
|
||||
my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
|
||||
my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
|
||||
my $inchainref = ensure_filter_chain IPv4, "${zone}2${fw}", 1;
|
||||
my $outchainref = ensure_filter_chain IPv4, "${fw}2${zone}", 1;
|
||||
|
||||
my $source = match_source_net $gateway;
|
||||
my $dest = match_dest_net $gateway;
|
||||
|