Support interface exclusion
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
43543b5c32
commit
0632723a6c
@ -5868,36 +5868,48 @@ sub do_nfacct( $ ) {
|
|||||||
# Match Source Interface
|
# Match Source Interface
|
||||||
#
|
#
|
||||||
sub match_source_dev( $;$ ) {
|
sub match_source_dev( $;$ ) {
|
||||||
my ( $interface, $nodev ) = @_;;
|
my ( $interface, $nodev ) = @_;
|
||||||
|
my $invert = ( $interface =~ s/^!// ) ? '!' : '';
|
||||||
my $interfaceref = known_interface( $interface );
|
my $interfaceref = known_interface( $interface );
|
||||||
$interface = $interfaceref->{physical} if $interfaceref;
|
$interface = $interfaceref->{physical} if $interfaceref;
|
||||||
return '' if $interface eq '+';
|
|
||||||
|
if ( $interface eq '+' ) {
|
||||||
|
fatal_error "Invalid interface (!+)" if $invert;
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
|
||||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
if ( $nodev ) {
|
if ( $nodev ) {
|
||||||
"-m physdev --physdev-in $interface ";
|
"${invert}-m physdev --physdev-in $interface ";
|
||||||
} else {
|
} else {
|
||||||
my $bridgeref = find_interface $interfaceref->{bridge};
|
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||||
"-i $bridgeref->{physical} -m physdev --physdev-in $interface ";
|
"-i $bridgeref->{physical} ${invert}-m physdev --physdev-in $interface ";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
"-i $interface ";
|
"${invert}-i $interface ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub imatch_source_dev( $;$ ) {
|
sub imatch_source_dev( $;$ ) {
|
||||||
my ( $interface, $nodev ) = @_;;
|
my ( $interface, $nodev ) = @_;
|
||||||
|
my $invert = ( $interface =~ s/^!// ) ? '! ' : '';
|
||||||
my $interfaceref = known_interface( $interface );
|
my $interfaceref = known_interface( $interface );
|
||||||
$interface = $interfaceref->{physical} if $interfaceref;
|
$interface = $interfaceref->{physical} if $interfaceref;
|
||||||
return () if $interface eq '+';
|
|
||||||
|
if ( $interface eq '+' ) {
|
||||||
|
fatal_error "Invalid interface (!+)" if $invert;
|
||||||
|
return ();
|
||||||
|
}
|
||||||
|
|
||||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
if ( $nodev ) {
|
if ( $nodev ) {
|
||||||
( physdev => "--physdev-in $interface" );
|
( physdev => "${invert}--physdev-in $interface" );
|
||||||
} else {
|
} else {
|
||||||
my $bridgeref = find_interface $interfaceref->{bridge};
|
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||||
( i => $bridgeref->{physical}, physdev => "--physdev-in $interface" );
|
( i => $bridgeref->{physical}, physdev => "${invert}--physdev-in $interface" );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
( i => $interface );
|
( i => $invert . $interface );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5905,54 +5917,66 @@ sub imatch_source_dev( $;$ ) {
|
|||||||
# Match Dest device
|
# Match Dest device
|
||||||
#
|
#
|
||||||
sub match_dest_dev( $;$ ) {
|
sub match_dest_dev( $;$ ) {
|
||||||
my ( $interface, $nodev ) = @_;;
|
my ( $interface, $nodev ) = @_;
|
||||||
my $interfaceref = known_interface( $interface );
|
my $interfaceref = known_interface( $interface );
|
||||||
|
my $invert = ( $interface =~ s/^!// ) ? '! ' : '';
|
||||||
$interface = $interfaceref->{physical} if $interfaceref;
|
$interface = $interfaceref->{physical} if $interfaceref;
|
||||||
return '' if $interface eq '+';
|
|
||||||
|
if ( $interface eq '+' ) {
|
||||||
|
fatal_error "Invalid interface (!+)" if $invert;
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
|
||||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
if ( $nodev ) {
|
if ( $nodev ) {
|
||||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||||
"-m physdev --physdev-is-bridged --physdev-out $interface ";
|
"${invert}-m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||||
} else {
|
} else {
|
||||||
"-m physdev --physdev-out $interface ";
|
"${invert}-m physdev --physdev-out $interface ";
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
my $bridgeref = find_interface $interfaceref->{bridge};
|
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||||
|
|
||||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||||
"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
|
"-o $bridgeref->{physical} ${invert}-m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||||
} else {
|
} else {
|
||||||
"-o $bridgeref->{physical} -m physdev --physdev-out $interface ";
|
"-o $bridgeref->{physical} ${invert}-m physdev --physdev-out $interface ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
"-o $interface ";
|
"${invert}-o $interface ";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub imatch_dest_dev( $;$ ) {
|
sub imatch_dest_dev( $;$ ) {
|
||||||
my ( $interface, $nodev ) = @_;;
|
my ( $interface, $nodev ) = @_;
|
||||||
|
my $invert = ( $interface =~ s/^!// ) ? '!' : '';
|
||||||
my $interfaceref = known_interface( $interface );
|
my $interfaceref = known_interface( $interface );
|
||||||
$interface = $interfaceref->{physical} if $interfaceref;
|
$interface = $interfaceref->{physical} if $interfaceref;
|
||||||
return () if $interface eq '+';
|
|
||||||
|
if ( $interface eq '+' ) {
|
||||||
|
fatal_error "Invalid interface (!+)" if $invert;
|
||||||
|
return ();
|
||||||
|
}
|
||||||
|
|
||||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||||
if ( $nodev ) {
|
if ( $nodev ) {
|
||||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||||
( physdev => "--physdev-is-bridged --physdev-out $interface" );
|
( physdev => "${invert}--physdev-is-bridged --physdev-out $interface" );
|
||||||
} else {
|
} else {
|
||||||
( physdev => "--physdev-out $interface" );
|
( physdev => "${invert}--physdev-out $interface" );
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
my $bridgeref = find_interface $interfaceref->{bridge};
|
my $bridgeref = find_interface $interfaceref->{bridge};
|
||||||
|
|
||||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||||
( o => $bridgeref->{physical}, physdev => "--physdev-is-bridged --physdev-out $interface" );
|
( o => $bridgeref->{physical}, physdev => "${invert}--physdev-is-bridged --physdev-out $interface" );
|
||||||
} else {
|
} else {
|
||||||
( o => $bridgeref->{physical}, physdev => "--physdev-out $interface" );
|
( o => $bridgeref->{physical}, physdev => "${invert}--physdev-out $interface" );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
( o => $interface );
|
( o => $invert . $interface );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -7568,6 +7592,11 @@ sub verify_source_interface( $$$$ ) {
|
|||||||
my ( $iiface, $restriction, $table, $chainref ) = @_;
|
my ( $iiface, $restriction, $table, $chainref ) = @_;
|
||||||
|
|
||||||
my $rule = '';
|
my $rule = '';
|
||||||
|
my $oiiface = $iiface;
|
||||||
|
#
|
||||||
|
# Ignore exclusion for now
|
||||||
|
#
|
||||||
|
$iiface =~ s/^!//;
|
||||||
|
|
||||||
fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
|
fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
|
||||||
|
|
||||||
@ -7597,7 +7626,7 @@ sub verify_source_interface( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{restricted} |= $restriction;
|
$chainref->{restricted} |= $restriction;
|
||||||
$rule .= match_source_dev( $iiface );
|
$rule .= match_source_dev( $oiiface );
|
||||||
}
|
}
|
||||||
|
|
||||||
$rule;
|
$rule;
|
||||||
@ -7692,6 +7721,11 @@ sub verify_dest_interface( $$$$ ) {
|
|||||||
my ( $diface, $restriction, $chainref, $iiface ) = @_;
|
my ( $diface, $restriction, $chainref, $iiface ) = @_;
|
||||||
|
|
||||||
my $rule = '';
|
my $rule = '';
|
||||||
|
my $odiface = $diface;
|
||||||
|
#
|
||||||
|
# Ignore exclusion for now
|
||||||
|
#
|
||||||
|
$diface =~ s/^!//;
|
||||||
|
|
||||||
fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
|
fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
|
||||||
|
|
||||||
@ -7721,7 +7755,7 @@ sub verify_dest_interface( $$$$ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$chainref->{restricted} |= $restriction;
|
$chainref->{restricted} |= $restriction;
|
||||||
$rule .= match_dest_dev( $diface );
|
$rule .= match_dest_dev( $odiface );
|
||||||
}
|
}
|
||||||
|
|
||||||
$rule;
|
$rule;
|
||||||
|
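Review bot: match_dest_dev calls `known_interface( $interface )` before the leading `!` is stripped, the opposite order from match_source_dev, imatch_source_dev and imatch_dest_dev, so for `!eth0` the lookup presumably fails (verify_dest_interface strips the `!` before its own known_interface call, which suggests the helper does not accept it), `$interfaceref` stays false, and both the logical-to-physical mapping and the bridge-port physdev branch are skipped. The practical risk is that an excluded bridge port falls through to `! -o eth0`, which on a bridged path never sees the port name as the output device and therefore matches everything instead of excluding it; swapping the two lines fixes it: `my $invert = ( $interface =~ s/^!// ) ? '! ' : '';` followed by `my $interfaceref = known_interface( $interface );`. Separately, the inversion token is spelled `'!'` in match_source_dev and imatch_dest_dev but `'! '` in match_dest_dev and imatch_source_dev, so match_source_dev emits `!-i eth0` while match_dest_dev emits `! -o eth0`; iptables takes `!` as a separate argument, so all four should use the spaced form. The `# Ignore exclusion for now` comment in verify_source_interface and verify_dest_interface reads as if the `!` is dropped, whereas the original value is carried through `$oiiface`/`$odiface` to the match helpers; `# Strip the exclusion for the validity checks only; the original value goes to match_*_dev` would describe it more accurately.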