Omit STATE-orientated rules in wildcard policy chains

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2020-06-07 20:57:55 -07:00
parent 1d875b2909
commit 220e89755e
2 changed files with 61 additions and 56 deletions


@ -320,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
# %chain_table { <table> => { <chain1> => { name => <chain name> # %chain_table { <table> => { <chain1> => { name => <chain name>
# table => <table name> # table => <table name>
# is_policy => undef|1 -- if 1, this is a policy chain # is_policy => undef|1 -- if 1, this is a policy chain
# wild => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
# provisional => undef|1 -- See below. # provisional => undef|1 -- See below.
# referenced => undef|1 -- If 1, will be written to the iptables-restore-input. # referenced => undef|1 -- If 1, will be written to the iptables-restore-input.
# builtin => undef|1 -- If 1, one of Netfilter's built-in chains. # builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
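Review bot: The new `wild` entry in the %chain_table comment documents the value as `undef|1`, but the assignment added in the other file (`$chainref->{wild} = $source eq 'all' || $dest eq 'all';` in convert_to_policy_chain) yields the empty string, not undef, when neither endpoint is 'all', so a non-wild policy chain carries '' while a chain never converted to a policy chain carries undef. The readers added in this commit (`if ( $chainref->{wild} )` and `$chainref->{wild} && ! $config{EXPAND_RULES}`) only test truthiness, so nothing breaks, but the comment should match what is stored: `# wild => false|1 -- true if source or dest is 'all'. Only set by convert_to_policy_chain`. Keeping the key's three possible values visible here saves the next maintainer from an `exists`/`defined` check that would behave differently from the truthiness tests.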


@ -443,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_; my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
$chainref->{is_policy} = 1; $chainref->{is_policy} = 1;
$chainref->{wild} = $source eq 'all' || $dest eq 'all';
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
$chainref->{provisional} = $provisional; $chainref->{provisional} = $provisional;
$chainref->{audit} = $audit; $chainref->{audit} = $audit;
@ -1147,7 +1148,7 @@ sub complete_policy_chains() {
} }
} }
if ( $name =~ /^all[-2]|[-2]all$/ ) { if ( $chainref->{wild} ) {
add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST}; add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
} }
} }
@ -1252,6 +1253,7 @@ sub finish_chain_section ($$$) {
$state ) = @_; $state ) = @_;
my $chain = $chainref->{name}; my $chain = $chainref->{name};
my $save_comment = push_comment; my $save_comment = push_comment;
my $wild = $chainref->{wild} && ! $config{EXPAND_RULES};
my %state; my %state;
$state{$_} = 1 for split ',', $state; $state{$_} = 1 for split ',', $state;
@ -1262,6 +1264,7 @@ sub finish_chain_section ($$$) {
$chain1ref->{sections}{$_} = 1 for keys %state; $chain1ref->{sections}{$_} = 1 for keys %state;
unless ( $wild ) {
for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) { for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
if ( $state{$_} ) { if ( $state{$_} ) {
my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}}; my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
@ -1331,6 +1334,7 @@ sub finish_chain_section ($$$) {
add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state; add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
} }
}
if ($sections{NEW} ) { if ($sections{NEW} ) {
if ( $chain1ref->{is_policy} ) { if ( $chain1ref->{is_policy} ) {