holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Copy option rules into interface chains if no blacklist

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-12-29 09:32:16 -08:00
parent bddfb4f41c
commit 2c441b5393
1 changed files with 67 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -116,6 +116,10 @@ my %auditpolicies = ( ACCEPT => 1,
DROP => 1, DROP => 1,
REJECT => 1 REJECT => 1
); );
#
# Set to true if we have any entries in blacklist or blrules
#
my $blrules;
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
@ -185,6 +189,8 @@ sub initialize( $ ) {
} else { } else {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/; @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
} }
$blrules = 0;
} }
############################################################################### ###############################################################################
@ -2480,6 +2486,8 @@ sub initiate_blacklist() {
} elsif ( have_capability 'AUDIT_TARGET' ) { } elsif ( have_capability 'AUDIT_TARGET' ) {
verify_audit( 'A_' . $disposition ); verify_audit( 'A_' . $disposition );
} }
$blrules = 1;
} }
# #
@ -2620,8 +2628,10 @@ sub process_rules() {
} }
$section = ''; $section = '';
if ( $blrules ) {
# #
# Now insert all interface option rules into the rules chains # Insert all interface option rules into the rules chains
# #
for my $zone1 ( off_firewall_zones ) { for my $zone1 ( off_firewall_zones ) {
my @interfaces = keys %{zone_interfaces( $zone1 )}; my @interfaces = keys %{zone_interfaces( $zone1 )};
@ -2630,26 +2640,26 @@ sub process_rules() {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) { if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
if ( @interfaces ==1 ) { if ( @interfaces == 1 ) {
if ( my $chain1ref = $filter_table->{input_option_chain $interfaces[0]} ) { if ( my $chain1ref = $filter_table->{input_option_chain $interfaces[0]} ) {
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} ); push @{$chainref->{rules}} , @{$chain1ref->{rules}};
}
} else {
for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{input_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_source_dev( $interface ) );
}
}
}
} else {
if ( @interfaces ==1 ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interfaces[0]} ) {
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
} }
} else { } else {
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) { if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_source_dev( $interface ) ); add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_source_dev( $interface ) : () );
}
}
}
} else {
if ( @interfaces == 1 ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interfaces[0]} ) {
push @{$chainref->{rules}} , @{$chain1ref->{rules}};
}
} else {
for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_source_dev( $interface ) : () );
} }
} }
} }
@ -2662,18 +2672,30 @@ sub process_rules() {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
my @interfaces = keys %{zone_interfaces( $zone2 )}; my @interfaces = keys %{zone_interfaces( $zone2 )};
if ( @interfaces == 1 ) {
if ( my $chain1ref = $filter_table->{output_option_chain $interfaces[0]} ) {
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
}
} else {
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{output_option_chain $interface} ) { if ( my $chain1ref = $filter_table->{output_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_dest_dev( $interface ) ); add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_dest_dev( $interface ) : () );
} }
} }
} }
} }
} else {
#
# Simply copy the option chain rules into the interface chains
#
for my $interface ( grep $_ ne '%vserver%', all_interfaces ) {
if ( my $chainref = $filter_table->{input_option_chain $interface} ) {
push @{$filter_table->{input_chain $interface}->{rules}}, @{$chainref->{rules}};
}
if ( my $chainref = $filter_table->{forward_option_chain $interface} ) {
push @{$filter_table->{forward_chain $interface}->{rules}}, @{$chainref->{rules}};
}
if ( my $chainref = $filter_table->{output_option_chain $interface} ) {
push @{$filter_table->{output_chain $interface}->{rules}}, @{$chainref->{rules}};
}
}
} }
$fn = open_file 'rules'; $fn = open_file 'rules';