Copy option rules into interface chains if no blacklist

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-12-29 09:32:16 -08:00
parent bddfb4f41c
commit 2c441b5393


@ -116,6 +116,10 @@ my %auditpolicies = ( ACCEPT => 1,
DROP => 1, DROP => 1,
REJECT => 1 REJECT => 1
); );
#
# Set to true if we have any entries in blacklist or blrules
#
my $blrules;
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
@ -185,6 +189,8 @@ sub initialize( $ ) {
} else { } else {
@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/; @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
} }
$blrules = 0;
} }
############################################################################### ###############################################################################
@ -2466,8 +2472,8 @@ sub process_rule ( ) {
sub initiate_blacklist() { sub initiate_blacklist() {
my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' }; my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
my $audit = $disposition =~ /^A_/; my $audit = $disposition =~ /^A_/;
my $target = $disposition eq 'REJECT' ? 'reject' : $disposition; my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
progress_message2 "$doing $currentfilename..."; progress_message2 "$doing $currentfilename...";
@ -2480,6 +2486,8 @@ sub initiate_blacklist() {
} elsif ( have_capability 'AUDIT_TARGET' ) { } elsif ( have_capability 'AUDIT_TARGET' ) {
verify_audit( 'A_' . $disposition ); verify_audit( 'A_' . $disposition );
} }
$blrules = 1;
} }
# #
@ -2620,60 +2628,74 @@ sub process_rules() {
} }
$section = ''; $section = '';
#
# Now insert all interface option rules into the rules chains
#
for my $zone1 ( off_firewall_zones ) {
my @interfaces = keys %{zone_interfaces( $zone1 )};
for my $zone2 ( all_zones ) { if ( $blrules ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; #
# Insert all interface option rules into the rules chains
#
for my $zone1 ( off_firewall_zones ) {
my @interfaces = keys %{zone_interfaces( $zone1 )};
if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) { for my $zone2 ( all_zones ) {
if ( @interfaces ==1 ) { my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
if ( my $chain1ref = $filter_table->{input_option_chain $interfaces[0]} ) {
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} ); if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
} if ( @interfaces == 1 ) {
} else { if ( my $chain1ref = $filter_table->{input_option_chain $interfaces[0]} ) {
for my $interface ( @interfaces ) { push @{$chainref->{rules}} , @{$chain1ref->{rules}};
if ( my $chain1ref = $filter_table->{input_option_chain $interface} ) { }
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_source_dev( $interface ) ); } else {
for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_source_dev( $interface ) : () );
}
} }
} }
}
} else {
if ( @interfaces ==1 ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interfaces[0]} ) {
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
}
} else { } else {
for my $interface ( @interfaces ) { if ( @interfaces == 1 ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) { if ( my $chain1ref = $filter_table->{forward_option_chain $interfaces[0]} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_source_dev( $interface ) ); push @{$chainref->{rules}} , @{$chain1ref->{rules}};
}
} else {
for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_source_dev( $interface ) : () );
}
} }
} }
} }
} }
} }
}
for my $zone1 ( firewall_zone, vserver_zones ) { for my $zone1 ( firewall_zone, vserver_zones ) {
for my $zone2 ( off_firewall_zones ) { for my $zone2 ( off_firewall_zones ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
my @interfaces = keys %{zone_interfaces( $zone2 )}; my @interfaces = keys %{zone_interfaces( $zone2 )};
if ( @interfaces == 1 ) {
if ( my $chain1ref = $filter_table->{output_option_chain $interfaces[0]} ) {
push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
}
} else {
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
if ( my $chain1ref = $filter_table->{output_option_chain $interface} ) { if ( my $chain1ref = $filter_table->{output_option_chain $interface} ) {
add_ijump ( $chainref , j => $chain1ref->{name}, imatch_dest_dev( $interface ) ); add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_dest_dev( $interface ) : () );
} }
} }
} }
} }
} else {
#
# Simply copy the option chain rules into the interface chains
#
for my $interface ( grep $_ ne '%vserver%', all_interfaces ) {
if ( my $chainref = $filter_table->{input_option_chain $interface} ) {
push @{$filter_table->{input_chain $interface}->{rules}}, @{$chainref->{rules}};
}
if ( my $chainref = $filter_table->{forward_option_chain $interface} ) {
push @{$filter_table->{forward_chain $interface}->{rules}}, @{$chainref->{rules}};
}
if ( my $chainref = $filter_table->{output_option_chain $interface} ) {
push @{$filter_table->{output_chain $interface}->{rules}}, @{$chainref->{rules}};
}
}
} }
$fn = open_file 'rules'; $fn = open_file 'rules';