From 2d6e206a5fb2aa32ed6a29da28199382d0c168ec Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 2 Feb 2008 01:27:39 +0000 Subject: [PATCH] Long overdue cleanup of validate_interface_file() git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8134 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Chains.pm | 16 ++++++++++++---- Shorewall-perl/Shorewall/Rules.pm | 26 +++++++++++++------------- Shorewall-perl/Shorewall/Zones.pm | 27 +++++++++++++++++---------- 3 files changed, 42 insertions(+), 27 deletions(-) diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index e7144c1c2..87dedd981 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -589,11 +589,15 @@ sub use_input_chain($) { # We must use the interfaces's chain if the interface is associated with multiple zone nets # return 1 if $interfaceref->{nets} != 1; - + # + # Interface associated with a single zone -- use the zone's input chain if it has one + # my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}}; return 1 if $chainref; - + # + # Use the '2fw' chain if it is referenced. + # $chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )}; ! $chainref->{referenced}; @@ -624,11 +628,15 @@ sub use_output_chain($) { # We must use the interfaces's chain if the interface is associated with multiple zone nets # return 1 if $interfaceref->{nets} != 1; - + # + # Interface associated with a single zone -- use the zone's output chain if it has one + # my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}}; return 1 if $chainref; - + # + # Use the 'fw2' chain if it is referenced. + # $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )}; ! $chainref->{referenced}; diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index a3ea4d7b6..a72468899 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -1502,19 +1502,6 @@ sub generate_matrix() { my $preroutingref = ensure_chain 'nat', 'dnat'; my $fw = firewall_zone; - # - # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT - # - for my $interface ( @interfaces ) { - - add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface; - add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface; - - if ( use_output_chain $interface ) { - add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' ); - } - } - # # Set up forwarding chain for each zone # @@ -1883,6 +1870,19 @@ sub generate_matrix() { addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface ); } + # + # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT + # + for my $interface ( @interfaces ) { + + add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface; + add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface; + + if ( use_output_chain $interface ) { + add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' ); + } + } + my $chainref = $filter_table->{"${fw}2${fw}"}; add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' ); diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index c054ea8f0..5bd711550 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -633,27 +633,26 @@ sub validate_interfaces_file( $ ) fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/; - $interfaces{$port}{bridge} = $bridge = $interface; + $bridge = $interface; $interface = $port; } else { fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4'; - $interfaces{$interface}{bridge} = $interface; + $bridge = $interface; } - $interfaces{$interface}{name} = $interface; - $interfaces{$interface}{nets} = 0; - $interfaces{$interface}{number} = ++$num; - my $wildcard = 0; + my $root; if ( $interface =~ /\+$/ ) { $wildcard = 1; - $interfaces{$interface}{root} = substr( $interface, 0, -1 ); + $root = substr( $interface, 0, -1 ); } else { - $interfaces{$interface}{root} = $interface; + $root = $interface; } + my $broadcasts; + unless ( $networks eq '' || $networks eq 'detect' ) { my @broadcasts = split $networks, 'address'; @@ -664,7 +663,7 @@ sub validate_interfaces_file( $ ) if ( $capabilities{ADDRTYPE} ) { warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available'; } else { - $interfaces{$interface}{broadcasts} = \@broadcasts; + $broadcasts = \@broadcasts; } } @@ -728,8 +727,16 @@ sub validate_interfaces_file( $ ) $options{port} = 1; } - $interfaces{$interface}{options} = $optionsref = \%options; + $optionsref = \%options; + $interfaces{$interface} = { name => $interface , + bridge => $bridge , + nets => 0 , + number => ++$num , + root => $root , + broadcasts => $broadcasts , + options => $optionsref }; + push @ifaces, $interface; my @networks = allipv4;