forked from extern/shorewall_code
Long overdue cleanup of validate_interface_file()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8134 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
9a396bee3b
commit
2d6e206a5f
@ -589,11 +589,15 @@ sub use_input_chain($) {
|
|||||||
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
||||||
#
|
#
|
||||||
return 1 if $interfaceref->{nets} != 1;
|
return 1 if $interfaceref->{nets} != 1;
|
||||||
|
#
|
||||||
|
# Interface associated with a single zone -- use the zone's input chain if it has one
|
||||||
|
#
|
||||||
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}};
|
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}};
|
||||||
|
|
||||||
return 1 if $chainref;
|
return 1 if $chainref;
|
||||||
|
#
|
||||||
|
# Use the '<zone>2fw' chain if it is referenced.
|
||||||
|
#
|
||||||
$chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )};
|
$chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )};
|
||||||
|
|
||||||
! $chainref->{referenced};
|
! $chainref->{referenced};
|
||||||
@ -624,11 +628,15 @@ sub use_output_chain($) {
|
|||||||
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
||||||
#
|
#
|
||||||
return 1 if $interfaceref->{nets} != 1;
|
return 1 if $interfaceref->{nets} != 1;
|
||||||
|
#
|
||||||
|
# Interface associated with a single zone -- use the zone's output chain if it has one
|
||||||
|
#
|
||||||
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
|
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
|
||||||
|
|
||||||
return 1 if $chainref;
|
return 1 if $chainref;
|
||||||
|
#
|
||||||
|
# Use the 'fw2<zone>' chain if it is referenced.
|
||||||
|
#
|
||||||
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
|
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
|
||||||
|
|
||||||
! $chainref->{referenced};
|
! $chainref->{referenced};
|
||||||
|
@ -1502,19 +1502,6 @@ sub generate_matrix() {
|
|||||||
my $preroutingref = ensure_chain 'nat', 'dnat';
|
my $preroutingref = ensure_chain 'nat', 'dnat';
|
||||||
my $fw = firewall_zone;
|
my $fw = firewall_zone;
|
||||||
|
|
||||||
#
|
|
||||||
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
|
||||||
#
|
|
||||||
for my $interface ( @interfaces ) {
|
|
||||||
|
|
||||||
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface;
|
|
||||||
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface;
|
|
||||||
|
|
||||||
if ( use_output_chain $interface ) {
|
|
||||||
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Set up forwarding chain for each zone
|
# Set up forwarding chain for each zone
|
||||||
#
|
#
|
||||||
@ -1883,6 +1870,19 @@ sub generate_matrix() {
|
|||||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
|
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
||||||
|
#
|
||||||
|
for my $interface ( @interfaces ) {
|
||||||
|
|
||||||
|
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface;
|
||||||
|
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface;
|
||||||
|
|
||||||
|
if ( use_output_chain $interface ) {
|
||||||
|
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
my $chainref = $filter_table->{"${fw}2${fw}"};
|
my $chainref = $filter_table->{"${fw}2${fw}"};
|
||||||
|
|
||||||
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
||||||
|
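Review bot: Moving the FORWARD/INPUT/OUTPUT jumps to the interface chains from before the per-zone forwarding setup to just before the `-o lo` OUTPUT rule changes where those jumps sit in the built-in chains, and with first-match semantics any rule the intervening zone loops append to FORWARD, INPUT or OUTPUT (not visible in these hunks) now takes precedence over the interface chains. The commit message only mentions validate_interfaces_file(), so this reordering deserves a sentence in the description and a comment at the new location stating that the placement after the zone rules is intentional, e.g. `# Interface chain jumps are added after the zone rules so they are evaluated last`. In the use_input_chain and use_output_chain hunks the final `! $chainref->{referenced};` relies on an implicit return value; `return ! $chainref->{referenced};` states the contract the new comment describes, and since the `<zone>2fw` / `fw2<zone>` lookup may yield undef, a `return 1 unless $chainref;` guard before it would make the fallback explicit rather than relying on autovivification of a temporary. generate_matrix, use_input_chain and use_output_chain all begin and end outside these hunks.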
@ -633,27 +633,26 @@ sub validate_interfaces_file( $ )
|
|||||||
|
|
||||||
fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
|
fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
|
||||||
|
|
||||||
$interfaces{$port}{bridge} = $bridge = $interface;
|
$bridge = $interface;
|
||||||
$interface = $port;
|
$interface = $port;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
|
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
|
||||||
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
|
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
|
||||||
$interfaces{$interface}{bridge} = $interface;
|
$bridge = $interface;
|
||||||
}
|
}
|
||||||
|
|
||||||
$interfaces{$interface}{name} = $interface;
|
|
||||||
$interfaces{$interface}{nets} = 0;
|
|
||||||
$interfaces{$interface}{number} = ++$num;
|
|
||||||
|
|
||||||
my $wildcard = 0;
|
my $wildcard = 0;
|
||||||
|
my $root;
|
||||||
|
|
||||||
if ( $interface =~ /\+$/ ) {
|
if ( $interface =~ /\+$/ ) {
|
||||||
$wildcard = 1;
|
$wildcard = 1;
|
||||||
$interfaces{$interface}{root} = substr( $interface, 0, -1 );
|
$root = substr( $interface, 0, -1 );
|
||||||
} else {
|
} else {
|
||||||
$interfaces{$interface}{root} = $interface;
|
$root = $interface;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my $broadcasts;
|
||||||
|
|
||||||
unless ( $networks eq '' || $networks eq 'detect' ) {
|
unless ( $networks eq '' || $networks eq 'detect' ) {
|
||||||
my @broadcasts = split $networks, 'address';
|
my @broadcasts = split $networks, 'address';
|
||||||
|
|
||||||
@ -664,7 +663,7 @@ sub validate_interfaces_file( $ )
|
|||||||
if ( $capabilities{ADDRTYPE} ) {
|
if ( $capabilities{ADDRTYPE} ) {
|
||||||
warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
|
warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
|
||||||
} else {
|
} else {
|
||||||
$interfaces{$interface}{broadcasts} = \@broadcasts;
|
$broadcasts = \@broadcasts;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -728,7 +727,15 @@ sub validate_interfaces_file( $ )
|
|||||||
$options{port} = 1;
|
$options{port} = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
$interfaces{$interface}{options} = $optionsref = \%options;
|
$optionsref = \%options;
|
||||||
|
|
||||||
|
$interfaces{$interface} = { name => $interface ,
|
||||||
|
bridge => $bridge ,
|
||||||
|
nets => 0 ,
|
||||||
|
number => ++$num ,
|
||||||
|
root => $root ,
|
||||||
|
broadcasts => $broadcasts ,
|
||||||
|
options => $optionsref };
|
||||||
|
|
||||||
push @ifaces, $interface;
|
push @ifaces, $interface;
|
||||||
|
|
||||||
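Review bot: The interface record is now stored only at the end of the loop body (`$interfaces{$interface} = { name => $interface , ...`), so any code between the broadcasts hunk and the options hunk (roughly old lines 670–727, not shown here) that reads `$interfaces{$interface}` while validating options will now see undef and must use the lexicals `$bridge`, `$root` and `$broadcasts` instead; please confirm that stretch. The duplicate check `fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};` still runs only in the non-port branch, so a bridge port listed twice silently overwrites the earlier record at the final assignment unless something above line 633 guards it; `fatal_error "Duplicate Interface ($interface:$port)" if $interfaces{$port};` before `$interface = $port;` would close that gap. `broadcasts => $broadcasts` now always creates the key (possibly undef) where the old code only created it when ADDRTYPE was unavailable, so a consumer testing `exists` rather than truth would change behaviour. `$bridge` is assigned but not declared in these hunks, presumably declared earlier in the function; validate_interfaces_file begins and ends outside the hunks.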
|