Long overdue cleanup of validate_interface_file()
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8134 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
9a396bee3b
commit
2d6e206a5f
@ -589,11 +589,15 @@ sub use_input_chain($) {
|
||||
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
||||
#
|
||||
return 1 if $interfaceref->{nets} != 1;
|
||||
|
||||
#
|
||||
# Interface associated with a single zone -- use the zone's input chain if it has one
|
||||
#
|
||||
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}};
|
||||
|
||||
return 1 if $chainref;
|
||||
|
||||
#
|
||||
# Use the '<zone>2fw' chain if it is referenced.
|
||||
#
|
||||
$chainref = $filter_table->{join( '' , $interfaceref->{zone} , '2' , firewall_zone )};
|
||||
|
||||
! $chainref->{referenced};
|
||||
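Review bot: The final statement `! $chainref->{referenced};` is a bare expression serving as the sub's implicit return value, and the comment above it reads the opposite of what that value means: a true result makes generate_matrix() jump to the interface's own input chain (see the `if use_input_chain $interface` guard in the later hunk), which happens precisely when the `<zone>2fw` chain is not referenced. Make the return explicit, `return ! $chainref->{referenced};`, and reword the comment to `# Otherwise the interface chain is only needed if the '<zone>2fw' chain is not referenced`. When no such chain exists `$chainref` is undef and the expression still yields true, which appears to be the intended fallback but is worth stating in that comment as well. The same applies to use_output_chain() in the next hunk with its 'fw2<zone>' chain. The closing of both subs lies outside the hunks.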
@ -624,11 +628,15 @@ sub use_output_chain($) {
|
||||
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
||||
#
|
||||
return 1 if $interfaceref->{nets} != 1;
|
||||
|
||||
#
|
||||
# Interface associated with a single zone -- use the zone's output chain if it has one
|
||||
#
|
||||
my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
|
||||
|
||||
return 1 if $chainref;
|
||||
|
||||
#
|
||||
# Use the 'fw2<zone>' chain if it is referenced.
|
||||
#
|
||||
$chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
|
||||
|
||||
! $chainref->{referenced};
|
||||
|
@ -1502,19 +1502,6 @@ sub generate_matrix() {
|
||||
my $preroutingref = ensure_chain 'nat', 'dnat';
|
||||
my $fw = firewall_zone;
|
||||
|
||||
#
|
||||
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
||||
#
|
||||
for my $interface ( @interfaces ) {
|
||||
|
||||
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface;
|
||||
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface;
|
||||
|
||||
if ( use_output_chain $interface ) {
|
||||
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Set up forwarding chain for each zone
|
||||
#
|
||||
@ -1883,6 +1870,19 @@ sub generate_matrix() {
|
||||
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
|
||||
}
|
||||
|
||||
#
|
||||
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
||||
#
|
||||
for my $interface ( @interfaces ) {
|
||||
|
||||
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface if use_forward_chain $interface;
|
||||
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain($interface) if use_input_chain $interface;
|
||||
|
||||
if ( use_output_chain $interface ) {
|
||||
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
|
||||
}
|
||||
}
|
||||
|
||||
my $chainref = $filter_table->{"${fw}2${fw}"};
|
||||
|
||||
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
||||
|
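Review bot: The interface-jump loop is moved from the top of generate_matrix() (the deleted hunk at @ -1502) to after the per-zone rules without a comment saying why the order now matters. From use_input_chain()/use_output_chain() in the hunks above, the decision consults the `referenced` flag of the `<zone>2fw` / `fw2<zone>` chains, which is presumably only set once the zone rules have been emitted, so a reader moving the loop back would silently reintroduce the problem; add `# Must follow the zone rules above: use_*_chain() consult the 'referenced' flag of the <zone>2fw / fw2<zone> chains` above the `for`. Separately, the OUTPUT rule interpolates `"-o $interface -j "` by hand while the FORWARD and INPUT rules go through match_source_dev(), and match_dest_dev() is already used for POSTROUTING at the top of this hunk; if match_dest_dev() yields the plain `-o` form for non-port interfaces, `match_dest_dev( $interface ) . "-j " . output_chain $interface` would keep the three rules uniform. generate_matrix() starts and ends outside this hunk.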
@ -633,27 +633,26 @@ sub validate_interfaces_file( $ )
|
||||
|
||||
fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
|
||||
|
||||
$interfaces{$port}{bridge} = $bridge = $interface;
|
||||
$bridge = $interface;
|
||||
$interface = $port;
|
||||
} else {
|
||||
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
|
||||
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} eq 'bport4';
|
||||
$interfaces{$interface}{bridge} = $interface;
|
||||
$bridge = $interface;
|
||||
}
|
||||
|
||||
$interfaces{$interface}{name} = $interface;
|
||||
$interfaces{$interface}{nets} = 0;
|
||||
$interfaces{$interface}{number} = ++$num;
|
||||
|
||||
my $wildcard = 0;
|
||||
my $root;
|
||||
|
||||
if ( $interface =~ /\+$/ ) {
|
||||
$wildcard = 1;
|
||||
$interfaces{$interface}{root} = substr( $interface, 0, -1 );
|
||||
$root = substr( $interface, 0, -1 );
|
||||
} else {
|
||||
$interfaces{$interface}{root} = $interface;
|
||||
$root = $interface;
|
||||
}
|
||||
|
||||
my $broadcasts;
|
||||
|
||||
unless ( $networks eq '' || $networks eq 'detect' ) {
|
||||
my @broadcasts = split $networks, 'address';
|
||||
|
||||
@ -664,7 +663,7 @@ sub validate_interfaces_file( $ )
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
|
||||
} else {
|
||||
$interfaces{$interface}{broadcasts} = \@broadcasts;
|
||||
$broadcasts = \@broadcasts;
|
||||
}
|
||||
}
|
||||
|
||||
@ -728,7 +727,15 @@ sub validate_interfaces_file( $ )
|
||||
$options{port} = 1;
|
||||
}
|
||||
|
||||
$interfaces{$interface}{options} = $optionsref = \%options;
|
||||
$optionsref = \%options;
|
||||
|
||||
$interfaces{$interface} = { name => $interface ,
|
||||
bridge => $bridge ,
|
||||
nets => 0 ,
|
||||
number => ++$num ,
|
||||
root => $root ,
|
||||
broadcasts => $broadcasts ,
|
||||
options => $optionsref };
|
||||
|
||||
push @ifaces, $interface;
|
||||
|
||||
|
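Review bot: The hash built at `$interfaces{$interface} = { ... }` now always carries a `broadcasts` key, holding undef whenever NETWORKS was empty/'detect' or `$capabilities{ADDRTYPE}` was set (hunk at @ -664), whereas the old code only created the key in the else branch. Any consumer that tests `exists $interfaces{$i}{broadcasts}` (outside this hunk) changes behaviour; `defined`/truth tests are unaffected. If the old shape matters, restore it with `delete $interfaces{$interface}{broadcasts} unless $broadcasts;` after the assignment, otherwise document it with `# broadcasts is undef unless NETWORKS was given and Address Type Match is unavailable`. Note also that `number => ++$num` now increments after option parsing instead of right after the duplicate check, which is harmless only if nothing in between reads $num. validate_interfaces_file() continues outside the hunk.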