forked from extern/shorewall_code
Disallow :P in CLASSIFY rules and complain if :F is used when the SOURCE or DEST is $FW.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
2ca7984f60
commit
5b2f960db3
@ -104,8 +104,7 @@ my %flow_keys = ( 'src' => 1,
|
|||||||
'sk-gid' => 1,
|
'sk-gid' => 1,
|
||||||
'vlan-tag' => 1 );
|
'vlan-tag' => 1 );
|
||||||
|
|
||||||
my %designator = ( P => 'tcpre' ,
|
my %designator = ( F => 'tcfor' ,
|
||||||
F => 'tcfor' ,
|
|
||||||
T => 'tcpost' );
|
T => 'tcpost' );
|
||||||
|
|
||||||
my %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' ,
|
my %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' ,
|
||||||
@ -212,6 +211,7 @@ sub process_tc_rule( ) {
|
|||||||
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
|
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
|
||||||
|
|
||||||
my $chain = $globals{MARKING_CHAIN};
|
my $chain = $globals{MARKING_CHAIN};
|
||||||
|
my $classid = 0;
|
||||||
|
|
||||||
if ( $remainder ) {
|
if ( $remainder ) {
|
||||||
if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
|
if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
|
||||||
@ -222,32 +222,39 @@ sub process_tc_rule( ) {
|
|||||||
$designator =~ /^([0-9a-fA-F]+)$/ &&
|
$designator =~ /^([0-9a-fA-F]+)$/ &&
|
||||||
( $chain = $designator{$remainder} ) );
|
( $chain = $designator{$remainder} ) );
|
||||||
$mark = join( ':', $mark, $designator );
|
$mark = join( ':', $mark, $designator );
|
||||||
|
$classid = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $target = 'MARK --set-mark';
|
my $target = 'MARK --set-mark';
|
||||||
my $tcsref;
|
my $tcsref;
|
||||||
my $connmark = 0;
|
my $connmark = 0;
|
||||||
my $classid = 0;
|
|
||||||
my $device = '';
|
my $device = '';
|
||||||
my $fw = firewall_zone;
|
my $fw = firewall_zone;
|
||||||
my $list;
|
my $list;
|
||||||
|
|
||||||
if ( $source ) {
|
if ( $source ) {
|
||||||
if ( $source eq $fw ) {
|
if ( $source eq $fw ) {
|
||||||
$chain = 'tcout';
|
if ( $classid ) {
|
||||||
$source = '';
|
fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
|
||||||
} else {
|
} else {
|
||||||
$chain = 'tcout' if $source =~ s/^($fw)://;
|
$chain = 'tcout';
|
||||||
|
}
|
||||||
|
$source = '';
|
||||||
|
} elsif ( $source =~ s/^($fw):// ) {
|
||||||
|
fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
|
||||||
|
$chain = 'tcout';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $dest ) {
|
if ( $dest ) {
|
||||||
if ( $dest eq $fw ) {
|
if ( $dest eq $fw ) {
|
||||||
|
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
|
||||||
$chain = 'tcin';
|
$chain = 'tcin';
|
||||||
$dest = '';
|
$dest = '';
|
||||||
} else {
|
} elsif ( $dest =~ s/^($fw):// ) {
|
||||||
$chain = 'tcin' if $dest =~ s/^($fw)://;
|
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
|
||||||
|
$chain = 'tcin';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -268,8 +275,9 @@ sub process_tc_rule( ) {
|
|||||||
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
|
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
unless ( $remainder ) {
|
unless ( $classid ) {
|
||||||
fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
|
fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
|
||||||
|
fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
|
||||||
$chain = 'tcpost';
|
$chain = 'tcpost';
|
||||||
$mark = $originalmark;
|
$mark = $originalmark;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -216,19 +216,11 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>P</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>PREROUTING chain.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>T</term>
|
<term>T</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>POSTROUTING chain.</para>
|
<para>POSTROUTING chain (default).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|||||||
@ -216,19 +216,11 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
|
||||||
<term>P</term>
|
|
||||||
|
|
||||||
<listitem>
|
|
||||||
<para>PREROUTING chain.</para>
|
|
||||||
</listitem>
|
|
||||||
</varlistentry>
|
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term>T</term>
|
<term>T</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>POSTROUTING chain.</para>
|
<para>POSTROUTING chain (default).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user