Use goto from exclusion chains, if available
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9175 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
e706310804
commit
5f9aaa3e93
@ -107,6 +107,8 @@ our %EXPORT_TAGS = (
|
|||||||
finish_section
|
finish_section
|
||||||
setup_zone_mss
|
setup_zone_mss
|
||||||
newexclusionchain
|
newexclusionchain
|
||||||
|
source_exclusion
|
||||||
|
dest_exclusion
|
||||||
clearrule
|
clearrule
|
||||||
do_proto
|
do_proto
|
||||||
mac_match
|
mac_match
|
||||||
@ -1110,6 +1112,59 @@ sub newexclusionchain() {
|
|||||||
"excl${seq}";
|
"excl${seq}";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# If the passed exclusion array is non-empty then:
|
||||||
|
#
|
||||||
|
# Create a new exclusion chain in the table of the passed chain
|
||||||
|
# (Note: If the chain is not in the filter table then a
|
||||||
|
# reference to the chain's chain table entry must be
|
||||||
|
# passed).
|
||||||
|
#
|
||||||
|
# Add RETURN rules for each element of the exclusion array
|
||||||
|
#
|
||||||
|
# Add a jump to the passed chain
|
||||||
|
#
|
||||||
|
# Return the exclusion chain. The type of the returned value
|
||||||
|
# matches what was passed (reference
|
||||||
|
# or name).
|
||||||
|
#
|
||||||
|
# Otherwise
|
||||||
|
#
|
||||||
|
# Return the passed chain.
|
||||||
|
#
|
||||||
|
# There are two versions of the function; one for source exclusion and
|
||||||
|
# one for destination exclusion.
|
||||||
|
#
|
||||||
|
sub source_exclusion( $$ ) {
|
||||||
|
my ( $exclusions, $targetref ) = @_;
|
||||||
|
|
||||||
|
return $targetref unless @$exclusions;
|
||||||
|
|
||||||
|
$targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
|
||||||
|
|
||||||
|
my $chainref = new_chain( $targetref->{table}, newexclusionchain );
|
||||||
|
|
||||||
|
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
||||||
|
add_jump( $chainref, $targetref, 1 );
|
||||||
|
|
||||||
|
reftype $_[1] ? $chainref : $chainref->{name};
|
||||||
|
}
|
||||||
|
|
||||||
|
sub dest_exclusion( $$ ) {
|
||||||
|
my ( $exclusions, $targetref ) = @_;
|
||||||
|
|
||||||
|
return $targetref unless @$exclusions;
|
||||||
|
|
||||||
|
$targetref = ensure_filter_chain( $targetref, 0 ) unless reftype $targetref;
|
||||||
|
|
||||||
|
my $chainref = new_chain( $targetref->{table}, newexclusionchain );
|
||||||
|
|
||||||
|
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
||||||
|
add_jump( $chainref, $targetref, 1 );
|
||||||
|
|
||||||
|
reftype $_[1] ? $targetref : $targetref->{name};
|
||||||
|
}
|
||||||
|
|
||||||
sub clearrule() {
|
sub clearrule() {
|
||||||
$iprangematch = 0;
|
$iprangematch = 0;
|
||||||
}
|
}
|
||||||
|
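Review bot: `dest_exclusion` returns the wrong chain: its final statement `reftype $_[1] ? $targetref : $targetref->{name};` hands back the target that was passed in, so the freshly built exclusion chain with its RETURN rules is never referenced and destination exclusions have no effect wherever the result is used as a jump target (the `dest_exclusion( $host1ref->{exclusions}, $chain )` argument to add_jump in generate_matrix is one such caller on this page). `source_exclusion` gets this right; the line should read `reftype $_[1] ? $chainref : $chainref->{name};`, which also makes the function match its header comment ("Return the exclusion chain ... matches what was passed"). The same mismatch was present in the removed Rules.pm copy, so nothing currently catches it; a test asserting that the returned name starts with `excl` when the exclusion list is non-empty would.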
@ -347,18 +347,8 @@ sub setup_blacklist() {
|
|||||||
my $ipsec = $hostref->[1];
|
my $ipsec = $hostref->[1];
|
||||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||||
my $network = $hostref->[2];
|
my $network = $hostref->[2];
|
||||||
my $exclusions = $hostref->[3];
|
|
||||||
my $source = match_source_net $network;
|
my $source = match_source_net $network;
|
||||||
my $target = 'blacklst';
|
my $target = source_exclusion( $hostref->[3], 'blacklst' );
|
||||||
|
|
||||||
if ( @$exclusions ) {
|
|
||||||
my $chainref = ensure_filter_chain( $target = newexclusionchain, 0 );
|
|
||||||
for ( @$exclusions ) {
|
|
||||||
add_rule $chainref, match_source_net( $_ ) . "-j RETURN";
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, "-j blacklist";
|
|
||||||
}
|
|
||||||
|
|
||||||
for my $chain ( first_chains $interface ) {
|
for my $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j $target";
|
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j $target";
|
||||||
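Review bot: The exclusion chain for blacklisted hosts now ends in a jump to `blacklst` (via `source_exclusion( $hostref->[3], 'blacklst' )`), whereas the removed block jumped to `blacklist`; the two names differ, so this hunk changes which chain excluded-host traffic reaches rather than only refactoring. If `blacklist` was a latent typo that the refactor happens to fix, that is worth stating in the commit message; if a `blacklist` chain is the intended destination, the target passed here is wrong. setup_blacklist continues outside the hunk.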
@ -600,18 +590,8 @@ sub add_common_rules() {
|
|||||||
for my $hostref ( @$list ) {
|
for my $hostref ( @$list ) {
|
||||||
$interface = $hostref->[0];
|
$interface = $hostref->[0];
|
||||||
my $ipsec = $hostref->[1];
|
my $ipsec = $hostref->[1];
|
||||||
my $exclusions = $hostref->[3];
|
|
||||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||||
my $target = 'smurfs';
|
my $target = source_exclusion( $hostref->[3], 'smurfs' );
|
||||||
|
|
||||||
if ( @$exclusions ) {
|
|
||||||
my $chainref = ensure_filter_chain( $target = newexclusionchain, 0 );
|
|
||||||
for ( @$exclusions ) {
|
|
||||||
add_rule $chainref, match_source_net( $_ ) . "-j RETURN";
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, "-j smurfs";
|
|
||||||
}
|
|
||||||
|
|
||||||
for $chain ( first_chains $interface ) {
|
for $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j $target" );
|
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j $target" );
|
||||||
@ -702,19 +682,9 @@ sub add_common_rules() {
|
|||||||
|
|
||||||
for my $hostref ( @$list ) {
|
for my $hostref ( @$list ) {
|
||||||
my $interface = $hostref->[0];
|
my $interface = $hostref->[0];
|
||||||
my $exclusions = $hostref->[3];
|
my $target = source_exclusion( $hostref->[3], 'tcpflags' );
|
||||||
my $target = 'tcpflags';
|
|
||||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
|
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
|
||||||
|
|
||||||
if ( @$exclusions ) {
|
|
||||||
my $chainref = ensure_filter_chain( $target = newexclusionchain, 0 );
|
|
||||||
for ( @$exclusions ) {
|
|
||||||
add_rule $chainref, match_source_net( $_ ) . "-j RETURN";
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, "-j tcpflags";
|
|
||||||
}
|
|
||||||
|
|
||||||
for $chain ( first_chains $interface ) {
|
for $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j $target" );
|
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j $target" );
|
||||||
}
|
}
|
||||||
@ -858,20 +828,9 @@ sub setup_mac_lists( $ ) {
|
|||||||
my $ipsec = $hostref->[1];
|
my $ipsec = $hostref->[1];
|
||||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||||
my $source = match_source_net $hostref->[2];
|
my $source = match_source_net $hostref->[2];
|
||||||
my $exclusions = $hostref->[3];
|
|
||||||
my $target = mac_chain $interface;
|
|
||||||
|
|
||||||
if ( $table eq 'filter' ) {
|
if ( $table eq 'filter' ) {
|
||||||
if ( @$exclusions ) {
|
my $target = source_exclusion( $hostref->[3], mac_chain $interface );
|
||||||
my $chainref = ensure_filter_chain( newexclusionchain, 0 );
|
|
||||||
for ( @$exclusions ) {
|
|
||||||
add_rule $chainref, match_source_net( $_ ) . "-j RETURN";
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, "-j $target";
|
|
||||||
|
|
||||||
$target = $chainref->{name};
|
|
||||||
}
|
|
||||||
|
|
||||||
for my $chain ( first_chains $interface ) {
|
for my $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||||
@ -880,18 +839,8 @@ sub setup_mac_lists( $ ) {
|
|||||||
set_interface_option $interface, 'use_input_chain', 1;
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
set_interface_option $interface, 'use_forward_chain', 1;
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
} else {
|
} else {
|
||||||
if ( @$exclusions ) {
|
my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
|
||||||
my $chainref = ensure_mangle_chain( newexclusionchain );
|
add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $chainref->{name}";
|
||||||
for ( @$exclusions ) {
|
|
||||||
add_rule $chainref, match_source_net( $_ ) . "-j RETURN";
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $chainref, "-j $target";
|
|
||||||
|
|
||||||
$target = $chainref->{name};
|
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
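Review bot: `source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} )` relies on the mac chain already existing in the mangle table; if that lookup yields undef, `reftype` is false and source_exclusion falls through to `ensure_filter_chain( undef, 0 )`, so the exclusion chain would land in the wrong table (the removed code called `ensure_mangle_chain` directly and had no such dependency). Presumably the chain is created earlier in setup_mac_lists, outside this hunk, but passing `ensure_mangle_chain( mac_chain $interface )` instead of the raw hash lookup would make that requirement explicit and keep the mangle-table case from silently degrading. setup_mac_lists continues outside the hunk.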
@ -1660,36 +1609,6 @@ sub generate_matrix() {
|
|||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub source_exclusion( $$ ) {
|
|
||||||
my ( $exclusions, $targetref ) = @_;
|
|
||||||
|
|
||||||
return $targetref unless @$exclusions;
|
|
||||||
|
|
||||||
$targetref = $filter_table->{$targetref} unless reftype $targetref;
|
|
||||||
|
|
||||||
my $chainref = new_chain( $targetref->{table}, newexclusionchain );
|
|
||||||
|
|
||||||
add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
|
||||||
add_rule( $chainref, "-j $targetref->{name}" );
|
|
||||||
|
|
||||||
reftype $_[0] ? $chainref : $chainref->{name};
|
|
||||||
}
|
|
||||||
|
|
||||||
sub dest_exclusion( $$ ) {
|
|
||||||
my ( $exclusions, $targetref ) = @_;
|
|
||||||
|
|
||||||
return $targetref unless @$exclusions;
|
|
||||||
|
|
||||||
$targetref = $filter_table->{$targetref} unless reftype $targetref;
|
|
||||||
|
|
||||||
my $chainref = new_chain( $targetref->{table}, newexclusionchain );
|
|
||||||
|
|
||||||
add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
|
|
||||||
add_rule( $chainref, "-j $targetref->{name}" );
|
|
||||||
|
|
||||||
reftype $_[0] ? $targetref : $targetref->{name};
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Set a breakpoint in this function if you want to step through generate_matrix().
|
# Set a breakpoint in this function if you want to step through generate_matrix().
|
||||||
#
|
#
|
||||||
@ -2012,6 +1931,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
for my $hostref ( @$arrayref ) {
|
for my $hostref ( @$arrayref ) {
|
||||||
next if $hostref->{options}{destonly};
|
next if $hostref->{options}{destonly};
|
||||||
|
my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
for my $type1ref ( values %$dest_hosts_ref ) {
|
for my $type1ref ( values %$dest_hosts_ref ) {
|
||||||
for my $interface1 ( keys %$type1ref ) {
|
for my $interface1 ( keys %$type1ref ) {
|
||||||
@ -2025,7 +1945,7 @@ sub generate_matrix() {
|
|||||||
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
|
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
|
||||||
#
|
#
|
||||||
add_jump(
|
add_jump(
|
||||||
source_exclusion( $hostref->{exclusions}, $chain3ref ),
|
$excl3ref ,
|
||||||
dest_exclusion( $host1ref->{exclusions}, $chain ),
|
dest_exclusion( $host1ref->{exclusions}, $chain ),
|
||||||
0,
|
0,
|
||||||
join( '',
|
join( '',
|
||||||
|
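Review bot: `dest_exclusion( $host1ref->{exclusions}, $chain )` is still evaluated inside the innermost loop while the source side was hoisted to `$excl3ref`; each call with a non-empty exclusion list allocates a fresh `excl<N>` chain, so if the same (`$host1ref`, `$chain`) pair is revisited on later `$hostref`/`$net` iterations it gets a duplicate chain with identical RETURN rules. If those pairs do recur per outer iteration, caching the result per chain name outside the `$net` loop would avoid the chain growth. The enclosing loops begin outside the hunk, so the exact iteration structure cannot be confirmed here.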
@ -372,7 +372,6 @@ sub zone_report()
|
|||||||
my $hostref = $zoneref->{hosts};
|
my $hostref = $zoneref->{hosts};
|
||||||
my $type = $zoneref->{type};
|
my $type = $zoneref->{type};
|
||||||
my $optionref = $zoneref->{options};
|
my $optionref = $zoneref->{options};
|
||||||
my $exclusions = $zoneref->{exclusions};
|
|
||||||
|
|
||||||
$type = $ipzone if $type eq 'ip';
|
$type = $ipzone if $type eq 'ip';
|
||||||
|
|
||||||
@ -387,10 +386,11 @@ sub zone_report()
|
|||||||
for my $interface ( sort keys %$interfaceref ) {
|
for my $interface ( sort keys %$interfaceref ) {
|
||||||
my $arrayref = $interfaceref->{$interface};
|
my $arrayref = $interfaceref->{$interface};
|
||||||
for my $groupref ( @$arrayref ) {
|
for my $groupref ( @$arrayref ) {
|
||||||
my $hosts = $groupref->{hosts};
|
my $hosts = $groupref->{hosts};
|
||||||
|
my $exclusions = join ',', @{$groupref->{exclusions}};
|
||||||
if ( $hosts ) {
|
if ( $hosts ) {
|
||||||
my $grouplist = join ',', ( @$hosts );
|
my $grouplist = join ',', ( @$hosts );
|
||||||
$grouplist = join '!', (@{$groupref->{exclusions}}) if @{$groupref->{exclusions}};
|
$grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
progress_message_nocompress " $interface:$grouplist";
|
progress_message_nocompress " $interface:$grouplist";
|
||||||
} else {
|
} else {
|
||||||
@ -447,12 +447,12 @@ sub dump_zone_contents()
|
|||||||
my $arrayref = $interfaceref->{$interface};
|
my $arrayref = $interfaceref->{$interface};
|
||||||
for my $groupref ( @$arrayref ) {
|
for my $groupref ( @$arrayref ) {
|
||||||
my $hosts = $groupref->{hosts};
|
my $hosts = $groupref->{hosts};
|
||||||
my $exclusions = $groupref->{exclusions};
|
my $exclusions = join ',', @{$groupref->{exclusions}};
|
||||||
|
|
||||||
if ( $hosts ) {
|
if ( $hosts ) {
|
||||||
my $grouplist = join ',', ( @$hosts );
|
my $grouplist = join ',', ( @$hosts );
|
||||||
|
|
||||||
$grouplist = join '!', ( @$exclusions ) if @$exclusions;
|
$grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
$entry .= " $interface:$grouplist";
|
$entry .= " $interface:$grouplist";
|
||||||
|