From 8463d545802a1606bd932683a0068f57cd740b1c Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 10 Apr 2008 23:09:22 +0000 Subject: [PATCH] Fix one bug plus clean up more chain-to-chain jump generation git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8415 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Chains.pm | 16 ++++++++++++---- Shorewall-perl/Shorewall/Policy.pm | 6 +++--- Shorewall-perl/Shorewall/Rules.pm | 18 +++++++++--------- 3 files changed, 24 insertions(+), 16 deletions(-) diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index e661b878a..1e0e244dc 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -493,8 +493,8 @@ sub add_rule($$;$) # # Add a jump from the chain represented by the reference in the first argument to -# the chain named in the second argument. The optional third argument specifies any -# matches to be included in the rule and must end with a space character if it is passed. +# the target in the second argument. The optional third argument specifies any +# matches to be included in the rule and must end with a space character if it is non-null. # sub add_jump( $$;$ ) { @@ -503,14 +503,22 @@ sub add_jump( $$;$ ) { $predicate |= ''; my $toref; - + # + # The second argument may be a scalar (chain name or builtin target) or a chain reference + # if ( reftype $to ) { $toref = $to; $to = $toref->{name}; } else { + # + # Ensure that we have the chain unless it is a builtin like 'ACCEPT' + # $toref = ensure_chain( $fromref->{table} , $to ) unless ($targets{$to} | 0 ) & STANDARD; } - + + # + # If the destination is a chain, mark it referenced + # $toref->{referenced} = 1 if $toref; add_rule ($fromref, join( '', $predicate, "-j $to" ) ); diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index 7e7705f47..081dc0ce5 100644 --- a/Shorewall-perl/Shorewall/Policy.pm 
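Review bot: The added comment says the match string "must end with a space character if it is non-null", but `add_rule ($fromref, join( '', $predicate, "-j $to" ) )` at the bottom of the hunk never enforces that, so a caller that forgets the trailing space emits a fused token of the form `<match>-j <target>` that only fails later, when the generated script is loaded by iptables. Enforcing the contract where the predicate is defaulted costs one line placed right after the default: `$predicate .= ' ' if $predicate ne '' && $predicate !~ /\s\z/;`. That default itself, `$predicate |= '';`, is a bitwise string-OR that happens to return the left operand unchanged; `$predicate ||= '';` says what is meant, and the same coercion trick in `($targets{$to} | 0 ) & STANDARD` would warn on an unknown target if the module enables warnings, so `($targets{$to} || 0)` is the safer spelling. add_jump's signature is in the previous hunk and its closing brace lies past the end of this one.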
+++ b/Shorewall-perl/Shorewall/Policy.pm @@ -352,7 +352,7 @@ sub policy_rules( $$$$$ ) { fatal_error "Null target in policy_rules()" unless $target; $target = 'reject' if $target eq 'REJECT'; - add_rule( $chainref , "-j $target" ) unless $target eq 'CONTINUE'; + add_jump( $chainref , $target ) unless $target eq 'CONTINUE'; } } @@ -378,7 +378,7 @@ sub default_policy( $$$ ) { report_syn_flood_protection; policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST}; } else { - add_rule $chainref, "-j $policyref->{name}"; + add_jump $chainref, $policyref; $chainref = $policyref; } } elsif ( $policy eq 'CONTINUE' ) { @@ -386,7 +386,7 @@ sub default_policy( $$$ ) { policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST}; } else { report_syn_flood_protection if $synparams; - add_rule $chainref , "-j $policyref->{name}"; + add_jump $chainref , $policyref; $chainref = $policyref; } } diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index ba8bdf31f..5dc7fcdb0 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -1480,6 +1480,8 @@ sub generate_matrix() { return $chain if $chainref && $chainref->{referenced}; return 'ACCEPT' if $zone eq $zone1; + fatal_error "Internal Error in rules_target()" unless $chainref; + if ( $chainref->{policy} ne 'CONTINUE' ) { my $policyref = $filter_table->{$chainref->{policychain}}; return $policyref->{name} if $policyref; @@ -1494,9 +1496,7 @@ sub generate_matrix() { # sub create_zone_dyn_chain( $$ ) { my ( $zone , $chainref ) = @_; - my $name = "${zone}_dyn"; - new_standard_chain $name; - add_rule $chainref, "-j $name"; + add_jump $chainref, "${zone}_dyn"; } # 
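Review bot: `add_jump( $chainref , $target )` now routes the lower-cased `reject` target (and any `$default` action name) through add_jump's lookup, so unless `reject` carries the STANDARD flag in `%targets`, add_jump will call ensure_chain on it and mark whatever chain comes back as referenced. If that chain has not been built by the time policy_rules runs, the result would be a jump into an empty, freshly created `reject` chain, i.e. a silent fall-through instead of a reject; this is inferred from the add_jump body elsewhere in the patch, not from anything visible in Policy.pm, so it is worth confirming the build order once. Either way a comment on the assignment would help the next reader: `# 'reject' is a Shorewall chain, not a builtin; add_jump() resolves it and marks it referenced`. policy_rules starts and ends outside this hunk.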
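Review bot: The new `fatal_error "Internal Error in rules_target()" unless $chainref;` gives no hint of which zone pair it failed on, although `$zone`, `$zone1` and `$chain` are all in scope on the lines just above it; `fatal_error "Internal Error in rules_target($zone,$zone1): no chain $chain" unless $chainref;` turns an opaque abort into something a user can actually report. Note also that the intra-zone short-cut `return 'ACCEPT' if $zone eq $zone1;` runs before the new check, so a missing chain for an intra-zone pair is never detected here — presumably intended, but a comment such as `# intra-zone traffic never needs a rules chain at this point` would make that explicit. rules_target is a nested sub of generate_matrix whose opening and closing lines lie outside the hunk.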
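Review bot: `add_jump $chainref, "${zone}_dyn";` replaces the explicit `new_standard_chain` with the lookup add_jump performs through ensure_chain, whose semantics are not visible in this patch: if ensure_chain returns an existing chain instead of refusing a duplicate, a `${zone}_dyn` chain that already exists is now silently reused where the old call may have objected. The chain is also created in `$chainref->{table}` (add_jump uses `$fromref->{table}`), i.e. wherever the caller's chain lives, rather than in the filter table by name — fine as long as every caller passes a filter-table chain, which this hunk cannot confirm. A one-line comment would spare the next reader the search for the vanished `new_standard_chain`: `# the ${zone}_dyn chain is created on demand, and marked referenced, by add_jump()`.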
@@ -1576,8 +1576,7 @@ sub generate_matrix() { my $source_ref = ( $zoneref->{hosts}{ipsec4} ) || {}; if ( $config{DYNAMIC_ZONES} ) { - no warnings; - create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type eq 'ipsec4' ); + create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' ); } for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) { @@ -1597,9 +1596,10 @@ sub generate_matrix() { for my $hostref ( @{$arrayref} ) { my $ipsec_match = match_ipsec_in $zone , $hostref; for my $net ( @{$hostref->{hosts}} ) { - add_rule( + add_jump( $sourcechainref, - join( '', $interfacematch , match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" ) + $frwd_ref, + join( '', $interfacematch , match_source_net( $net ), $ipsec_match ) ); } } @@ -1752,9 +1752,9 @@ sub generate_matrix() { if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) { if ( use_forward_chain $interface ) { - add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" ); + add_jump $filter_table->{forward_chain $interface} , $frwd_ref, join( '', $source, $ipsec_in_match ); } else { - add_rule $filter_table->{FORWARD} , join( '', match_source_dev( $interface ) , $source, $ipsec_in_match. "-j $frwd_ref->{name}" ); + add_jump $filter_table->{FORWARD} , $frwd_ref, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match ); move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref ); } }
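Review bot: `create_zone_dyn_chain $zone, $frwd_ref if ( scalar keys %$source_ref ) || ( $type eq 'ipsec4' );` hands `$frwd_ref` straight to add_jump, which dereferences it as `$fromref->{table}` without a check, while the later hunk in this file guards the same variable with `if ( $frwd_ref && ... )`; if the enclosing loop, which begins before this hunk, can reach this statement with `$frwd_ref` false, the compile would die on an undefined reference rather than with a readable message. If it cannot, say so where the call is made — `# $frwd_ref is always set when this runs; add_jump() dereferences it` — and otherwise prefix the condition with `$frwd_ref &&`. Dropping `no warnings;` looks safe from here, since the hash-in-boolean-context test it silenced is gone and the block closes immediately after the rewritten line.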