Handle exclusion correctly when DEFER_DNS_RESOLUTION=No

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-01-18 12:09:54 -08:00
parent e76c0c8187
commit 8ccd1ab52b
2 changed files with 52 additions and 41 deletions


@ -3716,6 +3716,8 @@ sub source_exclusion( $$ ) {
reftype $target ? $chainref : $chainref->{name};
}
sub split_host_list( $;$ );
sub source_iexclusion( $$$$$;@ ) {
my $chainref = shift;
my $jump = shift;
@ -5009,8 +5011,6 @@ sub load_isocodes() {
$isocodes{substr(basename($_),0,2)} = 1 for @codes;
}
sub split_host_list( $;$ );
#
# Match a Source.
#
@ -5607,19 +5607,30 @@ sub split_host_list( $;$ ) {
unless ( $config{DEFER_DNS_RESOLUTION} ) {
my @result1;
for ( @result ) {
if ( m|[-\+\[~/^&]| ) {
push @result1, $_;
} elsif ( /^.+\..+\./ ) {
/^(!)?(.*)$/;
if ( valid_address( $2 ) ) {
push @result1, $_;
for my $element ( @result ) {
my @list = split '!', $element, 3;
fatal_error "Invalid host list ($input)" if @list > 2;
my @pair;
for ( @list ) {
unless ( supplied $_ ) {
push @pair, '';
} elsif ( m|[-\+\[~/^&]| ) {
push @pair, $_;
} elsif ( /^.+\..+\./ ) {
if ( valid_address( $_ ) ) {
push @pair, $_
} else {
push @pair, resolve_dnsname( $2 );
}
} else {
push @result1, resolve_dnsname( $_ );
push @pair, $_;
}
} else {
push @result1, $_;
}
push @result1 , supplied $pair[1] ? join( '!', @pair ) : $pair[0] ;
}
return @result1;
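Review bot: In the rewritten inner loop the fallback branch calls `resolve_dnsname( $2 )`, but the new code no longer runs the `/^(!)?(.*)$/` match that used to set `$2`; the last successful match on that path is `/^.+\..+\./`, which has no capture groups, so `$2` is presumably undefined when the call is made. Because `split '!'` has already separated the exclusion marker from the name, the line should read `push @pair, resolve_dnsname( $_ );`. As written, a DNS name in a host list with DEFER_DNS_RESOLUTION=No would not be resolved to the host the administrator named, and these lists feed the source and destination matches of the generated ruleset. A comment above `join( '!', @pair )` should also state whether resolve_dnsname can return more than one address, since extra elements in `@pair` would change what `$pair[1]` and the join produce. The body of split_host_list starts and ends outside the hunk.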


@ -2028,34 +2028,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
# We can now dispense with the postfix character
#
fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
#
# Handle actions
#
if ( $actiontype & ACTION ) {
#
# Create the action:level:tag:param tuple.
#
$normalized_target = normalize_action( $basictarget, $loglevel, $param );
fatal_error( "Action $basictarget invoked Recursively (" . join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
if ( my $ref = use_action( $normalized_target ) ) {
#
# First reference to this tuple
#
process_action( $ref );
#
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
#
# - Refresh $actiontype
# - Create the associated nat and/or table chain if appropriate.
#
ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
}
$action = $basictarget; # Remove params, if any, from $action.
} else {
unless ( $actiontype & ( ACTION | INLINE) ) {
#
# Catch empty parameter list
#
@ -2299,8 +2273,34 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
}
}
}
#
# Handle actions
#
if ( $actiontype & ACTION ) {
#
# Create the action:level:tag:param tuple.
#
$normalized_target = normalize_action( $basictarget, $loglevel, $param );
if ( $actiontype & INLINE ) {
fatal_error( "Action $basictarget invoked Recursively (" . join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
if ( my $ref = use_action( $normalized_target ) ) {
#
# First reference to this tuple
#
process_action( $ref );
#
# Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
#
# - Refresh $actiontype
# - Create the associated nat and/or table chain if appropriate.
#
ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
}
$action = $basictarget; # Remove params, if any, from $action.
} elsif ( $actiontype & INLINE ) {
#
# process_inline() will call process_rule1() recursively for each rule in the macro body
#