Replace canonical_chain by rules_chain
This commit is contained in:
parent
10affb1cde
commit
b662718eec
@ -85,7 +85,7 @@ our %EXPORT_TAGS = (
|
|||||||
decr_cmd_level
|
decr_cmd_level
|
||||||
chain_base
|
chain_base
|
||||||
forward_chain
|
forward_chain
|
||||||
canonical_chain
|
rules_chain
|
||||||
zone_forward_chain
|
zone_forward_chain
|
||||||
use_forward_chain
|
use_forward_chain
|
||||||
input_chain
|
input_chain
|
||||||
@ -673,7 +673,7 @@ sub chain_base($) {
|
|||||||
#
|
#
|
||||||
# Name of canonical chain
|
# Name of canonical chain
|
||||||
#
|
#
|
||||||
sub canonical_chain ($$) {
|
sub rules_chain ($$) {
|
||||||
join "$config{ZONE2ZONE}", @_;
|
join "$config{ZONE2ZONE}", @_;
|
||||||
}
|
}
|
||||||
|
|
||||||
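Review bot: The header comment directly above the renamed sub, `# Name of canonical chain`, still describes `rules_chain` by its old name, so the rename leaves the only documentation of this helper stale. Since the body visibly joins its two arguments with `$config{ZONE2ZONE}`, a comment that matches the new name would be `# Name of the rules chain for a zone pair: <zone1><ZONE2ZONE><zone2>`. The same stale wording is not repeated in the other hunks, which only touch call sites.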
@ -766,7 +766,7 @@ sub use_input_chain($) {
|
|||||||
#
|
#
|
||||||
# Use the '<zone>2fw' chain if it is referenced.
|
# Use the '<zone>2fw' chain if it is referenced.
|
||||||
#
|
#
|
||||||
$chainref = $filter_table->{canonical_chain( $zone, firewall_zone )};
|
$chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
|
||||||
|
|
||||||
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
||||||
}
|
}
|
||||||
@ -810,7 +810,7 @@ sub use_output_chain($) {
|
|||||||
#
|
#
|
||||||
# Use the 'fw2<zone>' chain if it is referenced.
|
# Use the 'fw2<zone>' chain if it is referenced.
|
||||||
#
|
#
|
||||||
$chainref = $filter_table->{canonical_chain( firewall_zone , $interfaceref->{zone} )};
|
$chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
|
||||||
|
|
||||||
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
! ( $chainref->{referenced} || $chainref->{is_policy} )
|
||||||
}
|
}
|
||||||
@ -1182,7 +1182,7 @@ sub finish_section ( $ ) {
|
|||||||
|
|
||||||
for my $zone ( all_zones ) {
|
for my $zone ( all_zones ) {
|
||||||
for my $zone1 ( all_zones ) {
|
for my $zone1 ( all_zones ) {
|
||||||
my $chainref = $chain_table{'filter'}{canonical_chain( $zone, $zone1 )};
|
my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
|
||||||
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
finish_chain_section $chainref, $sections if $chainref->{referenced};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1209,12 +1209,12 @@ sub set_mss( $$$ ) {
|
|||||||
|
|
||||||
for my $z ( all_zones ) {
|
for my $z ( all_zones ) {
|
||||||
if ( $direction eq '_in' ) {
|
if ( $direction eq '_in' ) {
|
||||||
set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
|
set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
|
||||||
} elsif ( $direction eq '_out' ) {
|
} elsif ( $direction eq '_out' ) {
|
||||||
set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
|
set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
|
||||||
} else {
|
} else {
|
||||||
set_mss1 canonical_chain( ${z}, ${zone} ) , $mss;
|
set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
|
||||||
set_mss1 canonical_chain( ${zone}, ${z} ) , $mss;
|
set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
|
|||||||
{
|
{
|
||||||
my ($source, $dest, $policy, $optional) = @_;
|
my ($source, $dest, $policy, $optional) = @_;
|
||||||
|
|
||||||
my $chainref = new_chain( 'filter', canonical_chain( ${source}, ${dest} ) );
|
my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
|
||||||
|
|
||||||
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
|
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
|
||||||
|
|
||||||
@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };
|
|||||||
|
|
||||||
sub add_or_modify_policy_chain( $$ ) {
|
sub add_or_modify_policy_chain( $$ ) {
|
||||||
my ( $zone, $zone1 ) = @_;
|
my ( $zone, $zone1 ) = @_;
|
||||||
my $chain = canonical_chain( ${zone}, ${zone1} );
|
my $chain = rules_chain( ${zone}, ${zone1} );
|
||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain};
|
||||||
|
|
||||||
if ( $chainref ) {
|
if ( $chainref ) {
|
||||||
@ -211,7 +211,7 @@ sub process_a_policy() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chain = canonical_chain( ${client}, ${server} );
|
my $chain = rules_chain( ${client}, ${server} );
|
||||||
my $chainref;
|
my $chainref;
|
||||||
|
|
||||||
if ( defined $filter_table->{$chain} ) {
|
if ( defined $filter_table->{$chain} ) {
|
||||||
@ -252,19 +252,19 @@ sub process_a_policy() {
|
|||||||
if ( $serverwild ) {
|
if ( $serverwild ) {
|
||||||
for my $zone ( @zonelist ) {
|
for my $zone ( @zonelist ) {
|
||||||
for my $zone1 ( @zonelist ) {
|
for my $zone1 ( @zonelist ) {
|
||||||
set_policy_chain $client, $server, canonical_chain( ${zone}, ${zone1} ), $chainref, $policy;
|
set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
|
||||||
print_policy $zone, $zone1, $policy, $chain;
|
print_policy $zone, $zone1, $policy, $chain;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
for my $zone ( all_zones ) {
|
for my $zone ( all_zones ) {
|
||||||
set_policy_chain $client, $server, canonical_chain( ${zone}, ${server} ), $chainref, $policy;
|
set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
|
||||||
print_policy $zone, $server, $policy, $chain;
|
print_policy $zone, $server, $policy, $chain;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} elsif ( $serverwild ) {
|
} elsif ( $serverwild ) {
|
||||||
for my $zone ( @zonelist ) {
|
for my $zone ( @zonelist ) {
|
||||||
set_policy_chain $client, $server, canonical_chain( ${client}, ${zone} ), $chainref, $policy;
|
set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
|
||||||
print_policy $client, $zone, $policy, $chain;
|
print_policy $client, $zone, $policy, $chain;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -334,7 +334,7 @@ sub validate_policy()
|
|||||||
|
|
||||||
for $zone ( all_zones ) {
|
for $zone ( all_zones ) {
|
||||||
for my $zone1 ( all_zones ) {
|
for my $zone1 ( all_zones ) {
|
||||||
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{canonical_chain( ${zone}, ${zone1} )}{policy};
|
fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -418,7 +418,7 @@ sub apply_policy_rules() {
|
|||||||
|
|
||||||
for my $zone ( all_zones ) {
|
for my $zone ( all_zones ) {
|
||||||
for my $zone1 ( all_zones ) {
|
for my $zone1 ( all_zones ) {
|
||||||
my $chainref = $filter_table->{canonical_chain( ${zone}, ${zone1} )};
|
my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
|
||||||
|
|
||||||
if ( $chainref->{referenced} ) {
|
if ( $chainref->{referenced} ) {
|
||||||
run_user_exit $chainref;
|
run_user_exit $chainref;
|
||||||
@ -444,7 +444,7 @@ sub complete_standard_chain ( $$$$ ) {
|
|||||||
|
|
||||||
run_user_exit $stdchainref;
|
run_user_exit $stdchainref;
|
||||||
|
|
||||||
my $ruleschainref = $filter_table->{canonical_chain( ${zone}, ${zone2} ) } || $filter_table->{canonical_chain( 'all', 'all' ) };
|
my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
|
||||||
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
|
||||||
my $policychainref;
|
my $policychainref;
|
||||||
|
|
||||||
|
@ -1132,7 +1132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$chain = canonical_chain( ${sourcezone}, ${destzone} );
|
$chain = rules_chain( ${sourcezone}, ${destzone} );
|
||||||
$chainref = ensure_chain 'filter', $chain;
|
$chainref = ensure_chain 'filter', $chain;
|
||||||
$policy = $chainref->{policy};
|
$policy = $chainref->{policy};
|
||||||
|
|
||||||
@ -1619,7 +1619,7 @@ sub add_interface_jumps {
|
|||||||
# Loopback
|
# Loopback
|
||||||
#
|
#
|
||||||
my $fw = firewall_zone;
|
my $fw = firewall_zone;
|
||||||
my $chainref = $filter_table->{canonical_chain( ${fw}, ${fw} )};
|
my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};
|
||||||
|
|
||||||
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
|
||||||
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
|
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
|
||||||
@ -1643,7 +1643,7 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
sub rules_target( $$ ) {
|
sub rules_target( $$ ) {
|
||||||
my ( $zone, $zone1 ) = @_;
|
my ( $zone, $zone1 ) = @_;
|
||||||
my $chain = canonical_chain( ${zone}, ${zone1} );
|
my $chain = rules_chain( ${zone}, ${zone1} );
|
||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain};
|
||||||
|
|
||||||
return $chain if $chainref && $chainref->{referenced};
|
return $chain if $chainref && $chainref->{referenced};
|
||||||
@ -1776,7 +1776,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( $parenthasnat || $parenthasnotrack ) {
|
if ( $parenthasnat || $parenthasnotrack ) {
|
||||||
for my $zone1 ( all_zones ) {
|
for my $zone1 ( all_zones ) {
|
||||||
if ( $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
|
if ( $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
|
||||||
#
|
#
|
||||||
# This zone has a continue policy to another zone. We must
|
# This zone has a continue policy to another zone. We must
|
||||||
# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
|
# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
|
||||||
@ -1908,7 +1908,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
for my $zone1 ( @zones ) {
|
for my $zone1 ( @zones ) {
|
||||||
my $zone1ref = find_zone( $zone1 );
|
my $zone1ref = find_zone( $zone1 );
|
||||||
my $policy = $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy};
|
my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};
|
||||||
|
|
||||||
next if $policy eq 'NONE';
|
next if $policy eq 'NONE';
|
||||||
|
|
||||||
@ -1958,7 +1958,7 @@ sub generate_matrix() {
|
|||||||
for my $zone1 ( @dest_zones ) {
|
for my $zone1 ( @dest_zones ) {
|
||||||
my $zone1ref = find_zone( $zone1 );
|
my $zone1ref = find_zone( $zone1 );
|
||||||
|
|
||||||
next if $filter_table->{canonical_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
|
next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'NONE';
|
||||||
|
|
||||||
my $chain = rules_target $zone, $zone1;
|
my $chain = rules_target $zone, $zone1;
|
||||||
|
|
||||||
|
@ -83,8 +83,8 @@ sub setup_tunnels() {
|
|||||||
for my $zone ( split_list $gatewayzones, 'zone' ) {
|
for my $zone ( split_list $gatewayzones, 'zone' ) {
|
||||||
my $type = zone_type( $zone );
|
my $type = zone_type( $zone );
|
||||||
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
|
fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
|
||||||
$inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
|
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||||
$outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
|
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||||
|
|
||||||
unless ( $capabilities{POLICY_MATCH} ) {
|
unless ( $capabilities{POLICY_MATCH} ) {
|
||||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||||
@ -239,8 +239,8 @@ sub setup_tunnels() {
|
|||||||
|
|
||||||
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
|
fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
|
||||||
|
|
||||||
my $inchainref = ensure_filter_chain canonical_chain( ${zone}, ${fw} ), 1;
|
my $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||||
my $outchainref = ensure_filter_chain canonical_chain( ${fw}, ${zone} ), 1;
|
my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||||
|
|
||||||
$gateway = ALLIP if $gateway eq '-';
|
$gateway = ALLIP if $gateway eq '-';
|
||||||
|
|
||||||
|