From b75b656b447f2af0ea7d651ef32619635e633f9d Mon Sep 17 00:00:00 2001 From: teastep Date: Sun, 14 Dec 2008 23:58:01 +0000 Subject: [PATCH] Dont combine chains when zone has multiple interfaces git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9059 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Chains.pm | 38 +++++++++++++++++------------- Shorewall-perl/Shorewall/Zones.pm | 5 ++++ 2 files changed, 27 insertions(+), 16 deletions(-) diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 3f11b9872..2ad9593e7 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -541,24 +541,16 @@ sub move_rules( $$ ) { if ( $chain1->{referenced} ) { my @rules = @{$chain1->{rules}}; - my @newrules; - RULE: - for my $rule ( @rules ) { - fatal_error "Internal Error in move_rules()" unless $rule =~ /^-A/; - for ( @{$chain2->{rules}} ) { - next RULE if $rule eq $_; - } - push @newrules, $rule; + for ( @rules ) { + fatal_error "Internal Error in move_rules()" unless /^-A/; } - if ( @newrules ) { - splice @{$chain2->{rules}}, 0, 0, @newrules; + splice @{$chain2->{rules}}, 0, 0, @rules; - $chain2->{referenced} = 1; - $chain1->{referenced} = 0; - $chain1->{rules} = []; - } + $chain2->{referenced} = 1; + $chain1->{referenced} = 0; + $chain1->{rules} = []; } } @@ -598,7 +590,14 @@ sub use_forward_chain($) { # # We must use the interfaces's chain if the interface is associated with multiple zone nets # - $interfaceref->{nets} > 1; + return 1 if $interfaceref->{nets} > 1; + + my $zone = $interfaceref->{zone}; + # + # Interface associated with a single zone -- Must use the interface chain if + # the zone has multiple interfaces + # + return 1 if keys %{ zone_interfaces( $zone ) } > 1; } # 
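Review bot: The rewritten body of move_rules prepends `@rules` into `$chain2` verbatim and no longer skips rules that are textually already present in `$chain2`, but nothing in the hunk says this is deliberate, so the old de-duplication is one well-meaning refactor away from coming back. Since iptables evaluates a chain in order, a rule identical to one elsewhere in `$chain2` is not redundant — dropping it can change which packets reach a later rule — so I would record that above the splice: `# Prepend every rule verbatim. Do not de-duplicate against $chain2: chains are ordered, so a textually identical rule at another position is not redundant.` Note also that `$chain2->{referenced} = 1` and the emptying of `$chain1` now happen even when `@rules` is empty, whereas the old code guarded them with `if ( @newrules )`; presumably intended, but it is a behaviour change the commit title does not mention and deserves a word in the same comment. `sub move_rules` opens before this hunk.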
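Review bot: After the two `return 1 if ...` statements, use_forward_chain now falls off the end of the sub with no explicit return, where the old code ended in the boolean expression `$interfaceref->{nets} > 1;`. Perl returns the value of the last evaluated expression, which here is the false condition of the final postfix `if`, so callers happen to get a false value, but that is relying on statement-modifier semantics rather than stating the result; add `return 0;` as the last statement before the closing brace. Separately, `$interfaceref->{zone}` is passed to `zone_interfaces()` (and so to `find_zone`) without a visible guard; the sibling use_input_chain does `return 0 unless $nets;` before touching the zone, and if the lines of use_forward_chain above this hunk do not already return for an interface with no zone, an undefined zone name would reach `find_zone` here. The sub's opening lines are outside the hunk, so I cannot confirm either way.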
@@ -631,10 +630,17 @@ sub use_input_chain($) { # Don't need it if it isn't associated with any zone # return 0 unless $nets; + + my $zone = $interfaceref->{zone}; + # + # Interface associated with a single zone -- Must use the interface chain if + # the zone has multiple interfaces + # + return 1 if keys %{ zone_interfaces( $zone ) } > 1; # # Interface associated with a single zone -- use the zone's input chain if it has one # - my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}}; + my $chainref = $filter_table->{zone_input_chain $zone}; return 0 if $chainref; # diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm index ff2a4d4ed..719072a6e 100644 --- a/Shorewall-perl/Shorewall/Zones.pm +++ b/Shorewall-perl/Shorewall/Zones.pm @@ -44,6 +44,7 @@ our @EXPORT = qw( NOTHING firewall_zone defined_zone zone_type + zone_interfaces all_zones complex_zones non_firewall_zones @@ -564,6 +565,10 @@ sub zone_type( $ ) { find_zone( $_[0] )->{type}; } +sub zone_interfaces( $ ) { + find_zone( $_[0] )->{interfaces}; +} + sub defined_zone( $ ) { $zones{$_[0]}; }
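Review bot: The multi-interface test and its three-line comment in use_input_chain are a copy of the ones added to use_forward_chain in the previous hunk, so the two chain-selection rules are now expressed twice and will drift apart the next time one of them is adjusted. I would keep the predicate in one place — e.g. a `zone_has_multiple_interfaces( $ )` helper next to `zone_interfaces` in Zones.pm that returns `keys %{ zone_interfaces( $_[0] ) } > 1` — and have both callers read `return 1 if zone_has_multiple_interfaces( $zone );`, with the "why" comment living on the helper. Placing the check ahead of the `zone_input_chain` lookup is what makes a multi-interface zone bypass its shared input chain, which is the intended fix, so a one-line comment saying that ordering matters (`# Must come before the zone input chain test`) would also help. The rest of use_input_chain continues past this hunk.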
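Review bot: The new `zone_interfaces` accessor returns `find_zone( $_[0] )->{interfaces}` with no statement of its contract, and both new callers in Chains.pm immediately dereference the result with `keys %{ ... }`, which under `use strict` dies with "Can't use an undefined value as a HASH reference" if the slot is ever unset for a zone. Whether every zone record is created with an `interfaces` hash is not visible in this hunk, so I would at least document the expectation where the accessor is defined: `# Returns the hash ref of interfaces associated with the named zone. Callers dereference it directly, so every zone record must carry an interfaces hash (find_zone is expected to fail on an unknown zone).` If that invariant does not hold for some zone types, the accessor is the right place to fail loudly with `fatal_error` rather than letting the deref die in the compiler.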