forked from extern/shorewall_code
Dont combine chains when zone has multiple interfaces
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9059 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
0d6c4309da
commit
b75b656b44
@ -541,24 +541,16 @@ sub move_rules( $$ ) {
|
|||||||
|
|
||||||
if ( $chain1->{referenced} ) {
|
if ( $chain1->{referenced} ) {
|
||||||
my @rules = @{$chain1->{rules}};
|
my @rules = @{$chain1->{rules}};
|
||||||
my @newrules;
|
|
||||||
|
|
||||||
RULE:
|
for ( @rules ) {
|
||||||
for my $rule ( @rules ) {
|
fatal_error "Internal Error in move_rules()" unless /^-A/;
|
||||||
fatal_error "Internal Error in move_rules()" unless $rule =~ /^-A/;
|
|
||||||
for ( @{$chain2->{rules}} ) {
|
|
||||||
next RULE if $rule eq $_;
|
|
||||||
}
|
|
||||||
push @newrules, $rule;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( @newrules ) {
|
splice @{$chain2->{rules}}, 0, 0, @rules;
|
||||||
splice @{$chain2->{rules}}, 0, 0, @newrules;
|
|
||||||
|
|
||||||
$chain2->{referenced} = 1;
|
$chain2->{referenced} = 1;
|
||||||
$chain1->{referenced} = 0;
|
$chain1->{referenced} = 0;
|
||||||
$chain1->{rules} = [];
|
$chain1->{rules} = [];
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -598,7 +590,14 @@ sub use_forward_chain($) {
|
|||||||
#
|
#
|
||||||
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
# We must use the interfaces's chain if the interface is associated with multiple zone nets
|
||||||
#
|
#
|
||||||
$interfaceref->{nets} > 1;
|
return 1 if $interfaceref->{nets} > 1;
|
||||||
|
|
||||||
|
my $zone = $interfaceref->{zone};
|
||||||
|
#
|
||||||
|
# Interface associated with a single zone -- Must use the interface chain if
|
||||||
|
# the zone has multiple interfaces
|
||||||
|
#
|
||||||
|
return 1 if keys %{ zone_interfaces( $zone ) } > 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -631,10 +630,17 @@ sub use_input_chain($) {
|
|||||||
# Don't need it if it isn't associated with any zone
|
# Don't need it if it isn't associated with any zone
|
||||||
#
|
#
|
||||||
return 0 unless $nets;
|
return 0 unless $nets;
|
||||||
|
|
||||||
|
my $zone = $interfaceref->{zone};
|
||||||
|
#
|
||||||
|
# Interface associated with a single zone -- Must use the interface chain if
|
||||||
|
# the zone has multiple interfaces
|
||||||
|
#
|
||||||
|
return 1 if keys %{ zone_interfaces( $zone ) } > 1;
|
||||||
#
|
#
|
||||||
# Interface associated with a single zone -- use the zone's input chain if it has one
|
# Interface associated with a single zone -- use the zone's input chain if it has one
|
||||||
#
|
#
|
||||||
my $chainref = $filter_table->{zone_input_chain $interfaceref->{zone}};
|
my $chainref = $filter_table->{zone_input_chain $zone};
|
||||||
|
|
||||||
return 0 if $chainref;
|
return 0 if $chainref;
|
||||||
#
|
#
|
||||||
|
@ -44,6 +44,7 @@ our @EXPORT = qw( NOTHING
|
|||||||
firewall_zone
|
firewall_zone
|
||||||
defined_zone
|
defined_zone
|
||||||
zone_type
|
zone_type
|
||||||
|
zone_interfaces
|
||||||
all_zones
|
all_zones
|
||||||
complex_zones
|
complex_zones
|
||||||
non_firewall_zones
|
non_firewall_zones
|
||||||
@ -564,6 +565,10 @@ sub zone_type( $ ) {
|
|||||||
find_zone( $_[0] )->{type};
|
find_zone( $_[0] )->{type};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub zone_interfaces( $ ) {
|
||||||
|
find_zone( $_[0] )->{interfaces};
|
||||||
|
}
|
||||||
|
|
||||||
sub defined_zone( $ ) {
|
sub defined_zone( $ ) {
|
||||||
$zones{$_[0]};
|
$zones{$_[0]};
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user