forked from extern/shorewall_code
Correct handling of 'complex' zones
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@772 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
20a23dc925
commit
bb55ad3128
@ -9,3 +9,5 @@ Changes since 1.4.7
|
||||
3) Fix error handling after "Unable to determine the routes..."
|
||||
|
||||
4) Corrected handling of LOGUNCLEAN.
|
||||
|
||||
5) Corrected handling of "complex" zones.
|
||||
|
@ -2315,6 +2315,26 @@ add_a_rule()
|
||||
{
|
||||
local natrule=
|
||||
|
||||
do_ports() {
|
||||
if [ -n "$port" ]; then
|
||||
dports="--dport"
|
||||
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
dports="--dports"
|
||||
fi
|
||||
dports="$dports $port"
|
||||
fi
|
||||
|
||||
if [ -n "$cport" ]; then
|
||||
sports="--sport"
|
||||
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
sports="--sports"
|
||||
fi
|
||||
sports="$sports $cport"
|
||||
fi
|
||||
}
|
||||
|
||||
# Set source variables. The 'cli' variable will hold the client match predicate(s).
|
||||
|
||||
cli=
|
||||
@ -2369,24 +2389,11 @@ add_a_rule()
|
||||
[ x$cport = x- ] && cport=
|
||||
|
||||
case $proto in
|
||||
tcp|udp|TCP|UDP|6|17)
|
||||
if [ -n "$port" ]; then
|
||||
dports="--dport"
|
||||
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
dports="--dports"
|
||||
fi
|
||||
dports="$dports $port"
|
||||
fi
|
||||
|
||||
if [ -n "$cport" ]; then
|
||||
sports="--sport"
|
||||
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
|
||||
multiport="$multioption"
|
||||
sports="--sports"
|
||||
fi
|
||||
sports="$sports $cport"
|
||||
fi
|
||||
tcp|TCP|6)
|
||||
do_ports
|
||||
;;
|
||||
udp|UDP|17)
|
||||
do_ports
|
||||
;;
|
||||
icmp|ICMP|1)
|
||||
[ -n "$port" ] && dports="--icmp-type $port"
|
||||
@ -4385,6 +4392,7 @@ activate_rules()
|
||||
|
||||
[ -n "$complex" ] && \
|
||||
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
|
||||
|
||||
done
|
||||
|
||||
for zone1 in $zones; do
|
||||
@ -4405,14 +4413,24 @@ activate_rules()
|
||||
routeback=
|
||||
fi
|
||||
|
||||
if [ -n "$complex" ]; then
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
if list_search $host1 $source_hosts && ! list_search $host1 $routeback; then
|
||||
if [ `list_count $source_hosts` -gt 1 ]; then
|
||||
run_iptables -A $frwd_chain -s ! $subnet1 -o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
else
|
||||
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
done
|
||||
else
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
|
||||
if [ -n "$complex" ]; then
|
||||
chain1=$frwd_chain
|
||||
else
|
||||
chain1=`forward_chain $interface`
|
||||
fi
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
@ -4423,6 +4441,7 @@ activate_rules()
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
|
@ -26,6 +26,13 @@ Problems Corrected since version 1.4.6:
|
||||
4) Handling of the LOGUNCLEAN option in shorewall.conf has been
|
||||
corrected.
|
||||
|
||||
5) In Shorewall 1.4.2, an optimization was added. This optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant
|
||||
rules and that the "optimization" turns out to be less than
|
||||
optimal. The implementation has now been corrected.
|
||||
|
||||
Migration Issues:
|
||||
|
||||
None.
|
||||
|
Loading…
Reference in New Issue
Block a user