Remove some optimizations that break without the KLUDGEFREE capability; remove an image of the config file entry from some error messages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6363 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-05-15 20:04:34 +00:00
parent 736c41a507
commit c05903e2e2


@ -893,12 +893,12 @@ sub do_proto( $$$ )
$ports = 'ipp2p' unless $ports; $ports = 'ipp2p' unless $ports;
$output .= "-p $proto -m ipp2p --$ports "; $output .= "-p $proto -m ipp2p --$ports ";
} else { } else {
fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto, rule \"$line\"" if $ports ne '' || $sports ne ''; fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $proto" if $ports ne '' || $sports ne '';
$proto = validate_proto $proto; $proto = validate_proto $proto;
$output .= "-p $proto "; $output .= "-p $proto ";
} }
} elsif ( $ports ne '' || $sports ne '' ) { } elsif ( $ports ne '' || $sports ne '' ) {
fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO, rule \"$line\"" fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO"
} }
$output; $output;
@ -1365,9 +1365,10 @@ sub expand_rule( $$$$$$$$$$ )
if ( $loglevel =~ /^none!?$/i ) { if ( $loglevel =~ /^none!?$/i ) {
return if $disposition eq 'LOG'; return if $disposition eq 'LOG';
$loglevel = $logtag = ''; $loglevel = $logtag = '';
} } else {
$loglevel = validate_level( $loglevel ); $loglevel = validate_level( $loglevel );
$logtag = '' unless defined $logtag;
}
} elsif ( $disposition eq 'LOG' ) { } elsif ( $disposition eq 'LOG' ) {
fatal_error "LOG requires a level"; fatal_error "LOG requires a level";
} }
@ -1390,10 +1391,10 @@ sub expand_rule( $$$$$$$$$$ )
} }
# #
# Verify Inteface, if any # Verify Interface, if any
# #
if ( $iiface ) { if ( $iiface ) {
fatal_error "Unknown Interface ($iiface): \"$line\"" unless known_interface $iiface; fatal_error "Unknown Interface ($iiface)" unless known_interface $iiface;
if ( $restriction & POSTROUTE_RESTRICT ) { if ( $restriction & POSTROUTE_RESTRICT ) {
# #
@ -1409,7 +1410,7 @@ sub expand_rule( $$$$$$$$$$ )
# #
$chainref->{loopcount}++; $chainref->{loopcount}++;
} else { } else {
fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line" fatal_error "Source Interface ($iiface) not allowed when the source zone is $firewall_zone"
if $restriction & OUTPUT_RESTRICT; if $restriction & OUTPUT_RESTRICT;
$rule .= "-i $iiface "; $rule .= "-i $iiface ";
} }
@ -1459,7 +1460,7 @@ sub expand_rule( $$$$$$$$$$ )
# Verify Destination Interface, if any # Verify Destination Interface, if any
# #
if ( $diface ) { if ( $diface ) {
fatal_error "Unknown Interface ($diface) in rule \"$line\"" unless known_interface $diface; fatal_error "Unknown Interface ($diface)" unless known_interface $diface;
if ( $restriction & PREROUTE_RESTRICT ) { if ( $restriction & PREROUTE_RESTRICT ) {
# #
@ -1469,7 +1470,7 @@ sub expand_rule( $$$$$$$$$$ )
$rule .= '-d $dest'; $rule .= '-d $dest';
$chainref->{loopcount}++; $chainref->{loopcount}++;
} else { } else {
fatal_error "Destination Interface ( $diface ) not allowed when the destination zone is $firewall_zone: $line" fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone"
if $restriction & INPUT_RESTRICT; if $restriction & INPUT_RESTRICT;
$rule .= "-o $diface "; $rule .= "-o $diface ";
} }
@ -1593,9 +1594,11 @@ sub expand_rule( $$$$$$$$$$ )
for my $onet ( mysplit $onets ) { for my $onet ( mysplit $onets ) {
$onet = match_orig_dest $onet; $onet = match_orig_dest $onet;
for my $inet ( mysplit $inets ) { for my $inet ( mysplit $inets ) {
$inet = match_source_net $inet;
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
add_rule $chainref, join( '', $rule, $inet, match_dest_net( $dnet ), $onet, "-j $echain" ); #
# We defer evaluating the source net match to accomodate system without $capabilities{KLUDGEFREE}
#
add_rule $chainref, join( '', $rule, match_source_net( $inet), match_dest_net( $dnet ), $onet, "-j $echain" );
} }
} }
} }
@ -1640,7 +1643,9 @@ sub expand_rule( $$$$$$$$$$ )
for my $onet ( mysplit $onets ) { for my $onet ( mysplit $onets ) {
$onet = match_orig_dest $onet; $onet = match_orig_dest $onet;
for my $inet ( mysplit $inets ) { for my $inet ( mysplit $inets ) {
$inet = match_source_net $inet; #
# We defer evaluating the source net match to accomodate system without $capabilities{KLUDGEFREE}
#
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
if ( $loglevel ne '' ) { if ( $loglevel ne '' ) {
log_rule_limit log_rule_limit
@ -1651,13 +1656,13 @@ sub expand_rule( $$$$$$$$$$ )
'' , '' ,
$logtag , $logtag ,
'add' , 'add' ,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet ); join( '', $rule, match_source_net( $inet) , match_dest_net( $dnet ), $onet );
} }
unless ( $disposition eq 'LOG' ) { unless ( $disposition eq 'LOG' ) {
add_rule add_rule
$chainref, $chainref,
join( '', $rule, $inet, match_dest_net( $dnet ), $onet, $target ); join( '', $rule, match_source_net ($inet), match_dest_net( $dnet ), $onet, $target );
} }
} }
} }