Set caller when possible in policy chains.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
bc882af6c5
commit
c4a2f3d386
@ -2160,8 +2160,9 @@ sub evaluate_expression( $$$ ) {
|
|||||||
# $1 $2 $3 - $4
|
# $1 $2 $3 - $4
|
||||||
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
|
while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
|
||||||
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
my ( $first, $var, $rest ) = ( $1, $3, $4);
|
||||||
$var = numeric_value( $var ) if $var;
|
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||||
$val = $var ? $actparms{$var} : $chain;
|
$val = $var ? $actparms{$var} : $chain;
|
||||||
|
$parmsmodified ||= $var eq 'caller';
|
||||||
$expression = join_parts( $first, $val, $rest );
|
$expression = join_parts( $first, $val, $rest );
|
||||||
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
|
directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
|
||||||
}
|
}
|
||||||
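Review bot: The added `$parmsmodified ||= $var eq 'caller';` carries no explanation of why a plain read of `@caller` marks the action parameters as modified, and the consumer of that flag is outside this hunk. Presumably it is meant to stop the action body from sharing a compiled chain with other callers, since the substituted value is the caller's own chain name; if that is the intent I would say so above the line, e.g. `# A reference to @caller makes this expansion caller-specific, so the action must not share a chain with other callers.` Note also that when `$actparms{caller}` is unset (outside an action body) the undef is passed straight to join_parts, which is the same behaviour as any unknown `@var` before this change. The enclosing `evaluate_expression` starts and ends outside the hunk.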
@ -2281,6 +2282,7 @@ sub process_compiler_directive( $$$$ ) {
|
|||||||
directive_error( "Missing SET expression" , $filename, $linenumber) unless supplied $expression;
|
directive_error( "Missing SET expression" , $filename, $linenumber) unless supplied $expression;
|
||||||
|
|
||||||
if ( ( $1 || '' ) eq '@' ) {
|
if ( ( $1 || '' ) eq '@' ) {
|
||||||
|
$var = $2;
|
||||||
$var = numeric_value( $var ) if $var =~ /^\d/;
|
$var = numeric_value( $var ) if $var =~ /^\d/;
|
||||||
$var = $2 || 'chain';
|
$var = $2 || 'chain';
|
||||||
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
|
||||||
|
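Review bot: As rendered, the added `$var = $2;` and the following `$var = numeric_value( $var ) if $var =~ /^\d/;` are both overwritten two lines later by `$var = $2 || 'chain';`, so the numeric normalisation never reaches the `$actparms{$var}` assignment and `SET @01` would land in a different key from the `@1` that evaluate_expression now normalises. If the page has not reordered the lines, the fix is to normalise after the default is applied: `$var = $2 || 'chain'; $var = numeric_value( $var ) if $var =~ /^\d/;` and drop the bare `$var = $2;`. The enclosing `if` and the rest of process_compiler_directive continue past the hunk, so the later use of `$var` cannot be confirmed here.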
@ -326,12 +326,12 @@ sub print_policy($$$$) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub use_policy_action( $ );
|
sub use_policy_action( $$ );
|
||||||
sub normalize_action( $$$ );
|
sub normalize_action( $$$ );
|
||||||
sub normalize_action_name( $ );
|
sub normalize_action_name( $ );
|
||||||
|
|
||||||
sub process_default_action( $$$$ ) {
|
sub process_default_action( $$$$$ ) {
|
||||||
my ( $originalpolicy, $policy, $default, $level ) = @_;
|
my ( $originalpolicy, $policy, $default, $level, $caller ) = @_;
|
||||||
|
|
||||||
if ( supplied $default ) {
|
if ( supplied $default ) {
|
||||||
my $default_option = ( $policy =~ /_DEFAULT$/ );
|
my $default_option = ( $policy =~ /_DEFAULT$/ );
|
||||||
@ -357,7 +357,7 @@ sub process_default_action( $$$$ ) {
|
|||||||
$default = supplied $param ? normalize_action( $def, $level, $param ) :
|
$default = supplied $param ? normalize_action( $def, $level, $param ) :
|
||||||
$level eq 'none' ? normalize_action_name $def :
|
$level eq 'none' ? normalize_action_name $def :
|
||||||
normalize_action( $def, $level, '' );
|
normalize_action( $def, $level, '' );
|
||||||
use_policy_action( $default );
|
use_policy_action( $default, $caller );
|
||||||
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
|
} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
|
||||||
$default = $def;
|
$default = $def;
|
||||||
$default = "$def($param)" if supplied $param;
|
$default = "$def($param)" if supplied $param;
|
||||||
@ -420,7 +420,9 @@ sub process_a_policy() {
|
|||||||
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
|
fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
|
||||||
}
|
}
|
||||||
|
|
||||||
$default = process_default_action( $originalpolicy, $policy, $default, $level );
|
my $chain = rules_chain( ${client}, ${server} );
|
||||||
|
|
||||||
|
$default = process_default_action( $originalpolicy, $policy, $default, $level, $chain );
|
||||||
|
|
||||||
if ( defined $queue ) {
|
if ( defined $queue ) {
|
||||||
fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
|
fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
|
||||||
@ -442,7 +444,6 @@ sub process_a_policy() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chain = rules_chain( ${client}, ${server} );
|
|
||||||
my $chainref;
|
my $chainref;
|
||||||
|
|
||||||
if ( defined $filter_table->{$chain} ) {
|
if ( defined $filter_table->{$chain} ) {
|
||||||
@ -555,7 +556,7 @@ sub process_policies()
|
|||||||
unless ( $action eq 'none' ) {
|
unless ( $action eq 'none' ) {
|
||||||
my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
|
my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
|
||||||
fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
|
fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
|
||||||
$action = process_default_action( $action, $option, $default, $level );
|
$action = process_default_action( $action, $option, $default, $level, 'POLICY' );
|
||||||
}
|
}
|
||||||
|
|
||||||
$default_actions{$map{$option}} = $action;
|
$default_actions{$map{$option}} = $action;
|
||||||
@ -1604,7 +1605,7 @@ sub process_action($$) {
|
|||||||
|
|
||||||
while ( read_a_line( NORMAL_READ ) ) {
|
while ( read_a_line( NORMAL_READ ) ) {
|
||||||
|
|
||||||
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
|
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper ;
|
||||||
|
|
||||||
if ( $file_format == 1 ) {
|
if ( $file_format == 1 ) {
|
||||||
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
|
($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
|
||||||
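Review bot: On the new side the declaration reads `... $condition, $helper ;` — the closing parenthesis of the `my ( ... )` list is missing, which is a syntax error in process_action. If this is only a rendering artifact it can be ignored; otherwise restore `$helper );`. Nothing else on the line visibly changes, so it is unclear what edit was intended in this hunk. The `while ( read_a_line( NORMAL_READ ) )` body continues beyond the hunk.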
@ -1659,10 +1660,16 @@ sub process_action($$) {
|
|||||||
#
|
#
|
||||||
# Create a policy action if it doesn't already exist
|
# Create a policy action if it doesn't already exist
|
||||||
#
|
#
|
||||||
sub use_policy_action( $ ) {
|
sub use_policy_action( $$ ) {
|
||||||
my $ref = use_action( $_[0] );
|
my $ref = use_action( $_[0] );
|
||||||
|
|
||||||
process_action( $ref, 'POLICY' ) if $ref;
|
if ( $ref ) {
|
||||||
|
process_action( $ref, $_[1] );
|
||||||
|
} else {
|
||||||
|
$ref = $usedactions{$_[0]};
|
||||||
|
}
|
||||||
|
|
||||||
|
$ref;
|
||||||
}
|
}
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
|
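Review bot: The new caller argument `$_[1]` is applied only on the `if ( $ref )` path, where use_action returned a fresh action; in the `else` branch the existing `$usedactions{$_[0]}` entry is returned and the caller supplied by this policy is discarded, so a second policy that shares the same default action would see whatever `@caller` the first one baked in. If use_action already keys its lookup on the caller (or on the parameter-modified state) this is moot, but that cannot be seen here; otherwise either the lookup needs the caller or the comment should state that the first caller wins. The header comment should also document the new parameter: `# $_[1] is the chain (or 'POLICY') invoking the action; it is exposed to the action body as @caller.`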