holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Clean up a remaining issue with SAME

Browse Source
This commit is contained in:
Tom Eastep 2010-09-11 15:24:01 -07:00
parent f004916055
commit c6c6503d83
3 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -68,6 +68,7 @@ our %EXPORT_TAGS = (
SET SET
NO_RESTRICT NO_RESTRICT
PREROUTE_RESTRICT PREROUTE_RESTRICT
PREROUTE_DISALLOW
INPUT_RESTRICT INPUT_RESTRICT
OUTPUT_RESTRICT OUTPUT_RESTRICT
POSTROUTE_RESTRICT POSTROUTE_RESTRICT
@ -263,7 +264,8 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and
INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed INPUT_RESTRICT => 4, # INPUT chain rule - -o not allowed
OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed OUTPUT_RESTRICT => 8, # OUTPUT chain rule - -i not allowed
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed ALL_RESTRICT => 12, # fw->fw rule - neither -i nor -o allowed
PREROUTE_DISALLOW => 32, # Don't allow dest interface
}; };
our $iprangematch; our $iprangematch;
@ -3170,6 +3172,7 @@ sub expand_rule( $$$$$$$$$$;$ )
my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ); my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl );
my $chain = $chainref->{name}; my $chain = $chainref->{name};
my $table = $chainref->{table};
my $jump = $target ? '-j ' . $target : ''; my $jump = $target ? '-j ' . $target : '';
our @ends = (); our @ends = ();
@ -3259,7 +3262,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface ); fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
if ( $chainref->{table} eq 'nat' ) { if ( $table eq 'nat' ) {
warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++; warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
} else { } else {
warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++; warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
@ -3347,14 +3350,14 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Dest interface -- must use routing table # Dest interface -- must use routing table
# #
fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $chainref->{table} eq 'mangle'; fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & PREROUTE_DISALLOW;
fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface ); fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' ); push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
$rule .= '-d $dest '; $rule .= '-d $dest ';
} else { } else {
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT; fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & OUTPUT_RESTRICT && $chainref->{table} eq 'mangle'; fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & PREROUTE_DISALLOW;
if ( $iiface ) { if ( $iiface ) {
my $bridge = port_to_bridge( $diface ); my $bridge = port_to_bridge( $diface );
@ -3494,7 +3497,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# We can't use an exclusion chain -- we mark those packets to be excluded and then condition the rules generated in the block below on the mark value # We can't use an exclusion chain -- we mark those packets to be excluded and then condition the rules generated in the block below on the mark value
# #
require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' unless $chainref->{table} eq 'mangle'; require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' unless $table eq 'mangle';
require_capability 'KLUDGEFREE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' if $rule =~ / -m mark /; require_capability 'KLUDGEFREE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' if $rule =~ / -m mark /;
# #
# Clear the exclusion bit # Clear the exclusion bit
@ -3518,7 +3521,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
my $echain = newexclusionchain; my $echain = newexclusionchain;
my $echainref = new_chain $chainref->{table}, $echain; my $echainref = new_chain $table, $echain;
# #
# Use the current rule and send all possible matches to the exclusion chain # Use the current rule and send all possible matches to the exclusion chain
# #
@ -3633,7 +3636,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# Mark Target as referenced, if it's a chain # Mark Target as referenced, if it's a chain
# #
if ( $fromref && $target ) { if ( $fromref && $target ) {
my $targetref = $chain_table{$chainref->{table}}{$target}; my $targetref = $chain_table{$table}{$target};
if ( $targetref ) { if ( $targetref ) {
$targetref->{referenced} = 1; $targetref->{referenced} = 1;
add_reference $fromref, $targetref; add_reference $fromref, $targetref;

2
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -1002,6 +1002,7 @@ sub handle_stickiness( $ ) {
} else { } else {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/; $rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
$rule2 = '';
} }
assert ( $rule1 =~ s/^-A // ); assert ( $rule1 =~ s/^-A // );
@ -1031,7 +1032,6 @@ sub handle_stickiness( $ ) {
} }
$rule1 =~ s/-A //; $rule1 =~ s/-A //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {

5
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -269,6 +269,8 @@ sub process_tc_rule( ) {
$list = ''; $list = '';
my $restriction = 0;
unless ( $classid ) { unless ( $classid ) {
MARK: MARK:
{ {
@ -292,6 +294,7 @@ sub process_tc_rule( ) {
$target = 'sticko'; $target = 'sticko';
} else { } else {
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre'; fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
$restriction = PREROUTE_DISALLOW;
} }
ensure_mangle_chain($target); ensure_mangle_chain($target);
@ -401,7 +404,7 @@ sub process_tc_rule( ) {
} }
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} , $restrictions{$chain} | $restriction,
do_proto( $proto, $ports, $sports) . do_proto( $proto, $ports, $sports) .
do_user( $user ) . do_user( $user ) .
do_test( $testval, $globals{TC_MASK} ) . do_test( $testval, $globals{TC_MASK} ) .