Fix nested zones
parent
bdb34caf5c
commit
c72a290e3f
@ -1578,6 +1578,9 @@ sub process_rules() {
|
|||||||
# Add jumps from the builtin chains to the interface-chains that are used by this configuration
|
# Add jumps from the builtin chains to the interface-chains that are used by this configuration
|
||||||
#
|
#
|
||||||
sub add_interface_jumps {
|
sub add_interface_jumps {
|
||||||
|
our %input_jump_added;
|
||||||
|
our %output_jump_added;
|
||||||
|
our %forward_jump_added;
|
||||||
#
|
#
|
||||||
# Add Nat jumps
|
# Add Nat jumps
|
||||||
#
|
#
|
||||||
@ -1598,10 +1601,10 @@ sub add_interface_jumps {
|
|||||||
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
||||||
#
|
#
|
||||||
for my $interface ( @_ ) {
|
for my $interface ( @_ ) {
|
||||||
add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface;
|
add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
|
||||||
add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain $interface;
|
add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface;
|
||||||
|
|
||||||
if ( use_output_chain $interface ) {
|
unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
|
||||||
add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
|
add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -1668,6 +1671,9 @@ sub generate_matrix() {
|
|||||||
my $notrackref = $raw_table->{notrack_chain $fw};
|
my $notrackref = $raw_table->{notrack_chain $fw};
|
||||||
my @zones = non_firewall_zones;
|
my @zones = non_firewall_zones;
|
||||||
my $interface_jumps_added = 0;
|
my $interface_jumps_added = 0;
|
||||||
|
our %input_jump_added = ();
|
||||||
|
our %output_jump_added = ();
|
||||||
|
our %forward_jump_added = ();
|
||||||
|
|
||||||
#
|
#
|
||||||
# Special processing for complex configurations
|
# Special processing for complex configurations
|
||||||
@ -1689,6 +1695,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( use_forward_chain( $interface ) ) {
|
if ( use_forward_chain( $interface ) ) {
|
||||||
$sourcechainref = $filter_table->{forward_chain $interface};
|
$sourcechainref = $filter_table->{forward_chain $interface};
|
||||||
|
add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||||
} else {
|
} else {
|
||||||
$sourcechainref = $filter_table->{FORWARD};
|
$sourcechainref = $filter_table->{FORWARD};
|
||||||
$interfacematch = match_source_dev $interface;
|
$interfacematch = match_source_dev $interface;
|
||||||
@ -1800,6 +1807,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( use_output_chain $interface ) {
|
if ( use_output_chain $interface ) {
|
||||||
$outputref = $filter_table->{output_chain $interface};
|
$outputref = $filter_table->{output_chain $interface};
|
||||||
|
add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
|
||||||
} else {
|
} else {
|
||||||
$outputref = $filter_table->{OUTPUT};
|
$outputref = $filter_table->{OUTPUT};
|
||||||
$interfacematch = match_dest_dev $interface;
|
$interfacematch = match_dest_dev $interface;
|
||||||
@ -1848,6 +1856,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( use_input_chain $interface ) {
|
if ( use_input_chain $interface ) {
|
||||||
$inputchainref = $filter_table->{input_chain $interface};
|
$inputchainref = $filter_table->{input_chain $interface};
|
||||||
|
add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
|
||||||
} else {
|
} else {
|
||||||
$inputchainref = $filter_table->{INPUT};
|
$inputchainref = $filter_table->{INPUT};
|
||||||
$interfacematch = match_source_dev $interface;
|
$interfacematch = match_source_dev $interface;
|
||||||
@ -1861,7 +1870,9 @@ sub generate_matrix() {
|
|||||||
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
|
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
|
||||||
my $ref = source_exclusion( $exclusions, $frwd_ref );
|
my $ref = source_exclusion( $exclusions, $frwd_ref );
|
||||||
if ( use_forward_chain $interface ) {
|
if ( use_forward_chain $interface ) {
|
||||||
add_jump $filter_table->{forward_chain $interface} , $ref, 0, join( '', $source, $ipsec_in_match );
|
my $forwardref = $filter_table->{forward_chain $interface};
|
||||||
|
add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
|
||||||
|
add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||||
} else {
|
} else {
|
||||||
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
|
add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
|
||||||
move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
|
move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
|
||||||
@ -1980,6 +1991,7 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
if ( use_forward_chain $interface ) {
|
if ( use_forward_chain $interface ) {
|
||||||
$chain3ref = $filter_table->{forward_chain $interface};
|
$chain3ref = $filter_table->{forward_chain $interface};
|
||||||
|
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||||
} else {
|
} else {
|
||||||
$chain3ref = $filter_table->{FORWARD};
|
$chain3ref = $filter_table->{FORWARD};
|
||||||
$match_source_dev = match_source_dev $interface;
|
$match_source_dev = match_source_dev $interface;
|
||||||
|
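Review bot: The three guards added to add_interface_jumps (`unless $forward_jump_added{$interface} || ! use_forward_chain $interface` and its INPUT/OUTPUT twins) read the %*_jump_added hashes but never set them, so a jump emitted here stays invisible to the `unless $..._jump_added{$interface}++` guards added in generate_matrix, and if add_interface_jumps runs before those per-zone loops, or is handed the same interface twice, the builtin-chain jump is emitted a second time. Marking on both paths keeps the bookkeeping symmetric, e.g. `add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain( $interface ) && ! $forward_jump_added{$interface}++;` and `add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain( $interface ) && ! $input_jump_added{$interface}++;`, with the OUTPUT block marking only when its inner add_jump actually fires (the 'port' case adds nothing and should not be recorded). Whether the duplicate can actually occur depends on the call order between add_interface_jumps and the generate_matrix loops, which is outside these hunks, so it needs confirming against the caller. Separately, the three hashes are declared with `our` independently in each sub; one file-scope declaration with a comment such as `# Interfaces whose builtin-chain -> interface-chain jump has already been emitted` would make the shared state explicit. Both add_interface_jumps and generate_matrix continue outside the visible hunks.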
@ -4,6 +4,8 @@ Changes in Shorewall 4.4.2.3
|
|||||||
|
|
||||||
2) Only detect IP configuration when needed.
|
2) Only detect IP configuration when needed.
|
||||||
|
|
||||||
|
3) Fix nested zones.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.2.2
|
Changes in Shorewall 4.4.2.2
|
||||||
|
|
||||||
1) Another fix for 'routeback' in routestopped.
|
1) Another fix for 'routeback' in routestopped.
|
||||||
|
@ -183,6 +183,9 @@ Shorewall 4.4.2 Patch Release 3.
|
|||||||
variables are only set when their values are needed to correctly
|
variables are only set when their values are needed to correctly
|
||||||
execute the specified command.
|
execute the specified command.
|
||||||
|
|
||||||
|
3) Nested zones did not work correctly in some cases where the parent
|
||||||
|
zone was defined with a wild-card interface name (one ending in '+').
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 . 2
|
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 . 2
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
|