Don't create <zone>_frwd when unnecessary
- Set the zone {complex} flag based on ipsec options rather than the presence of any options. - Generate forwarding blacklist rules in lieu of creating <zone>_frwd Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
b5fdb089bc
commit
e018ee6adc
@ -1861,14 +1861,28 @@ sub generate_matrix() {
|
||||
|
||||
progress_message2 'Generating Rule Matrix...';
|
||||
#
|
||||
# Special processing for complex and blacklisting configurations
|
||||
# Special processing for complex and/or blacklisting configurations
|
||||
#
|
||||
for my $zone ( @zones ) {
|
||||
my $zoneref = find_zone( $zone );
|
||||
|
||||
my $simple = @zones <= 2 && ! $zoneref->{options}{complex};
|
||||
#
|
||||
# Handle blacklisting first
|
||||
#
|
||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||
my $blackref = $filter_table->{blacklst};
|
||||
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
||||
|
||||
if ( $simple ) {
|
||||
for my $zone1 ( @zones ) {
|
||||
my $ruleschain = rules_chain( $zone, $zone1 );
|
||||
my $ruleschainref = $filter_table->{$ruleschain};
|
||||
|
||||
if ( ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( $zoneref->{options}{out}{blacklist} ) {
|
||||
@ -1885,7 +1899,7 @@ sub generate_matrix() {
|
||||
}
|
||||
}
|
||||
|
||||
next if @zones <= 2 && ! $zoneref->{options}{complex};
|
||||
next if $simple;
|
||||
|
||||
#
|
||||
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
|
||||
|
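Review bot: The condition gating the per-chain blacklist jump in the new `$simple` loop short-circuits past the `$ruleschainref &&` guard whenever `$zone ne $zone1`, so `$ruleschainref->{policy}` is then evaluated on an undef reference for any zone pair that has no chain in `$filter_table` yet — under `use warnings` that is a "Use of uninitialized value" warning, the `'NONE'` test is silently bypassed, and the lexical `$ruleschainref` is autovivified to an empty hash. If a missing chain is meant to be created here by `ensure_filter_chain( $ruleschain, 1 )`, make the policy test tolerate undef explicitly: `if ( ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) && ! ( $ruleschainref && $ruleschainref->{policy} eq 'NONE' ) ) {`; if it is not, `next unless $ruleschainref;` at the top of the loop body is the cleaner fix. A one-line comment stating which is intended would help, since in the simple case this jump appears to be the only place blacklisted traffic for `$zone` is diverted to `blacklst` now that no `<zone>_frwd` chain is generated. generate_matrix starts and ends outside this hunk.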
@ -296,7 +296,7 @@ sub initialize( $ ) {
|
||||
# => mss = <MSS setting>
|
||||
# => ipsec = <-m policy arguments to match options>
|
||||
#
|
||||
sub parse_zone_option_list($$)
|
||||
sub parse_zone_option_list($$\$)
|
||||
{
|
||||
my %validoptions = ( mss => NUMERIC,
|
||||
blacklist => NOTHING,
|
||||
@ -316,7 +316,7 @@ sub parse_zone_option_list($$)
|
||||
#
|
||||
my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
|
||||
|
||||
my ( $list, $zonetype ) = @_;
|
||||
my ( $list, $zonetype, $complexref ) = @_;
|
||||
my %h;
|
||||
my $options = '';
|
||||
my $fmt;
|
||||
@ -354,6 +354,7 @@ sub parse_zone_option_list($$)
|
||||
$options .= $invert;
|
||||
$options .= "--$e ";
|
||||
$options .= "$val "if defined $val;
|
||||
$$complexref = 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -439,13 +440,15 @@ sub process_zone( \$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
my $complex = 0;
|
||||
|
||||
my $zoneref = $zones{$zone} = { type => $type,
|
||||
parents => \@parents,
|
||||
bridge => '',
|
||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
||||
complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
|
||||
options => { in_out => parse_zone_option_list( $options , $type, $complex ) ,
|
||||
in => parse_zone_option_list( $in_options , $type , $complex ) ,
|
||||
out => parse_zone_option_list( $out_options , $type , $complex ) ,
|
||||
complex => ( $type == IPSEC || $complex ) ,
|
||||
nested => @parents > 0 ,
|
||||
super => 0 ,
|
||||
} ,
|
||||
|
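Review bot: `complex => ( $type == IPSEC || $complex )` reads `$complex` inside the same anonymous-hash constructor in which the three `parse_zone_option_list` calls set it through the new `\$` prototype, so the flag is right only because Perl evaluates the list left to right and the `complex` entry happens to follow `out`; reordering the keys, or a later edit that builds the `options` hash separately, would silently leave every ipsec-option zone marked simple, and generate_matrix would then skip its forwarding chain. Hoist the three calls above the constructor so the data dependency is explicit (below). The by-reference passing also rests entirely on the prototype: a call compiled before the declaration, or written as `&parse_zone_option_list(...)`, would pass `$complex` by value and `$$complexref = 1` would die under strict refs (assuming the module runs under `use strict`), so a short comment at the declaration, `# set by reference via the \$ prototype when an ipsec option is seen`, is worth adding. Dropping the `|| ''` defaults is only safe if `$options`, `$in_options` and `$out_options` are always defined here, which the old `ne '-'` tests suggest but this hunk does not show. process_zone starts and ends outside this hunk.
```perl
	my $complex = 0;
	#
	# parse_zone_option_list() sets $complex (passed by reference via its \$
	# prototype) when an ipsec policy-match option is present in any list.
	#
	my $in_out_opts = parse_zone_option_list( $options ,     $type , $complex );
	my $in_opts     = parse_zone_option_list( $in_options ,  $type , $complex );
	my $out_opts    = parse_zone_option_list( $out_options , $type , $complex );

	my $zoneref = $zones{$zone} = { type    => $type,
					parents => \@parents,
					bridge  => '',
					options => { in_out  => $in_out_opts ,
						     in      => $in_opts ,
						     out     => $out_opts ,
						     complex => ( $type == IPSEC || $complex ) ,
						     # … unchanged: nested, super …
```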