Don't create <zone>_frwd when unnecessary
- Set the zone {complex} flag based on ipsec options rather than the presence of any options. - Generate forwarding blacklist rules in lieu of creating <zone>_frwd Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
b5fdb089bc
commit
e018ee6adc
@ -1861,14 +1861,28 @@ sub generate_matrix() {
|
|||||||
|
|
||||||
progress_message2 'Generating Rule Matrix...';
|
progress_message2 'Generating Rule Matrix...';
|
||||||
#
|
#
|
||||||
# Special processing for complex and blacklisting configurations
|
# Special processing for complex and/or blacklisting configurations
|
||||||
#
|
#
|
||||||
for my $zone ( @zones ) {
|
for my $zone ( @zones ) {
|
||||||
my $zoneref = find_zone( $zone );
|
my $zoneref = find_zone( $zone );
|
||||||
|
my $simple = @zones <= 2 && ! $zoneref->{options}{complex};
|
||||||
|
#
|
||||||
|
# Handle blacklisting first
|
||||||
|
#
|
||||||
if ( $zoneref->{options}{in}{blacklist} ) {
|
if ( $zoneref->{options}{in}{blacklist} ) {
|
||||||
my $blackref = $filter_table->{blacklst};
|
my $blackref = $filter_table->{blacklst};
|
||||||
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
|
||||||
|
|
||||||
|
if ( $simple ) {
|
||||||
|
for my $zone1 ( @zones ) {
|
||||||
|
my $ruleschain = rules_chain( $zone, $zone1 );
|
||||||
|
my $ruleschainref = $filter_table->{$ruleschain};
|
||||||
|
|
||||||
|
if ( ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) && $ruleschainref->{policy} ne 'NONE' ) {
|
||||||
|
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $zoneref->{options}{out}{blacklist} ) {
|
if ( $zoneref->{options}{out}{blacklist} ) {
|
||||||
@ -1885,7 +1899,7 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
next if @zones <= 2 && ! $zoneref->{options}{complex};
|
next if $simple;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
|
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
|
||||||
|
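Review bot: The policy test `$ruleschainref->{policy} ne 'NONE'` in the new `$simple` loop is evaluated for every `$zone1` other than `$zone`, but only the `referenced` test is guarded by `$ruleschainref &&`; when no rules chain exists yet for that pair the rvalue dereference autovivifies the lexical, `ne` warns about an uninitialized value, the comparison succeeds, and `ensure_filter_chain` materialises a rules chain whose only content is the blacklist jump. If on-demand creation is intended, say so in a comment; otherwise guard uniformly with `next unless $ruleschainref && $ruleschainref->{policy} ne 'NONE';` and `next unless $zone ne $zone1 || $ruleschainref->{referenced};` ahead of the `add_jump`. The loop also walks all of `@zones`, which the comment below (`more than one non-firewall zone` for `@zones > 2`) implies includes the firewall zone, so `rules_chain( $zone, firewall_zone )` receives a second jump to `blacklst` on top of the one added a few lines earlier for `firewall_zone, @vservers`; a `next if $zone1 eq firewall_zone;` would avoid the duplicate unless `add_jump` de-duplicates, which is not visible here. `generate_matrix` starts and ends outside these hunks.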
@ -296,7 +296,7 @@ sub initialize( $ ) {
|
|||||||
# => mss = <MSS setting>
|
# => mss = <MSS setting>
|
||||||
# => ipsec = <-m policy arguments to match options>
|
# => ipsec = <-m policy arguments to match options>
|
||||||
#
|
#
|
||||||
sub parse_zone_option_list($$)
|
sub parse_zone_option_list($$\$)
|
||||||
{
|
{
|
||||||
my %validoptions = ( mss => NUMERIC,
|
my %validoptions = ( mss => NUMERIC,
|
||||||
blacklist => NOTHING,
|
blacklist => NOTHING,
|
||||||
@ -316,7 +316,7 @@ sub parse_zone_option_list($$)
|
|||||||
#
|
#
|
||||||
my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
|
my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
|
||||||
|
|
||||||
my ( $list, $zonetype ) = @_;
|
my ( $list, $zonetype, $complexref ) = @_;
|
||||||
my %h;
|
my %h;
|
||||||
my $options = '';
|
my $options = '';
|
||||||
my $fmt;
|
my $fmt;
|
||||||
@ -354,6 +354,7 @@ sub parse_zone_option_list($$)
|
|||||||
$options .= $invert;
|
$options .= $invert;
|
||||||
$options .= "--$e ";
|
$options .= "--$e ";
|
||||||
$options .= "$val "if defined $val;
|
$options .= "$val "if defined $val;
|
||||||
|
$$complexref = 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -439,13 +440,15 @@ sub process_zone( \$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my $complex = 0;
|
||||||
|
|
||||||
my $zoneref = $zones{$zone} = { type => $type,
|
my $zoneref = $zones{$zone} = { type => $type,
|
||||||
parents => \@parents,
|
parents => \@parents,
|
||||||
bridge => '',
|
bridge => '',
|
||||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
options => { in_out => parse_zone_option_list( $options , $type, $complex ) ,
|
||||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
in => parse_zone_option_list( $in_options , $type , $complex ) ,
|
||||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
out => parse_zone_option_list( $out_options , $type , $complex ) ,
|
||||||
complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
|
complex => ( $type == IPSEC || $complex ) ,
|
||||||
nested => @parents > 0 ,
|
nested => @parents > 0 ,
|
||||||
super => 0 ,
|
super => 0 ,
|
||||||
} ,
|
} ,
|
||||||
|
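Review bot: The new third parameter of `parse_zone_option_list` is an undocumented out-parameter: the header comment above the sub describes what `mss` and `ipsec` map to but says nothing about `\$complexref`, nor that it is only ever set and never cleared, which is what lets `process_zone` thread one `$complex` scalar through all three calls. Add below `# => ipsec = ...` a line such as `# Third argument: reference to a scalar that is set to 1 when the list contains any -m policy (ipsec) match option; it is never reset, so a caller may accumulate over several lists` (the branch containing `$$complexref = 1` begins outside the hunk, so confirm it is the ipsec branch). The three call sites also drop the `|| ''` default, so an undefined option list now reaches the sub unguarded; the removed `$options ne '-'` test suggests the caller normalises missing lists to `-`, but if any path passes undef the `my ( $list, $zonetype, $complexref ) = @_;` unpacking no longer protects it. Since `complex` no longer counts `mss` or `blacklist`, a zone with only `mss` now takes the simple path; confirm MSS handling does not rely on `<zone>_frwd`. `initialize`, `parse_zone_option_list` and `process_zone` all extend beyond the hunks shown.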