Only use the 'accountout' chain when there are bridges
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6507 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
d9e14ffa1c
commit
f274d55cb8
@ -29,6 +29,7 @@ use Shorewall::Common;
|
||||
use Shorewall::Config;
|
||||
use Shorewall::IPAddrs;
|
||||
use Shorewall::Zones;
|
||||
use Shorewall::Interfaces;
|
||||
use Shorewall::Chains;
|
||||
|
||||
use strict;
|
||||
@ -58,8 +59,13 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
||||
"-j $jumpchain";
|
||||
}
|
||||
|
||||
unless ( $chain and $chain ne '-' ) {
|
||||
$chain = $source =~ /^$firewall_zone:?/ ? 'accountout' : 'accounting';
|
||||
my $restriction = NO_RESTRICT;
|
||||
|
||||
if ( @bridges && $source =~ /^$firewall_zone:?/ ) {
|
||||
$restriction = OUTPUT_RESTRICT;
|
||||
$chain = 'accountout' unless $chain and $chain ne '-';
|
||||
} else {
|
||||
$chain = 'accounting' unless $chain and $chain ne '-';
|
||||
}
|
||||
|
||||
my $chainref = ensure_filter_chain $chain , 0;
|
||||
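Review bot: The new test `if ( @bridges && $source =~ /^$firewall_zone:?/ )` interpolates the zone name into the pattern unescaped and anchors it only at the front, so any source whose text merely begins with the firewall zone's name (a constructed example: an interface called `fwbr0` when the zone is `fw`) is treated as firewall-originated and gets OUTPUT_RESTRICT; quoting and closing the match fixes both, i.e. `if ( @bridges && $source =~ /^\Q$firewall_zone\E(?::|\z)/ ) {`. The `unless $chain and $chain ne '-'` default is now written in both branches; it can be stated once after the if/else, e.g. `$chain = $restriction == OUTPUT_RESTRICT ? 'accountout' : 'accounting' unless $chain and $chain ne '-';`. `$restriction` is computed but not consumed within the hunk; presumably it is handed to expand_rule further down, where the new Chains.pm check reads it. process_accounting_rule begins before the hunk and continues past it.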
@ -139,22 +145,35 @@ sub setup_accounting() {
|
||||
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark;
|
||||
}
|
||||
|
||||
if ( $filter_table->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||
insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||
if ( @bridges ) {
|
||||
if ( $filter_table->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||
insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||
}
|
||||
} elsif ( $config{FASTACCEPT} ) {
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||
}
|
||||
}
|
||||
} elsif ( $config{FASTACCEPT} ) {
|
||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||
}
|
||||
}
|
||||
|
||||
if ( $filter_table->{accountout} ) {
|
||||
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
|
||||
insert_rule $filter_table->{OUTPUT}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||
} elsif ( $config{FASTACCEPT} ) {
|
||||
insert_rule $filter_table->{OUTPUT}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||
if ( $filter_table->{accountout} ) {
|
||||
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
|
||||
insert_rule $filter_table->{OUTPUT}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||
} elsif ( $config{FASTACCEPT} ) {
|
||||
insert_rule $filter_table->{OUTPUT}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||
}
|
||||
} else {
|
||||
if ( $filter_table->{accounting} ) {
|
||||
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||
insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||
}
|
||||
} elsif ( $config{FASTACCEPT} ) {
|
||||
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||
insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
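Review bot: As far as the hunk shows, without bridges an `accountout` chain that a rule names explicitly in its CHAIN column is still created by process_accounting_rule (`ensure_filter_chain $chain , 0` in the hunk above) while the `else` branch here only links `accounting` into INPUT/FORWARD/OUTPUT, so such a chain would exist with no jump into it and its counters would never move; if that is the intended behaviour, a `fatal_error "Chain accountout may only be used when a bridge is defined"` where the chain name is resolved would make the condition visible instead of silent. The two branches also repeat the same position-1 / position-2 insertion four times, differing only in the chain list and the target chain, which is easy to desynchronise (the FASTACCEPT rule must stay directly behind the accounting jump); a small helper keeps that ordering in one place, as sketched below. setup_accounting begins before the hunk.
```perl
#
# Link each of the given built-in chains to $target when that accounting
# chain exists and, under FASTACCEPT, short-circuit ESTABLISHED/RELATED
# traffic directly behind the jump. Keeps the position ordering in one place.
#
sub link_accounting_chain( $$ ) {
    my ( $target, $chains ) = @_;

    for my $chain ( @$chains ) {
        my $position = 1;
        insert_rule $filter_table->{$chain}, $position++, "-j $target" if $filter_table->{$target};
        insert_rule $filter_table->{$chain}, $position, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
    }
}

sub setup_accounting() {
    # … unchanged: accounting-file processing loop …

    if ( @bridges ) {
        link_accounting_chain( 'accounting', [ qw/INPUT FORWARD/ ] );
        link_accounting_chain( 'accountout', [ 'OUTPUT' ] );
    } else {
        link_accounting_chain( 'accounting', [ qw/INPUT FORWARD OUTPUT/ ] );
    }
}
```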
@ -1511,9 +1511,10 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
#
|
||||
fatal_error "Bridge port ( $diface) not allowed" if port_to_bridge( $diface );
|
||||
add_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do' );
|
||||
$rule .= '-d $dest';
|
||||
$rule .= '-d $dest ';
|
||||
$chainref->{loopcount}++;
|
||||
} else {
|
||||
fatal_error "Bridge Port ( $diface ) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
|
||||
fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT;
|
||||
|
||||
if ( $iiface ) {
|
||||
|
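Review bot: The new guard `if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) )` combines two bit-flag constants with arithmetic `+`; bitwise `|` states the intended mask and stays correct even if the two constants ever share a bit, `fatal_error "Bridge Port ( $diface ) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT | OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );`. The two messages in this branch differ in casing ("Bridge port" on the line above, "Bridge Port" here); one spelling would help anyone searching for the message. expand_rule begins before the hunk and continues past it.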
@ -44,7 +44,8 @@ our @EXPORT = qw( add_group_to_zone
|
||||
find_interfaces_by_option
|
||||
get_interface_option
|
||||
|
||||
@interfaces );
|
||||
@interfaces
|
||||
@bridges );
|
||||
our @EXPORT_OK = ();
|
||||
our @VERSION = 1.00;
|
||||
|
||||
@ -64,6 +65,7 @@ our @VERSION = 1.00;
|
||||
#
|
||||
our @interfaces;
|
||||
our %interfaces;
|
||||
our @bridges;
|
||||
|
||||
sub add_group_to_zone($$$$$)
|
||||
{
|
||||
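Review bot: `our @bridges;` is added without a comment, although it becomes part of the module's exported interface (see the `@EXPORT` hunk above) and is filled only by validate_interfaces_file when an interface carries the `bridge` option. A one-liner beside the declaration such as `# Interfaces declared with the 'bridge' option; filled by validate_interfaces_file, read by Accounting.pm` would tell importers what the list holds and who owns it. The surrounding declarations continue outside the hunk.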
@ -308,6 +310,7 @@ sub validate_interfaces_file( $ )
|
||||
if ( $options{bridge} ) {
|
||||
require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
|
||||
fatal_error "Bridges may not have wildcard names" if $wildcard;
|
||||
push @bridges, $interface;
|
||||
}
|
||||
} elsif ( defined $port ) {
|
||||
$options{port} = 1;
|
||||
|
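Review bot: `push @bridges, $interface;` records information that `%interfaces` already holds through `$options{bridge}`, and the module already exports `find_interfaces_by_option` (visible in the export hunk above); if that helper returns the interfaces carrying a given option, as its name suggests, callers could use `find_interfaces_by_option( 'bridge' )` instead of a second, mutable package global that every importer can alter. If the global is kept for cost reasons, a brief comment at the push, e.g. `# Remembered so that Accounting.pm can tell whether an 'accountout' chain is needed`, would record why the duplicate list exists. validate_interfaces_file begins before the hunk and continues past it.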