From f274d55cb8aa744794ce44f5d2fadf5cb53f57db Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 10 Jun 2007 17:09:09 +0000
Subject: [PATCH] Only use the 'accountout' chain when there are bridges

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6507 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

---
 Shorewall-perl/Shorewall/Accounting.pm | 51 ++++++++++++++++++--------
 Shorewall-perl/Shorewall/Chains.pm | 3 +-
 Shorewall-perl/Shorewall/Interfaces.pm | 5 ++-
 3 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm
index 26c3a53e4..1ea81206f 100644
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@@ -29,6 +29,7 @@ use Shorewall::Common;
 use Shorewall::Config;
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
+use Shorewall::Interfaces;
 use Shorewall::Chains;
 
 use strict;
@@ -58,8 +59,13 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 "-j $jumpchain";
 }
 
- unless ( $chain and $chain ne '-' ) {
- $chain = $source =~ /^$firewall_zone:?/ ? 'accountout' : 'accounting';
+ my $restriction = NO_RESTRICT;
+
+ if ( @bridges && $source =~ /^$firewall_zone:?/ ) {
+ $restriction = OUTPUT_RESTRICT;
+ $chain = 'accountout' unless $chain and $chain ne '-';
+ } else {
+ $chain = 'accounting' unless $chain and $chain ne '-';
 }
 
 my $chainref = ensure_filter_chain $chain , 0;
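Review bot: The firewall-zone test in the new `if` is a bare prefix match, `$source =~ /^$firewall_zone:?/`, so with a firewall zone named `fw` a source such as `fw2` or `fwlan` is also steered into `accountout` and given OUTPUT_RESTRICT; the removed line carried the same pattern, but this rewrite is the place to anchor it: `if ( @bridges && $source =~ /^\Q$firewall_zone\E(?::|\z)/ ) {`. The `\Q…\E` additionally keeps any regex metacharacter in the zone name from being interpreted, assuming zone-name validation elsewhere does not already exclude such characters. `$restriction` is declared in this hunk but the call that consumes it lies below it, so whether a `$FW` source on a bridge-less configuration really reaches expand_rule unrestricted cannot be confirmed from here; a one-line comment on the declaration, `# OUTPUT_RESTRICT only applies when the rule lands in accountout (bridges present)`, would record the intent. process_accounting_rule begins and ends outside the hunk.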
@@ -139,22 +145,35 @@ sub setup_accounting() {
 process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark;
 }
 
- if ( $filter_table->{accounting} ) {
- for my $chain ( qw/INPUT FORWARD/ ) {
- insert_rule $filter_table->{$chain}, 1, '-j accounting';
- insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
+ if ( @bridges ) {
+ if ( $filter_table->{accounting} ) {
+ for my $chain ( qw/INPUT FORWARD/ ) {
+ insert_rule $filter_table->{$chain}, 1, '-j accounting';
+ insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
+ }
+ } elsif ( $config{FASTACCEPT} ) {
+ for my $chain ( qw/INPUT FORWARD/ ) {
+ insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
+ }
 }
- } elsif ( $config{FASTACCEPT} ) {
- for my $chain ( qw/INPUT FORWARD/ ) {
- insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
- }
- }
 
- if ( $filter_table->{accountout} ) {
- insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
- insert_rule $filter_table->{OUTPUT}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
- } elsif ( $config{FASTACCEPT} ) {
- insert_rule $filter_table->{OUTPUT}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
+ if ( $filter_table->{accountout} ) {
+ insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
+ insert_rule $filter_table->{OUTPUT}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
+ } elsif ( $config{FASTACCEPT} ) {
+ insert_rule $filter_table->{OUTPUT}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
+ }
+ } else {
+ if ( $filter_table->{accounting} ) {
+ for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+ insert_rule $filter_table->{$chain}, 1, '-j accounting';
+ insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
+ }
+ } elsif ( 
$config{FASTACCEPT} ) { + for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { + insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT'; + } + } } } diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 832e09a01..e3dbb1138 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -1511,9 +1511,10 @@ sub expand_rule( $$$$$$$$$$ ) # fatal_error "Bridge port ( $diface) not allowed" if port_to_bridge( $diface ); add_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do' ); - $rule .= '-d $dest'; + $rule .= '-d $dest '; $chainref->{loopcount}++; } else { + fatal_error "Bridge Port ( $diface ) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface ); fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT; if ( $iiface ) { diff --git a/Shorewall-perl/Shorewall/Interfaces.pm b/Shorewall-perl/Shorewall/Interfaces.pm index a7e578221..e1a41bca3 100644 --- a/Shorewall-perl/Shorewall/Interfaces.pm +++ b/Shorewall-perl/Shorewall/Interfaces.pm @@ -44,7 +44,8 @@ our @EXPORT = qw( add_group_to_zone find_interfaces_by_option get_interface_option - @interfaces ); + @interfaces + @bridges ); our @EXPORT_OK = (); our @VERSION = 1.00; @@ -64,6 +65,7 @@ our @VERSION = 1.00; # our @interfaces; our %interfaces; +our @bridges; sub add_group_to_zone($$$$$) { @@ -308,6 +310,7 @@ sub validate_interfaces_file( $ ) if ( $options{bridge} ) { require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's'); fatal_error "Bridges may not have wildcard names" if $wildcard; + push @bridges, $interface; } } elsif ( defined $port ) { $options{port} = 1;
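Review bot: In the new `else` branch (no bridges) a rule whose CHAIN column literally names `accountout` still gets that chain created by process_accounting_rule, but nothing jumps to it any more: the `if ( $filter_table->{accountout} )` jump now exists only inside the `@bridges` branch, so where the old code wired such rules into OUTPUT they are now silently dead. Either keep the OUTPUT jump in the else branch too or reject the name there, e.g. one line ahead of its `if ( $filter_table->{accounting} )`: `fatal_error "Chain accountout may only be used when there are bridges" if $filter_table->{accountout};` (fatal_error as used in Chains.pm); since a user could also reach that chain only through the ACTION column, a warning rather than a fatal error may be the better fit. The two branches otherwise differ only in the chain list, so `my @chains = @bridges ? qw/INPUT FORWARD/ : qw/INPUT FORWARD OUTPUT/;` followed by one loop would remove the duplicated insert_rule lines. setup_accounting begins above this hunk.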
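Review bot: The added bridge-port check builds its mask with arithmetic, `POSTROUTE_RESTRICT + OUTPUT_RESTRICT`, which only equals the intended bit mask if both constants are distinct single bits and reads as a sum rather than a flag test; the bitwise form makes the intent independent of the constants' values: `fatal_error "Bridge Port ( $diface ) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT | OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );`. The sibling branch just above, the `for dest in …` address loop, still carries its own bridge-port check commented out, so a bridge port that takes that path is not rejected; if that is deliberate, a short comment there stating why the check is unnecessary on that path would keep the next reader from reopening it. The message also capitalizes "Bridge Port" where the commented-out line says "Bridge port"; worth aligning. expand_rule begins and ends outside the hunk.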