forked from extern/shorewall_code
Only use the 'accountout' chain when there are bridges
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6507 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d9e14ffa1c
commit
f274d55cb8
@ -29,6 +29,7 @@ use Shorewall::Common;
|
|||||||
use Shorewall::Config;
|
use Shorewall::Config;
|
||||||
use Shorewall::IPAddrs;
|
use Shorewall::IPAddrs;
|
||||||
use Shorewall::Zones;
|
use Shorewall::Zones;
|
||||||
|
use Shorewall::Interfaces;
|
||||||
use Shorewall::Chains;
|
use Shorewall::Chains;
|
||||||
|
|
||||||
use strict;
|
use strict;
|
||||||
@ -58,8 +59,13 @@ sub process_accounting_rule( $$$$$$$$$ ) {
|
|||||||
"-j $jumpchain";
|
"-j $jumpchain";
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $chain and $chain ne '-' ) {
|
my $restriction = NO_RESTRICT;
|
||||||
$chain = $source =~ /^$firewall_zone:?/ ? 'accountout' : 'accounting';
|
|
||||||
|
if ( @bridges && $source =~ /^$firewall_zone:?/ ) {
|
||||||
|
$restriction = OUTPUT_RESTRICT;
|
||||||
|
$chain = 'accountout' unless $chain and $chain ne '-';
|
||||||
|
} else {
|
||||||
|
$chain = 'accounting' unless $chain and $chain ne '-';
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chainref = ensure_filter_chain $chain , 0;
|
my $chainref = ensure_filter_chain $chain , 0;
|
||||||
@ -139,22 +145,35 @@ sub setup_accounting() {
|
|||||||
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark;
|
process_accounting_rule $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $filter_table->{accounting} ) {
|
if ( @bridges ) {
|
||||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
if ( $filter_table->{accounting} ) {
|
||||||
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||||
insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||||
|
insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||||
|
}
|
||||||
|
} elsif ( $config{FASTACCEPT} ) {
|
||||||
|
for my $chain ( qw/INPUT FORWARD/ ) {
|
||||||
|
insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
} elsif ( $config{FASTACCEPT} ) {
|
|
||||||
for my $chain ( qw/INPUT FORWARD/ ) {
|
|
||||||
insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $filter_table->{accountout} ) {
|
if ( $filter_table->{accountout} ) {
|
||||||
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
|
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
|
||||||
insert_rule $filter_table->{OUTPUT}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
insert_rule $filter_table->{OUTPUT}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||||
} elsif ( $config{FASTACCEPT} ) {
|
} elsif ( $config{FASTACCEPT} ) {
|
||||||
insert_rule $filter_table->{OUTPUT}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
insert_rule $filter_table->{OUTPUT}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if ( $filter_table->{accounting} ) {
|
||||||
|
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||||
|
insert_rule $filter_table->{$chain}, 1, '-j accounting';
|
||||||
|
insert_rule $filter_table->{$chain}, 2, '-m state --state ESTABLISHED,RELATED -j ACCEPT' if $config{FASTACCEPT};
|
||||||
|
}
|
||||||
|
} elsif ( $config{FASTACCEPT} ) {
|
||||||
|
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
|
||||||
|
insert_rule $filter_table->{$chain}, 1, '-m state --state ESTABLISHED,RELATED -j ACCEPT';
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1511,9 +1511,10 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
#
|
#
|
||||||
fatal_error "Bridge port ( $diface) not allowed" if port_to_bridge( $diface );
|
fatal_error "Bridge port ( $diface) not allowed" if port_to_bridge( $diface );
|
||||||
add_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do' );
|
add_command( $chainref , 'for dest in ' . get_interface_addresses( $diface) . '; do' );
|
||||||
$rule .= '-d $dest';
|
$rule .= '-d $dest ';
|
||||||
$chainref->{loopcount}++;
|
$chainref->{loopcount}++;
|
||||||
} else {
|
} else {
|
||||||
|
fatal_error "Bridge Port ( $diface ) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
|
||||||
fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT;
|
fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT;
|
||||||
|
|
||||||
if ( $iiface ) {
|
if ( $iiface ) {
|
||||||
|
@ -44,7 +44,8 @@ our @EXPORT = qw( add_group_to_zone
|
|||||||
find_interfaces_by_option
|
find_interfaces_by_option
|
||||||
get_interface_option
|
get_interface_option
|
||||||
|
|
||||||
@interfaces );
|
@interfaces
|
||||||
|
@bridges );
|
||||||
our @EXPORT_OK = ();
|
our @EXPORT_OK = ();
|
||||||
our @VERSION = 1.00;
|
our @VERSION = 1.00;
|
||||||
|
|
||||||
@ -64,6 +65,7 @@ our @VERSION = 1.00;
|
|||||||
#
|
#
|
||||||
our @interfaces;
|
our @interfaces;
|
||||||
our %interfaces;
|
our %interfaces;
|
||||||
|
our @bridges;
|
||||||
|
|
||||||
sub add_group_to_zone($$$$$)
|
sub add_group_to_zone($$$$$)
|
||||||
{
|
{
|
||||||
@ -308,6 +310,7 @@ sub validate_interfaces_file( $ )
|
|||||||
if ( $options{bridge} ) {
|
if ( $options{bridge} ) {
|
||||||
require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
|
require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
|
||||||
fatal_error "Bridges may not have wildcard names" if $wildcard;
|
fatal_error "Bridges may not have wildcard names" if $wildcard;
|
||||||
|
push @bridges, $interface;
|
||||||
}
|
}
|
||||||
} elsif ( defined $port ) {
|
} elsif ( defined $port ) {
|
||||||
$options{port} = 1;
|
$options{port} = 1;
|
||||||
|
Loading…
Reference in New Issue
Block a user