Clarify provisional policy handling.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-03-26 08:02:49 -07:00
parent ad08d2195e
commit f30cd7e287
2 changed files with 10 additions and 8 deletions


@ -212,7 +212,8 @@ our $VERSION = '4.4_8';
# } # }
# #
# 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be # 'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
# replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1. # replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1 as are intra-zone
# ACCEPT policies.
# #
# Only 'referenced' chains get written to the iptables-restore input. # Only 'referenced' chains get written to the iptables-restore input.
# #
@ -257,6 +258,7 @@ use constant { NO_RESTRICT => 0, # FORWARD chain rule - Both -i and
POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table POSTROUTE_RESTRICT => 16, # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed ALL_RESTRICT => 12 # fw->fw rule - neither -i nor -o allowed
}; };
our $iprangematch; our $iprangematch;
our $chainseq; our $chainseq;
our $idiotcount; our $idiotcount;


@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4_7'; our $VERSION = '4.4_9';
# @policy_chains is a list of references to policy chains in the filter table # @policy_chains is a list of references to policy chains in the filter table
@ -66,11 +66,11 @@ sub convert_to_policy_chain($$$$$)
# #
sub new_policy_chain($$$$) sub new_policy_chain($$$$)
{ {
my ($source, $dest, $policy, $optional) = @_; my ($source, $dest, $policy, $provisional) = @_;
my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) ); my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional ); convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
$chainref; $chainref;
} }
@ -115,7 +115,7 @@ sub set_policy_chain($$$$$)
# #
# Process the policy file # Process the policy file
# #
use constant { OPTIONAL => 1 }; use constant { PROVISIONAL => 1 };
sub add_or_modify_policy_chain( $$ ) { sub add_or_modify_policy_chain( $$ ) {
my ( $zone, $zone1 ) = @_; my ( $zone, $zone1 ) = @_;
@ -124,11 +124,11 @@ sub add_or_modify_policy_chain( $$ ) {
if ( $chainref ) { if ( $chainref ) {
unless( $chainref->{is_policy} ) { unless( $chainref->{is_policy} ) {
convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL ); convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
push @policy_chains, $chainref; push @policy_chains, $chainref;
} }
} else { } else {
push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL ); push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
} }
} }
@ -329,7 +329,7 @@ sub validate_policy()
} }
for $zone ( all_zones ) { for $zone ( all_zones ) {
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL ); push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', PROVISIONAL );
if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) { if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
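Review bot: The renamed constant `use constant { PROVISIONAL => 1 };` is introduced under the "Process the policy file" header with no explanation of what a provisional chain is; the only description lives in the comment block changed in the other file, so a reader of this module has to know to look there. A one-line comment above the constant would keep the two in step, e.g. `# Value for the chain's 'provisional' attribute: the chain may later be replaced by an explicit policy (see the chain-attribute comments in Chains.pm).`, and `sub new_policy_chain` would benefit from a header line naming its fourth argument, e.g. `# new_policy_chain( $source, $dest, $policy, $provisional ) - $provisional is PROVISIONAL or 0`. The literal 1 here must stay equal to the `provisional == 1` value the other file documents; if that module already exports a symbol for it, reusing that symbol would avoid the two definitions drifting apart, though I cannot see its export list from this page. The enclosing subs `add_or_modify_policy_chain` and `validate_policy` both continue outside their hunks.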