holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Make the sfilter logic cleaner and add a comment

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-09-01 14:15:15 -07:00
parent 678f6b4091
commit f5c2e9b211
1 changed files with 26 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -501,7 +501,10 @@ sub add_common_rules() {
my $audit = $policy =~ s/^A_//; my $audit = $policy =~ s/^A_//;
my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : (); my @ipsec = have_ipsec ? ( policy => '--pol none --dir in' ) : ();
if ( $level || $audit || @ipsec ) { if ( $level || $audit ) {
#
# Create a chain to log and/or audit
#
$chainref = new_standard_chain 'sfilter'; $chainref = new_standard_chain 'sfilter';
log_rule $level , $chainref , $policy , '' if $level ne ''; log_rule $level , $chainref , $policy , '' if $level ne '';
@ -511,24 +514,32 @@ sub add_common_rules() {
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy; add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target = 'sfilter'; $target = 'sfilter';
if ( @ipsec ) {
$chainref = new_standard_chain 'sfilter1';
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target1 = 'sfilter1';
}
} elsif ( ( $target = $policy ) eq 'REJECT' ) { } elsif ( ( $target = $policy ) eq 'REJECT' ) {
$target = 'reject'; $target = 'reject';
} }
$target1 = $target unless $target1; if ( @ipsec ) {
#
# sfilter1 will be used in the FORWARD chain where we allow traffic entering the interface
# to leave the interface encrypted. We need a separate chain because '--dir out' cannot be
# used in the input chain
#
$chainref = new_standard_chain 'sfilter1';
add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
log_rule $level , $chainref , $policy , '' if $level ne '';
add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
$target1 = 'sfilter1';
} else {
#
# No IPSEC -- use the same target in both INPUT and FORWARD
#
$target1 = $target;
}
for $interface ( grep $_ ne '%vserver%', all_interfaces ) { for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ); ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );