More improvements to rules generated for exclusion lists

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2496 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-08-15 20:16:34 +00:00
parent 0f7def6c67
commit f6565e19a0


@ -4862,17 +4862,20 @@ process_rule() # $1 = target
{ {
build_exclusion_chain newchain filter "$excludesource" "$excludedest" build_exclusion_chain newchain filter "$excludesource" "$excludedest"
if [ $(list_count $addr) -eq 1 -a -n "$CONNTRACK_MATCH" ]; then if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
run_iptables -A $chain $(fix_bang $proto $sports $multiport $dports) -m conntrack --ctorigdst $addr -j $newchain for adr in $(separate_list $addr); do
run_iptables -A $chain $(fix_bang $proto $sports $multiport $dports) $user -m conntrack --ctorigdst $adr -j $newchain
done
addr= addr=
else else
run_iptables -A $chain $(fix_bang $proto $sports $multiport $dports) -j $newchain run_iptables -A $chain $(fix_bang $proto $sports $multiport $dports) $user -j $newchain
fi fi
proto= proto=
sports= sports=
multiport= multiport=
dports= dports=
user=
chain=$newchain chain=$newchain
} }
@ -4932,6 +4935,7 @@ process_rule() # $1 = target
addr=$address addr=$address
servport=$serverport servport=$serverport
multiport= multiport=
user="$userandgroup"
[ x$port = x- ] && port= [ x$port = x- ] && port=
[ x$cport = x- ] && cport= [ x$cport = x- ] && cport=
@ -4964,7 +4968,7 @@ process_rule() # $1 = target
case "$logtarget" in case "$logtarget" in
ACCEPT|DROP|REJECT|CONTINUE) ACCEPT|DROP|REJECT|CONTINUE)
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userandgroup" -a -z "$excludesource" -a -z "$excludedest" ] ; then if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" ] ; then
error_message "Warning -- Rule \"$rule\" is a POLICY" error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file" error_message " -- and should be moved to the policy file"
fi fi
@ -5014,43 +5018,43 @@ process_rule() # $1 = target
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
$userandgroup $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \ run_iptables2 -A $chain $proto $ratelimit $multiport $cli $sports \
$(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $userandgroup -j $target $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
fi fi
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $(dest_ip_range $srv) $dports $ratelimit $userandgroup -j RETURN $cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $sports \ run_iptables2 -A $chain $proto $multiport $cli $sports \
$(dest_ip_range $srv) $dports $ratelimit $userandgroup -j $target $(dest_ip_range $srv) $dports $ratelimit $user -j $target
fi fi
fi fi
done done
done done
else else
if [ -n "$loglevel" -a -z "$natrule" ]; then if [ -n "$loglevel" -a -z "$natrule" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $sports $multiport $cli $dports) $(fix_bang $proto $sports $multiport $cli $dports)
fi fi
[ -n "$nonat" ] && \ [ -n "$nonat" ] && \
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN $cli $sports $dports $ratelimit $user -j RETURN
[ "$logtarget" != NONAT ] && \ [ "$logtarget" != NONAT ] && \
run_iptables2 -A $chain $proto $multiport $cli $sports \ run_iptables2 -A $chain $proto $multiport $cli $sports \
$dports $ratelimit $userandgroup -j $target $dports $ratelimit $user -j $target
fi fi
fi fi
fi fi
@ -5066,37 +5070,37 @@ process_rule() # $1 = target
if [ -n "$addr" ]; then if [ -n "$addr" ]; then
for adr in $(separate_list $addr); do for adr in $(separate_list $addr); do
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j RETURN $cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $userandgroup -m conntrack --ctorigdst $adr -j $target $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target
fi fi
fi fi
done done
else else
if [ -n "$loglevel" ]; then if [ -n "$loglevel" ]; then
log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $userandgroup \ log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
$(fix_bang $proto $multiport $cli $dest_interface $sports $dports) $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
fi fi
if [ "$logtarget" != LOG ]; then if [ "$logtarget" != LOG ]; then
if [ -n "$nonat" ]; then if [ -n "$nonat" ]; then
addnatrule $(dnat_chain $source) $proto $multiport \ addnatrule $(dnat_chain $source) $proto $multiport \
$cli $sports $dports $ratelimit $userandgroup -j RETURN $cli $sports $dports $ratelimit $user -j RETURN
fi fi
if [ "$logtarget" != NONAT ]; then if [ "$logtarget" != NONAT ]; then
run_iptables2 -A $chain $proto $multiport $cli $dest_interface \ run_iptables2 -A $chain $proto $multiport $cli $dest_interface \
$sports $dports $ratelimit $userandgroup -j $target $sports $dports $ratelimit $user -j $target
fi fi
fi fi
fi fi