holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Remove dead/silly code from Shorewall::Chains::use_input/output_chain()

Browse Source 
- combine the two into a single function use_interface_chain().

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2018-12-14 13:54:36 -08:00
parent 35c7f304f7
commit f65b10c375
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 14 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -186,13 +186,12 @@ our %EXPORT_TAGS = (
input_chain
input_option_chain
zone_input_chain
use_input_chain
use_interface_chain
output_chain
output_option_chain
prerouting_chain
postrouting_chain
zone_output_chain
use_output_chain
masq_chain
syn_flood_chain
mac_chain
@ -2431,10 +2430,11 @@ sub zone_input_chain($) {
}
#
# Returns true if we're to use the interface's input chain
# Returns true if we're to use the interface's input or chain, depending on the second argument
# (use_input_chain or use_output_chain).
#
sub use_input_chain($$) {
my ( $interface, $chainref ) = @_;
sub use_interface_chain($$) {
my ( $interface, $which ) = @_;
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
#
@ -2462,17 +2462,11 @@ sub use_input_chain($$) {
# the zone has multiple interfaces
# and this interface has option rules
#
return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
return 1 if $interfaceref->{options}{$which} && keys %{ zone_interfaces( $zone ) } > 1;
#
# Interface associated with a single zone -- use the zone's input chain if it has one
#
return 0 if $chainref;
#
# Use the <zone>->fw rules chain if it is referenced.
#
$chainref = $filter_table->{rules_chain( $zone, firewall_zone )};
! ( $chainref->{referenced} || $chainref->{is_policy} )
return 0;
}
#
@ -2509,41 +2503,6 @@ sub zone_output_chain($) {
$_[0] . '_output';
}
#
# Returns true if we're to use the interface's output chain
#
sub use_output_chain($$) {
my ( $interface, $chainref) = @_;
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
#
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
return 1 if ( keys %{interface_zones $interface} ) > 1;
#
# Use interface's chain if there are multiple nets on the interface
#
return 1 if $nets > 1;
#
# Use interface's chain if it is a bridge with ports
#
return 1 if $interfaceref->{ports};
#
# Don't need it if it isn't associated with any zone
#
return 0 unless $nets;
#
# Interface associated with a single zone -- use the zone's output chain if it has one
#
return 0 if $chainref;
#
# Use the fw-><zone> rules chain if it is referenced.
#
$chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};
! ( $chainref->{referenced} || $chainref->{is_policy} )
}
#
# Masquerade Chain for an interface
#

14
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -1724,9 +1724,9 @@ sub add_interface_jumps {
add_ijump( $filter_table->{input_chain $bridge },
j => $inputref ,
imatch_source_dev( $interface, 1 )
) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
) unless $input_jump_added{$interface} || ! use_interface_chain( $interface, 'use_input_chain' );
unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
add_ijump( $filter_table->{output_chain $bridge} ,
j => $outputref ,
imatch_dest_dev( $interface, 1 ) )
@ -1735,10 +1735,10 @@ sub add_interface_jumps {
} else {
add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref ) && ! $input_jump_added{$interface}++;
add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
add_ijump( $filter_table->{INPUT} , j => $inputref , imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
if ( use_output_chain $interface, $outputref ) {
if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
}
}
@ -1927,7 +1927,7 @@ sub add_output_jumps( $$$$$$$$ ) {
my @ipsec_out_match = match_ipsec_out $zone , $hostref;
my @zone_interfaces = keys %{zone_interfaces( $zone )};
if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
#
# - There are vserver zones (so OUTPUT will have multiple source; or
# - We must use the interface output chain; or
@ -2061,7 +2061,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
my @source = imatch_source_net $net;
my @ipsec_in_match = match_ipsec_in $zone , $hostref;
if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
#
# - There are vserver zones (so INPUT will have multiple destinations; or
# - We must use the interface input chain; or