diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm
index d27c6873a..fd17cd3f8 100644
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@@ -124,7 +124,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 $chain = 'accounting' unless $chain and $chain ne '-';
 if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIPv4 ) {
 expand_rule(
- ensure_filter_chain( 'accountout' , 0 ) ,
+ ensure_filter_chain( IPv4, 'accountout' , 0 ) ,
 OUTPUT_RESTRICT ,
 $rule ,
 $source ,
@@ -141,7 +141,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 $dest = ALLIPv4 if $dest eq 'any' || $dest eq 'all';
 }
- my $chainref = ensure_filter_chain $chain , 0;
+ my $chainref = ensure_filter_chain IPv4, $chain , 0;
 check_for_builtin( $chainref );
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 18c07f5cb..024037db3 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -612,13 +612,13 @@ sub finish_chain_section( $$ );
 #
 # Create a filter chain if necessary. Optionally populate it with the appropriate ESTABLISHED,RELATED rule(s) and perform SYN rate limiting.
 #
-sub ensure_filter_chain( $$ )
+sub ensure_filter_chain( $$$ )
 {
- my ($chain, $populate) = @_;
+ my ($ipv, $chain, $populate) = @_;
 my $chainref = $filter_table->{4}{$chain};
- $chainref = new_chain 'filter', IPv4, $chain unless $chainref;
+ $chainref = new_chain 'filter', $ipv, $chain unless $chainref;
 if ( $populate and ! $chainref->{referenced} ) {
 if ( $section eq 'NEW' or $section eq 'DONE' ) {
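Review bot: In Chains.pm, `ensure_filter_chain` now accepts `$ipv` but still looks the chain up with `$filter_table->{4}{$chain}`, so only the creation path honours the new argument. If the table is keyed by address family, as the `$filter_table->{$ipv}` lookup added to `finish_chain_section` in this same commit suggests, a call with any other family would be handed the IPv4 chain of that name whenever one exists, and rules would be compiled into the wrong ruleset without an error. The lookup should read `my $chainref = $filter_table->{$ipv}{$chain};`. Every caller touched by this commit passes the literal `IPv4`, so the mismatch is latent today. The function body continues past the end of the hunk.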
@@ -697,13 +697,14 @@ sub initialize_chain_table() sub finish_chain_section ($$) { my ($chainref, $state ) = @_; my $chain = $chainref->{name}; + my $ipv = $chainref->{ipv}; add_rule $chainref, "-m state --state $state -j ACCEPT" unless $config{FASTACCEPT}; if ($sections{RELATED} ) { if ( $chainref->{is_policy} ) { if ( $chainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $chainref; + my $synchainref = ensure_chain 'filter', $ipv, syn_flood_chain $chainref; if ( $section eq 'DONE' ) { if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) { add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; @@ -713,9 +714,9 @@ sub finish_chain_section ($$) { } } } else { - my $policychainref = $filter_table->{4}{$chainref->{policychain}}; + my $policychainref = $filter_table->{$ipv}{$chainref->{policychain}}; if ( $policychainref->{synparams} ) { - my $synchainref = ensure_chain 'filter', IPv4, syn_flood_chain $policychainref; + my $synchainref = ensure_chain 'filter', $ipv, syn_flood_chain $policychainref; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; } } diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm index 14df2a656..98bd1b22d 100644 --- a/Shorewall-perl/Shorewall/Policy.pm +++ b/Shorewall-perl/Shorewall/Policy.pm @@ -407,7 +407,7 @@ sub apply_policy_rules() { if ( $policy ne 'NONE' ) { if ( ! $chainref->{referenced} && ( ! $optional && $policy ne 'CONTINUE' ) ) { - ensure_filter_chain $name, 1; + ensure_filter_chain IPv4, $name, 1; } if ( $name =~ /^all2|2all$/ ) { diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index 717b2392d..b2fb6d3fa 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm 
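Review bot: In `finish_chain_section` (Chains.pm), `my $ipv = $chainref->{ipv};` is used as a hash key and as the family argument to `ensure_chain` without a check that it is defined. Whether every chain record carries an `ipv` field is not visible in this diff. If one does not, the `$filter_table->{$ipv}{...}` lookup in the `@@ -713,9` hunk finds nothing and the `$policychainref->{synparams}` test is false, so the `-p tcp --syn` jump to the SYN-flood chain is left out of the generated ruleset instead of the compile failing. A guard directly after the assignment, for example `defined $ipv or fatal_error "Internal error: chain $chain has no address family";`, makes that a hard error, assuming `fatal_error` is in scope here as it is in Tunnels.pm. The function's closing lines are outside both hunks.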
@@ -1087,7 +1087,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 #
 # Mark the chain as referenced and add appropriate rules from earlier sections.
 #
- $chainref = ensure_filter_chain $chain, 1;
+ $chainref = ensure_filter_chain IPv4, $chain, 1;
 #
 # For compatibility with older Shorewall versions
 #
@@ -1515,7 +1515,7 @@ sub generate_matrix() {
 my $in_ref = new_standard_chain "${zone}_input";
 my $out_ref = new_standard_chain "${zone}_output";
- add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
+ add_rule ensure_filter_chain( IPv4, "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
 for my $host ( @$exclusions ) {
 my ( $interface, $net ) = split /:/, $host;
@@ -1757,7 +1757,7 @@ sub generate_matrix() {
 unless ( $chain1 ) {
 $chain1 = newexclusionchain;
 $policy_exclusions{"${chain}_${zone1}"} = $chain1;
- my $chain1ref = ensure_filter_chain $chain1, 0;
+ my $chain1ref = ensure_filter_chain IPv4, $chain1, 0;
 add_exclusions $chain1ref, $exclusions1;
 add_rule $chain1ref, "-j $chain";
 }
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index 4bdd40554..dbff3d2c9 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -83,8 +83,8 @@ sub setup_tunnels() {
 for my $zone ( split /,/, $gatewayzones ) {
 my $type = zone_type( $zone );
 fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == ZT_FIREWALL || $type & ZT_BPORT;
- $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
- $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+ $inchainref = ensure_filter_chain IPv4, "${zone}2${fw}", 1;
+ $outchainref = ensure_filter_chain IPv4, "${fw}2${zone}", 1;
 unless ( $capabilities{POLICY_MATCH} ) {
 add_rule $inchainref, "-p 50 $source -j ACCEPT";
@@ -230,8 +230,8 @@ sub setup_tunnels() {
 fatal_error "Invalid zone ($zone) for tunnel ZONE" if $zonetype == ZT_FIREWALL || $zonetype & ZT_BPORT;
- my $inchainref = ensure_filter_chain "${zone}2${fw}", 1;
- my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+ my $inchainref = ensure_filter_chain IPv4, "${zone}2${fw}", 1;
+ my $outchainref = ensure_filter_chain IPv4, "${fw}2${zone}", 1;
 my $source = match_source_net $gateway;
 my $dest = match_dest_net $gateway;