extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-23 16:13:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow moving rules with commands

Browse Source
This commit is contained in:
Tom Eastep 2009-09-03 14:11:44 -07:00
parent 4412a05a70
commit 015d4f58ce
2 changed files with 21 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -73,7 +73,6 @@ our %EXPORT_TAGS = (
add_commands add_commands
move_rules move_rules
move_rules1
insert_rule1 insert_rule1
purge_jump purge_jump
add_tunnel_rule add_tunnel_rule
@ -433,11 +432,7 @@ sub push_rule( $$ ) {
$rule =~ s/"/\\"/g; #Must preserve quotes in the rule $rule =~ s/"/\\"/g; #Must preserve quotes in the rule
add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3); add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
} else { } else {
# push @{$chainref->{rules}}, join( ' ', '-A' , $chainref->{name}, $rule );
# We omit the chain name for now -- this makes it easier to move rules from one
# chain to another
#
push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
} }
} }
@ -609,7 +604,7 @@ sub insert_rule1($$$)
$rule .= "-m comment --comment \"$comment\"" if $comment; $rule .= "-m comment --comment \"$comment\"" if $comment;
splice( @{$chainref->{rules}}, $number, 0, join( ' ', '-A', $rule ) ); splice( @{$chainref->{rules}}, $number, 0, join( ' ', '-A', $chainref->{name}, $rule ) );
$iprangematch = 0; $iprangematch = 0;
@ -639,15 +634,18 @@ sub add_tunnel_rule( $$ ) {
# forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
# a zone-oriented chain, hence this function. # a zone-oriented chain, hence this function.
# #
# The source chain must not have any run-time code included in its rules.
#
sub move_rules( $$ ) { sub move_rules( $$ ) {
my ($chain1, $chain2 ) = @_; my ($chain1, $chain2 ) = @_;
if ( $chain1->{referenced} ) { if ( $chain1->{referenced} ) {
my @rules = @{$chain1->{rules}}; my @rules = @{$chain1->{rules}};
my $name = $chain1->{name};
#
# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
#
$name =~ s/\+/\\+/;
assert( /^-A/ ) for @rules; ( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @rules;
splice @{$chain2->{rules}}, 0, 0, @rules; splice @{$chain2->{rules}}, 0, 0, @rules;
@ -657,29 +655,6 @@ sub move_rules( $$ ) {
} }
} }
#
# Like above except it returns 0 if it can't move the rules
#
sub move_rules1( $$ ) {
my ($chain1, $chain2 ) = @_;
if ( $chain1->{referenced} ) {
my @rules = @{$chain1->{rules}};
for ( @rules ) {
return 0 unless /^-A/;
}
splice @{$chain2->{rules}}, 0, 0, @rules;
$chain2->{referenced} = 1;
$chain1->{referenced} = 0;
$chain1->{rules} = [];
}
1;
}
# #
# Transform the passed interface name into a legal shell variable name. # Transform the passed interface name into a legal shell variable name.
# #
@ -2868,15 +2843,15 @@ sub enter_cmd_mode() {
# #
# Emits the passed rule (input to iptables-restore) or command # Emits the passed rule (input to iptables-restore) or command
# #
sub emitr( $$ ) { sub emitr( $ ) {
my ( $name, $rule ) = @_; my $rule = $_[0];
if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) { if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) {
# #
# A rule # A rule
# #
enter_cat_mode unless $mode == CAT_MODE; enter_cat_mode unless $mode == CAT_MODE;
emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) ); emit_unindented $rule;
} else { } else {
# #
# A command # A command
@ -2889,12 +2864,10 @@ sub emitr( $$ ) {
# #
# Simple version that only handles rules # Simple version that only handles rules
# #
sub emitr1( $$ ) { sub emitr1( $ ) {
my ( $name, $rule ) = @_; my $rule = $_[0];
assert( substr( $rule, 0, 2 ) eq '-A' ); emit_unindented $rule;
emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
} }
# #
@ -2970,7 +2943,7 @@ sub create_netfilter_load( $ ) {
# Then emit the rules # Then emit the rules
# #
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
emitr $chainref->{name}, $_ for ( grep defined $_, @{$chainref->{rules}} ); emitr $_ for ( grep defined $_, @{$chainref->{rules}} );
} }
# #
# Commit the changes to the table # Commit the changes to the table
@ -3079,7 +3052,7 @@ sub create_chainlist_reload($) {
# #
# Emit the chain rules # Emit the chain rules
# #
emitr $chain, $_ for ( grep defined $_, @rules ); emitr $_ for ( grep defined $_, @rules );
} }
# #
# Commit the changes to the table # Commit the changes to the table
@ -3184,7 +3157,7 @@ sub create_stop_load( $ ) {
# Then emit the rules # Then emit the rules
# #
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
emitr1 $chainref->{name}, $_ for @{$chainref->{rules}}; emitr1 $_ for @{$chainref->{rules}};
} }
# #
# Commit the changes to the table # Commit the changes to the table

8
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -864,12 +864,12 @@ sub handle_stickiness( $ ) {
$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/; $rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
} }
$rule1 =~ s/-A //; $rule1 =~ s/-A tcpre //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
$rule2 =~ s/-A //; $rule2 =~ s/-A tcpre //;
add_rule $chainref, $rule2; add_rule $chainref, $rule2;
} }
@ -896,12 +896,12 @@ sub handle_stickiness( $ ) {
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/; $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
} }
$rule1 =~ s/-A //; $rule1 =~ s/-A tcout //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
$rule2 =~ s/-A //; $rule2 =~ s/-A tcout //;
add_rule $chainref, $rule2; add_rule $chainref, $rule2;
} }