From 03913019d86052222de21c3abb7b1f132ba214db Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 16 Jul 2011 15:34:57 -0700
Subject: [PATCH] Mark DHCP rules for the convenience of move_rules().
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 20 ++++++++++++++------
 Shorewall/Perl/Shorewall/Misc.pm | 3 ++-
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 70b62bae6..e6637dcfb 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -402,6 +402,8 @@ use constant { UNIQUE => 1, CONTROL => 16 };
 my %special = ( rule => CONTROL,
+
+ dhcp => UNIQUE,
 mode => CONTROL,
 cmdlevel => CONTROL,
@@ -793,6 +795,9 @@ sub add_commands ( $$;@ ) {
 $chainref->{referenced} = 1;
 }
+#
+# Transform the passed rule and add it to the end of the passed chain's rule list
+#
 sub push_rule( $$ ) {
 my $chainref = $_[0];
 my $ruleref = transform_rule( $_[1] );
@@ -803,6 +808,8 @@ sub push_rule( $$ ) {
 push @{$chainref->{rules}}, $ruleref;
 $chainref->{referenced} = 1;
 trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug;
+
+ $ruleref;
 }
 sub add_transformed_rule( $$ ) {
@@ -892,6 +899,8 @@ sub handle_icmptype_list( $$$$ ) {
 #
 # Chain reference , Rule [, Expand-long-port-lists ]
 #
+# Returns a reference to the generated internal-form rule
+#
 sub add_rule($$;$) {
 my ($chainref, $rule, $expandports) = @_;
@@ -993,6 +1002,8 @@ sub insert_rule1($$$)
 $iprangematch = 0;
 $chainref->{referenced} = 1;
+
+ $ruleref;
 }
 sub insert_rule($$$) {
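Review bot: The new `dhcp => UNIQUE` entry in `%special` is a pure bookkeeping flag that move_rules() consults, and nothing in the table says so or who sets it, which is what the next reader of this hash will want to know. A trailing comment would save a grep: `dhcp => UNIQUE, # marker set by add_common_rules() via set_rule_option(); read by move_rules()`. The neighbouring bookkeeping keys `rule`, `mode` and `cmdlevel` are all CONTROL, so classifying this flag as UNIQUE stands out; whether that is deliberate depends on how the two constants are consumed elsewhere in Chains.pm, which this hunk does not show. The `%special` initializer continues past the hunk.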
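Review bot: The header comment added above `sub push_rule` describes the transform-and-append step but says nothing about the value the routine now hands back, which is the whole reason the Misc.pm caller is being changed in this commit. Suggest extending it with `# Returns a reference to the internal-form rule that was appended.` so callers do not have to read the body to learn they may keep the result. The body of push_rule continues past the hunk, so whether every path reaches that return cannot be checked from here.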
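Review bot: The new result is produced by a bare trailing expression `$ruleref;` rather than an explicit `return $ruleref;`; now that callers depend on the value, spelling out the return makes the contract visible at the end of the body and protects it from a later edit that appends a statement (such as another trace) after it. The same remark applies to the matching change in insert_rule1. `sub add_transformed_rule` begins on the hunk's last line and lies outside it.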
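Review bot: The new comment `Returns a reference to the generated internal-form rule` is ambiguous when the third argument (Expand-long-port-lists) is in effect, because a long port list is presumably expanded into several rules and only one reference can be returned; the Misc.pm caller marks just the returned rule, so which one matters. If the body returns the last push_rule() result, say so: `# Returns a reference to the generated internal-form rule (the last one, when a long port list is split into several rules)`. The body of add_rule runs past the hunk, so I cannot confirm which reference the final statement yields.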
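Review bot: `insert_rule1` now ends with a bare `$ruleref;`, but the wrapper `sub insert_rule($$$)` that starts on the hunk's last line is outside view, and unless its body ends with the `insert_rule1` call the new return value is lost to every caller that goes through the wrapper. Prefer an explicit `return $ruleref;` here and confirm the wrapper propagates it. The header comment for insert_rule1, also outside the hunk, should gain the same "returns a reference to the inserted rule" note that add_rule received in this commit.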
@@ -1131,14 +1142,12 @@ sub move_rules( $$ ) {
 # In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
 # This hack avoids that.
 #
- $_->{rule} = format_rule( $chain2, $_ ) for @$rules;
-
 if ( $blacklist ) {
 my $rule = shift @{$rules};
- shift @{$rules} while @{$rules} > 1 && $rules->[0]{rule} eq $rules->[1]{rule};
+ shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
 unshift @{$rules}, $rule;
 } else {
- shift @{$rules} while @{$rules} > 1 && $rules->[0]{rule} eq $rules->[1]{rule};
+ shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
 }
 #
@@ -1152,8 +1161,7 @@ sub move_rules( $$ ) {
 trace( $chain2, 'I', ++$rule, $filtered1[$filtered++] ) while $filtered < $filtered1;
 }
- splice @{$rules}, 0, 0, @filtered1;
-
+ splice @{$rules}, 0, 0, @filtered1;
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index ec0c5d973..2452b313c 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -708,7 +708,8 @@ sub add_common_rules() {
 set_interface_option $interface, 'use_forward_chain', 1;
 for $chain ( input_chain $interface, output_chain $interface ) {
- add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
+ my $ruleref = add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
+ set_rule_option( $ruleref, 'dhcp', 1 );
 }
 add_rule( $filter_table->{forward_chain $interface} ,
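Review bot: The de-duplication at the two `shift @{$rules} while ...` lines now discards an adjacent rule solely because both carry the `dhcp` flag, whereas the removed comparison of the formatted text only collapsed rules that were actually identical. The DHCP rules in Misc.pm interpolate a per-interface `$ports`, so if that list can differ between interfaces, the second rule would be silently dropped here and the policy chain would no longer accept that interface's DHCP ports; the flag test is only safe if every dhcp-flagged rule is interchangeable. Either state that assumption above the loop, `# All dhcp-flagged rules are assumed identical, so only the first is kept`, or keep an equality check in the condition, e.g. `... && $rules->[0]{dhcp} && $rules->[1]{dhcp} && format_rule( $chain2, $rules->[0] ) eq format_rule( $chain2, $rules->[1] )`. Dropping the `$_->{rule} = format_rule( $chain2, $_ ) for @$rules;` line also means `{rule}` is no longer populated on the moved entries, so anything later in move_rules() that reads that key (not visible in this hunk) should be checked. Both branches now carry the identical shift line; running the loop once and only shifting/unshifting the first rule around it when `$blacklist` is set would remove the duplication.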
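Review bot: `set_rule_option( $ruleref, 'dhcp', 1 )` assumes `add_rule` always hands back a rule reference; if `add_rule` can return undef (for instance when the rule is suppressed or optimized away), this call would die under strict refs or autovivify a stray hash, so either guard it with `set_rule_option( $ruleref, 'dhcp', 1 ) if $ruleref;` or document `add_rule` as never returning undef. Because `$ports` is interpolated per interface into the rule text, the marker tells move_rules() these ACCEPT rules are duplicates of one another regardless of the port list; if `$ports` can vary between interfaces that deserves a comment at the `my $ruleref = add_rule ...` line, e.g. `# 'dhcp' lets move_rules() collapse these rules; assumes $ports is the same for every interface`. The forward-chain `add_rule(` on the hunk's last line is not marked and is cut off, and `add_common_rules` begins before the hunk.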