Mark DHCP rules for the convenience of move_rules().

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-07-16 15:34:57 -07:00
parent 27621fa0f9
commit 03913019d8
2 changed files with 16 additions and 7 deletions


@ -403,6 +403,8 @@ use constant { UNIQUE => 1,
my %special = ( rule => CONTROL,
dhcp => UNIQUE,
mode => CONTROL,
cmdlevel => CONTROL,
simple => CONTROL,
@ -793,6 +795,9 @@ sub add_commands ( $$;@ ) {
$chainref->{referenced} = 1;
}
#
# Transform the passed rule and add it to the end of the passed chain's rule list
#
sub push_rule( $$ ) {
my $chainref = $_[0];
my $ruleref = transform_rule( $_[1] );
@ -803,6 +808,8 @@ sub push_rule( $$ ) {
push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1;
trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug;
$ruleref;
}
sub add_transformed_rule( $$ ) {
@ -892,6 +899,8 @@ sub handle_icmptype_list( $$$$ ) {
#
# Chain reference , Rule [, Expand-long-port-lists ]
#
# Returns a reference to the generated internal-form rule
#
sub add_rule($$;$) {
my ($chainref, $rule, $expandports) = @_;
@ -993,6 +1002,8 @@ sub insert_rule1($$$)
$iprangematch = 0;
$chainref->{referenced} = 1;
$ruleref;
}
sub insert_rule($$$) {
@ -1131,14 +1142,12 @@ sub move_rules( $$ ) {
# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
# This hack avoids that.
#
$_->{rule} = format_rule( $chain2, $_ ) for @$rules;
if ( $blacklist ) {
my $rule = shift @{$rules};
shift @{$rules} while @{$rules} > 1 && $rules->[0]{rule} eq $rules->[1]{rule};
shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
unshift @{$rules}, $rule;
} else {
shift @{$rules} while @{$rules} > 1 && $rules->[0]{rule} eq $rules->[1]{rule};
shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
}
#
@ -1153,7 +1162,6 @@ sub move_rules( $$ ) {
}
splice @{$rules}, 0, 0, @filtered1;
}
#
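Review bot: The collapse at `shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};` in both branches keys only on the `dhcp` flag, so it no longer verifies that the rule it drops is identical to the one it keeps, which the removed `eq` comparison on the formatted text did. That is sound only as long as every `dhcp`-flagged rule is the same `-p udp --dport $ports -j ACCEPT` text with no interface or address match; should a later change add a per-interface variant, the first of two adjacent but different DHCP ACCEPT rules would be discarded here without any diagnostic, silently narrowing what the policy chain permits. I would record that assumption beside the existing hack comment: `# Assumes every dhcp-flagged rule is textually identical (see add_common_rules()); only the last of a run survives.` move_rules() begins and ends outside this hunk, so I cannot see whether anything else still reads `{rule}` after the `format_rule` assignment was dropped.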


@ -708,7 +708,8 @@ sub add_common_rules() {
set_interface_option $interface, 'use_forward_chain', 1;
for $chain ( input_chain $interface, output_chain $interface ) {
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
my $ruleref = add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
set_rule_option( $ruleref, 'dhcp', 1 );
}
add_rule( $filter_table->{forward_chain $interface} ,
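Review bot: `set_rule_option( $ruleref, 'dhcp', 1 );` has no guard on `$ruleref`; if add_rule() can ever return undef for a rule it suppresses, the option would be written into an autovivified throwaway hash and the rule would quietly lose the mark that move_rules() now depends on to collapse duplicates. I cannot see add_rule's failure paths from this hunk, so a cheap defence is `die "add_rule returned no rule for $chain" unless $ruleref;` placed between the two lines, or a `defined` test before the call. The purpose of the mark is also not stated at the call site; a one-line comment such as `# Tag as DHCP so move_rules() can collapse duplicate ACCEPTs when this chain is folded into a policy chain` would tell the next reader why this rule is special. The enclosing add_common_rules() starts and ends outside this hunk.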