Add chain information to the builtin_target table.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -108,6 +108,10 @@ our @EXPORT = ( qw(
 		    INLINERULE
 		    OPTIONS
                     IPTABLES
+                    FILTER_TABLE
+                    NAT_TABLE
+                    MANGLE_TABLE
+                    RAW_TABLE
 
 		    %chain_table
 		    %targets
@@ -419,6 +423,11 @@ use constant { STANDARD     =>      0x1,       #defined by Netfilter
 	       INLINERULE   =>  0x40000,       #INLINE
 	       OPTIONS      =>  0x80000,       #Target Accepts Options
 	       IPTABLES     => 0x100000,       #IPTABLES or IP6TABLES
+
+	       FILTER_TABLE =>  0x1000000,
+	       MANGLE_TABLE =>  0x2000000,
+	       RAW_TABLE    =>  0x4000000,
+	       NAT_TABLE    =>  0x8000000,
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -525,59 +534,59 @@ our $family;
 #
 # These are the current builtin targets
 #
-our %builtin_target = ( ACCEPT      => 1,
-			ACCOUNT     => 1,
-			AUDIT       => 1,
-			CHAOS       => 1,
-			CHECKSUM    => 1,
-			CLASSIFY    => 1,
-		        CLUSTERIP   => 1,
-			CONNMARK    => 1,
-			CONNSECMARK => 1,
-			COUNT       => 1,
-			CT          => 1,
-			DELUDE      => 1,
-			DHCPMAC     => 1,
-			DNAT        => 1,
-			DNETMAP     => 1,
-			DROP        => 1,
-			DSCP        => 1,
-			ECHO        => 1,
-			ECN         => 1,
-			HL          => 1,
-			IDLETIMER   => 1,
-			IPMARK      => 1,
-			LOG         => 1,
-			LOGMARK     => 1,
-			MARK        => 1,
-			MASQUERADE  => 1,
-			MIRROR      => 1,
-			NETMAP      => 1,
-			NFLOG       => 1,
-			NFQUEUE     => 1,
-			NOTRACK     => 1,
-			QUEUE       => 1,
-			RATEEST     => 1,
-			RAWDNAT     => 1,
-			RAWSNAT     => 1,
-			REDIRECT    => 1,
-			REJECT      => 1,
-			RETURN      => 1,
-			SAME        => 1,
-			SECMARK     => 1,
-			SET         => 1,
-			SNAT        => 1,
-			STEAL       => 1,
-			SYSRQ       => 1,
-			TARPIT      => 1,
-			TCPMSS      => 1,
-			TCPOPTSTRIP => 1,
-			TEE         => 1,
-			TOS         => 1,
-			TPROXY      => 1,
-			TRACE       => 1,
-			TTL         => 1,
-			ULOG        => 1,
+our %builtin_target = ( ACCEPT      => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			ACCOUNT     => STANDARD + MANGLE_TABLE,
+			AUDIT       => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			CHAOS       => STANDARD + FILTER_TABLE,
+			CHECKSUM    => STANDARD                            + MANGLE_TABLE,
+			CLASSIFY    => STANDARD                            + MANGLE_TABLE,
+		        CLUSTERIP   => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
+			CONNMARK    => STANDARD                            + MANGLE_TABLE,
+			CONNSECMARK => STANDARD                            + MANGLE_TABLE,
+			COUNT       => STANDARD + FILTER_TABLE,
+			CT          => STANDARD                                           + RAW_TABLE,
+			DELUDE      => STANDARD + FILTER_TABLE,
+			DHCPMAC     => STANDARD                            + MANGLE_TABLE,
+			DNAT        => STANDARD                + NAT_TABLE,
+			DNETMAP     => STANDARD                + NAT_TABLE,
+			DROP        => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			DSCP        => STANDARD                            + MANGLE_TABLE,
+			ECHO        => STANDARD + FILTER_TABLE,
+			ECN         => STANDARD                            + MANGLE_TABLE,
+			HL          => STANDARD                            + MANGLE_TABLE,
+			IDLETIMER   => STANDARD,
+			IPMARK      => STANDARD                            + MANGLE_TABLE,
+			LOG         => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			LOGMARK     => STANDARD                            + MANGLE_TABLE,
+			MARK        => STANDARD + FILTER_TABLE             + MANGLE_TABLE,
+			MASQUERADE  => STANDARD                + NAT_TABLE,
+			MIRROR      => STANDARD + FILTER_TABLE,
+			NETMAP      => STANDARD                + NAT_TABLE,,
+			NFLOG       => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
+			NFQUEUE     => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			NOTRACK     => STANDARD                                           + RAW_TABLE,
+			QUEUE       => STANDARD + FILTER_TABLE,
+			RATEEST     => STANDARD                            + MANGLE_TABLE,
+			RAWDNAT     => STANDARD                                           + RAW_TABLE,
+			RAWSNAT     => STANDARD                                           + RAW_TABLE,
+			REDIRECT    => STANDARD                + NAT_TABLE,
+			REJECT      => STANDARD + FILTER_TABLE,
+			RETURN      => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
+			SAME        => STANDARD,
+			SECMARK     => STANDARD                            + MANGLE_TABLE,
+			SET         => STANDARD                            + MANGLE_TABLE + RAW_TABLE,
+			SNAT        => STANDARD                + NAT_TABLE,
+			STEAL       => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			SYSRQ       => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			TARPIT      => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			TCPMSS      => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			TCPOPTSTRIP => STANDARD                            + MANGLE_TABLE,
+			TEE         => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+			TOS         => STANDARD                            + MANGLE_TABLE,
+			TPROXY      => STANDARD                            + MANGLE_TABLE,
+			TRACE       => STANDARD                                           + RAW_TABLE,
+			TTL         => STANDARD                            + MANGLE_TABLE,
+			ULOG        => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
 		        );
 
 our %ipset_exists;
@@ -8462,8 +8471,8 @@ sub get_target_param1( $ ) {
     }
 }
 
-sub handle_inline( $$$$ ) {
-    my ( $action, $basictarget, $param, $loglevel ) = @_;
+sub handle_inline( $$$$$$ ) {
+    my ( $table, $tablename, $action, $basictarget, $param, $loglevel ) = @_;
     my $inline_matches = get_inline_matches(1);
     my $raw_matches = '';
 
@@ -8471,7 +8480,9 @@ sub handle_inline( $$$$ ) {
 	$raw_matches .= $1 if supplied $1;
 	$action = $2;
 	my ( $target ) = split ' ', $action;
-	fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK';
+	my $target_type = $builtin_target{$target};
+	fatal_error "Unknown jump target ($action)" unless $target_type;
+	fatal_error "The $target TARGET is not allowed in the $tablename table" unless $target_type & $table;
 	fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
     } else {
 	$raw_matches .= $inline_matches;

Shorewall/Perl/Shorewall/Rules.pm

@@ -1735,6 +1735,10 @@ sub process_actions() {
 	    my $noinline = 0;
 	    my $nolog    = ( $type == INLINE ) || 0;
 	    my $builtin  = 0;
+	    my $raw      = 0;
+	    my $mangle   = 0;
+	    my $filter   = 0;
+	    my $nat      = 0;
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1753,6 +1757,14 @@ sub process_actions() {
 			$nolog = 1;
 		    } elsif ( $_ eq 'builtin' ) {
 			$builtin = 1;
+		    } elsif ( $_ eq 'mangle' ) {
+			$mangle = 1;
+		    } elsif ( $_ eq 'raw' ) {
+			$raw = 1;
+		    } elsif ( $_ eq 'filter' ) {
+			$filter = 1;
+		    } elsif ( $_ eq 'nat' ) {
+			$nat = 1;
 		    } else {
 			fatal_error "Invalid option ($_)";
 		    }
@@ -1777,9 +1789,18 @@ sub process_actions() {
 	    }
 
 	    if ( $builtin ) {
-		$targets{$action}         = USERBUILTIN + OPTIONS;
-		$builtin_target{$action}  = 1;
+		my $actiontype            = USERBUILTIN | OPTIONS;
+		$actiontype              |= MANGLE_TABLE if $mangle;
+		$actiontype              |= RAW_TABLE    if $raw;
+		$actiontype              |= NAT_TABLE    if $nat;
+		#
+		# For backward compatibility, we assume that user-defined builtins are valid in the filter table
+		#
+		$actiontype              |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
+		$builtin_target{$action}  = $actiontype;
+		$targets{$action}         = $actiontype;
 	    } else {
+		fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 		new_action $action, $type, $noinline, $nolog;
 
 		my $actionfile = find_file( "action.$action" );
@@ -2168,7 +2189,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
     $param = '' unless defined $param;
 
     if ( $basictarget eq 'INLINE' ) {
-	( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( $action, $basictarget, $param, $loglevel );
+	( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
     } elsif ( $config{INLINE_MATCHES} ) {
 	$raw_matches = get_inline_matches(0);
     }
@@ -2326,7 +2347,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
 		      my ( $tgt, $options ) = split / /, $param;
-		      fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		      my $target_type = $builtin_target{$tgt};
+		      fatal_error "Unknown target ($tgt)" unless $target_type;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';
@@ -2337,7 +2360,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 		  if ( $param ) {
 		      fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
 		      my ( $tgt, $options ) = split / /, $param;
-		      fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		      my $target_type = $builtin_target{$tgt};
+		      fatal_error "Unknown target ($tgt)" unless $target_type;
+		      fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 		      $action = $param;
 		  } else {
 		      $action = '';

Shorewall/Perl/Shorewall/Tc.pm

@@ -471,7 +471,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
 		my ( $tgt,  $options ) = split( ' ', $params );
-		fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		my $target_type = $builtin_target{$tgt};
+		fatal_error "Unknown target ($tgt)" unless $target_type;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless 
 		$target = $params;
 	    },
 	},
@@ -484,7 +487,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    function       => sub () {
 		fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
 		my ( $tgt,  $options ) = split( ' ', $params );
-		fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+		my $target_type = $builtin_target{$tgt};
+		fatal_error "Unknown target ($tgt)" unless $target_type;
+		fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
 		$target = $params;
 	    },
 	},
@@ -681,7 +686,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
     fatal_error "Invalid ACTION ($cmd)" unless $commandref;
 
     if ( $cmd eq 'INLINE' ) {
-	( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( $action, $cmd, $params, '' );
+	( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
     } elsif ( $config{INLINE_MATCHES} ) {
 	$raw_matches = get_inline_matches(0);
     }