From 11e61ec6e5d68bc0eab09aa0c430e21e6ab81310 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 31 Dec 2013 08:22:58 -0800
Subject: [PATCH] Add chain information to the builtin_target table.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 123 ++++++++++++++++-------------
 Shorewall/Perl/Shorewall/Rules.pm | 35 ++++++--
 Shorewall/Perl/Shorewall/Tc.pm | 11 ++-
 3 files changed, 105 insertions(+), 64 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 17c2a1890..3ad0400de 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -108,6 +108,10 @@ our @EXPORT = ( qw(
 INLINERULE
 OPTIONS
 IPTABLES
+ FILTER_TABLE
+ NAT_TABLE
+ MANGLE_TABLE
+ RAW_TABLE
 
 %chain_table
 %targets
@@ -419,6 +423,11 @@ use constant { STANDARD => 0x1, #defined by Netfilter
 INLINERULE => 0x40000, #INLINE
 OPTIONS => 0x80000, #Target Accepts Options
 IPTABLES => 0x100000, #IPTABLES or IP6TABLES
+
+ FILTER_TABLE => 0x1000000,
+ MANGLE_TABLE => 0x2000000,
+ RAW_TABLE => 0x4000000,
+ NAT_TABLE => 0x8000000,
 };
 #
 # Valid Targets -- value is a combination of one or more of the above
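Review bot: The four new table constants in the `use constant` block carry no trailing comment, while every neighbouring entry (`INLINERULE`, `OPTIONS`, `IPTABLES`) documents what its bit means. Adding `FILTER_TABLE => 0x1000000, #Target is valid in the filter table` (and the equivalent for MANGLE, RAW and NAT) keeps the table self-describing, and a one-line comment above the group saying that these bits are tested against a target's `%builtin_target` entry would make the relationship explicit. The values also jump from 0x100000 to 0x1000000, leaving 0x200000 to 0x800000 unused; if that gap is deliberately reserved, the comment should say so.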
@@ -525,59 +534,59 @@ our $family;
 #
 # These are the current builtin targets
 #
-our %builtin_target = ( ACCEPT => 1,
- ACCOUNT => 1,
- AUDIT => 1,
- CHAOS => 1,
- CHECKSUM => 1,
- CLASSIFY => 1,
- CLUSTERIP => 1,
- CONNMARK => 1,
- CONNSECMARK => 1,
- COUNT => 1,
- CT => 1,
- DELUDE => 1,
- DHCPMAC => 1,
- DNAT => 1,
- DNETMAP => 1,
- DROP => 1,
- DSCP => 1,
- ECHO => 1,
- ECN => 1,
- HL => 1,
- IDLETIMER => 1,
- IPMARK => 1,
- LOG => 1,
- LOGMARK => 1,
- MARK => 1,
- MASQUERADE => 1,
- MIRROR => 1,
- NETMAP => 1,
- NFLOG => 1,
- NFQUEUE => 1,
- NOTRACK => 1,
- QUEUE => 1,
- RATEEST => 1,
- RAWDNAT => 1,
- RAWSNAT => 1,
- REDIRECT => 1,
- REJECT => 1,
- RETURN => 1,
- SAME => 1,
- SECMARK => 1,
- SET => 1,
- SNAT => 1,
- STEAL => 1,
- SYSRQ => 1,
- TARPIT => 1,
- TCPMSS => 1,
- TCPOPTSTRIP => 1,
- TEE => 1,
- TOS => 1,
- TPROXY => 1,
- TRACE => 1,
- TTL => 1,
- ULOG => 1,
+our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ ACCOUNT => STANDARD + MANGLE_TABLE,
+ AUDIT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ CHAOS => STANDARD + FILTER_TABLE,
+ CHECKSUM => STANDARD + MANGLE_TABLE,
+ CLASSIFY => STANDARD + MANGLE_TABLE,
+ CLUSTERIP => STANDARD + MANGLE_TABLE + RAW_TABLE,
+ CONNMARK => STANDARD + MANGLE_TABLE,
+ CONNSECMARK => STANDARD + MANGLE_TABLE,
+ COUNT => STANDARD + FILTER_TABLE,
+ CT => STANDARD + RAW_TABLE,
+ DELUDE => STANDARD + FILTER_TABLE,
+ DHCPMAC => STANDARD + MANGLE_TABLE,
+ DNAT => STANDARD + NAT_TABLE,
+ DNETMAP => STANDARD + NAT_TABLE,
+ DROP => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ DSCP => STANDARD + MANGLE_TABLE,
+ ECHO => STANDARD + FILTER_TABLE,
+ ECN => STANDARD + MANGLE_TABLE,
+ HL => STANDARD + MANGLE_TABLE,
+ IDLETIMER => STANDARD,
+ IPMARK => STANDARD + MANGLE_TABLE,
+ LOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ LOGMARK => STANDARD + MANGLE_TABLE,
+ MARK => STANDARD + FILTER_TABLE + MANGLE_TABLE,
+ MASQUERADE => STANDARD + NAT_TABLE,
+ MIRROR => STANDARD + FILTER_TABLE,
+ NETMAP => STANDARD + NAT_TABLE,,
+ NFLOG => STANDARD + MANGLE_TABLE + RAW_TABLE,
+ NFQUEUE => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ NOTRACK => STANDARD + RAW_TABLE,
+ QUEUE => STANDARD + FILTER_TABLE,
+ RATEEST => STANDARD + MANGLE_TABLE,
+ RAWDNAT => STANDARD + RAW_TABLE,
+ RAWSNAT => STANDARD + RAW_TABLE,
+ REDIRECT => STANDARD + NAT_TABLE,
+ REJECT => STANDARD + FILTER_TABLE,
+ RETURN => STANDARD + MANGLE_TABLE + RAW_TABLE,
+ SAME => STANDARD,
+ SECMARK => STANDARD + MANGLE_TABLE,
+ SET => STANDARD + MANGLE_TABLE + RAW_TABLE,
+ SNAT => STANDARD + NAT_TABLE,
+ STEAL => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ SYSRQ => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ TARPIT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ TCPMSS => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ TCPOPTSTRIP => STANDARD + MANGLE_TABLE,
+ TEE => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
+ TOS => STANDARD + MANGLE_TABLE,
+ TPROXY => STANDARD + MANGLE_TABLE,
+ TRACE => STANDARD + RAW_TABLE,
+ TTL => STANDARD + MANGLE_TABLE,
+ ULOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
 );
 
 our %ipset_exists;
@@ -8462,8 +8471,8 @@ sub get_target_param1( $ ) {
 }
 }
 
-sub handle_inline( $$$$ ) {
- my ( $action, $basictarget, $param, $loglevel ) = @_;
+sub handle_inline( $$$$$$ ) {
+ my ( $table, $tablename, $action, $basictarget, $param, $loglevel ) = @_;
 my $inline_matches = get_inline_matches(1);
 my $raw_matches = '';
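Review bot: `IDLETIMER => STANDARD` and `SAME => STANDARD` carry no `*_TABLE` bit, so every `$target_type & <table>` check this commit adds (handle_inline, and the IPTABLES/IP6TABLES actions in Rules.pm and Tc.pm) will reject those two targets with "not allowed in the ... table" in every table; if they are meant to stay usable they need the table bits they are valid in, and if the omission is deliberate a comment on those two lines should say why. `NETMAP => STANDARD + NAT_TABLE,,` has a doubled comma; Perl's list parser tolerates it, but it reads like a slip and should be `NETMAP => STANDARD + NAT_TABLE,`. The table combines flag bits with `+` while process_actions in Rules.pm uses `|`; `|` is the safer idiom because it cannot silently yield a wrong value should two flags ever overlap, so consider using it here as well.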
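Review bot: handle_inline now takes both the table bit (`$table`) and its display name (`$tablename`), which every caller must keep in agreement; since the name is only used in the error message, deriving it inside the sub from the bit value with a small lookup hash would remove one parameter and one way to pass inconsistent arguments. The prototype change from `( $$$$ )` to `( $$$$$$ )` means any caller not updated in this commit fails at compile time; the two callers visible in this patch (process_rule in Rules.pm and process_mangle_rule1 in Tc.pm) are updated. The body of handle_inline continues beyond this hunk.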
@@ -8471,7 +8480,9 @@ sub handle_inline( $$$$ ) {
 $raw_matches .= $1 if supplied $1;
 $action = $2;
 my ( $target ) = split ' ', $action;
- fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK';
+ my $target_type = $builtin_target{$target};
+ fatal_error "Unknown jump target ($action)" unless $target_type;
+ fatal_error "The $target TARGET is not allowed in the $tablename table" unless $target_type & $table;
 fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
 } else {
 $raw_matches .= $inline_matches;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index f609483ee..fd3270957 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1735,6 +1735,10 @@ sub process_actions() {
 my $noinline = 0;
 my $nolog = ( $type == INLINE ) || 0;
 my $builtin = 0;
+ my $raw = 0;
+ my $mangle = 0;
+ my $filter = 0;
+ my $nat = 0;
 
 if ( $action =~ /:/ ) {
 warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1753,6 +1757,14 @@ sub process_actions() {
 $nolog = 1;
 } elsif ( $_ eq 'builtin' ) {
 $builtin = 1;
+ } elsif ( $_ eq 'mangle' ) {
+ $mangle = 1;
+ } elsif ( $_ eq 'raw' ) {
+ $raw = 1;
+ } elsif ( $_ eq 'filter' ) {
+ $filter = 1;
+ } elsif ( $_ eq 'nat' ) {
+ $nat = 1;
 } else {
 fatal_error "Invalid option ($_)";
 }
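Review bot: The replaced check accepted any `-j` target present in `%targets` (plus the MARK special case), while the new code consults only `%builtin_target`, so a target that lives in `%targets` but not in `%builtin_target` is now rejected by INLINE rules with "Unknown jump target". In this patch only actions declared with the `builtin` option are added to `%builtin_target` (process_actions in Rules.pm), so if non-builtin targets were previously legitimate here this is a behaviour change the commit message does not mention; if it is intended, a comment such as `# Only builtin targets may be jumped to from the free-form area` above the lookup would record that. handle_inline begins before this hunk and continues after it.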
@@ -1777,9 +1789,18 @@ sub process_actions() {
 }
 
 if ( $builtin ) {
- $targets{$action} = USERBUILTIN + OPTIONS;
- $builtin_target{$action} = 1;
+ my $actiontype = USERBUILTIN | OPTIONS;
+ $actiontype |= MANGLE_TABLE if $mangle;
+ $actiontype |= RAW_TABLE if $raw;
+ $actiontype |= NAT_TABLE if $nat;
+ #
+ # For backward compatibility, we assume that user-defined builtins are valid in the filter table
+ #
+ $actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
+ $builtin_target{$action} = $actiontype;
+ $targets{$action} = $actiontype;
 } else {
+ fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
 new_action $action, $type, $noinline, $nolog;
 
 my $actionfile = find_file( "action.$action" );
@@ -2168,7 +2189,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 $param = '' unless defined $param;
 
 if ( $basictarget eq 'INLINE' ) {
- ( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( $action, $basictarget, $param, $loglevel );
+ ( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
 } elsif ( $config{INLINE_MATCHES} ) {
 $raw_matches = get_inline_matches(0);
 }
@@ -2326,7 +2347,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 if ( $param ) {
 fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
 my ( $tgt, $options ) = split / /, $param;
- fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+ my $target_type = $builtin_target{$tgt};
+ fatal_error "Unknown target ($tgt)" unless $target_type;
+ fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 $action = $param;
 } else {
 $action = '';
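Review bot: The new error message `"The $tgt TARGET is now allowed in the filter table"` in the IPTABLES branch says the opposite of what the check enforces; it should read `"The $tgt TARGET is not allowed in the filter table"`, matching the wording used in handle_inline and in Tc.pm. The same typo appears in the IP6TABLES branch in the following hunk (`@@ -2337,7 +2360,9 @@`). process_rule begins before this hunk and continues after it.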
@@ -2337,7 +2360,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
 if ( $param ) {
 fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
 my ( $tgt, $options ) = split / /, $param;
- fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+ my $target_type = $builtin_target{$tgt};
+ fatal_error "Unknown target ($tgt)" unless $target_type;
+ fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
 $action = $param;
 } else {
 $action = '';
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index f9842b111..a16adc6a6 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -471,7 +471,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 function => sub () {
 fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
 my ( $tgt, $options ) = split( ' ', $params );
- fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+ my $target_type = $builtin_target{$tgt};
+ fatal_error "Unknown target ($tgt)" unless $target_type;
+ fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
+ fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target = $params;
 },
 },
@@ -484,7 +487,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 function => sub () {
 fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
 my ( $tgt, $options ) = split( ' ', $params );
- fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
+ my $target_type = $builtin_target{$tgt};
+ fatal_error "Unknown target ($tgt)" unless $target_type;
+ fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
 $target = $params;
 },
 },
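Review bot: In the IPTABLES action of process_mangle_rule1, the fourth added line as rendered here, `fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target = $params;`, turns the assignment of `$target` into the condition of a second, duplicated error check: it dies with a misleading "not allowed" message whenever `$params` is empty or "0", and it repeats the message of the line above it. The IP6TABLES action in the next hunk keeps the plain `$target = $params;`, so this branch should be the same: drop the `fatal_error ... unless` prefix and leave `$target = $params;`. Whether the extra line was meant as a second check or is a copy-and-paste remnant cannot be told from the hunk; either way the assignment must not depend on it.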
@@ -681,7 +686,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 fatal_error "Invalid ACTION ($cmd)" unless $commandref;
 
 if ( $cmd eq 'INLINE' ) {
- ( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( $action, $cmd, $params, '' );
+ ( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
 } elsif ( $config{INLINE_MATCHES} ) {
 $raw_matches = get_inline_matches(0);
 }