Add chain information to the builtin_target table.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
5985a6e9b3
commit
11e61ec6e5
@ -108,6 +108,10 @@ our @EXPORT = ( qw(
|
|||||||
INLINERULE
|
INLINERULE
|
||||||
OPTIONS
|
OPTIONS
|
||||||
IPTABLES
|
IPTABLES
|
||||||
|
FILTER_TABLE
|
||||||
|
NAT_TABLE
|
||||||
|
MANGLE_TABLE
|
||||||
|
RAW_TABLE
|
||||||
|
|
||||||
%chain_table
|
%chain_table
|
||||||
%targets
|
%targets
|
||||||
@ -419,6 +423,11 @@ use constant { STANDARD => 0x1, #defined by Netfilter
|
|||||||
INLINERULE => 0x40000, #INLINE
|
INLINERULE => 0x40000, #INLINE
|
||||||
OPTIONS => 0x80000, #Target Accepts Options
|
OPTIONS => 0x80000, #Target Accepts Options
|
||||||
IPTABLES => 0x100000, #IPTABLES or IP6TABLES
|
IPTABLES => 0x100000, #IPTABLES or IP6TABLES
|
||||||
|
|
||||||
|
FILTER_TABLE => 0x1000000,
|
||||||
|
MANGLE_TABLE => 0x2000000,
|
||||||
|
RAW_TABLE => 0x4000000,
|
||||||
|
NAT_TABLE => 0x8000000,
|
||||||
};
|
};
|
||||||
#
|
#
|
||||||
# Valid Targets -- value is a combination of one or more of the above
|
# Valid Targets -- value is a combination of one or more of the above
|
||||||
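Review bot: The four new constants `FILTER_TABLE`, `MANGLE_TABLE`, `RAW_TABLE` and `NAT_TABLE` are the only entries in this `use constant` block without a trailing comment, while their neighbours carry one (`#INLINE`, `#Target Accepts Options`). A one-line header above the group, `# Tables in which a target may be used (bit mask, tested with & in the table checks)`, plus a short trailer per line would keep the block self-describing. The jump from 0x100000 to 0x1000000 leaves 0x200000..0x800000 unused, which looks deliberate but is worth stating in that comment. The constant block begins outside the hunk.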
@ -525,59 +534,59 @@ our $family;
|
|||||||
#
|
#
|
||||||
# These are the current builtin targets
|
# These are the current builtin targets
|
||||||
#
|
#
|
||||||
our %builtin_target = ( ACCEPT => 1,
|
our %builtin_target = ( ACCEPT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
ACCOUNT => 1,
|
ACCOUNT => STANDARD + MANGLE_TABLE,
|
||||||
AUDIT => 1,
|
AUDIT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
CHAOS => 1,
|
CHAOS => STANDARD + FILTER_TABLE,
|
||||||
CHECKSUM => 1,
|
CHECKSUM => STANDARD + MANGLE_TABLE,
|
||||||
CLASSIFY => 1,
|
CLASSIFY => STANDARD + MANGLE_TABLE,
|
||||||
CLUSTERIP => 1,
|
CLUSTERIP => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||||
CONNMARK => 1,
|
CONNMARK => STANDARD + MANGLE_TABLE,
|
||||||
CONNSECMARK => 1,
|
CONNSECMARK => STANDARD + MANGLE_TABLE,
|
||||||
COUNT => 1,
|
COUNT => STANDARD + FILTER_TABLE,
|
||||||
CT => 1,
|
CT => STANDARD + RAW_TABLE,
|
||||||
DELUDE => 1,
|
DELUDE => STANDARD + FILTER_TABLE,
|
||||||
DHCPMAC => 1,
|
DHCPMAC => STANDARD + MANGLE_TABLE,
|
||||||
DNAT => 1,
|
DNAT => STANDARD + NAT_TABLE,
|
||||||
DNETMAP => 1,
|
DNETMAP => STANDARD + NAT_TABLE,
|
||||||
DROP => 1,
|
DROP => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
DSCP => 1,
|
DSCP => STANDARD + MANGLE_TABLE,
|
||||||
ECHO => 1,
|
ECHO => STANDARD + FILTER_TABLE,
|
||||||
ECN => 1,
|
ECN => STANDARD + MANGLE_TABLE,
|
||||||
HL => 1,
|
HL => STANDARD + MANGLE_TABLE,
|
||||||
IDLETIMER => 1,
|
IDLETIMER => STANDARD,
|
||||||
IPMARK => 1,
|
IPMARK => STANDARD + MANGLE_TABLE,
|
||||||
LOG => 1,
|
LOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
LOGMARK => 1,
|
LOGMARK => STANDARD + MANGLE_TABLE,
|
||||||
MARK => 1,
|
MARK => STANDARD + FILTER_TABLE + MANGLE_TABLE,
|
||||||
MASQUERADE => 1,
|
MASQUERADE => STANDARD + NAT_TABLE,
|
||||||
MIRROR => 1,
|
MIRROR => STANDARD + FILTER_TABLE,
|
||||||
NETMAP => 1,
|
NETMAP => STANDARD + NAT_TABLE,,
|
||||||
NFLOG => 1,
|
NFLOG => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||||
NFQUEUE => 1,
|
NFQUEUE => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
NOTRACK => 1,
|
NOTRACK => STANDARD + RAW_TABLE,
|
||||||
QUEUE => 1,
|
QUEUE => STANDARD + FILTER_TABLE,
|
||||||
RATEEST => 1,
|
RATEEST => STANDARD + MANGLE_TABLE,
|
||||||
RAWDNAT => 1,
|
RAWDNAT => STANDARD + RAW_TABLE,
|
||||||
RAWSNAT => 1,
|
RAWSNAT => STANDARD + RAW_TABLE,
|
||||||
REDIRECT => 1,
|
REDIRECT => STANDARD + NAT_TABLE,
|
||||||
REJECT => 1,
|
REJECT => STANDARD + FILTER_TABLE,
|
||||||
RETURN => 1,
|
RETURN => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||||
SAME => 1,
|
SAME => STANDARD,
|
||||||
SECMARK => 1,
|
SECMARK => STANDARD + MANGLE_TABLE,
|
||||||
SET => 1,
|
SET => STANDARD + MANGLE_TABLE + RAW_TABLE,
|
||||||
SNAT => 1,
|
SNAT => STANDARD + NAT_TABLE,
|
||||||
STEAL => 1,
|
STEAL => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
SYSRQ => 1,
|
SYSRQ => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
TARPIT => 1,
|
TARPIT => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
TCPMSS => 1,
|
TCPMSS => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
TCPOPTSTRIP => 1,
|
TCPOPTSTRIP => STANDARD + MANGLE_TABLE,
|
||||||
TEE => 1,
|
TEE => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
TOS => 1,
|
TOS => STANDARD + MANGLE_TABLE,
|
||||||
TPROXY => 1,
|
TPROXY => STANDARD + MANGLE_TABLE,
|
||||||
TRACE => 1,
|
TRACE => STANDARD + RAW_TABLE,
|
||||||
TTL => 1,
|
TTL => STANDARD + MANGLE_TABLE,
|
||||||
ULOG => 1,
|
ULOG => STANDARD + FILTER_TABLE + NAT_TABLE + MANGLE_TABLE + RAW_TABLE,
|
||||||
);
|
);
|
||||||
|
|
||||||
our %ipset_exists;
|
our %ipset_exists;
|
||||||
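Review bot: `NETMAP => STANDARD + NAT_TABLE,,` carries a stray second comma; Perl tolerates the empty list element, but it should read `NETMAP => STANDARD + NAT_TABLE,`. The table bits are combined with `+` throughout this table while process_actions in the same commit builds the same kind of value with `|`; since every value is a bit mask consumed with `&`, `|` states the intent and cannot double-count a bit if a constant is ever repeated in one expression. Note also that `IDLETIMER => STANDARD` and `SAME => STANDARD` carry no table bit, so the new `$target_type & $table` checks will reject those two targets in every table; if that is intentional, a trailing comment saying so would stop the next reader from treating it as an omission.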
@ -8462,8 +8471,8 @@ sub get_target_param1( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sub handle_inline( $$$$ ) {
|
sub handle_inline( $$$$$$ ) {
|
||||||
my ( $action, $basictarget, $param, $loglevel ) = @_;
|
my ( $table, $tablename, $action, $basictarget, $param, $loglevel ) = @_;
|
||||||
my $inline_matches = get_inline_matches(1);
|
my $inline_matches = get_inline_matches(1);
|
||||||
my $raw_matches = '';
|
my $raw_matches = '';
|
||||||
|
|
||||||
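Review bot: The new `$table` and `$tablename` parameters of handle_inline describe the same thing twice, and both call sites in this commit (`FILTER_TABLE, 'filter'` in process_rule and `MANGLE_TABLE, 'mangle'` in process_mangle_rule1) have to keep the pair in step by hand. A comment above the sub listing the arguments — the mask drives the validity check, the name appears only in the error message — would help; alternatively, passing just the mask and deriving the name from a small lookup hash removes the chance of a mismatch. The sub's body continues outside the hunk.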
@ -8471,7 +8480,9 @@ sub handle_inline( $$$$ ) {
|
|||||||
$raw_matches .= $1 if supplied $1;
|
$raw_matches .= $1 if supplied $1;
|
||||||
$action = $2;
|
$action = $2;
|
||||||
my ( $target ) = split ' ', $action;
|
my ( $target ) = split ' ', $action;
|
||||||
fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK';
|
my $target_type = $builtin_target{$target};
|
||||||
|
fatal_error "Unknown jump target ($action)" unless $target_type;
|
||||||
|
fatal_error "The $target TARGET is not allowed in the $tablename table" unless $target_type & $table;
|
||||||
fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
|
fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
|
||||||
} else {
|
} else {
|
||||||
$raw_matches .= $inline_matches;
|
$raw_matches .= $inline_matches;
|
||||||
|
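Review bot: The lookup `my $target_type = $builtin_target{$target};` narrows the accepted free-form `-j` targets from anything registered in `%targets` (plus the `MARK` special case) to builtin targets only, so a `-j` to a target that the old `$targets{$target}` check accepted is now reported as an unknown jump target. If that tightening is intended it deserves a sentence in the commit message; otherwise the `%targets` fallback should be kept alongside the new table check, e.g. by consulting `$targets{$target}` when `$builtin_target{$target}` is undefined. The enclosing `if`/`else` and the regex that sets `$1`/`$2` start outside the hunk.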
@ -1735,6 +1735,10 @@ sub process_actions() {
|
|||||||
my $noinline = 0;
|
my $noinline = 0;
|
||||||
my $nolog = ( $type == INLINE ) || 0;
|
my $nolog = ( $type == INLINE ) || 0;
|
||||||
my $builtin = 0;
|
my $builtin = 0;
|
||||||
|
my $raw = 0;
|
||||||
|
my $mangle = 0;
|
||||||
|
my $filter = 0;
|
||||||
|
my $nat = 0;
|
||||||
|
|
||||||
if ( $action =~ /:/ ) {
|
if ( $action =~ /:/ ) {
|
||||||
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
|
||||||
@ -1753,6 +1757,14 @@ sub process_actions() {
|
|||||||
$nolog = 1;
|
$nolog = 1;
|
||||||
} elsif ( $_ eq 'builtin' ) {
|
} elsif ( $_ eq 'builtin' ) {
|
||||||
$builtin = 1;
|
$builtin = 1;
|
||||||
|
} elsif ( $_ eq 'mangle' ) {
|
||||||
|
$mangle = 1;
|
||||||
|
} elsif ( $_ eq 'raw' ) {
|
||||||
|
$raw = 1;
|
||||||
|
} elsif ( $_ eq 'filter' ) {
|
||||||
|
$filter = 1;
|
||||||
|
} elsif ( $_ eq 'nat' ) {
|
||||||
|
$nat = 1;
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid option ($_)";
|
fatal_error "Invalid option ($_)";
|
||||||
}
|
}
|
||||||
@ -1777,9 +1789,18 @@ sub process_actions() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $builtin ) {
|
if ( $builtin ) {
|
||||||
$targets{$action} = USERBUILTIN + OPTIONS;
|
my $actiontype = USERBUILTIN | OPTIONS;
|
||||||
$builtin_target{$action} = 1;
|
$actiontype |= MANGLE_TABLE if $mangle;
|
||||||
|
$actiontype |= RAW_TABLE if $raw;
|
||||||
|
$actiontype |= NAT_TABLE if $nat;
|
||||||
|
#
|
||||||
|
# For backward compatibility, we assume that user-defined builtins are valid in the filter table
|
||||||
|
#
|
||||||
|
$actiontype |= FILTER_TABLE if $filter || ! ($mangle || $raw || $nat);
|
||||||
|
$builtin_target{$action} = $actiontype;
|
||||||
|
$targets{$action} = $actiontype;
|
||||||
} else {
|
} else {
|
||||||
|
fatal_error "Table names are only allowed for builtin actions" if $mangle || $raw || $nat || $filter;
|
||||||
new_action $action, $type, $noinline, $nolog;
|
new_action $action, $type, $noinline, $nolog;
|
||||||
|
|
||||||
my $actionfile = find_file( "action.$action" );
|
my $actionfile = find_file( "action.$action" );
|
||||||
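Review bot: The four `$mangle`/`$raw`/`$filter`/`$nat` flags introduced in the two earlier process_actions hunks exist only to be folded back into `$actiontype` here; accumulating a single `my $tables = 0;` in the option loop (`$tables |= MANGLE_TABLE;` and so on) and then `$actiontype |= $tables || FILTER_TABLE;` would express the backward-compatibility default in one place, and the guard in the `else` branch would become `if $tables`. This is a style point; the behaviour of the current code looks correct, including the filter-table default when no table option is given. process_actions continues outside the hunk.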
@ -2168,7 +2189,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$param = '' unless defined $param;
|
$param = '' unless defined $param;
|
||||||
|
|
||||||
if ( $basictarget eq 'INLINE' ) {
|
if ( $basictarget eq 'INLINE' ) {
|
||||||
( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( $action, $basictarget, $param, $loglevel );
|
( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( FILTER_TABLE, 'filter', $action, $basictarget, $param, $loglevel );
|
||||||
} elsif ( $config{INLINE_MATCHES} ) {
|
} elsif ( $config{INLINE_MATCHES} ) {
|
||||||
$raw_matches = get_inline_matches(0);
|
$raw_matches = get_inline_matches(0);
|
||||||
}
|
}
|
||||||
@ -2326,7 +2347,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
if ( $param ) {
|
if ( $param ) {
|
||||||
fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
|
fatal_error "Unknown ACTION (IPTABLES)" unless $family == F_IPV4;
|
||||||
my ( $tgt, $options ) = split / /, $param;
|
my ( $tgt, $options ) = split / /, $param;
|
||||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
my $target_type = $builtin_target{$tgt};
|
||||||
|
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||||
|
fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||||
$action = $param;
|
$action = $param;
|
||||||
} else {
|
} else {
|
||||||
$action = '';
|
$action = '';
|
||||||
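Review bot: The message in `fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;` says the opposite of the condition that raises it; it should read `"The $tgt TARGET is not allowed in the filter table"`, matching the wording used in handle_inline and process_mangle_rule1. The IP6TABLES branch in the next hunk has the same typo. As in handle_inline, dropping the `$targets{$tgt} ||` fallback means targets registered only in `%targets` are now rejected here, which may be intended but is not mentioned in the commit message. The enclosing `if ( $param )` block is inside process_rule, whose body starts outside the hunk.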
@ -2337,7 +2360,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
if ( $param ) {
|
if ( $param ) {
|
||||||
fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
|
fatal_error "Unknown ACTION (IP6TABLES)" unless $family == F_IPV6;
|
||||||
my ( $tgt, $options ) = split / /, $param;
|
my ( $tgt, $options ) = split / /, $param;
|
||||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
my $target_type = $builtin_target{$tgt};
|
||||||
|
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||||
|
fatal_error "The $tgt TARGET is now allowed in the filter table" unless $target_type & FILTER_TABLE;
|
||||||
$action = $param;
|
$action = $param;
|
||||||
} else {
|
} else {
|
||||||
$action = '';
|
$action = '';
|
||||||
|
@ -471,7 +471,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
function => sub () {
|
function => sub () {
|
||||||
fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
|
fatal_error "Invalid ACTION (IPTABLES)" unless $family == F_IPV4;
|
||||||
my ( $tgt, $options ) = split( ' ', $params );
|
my ( $tgt, $options ) = split( ' ', $params );
|
||||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
my $target_type = $builtin_target{$tgt};
|
||||||
|
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||||
|
fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
|
||||||
|
fatal_error "The $tgt TARGET is not allowed in the mangle table" unless
|
||||||
$target = $params;
|
$target = $params;
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
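Review bot: The added line `fatal_error "The $tgt TARGET is not allowed in the mangle table" unless` that follows the complete check is a leftover fragment with no condition of its own; because a newline is just whitespace, Perl joins it with the next statement and parses `fatal_error "..." unless $target = $params;`, turning the assignment into the guard's condition and raising a misleading error whenever `$params` is false (an earlier check probably catches the empty case, but the parse is still wrong). Delete that line so `$target = $params;` stands on its own, as it does in the IP6TABLES branch in the next hunk. The surrounding dispatch-table entry belongs to process_mangle_rule1, which starts outside the hunk.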
@ -484,7 +487,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
function => sub () {
|
function => sub () {
|
||||||
fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
|
fatal_error "Invalid ACTION (IP6TABLES)" unless $family == F_IPV6;
|
||||||
my ( $tgt, $options ) = split( ' ', $params );
|
my ( $tgt, $options ) = split( ' ', $params );
|
||||||
fatal_error "Unknown target ($tgt)" unless $targets{$tgt} || $builtin_target{$tgt};
|
my $target_type = $builtin_target{$tgt};
|
||||||
|
fatal_error "Unknown target ($tgt)" unless $target_type;
|
||||||
|
fatal_error "The $tgt TARGET is not allowed in the mangle table" unless $target_type & MANGLE_TABLE;
|
||||||
$target = $params;
|
$target = $params;
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -681,7 +686,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
|
|||||||
fatal_error "Invalid ACTION ($cmd)" unless $commandref;
|
fatal_error "Invalid ACTION ($cmd)" unless $commandref;
|
||||||
|
|
||||||
if ( $cmd eq 'INLINE' ) {
|
if ( $cmd eq 'INLINE' ) {
|
||||||
( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( $action, $cmd, $params, '' );
|
( $target, $cmd, $params, $junk, $raw_matches ) = handle_inline( MANGLE_TABLE, 'mangle', $action, $cmd, $params, '' );
|
||||||
} elsif ( $config{INLINE_MATCHES} ) {
|
} elsif ( $config{INLINE_MATCHES} ) {
|
||||||
$raw_matches = get_inline_matches(0);
|
$raw_matches = get_inline_matches(0);
|
||||||
}
|
}
|
||||||
|