diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index c0a84d648..c5b56cd51 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -400,47 +400,47 @@ sub setup_accounting() {
     if ( have_bridges || $asection ) {
         if ( $tableref->{accountin} ) {
-            add_jump( $tableref->{INPUT}, 'accountin', 0, '', 0, 0 );
+            insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
         }
         if ( $tableref->{accounting} ) {
             dont_optimize( 'accounting' );
             for my $chain ( qw/INPUT FORWARD/ ) {
-                add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+                insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
             }
         }
         if ( $tableref->{accountfwd} ) {
-            add_jump( $tableref->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+            insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
         }
         if ( $tableref->{accountout} ) {
-            add_jump( $tableref->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+            insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
         }
         if ( $tableref->{accountpre} ) {
-            add_jump( $tableref->{PREROUTING}, 'accountpre', 0, '', 0, 0 );
+            insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
         }
         if ( $tableref->{accountpost} ) {
-            add_jump( $tableref->{POSTROUTING}, 'accountpost', 0, '', 0, 0 );
+            insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
         }
     } elsif ( $tableref->{accounting} ) {
         dont_optimize( 'accounting' );
         for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-            add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+            insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
         }
     }
     if ( $tableref->{accipsecin} ) {
         for my $chain ( qw/INPUT FORWARD/ ) {
-            add_jump( $tableref->{$chain}, 'accipsecin', 0, '', 0, 0 );
+            insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
         }
     }
     if ( $tableref->{accipsecout} ) {
         for my $chain ( qw/FORWARD OUTPUT/ ) {
-            add_jump( $tableref->{$chain}, 'accipsecout', 0, '', 0, 0 );
+            insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
         }
     }
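Review bot: The argument spacing in the accountpre branch, `j => 'accountpre' , 0`, differs from the other nine insert_ijump calls in this hunk, which all write `'name', 0`; `insert_ijump( $tableref->{PREROUTING}, j => 'accountpre', 0 );` keeps them uniform. The rest of the conversion from the six-argument add_jump form is mechanical and consistent across the branches. setup_accounting continues past the end of the hunk.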
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b3c9797c7..1d75159c3 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1809,7 +1809,7 @@ sub insert_ijump( $$$$;@ ) {
 }
 #
-# Delete jumps previously added via add_jump. If the target chain is empty, reset its
+# Delete jumps previously added via add_ijump. If the target chain is empty, reset its
 # referenced flag
 #
 sub delete_jumps ( $$ ) {
@@ -2052,12 +2052,12 @@ sub ensure_audit_chain( $;$$ ) {
     $tgt ||= $action;
-    add_rule $ref, '-j AUDIT --type ' . lc $action;
+    add_irule $ref, j => 'AUDIT --type ' . lc $action;
     if ( $tgt eq 'REJECT' ) {
-        add_jump $ref , 'reject', 1;
+        add_ijump $ref , g => 'reject';
     } else {
-        add_jump $ref , $tgt, 0;
+        add_ijump $ref , j => $tgt;
     }
 }
@@ -2221,7 +2221,7 @@ sub optimize_chain( $ ) {
     pop @$rules, $count++ while @$rules && $rules->[-1]->{target} eq 'ACCEPT';
     if ( @${rules} ) {
-        add_rule $chainref, '-j ACCEPT';
+        add_irule $chainref, j => 'ACCEPT';
         my $type = $chainref->{builtin} ? 'builtin' : 'policy';
         progress_message " $count ACCEPT rules deleted from $type chain $chainref->{name}" if $count;
     } elsif ( $chainref->{builtin} ) {
@@ -2733,8 +2733,8 @@ sub source_exclusion( $$ ) {
     my $chainref = new_chain( $table , newexclusionchain( $table ) );
-    add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $target, 1 );
+    add_irule( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions;
+    add_ijump( $chainref, g => $target );
     reftype $target ? $chainref : $chainref->{name};
 }
@@ -2748,8 +2748,8 @@ sub dest_exclusion( $$ ) {
     my $chainref = new_chain( $table , newexclusionchain( $table ) );
-    add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $target, 1 );
+    add_irule( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions;
+    add_ijump( $chainref, g => $target );
     reftype $target ? $chainref : $chainref->{name};
 }
@@ -3956,13 +3956,13 @@ sub log_rule( $$$$ ) {
 #
 # If the destination chain exists, then at the end of the source chain add a jump to the destination.
 #
-sub addnatjump( $$$ ) {
-    my ( $source , $dest, $matches ) = @_;
+sub addnatjump( $$;@ ) {
+    my ( $source , $dest, @matches ) = @_;
     my $destref = $nat_table->{$dest} || {};
     if ( $destref->{referenced} ) {
-        add_jump $nat_table->{$source} , $dest , 0, $matches;
+        add_ijump $nat_table->{$source} , j => $dest , @matches;
     } else {
         clearrule;
     }
@@ -4766,7 +4766,7 @@ sub expand_rule( $$$$$$$$$$;$ )
     #
     # Clear the exclusion bit
     #
-    add_rule $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
+    add_rule $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
     #
     # Mark packet if it matches any of the exclusions
     #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 60a8b8079..a027755ea 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
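Review bot: The header comment above addnatjump still describes only the source/destination pair, while the new prototype `( $$;@ )` accepts trailing match arguments that are forwarded to add_ijump; the comment should say so, e.g. `# If the destination chain exists, then at the end of the source chain add a jump to the destination. Any further arguments are passed to add_ijump as matches (e.g. imatch_dest_dev( $interface ) from add_interface_jumps in Misc.pm).` The old third parameter was mandatory and callers passed '' to mean "no match"; the Misc.pm hunks of this commit drop that argument, so as far as the diff shows the call sites are consistent with the new signature.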
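Review bot: The line `add_rule $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );` switches to the keyword argument form but keeps calling add_rule, whereas every other keyword-form call in this commit goes to add_irule or add_ijump, and the add_rule calls the commit removes or leaves alone all take a flat rule string. If add_rule keeps that string interface, this call hands it the literal `'j'` as the rule and the MARK target as a trailing argument, so the rule that clears the exclusion bit would not be generated as intended. It looks like `add_irule $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );` was meant; worth confirming against the generated ruleset, since this is the mark handling that exclusion matching depends on. expand_rule starts and ends outside the hunk.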
@@ -1151,17 +1151,17 @@ sub add_interface_jumps {
     # Add Nat jumps
     #
     for my $interface ( @_ ) {
-        addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
+        addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
     }
-    addnatjump 'PREROUTING' , 'nat_in' , '';
-    addnatjump 'POSTROUTING' , 'nat_out' , '';
-    addnatjump 'PREROUTING', 'dnat', '';
+    addnatjump 'PREROUTING' , 'nat_in';
+    addnatjump 'POSTROUTING' , 'nat_out';
+    addnatjump 'PREROUTING', 'dnat';
     for my $interface ( grep $_ ne '%vserver%', @_ ) {
-        addnatjump 'PREROUTING' , input_chain( $interface ) , match_source_dev( $interface );
-        addnatjump 'POSTROUTING' , output_chain( $interface ) , match_dest_dev( $interface );
-        addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
+        addnatjump 'PREROUTING' , input_chain( $interface ) , imatch_source_dev( $interface );
+        addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
+        addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
     }
     #
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
@@ -1501,7 +1501,7 @@ sub generate_matrix() {
     #
     # The jump from the PREROUTING chain to dnat may not have been added above
     #
-    addnatjump 'PREROUTING', 'dnat', '' unless $preroutingref->{references}{PREROUTING};
+    addnatjump 'PREROUTING', 'dnat' unless $preroutingref->{references}{PREROUTING};
     }
     check_optimization( $dnatref ) if @source;
@@ -1839,7 +1839,7 @@ sub setup_mss( ) {
     #
     # Send all forwarded SYN packets to the 'settcpmss' chain
     #
-    add_jump $filter_table->{FORWARD} , $chainref, 0, '-p tcp --tcp-flags SYN,RST SYN ';
+    add_ijump $filter_table->{FORWARD} , j => $chainref, p => 'tcp --tcp-flags SYN,RST SYN';
     my @in_match = ();
     my @out_match = ();
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 2a4dd9c76..aede7c25c 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -413,22 +413,22 @@ sub setup_netmap() {
     for my $interface ( split_list $interfacelist, 'interface' ) {
-        my $rulein = '';
-        my $ruleout = '';
+        my @rulein;
+        my @ruleout;
         my $iface = $interface;
         fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
         unless ( $interfaceref->{root} ) {
-            $rulein = match_source_dev( $interface );
-            $ruleout = match_dest_dev( $interface );
+            @rulein = imatch_source_dev( $interface );
+            @ruleout = imatch_dest_dev( $interface );
             $interface = $interfaceref->{name};
         }
         if ( $type eq 'DNAT' ) {
-            add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+            add_irule ensure_chain( 'nat' , input_chain $interface ) , j => "NETMAP --to $net2", @rulein , imatch_source_net( $net3 ), d => $net1;
         } elsif ( $type eq 'SNAT' ) {
-            add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 ) . "-s $net1 -j NETMAP --to $net2";
+            add_irule ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) , s => $net1;
         } else {
             fatal_error "Invalid type ($type)";
         }
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 199cf2cf2..9d8af17df 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -111,8 +111,6 @@ my %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' ,
                    'tos-normal-service' => '0x00/0x1e' );
 my %classids;
-my @deferred_rules;
 #
 # Perl version of Arn Bernin's 'tc4shorewall'.
 #
@@ -182,7 +180,6 @@ my $family;
 sub initialize( $ ) {
     $family = shift;
     %classids = ();
-    @deferred_rules = ();
     @tcdevices = ();
     %tcdevices = ();
     @tcclasses = ();
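Review bot: The two add_irule calls in the DNAT and SNAT branches of setup_netmap each run well past 140 columns with a chain expression, a jump target and four match arguments on one line, which makes the match order (`@rulein`, `imatch_source_net( $net3 )`, `d => $net1`) hard to verify at a glance; the Tc.pm hunk later in this same commit breaks its insert_irule/add_irule calls one argument per line, and doing the same here would keep the two files in one style. The paren-less `input_chain $interface` nested inside `ensure_chain( ... )` is inherited from the removed lines, but now that the call is being rewritten anyway, `input_chain( $interface )` would remove one precedence question from a long line. The enclosing loop and setup_netmap itself continue outside the hunk.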
@@ -1402,8 +1399,16 @@ sub setup_simple_traffic_shaping() {
     clear_comment;
     if ( $ipp2p ) {
-        insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
-        add_rule $mangle_table->{tcpost} , '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask ' . in_hex( $globals{TC_MASK} );
+        insert_irule( $mangle_table->{tcpost} ,
+                      j => 'CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} ) ,
+                      0 ,
+                      mark => '--mark 0/' . in_hex( $globals{TC_MASK} )
+                    );
+
+        add_irule( $mangle_table->{tcpost} ,
+                   j => 'CONNMARK --save-mark --ctmask ' . in_hex( $globals{TC_MASK} ),
+                   mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
+                 );
     }
 }
 }
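Review bot: `in_hex( $globals{TC_MASK} )` is evaluated four times across the two new calls, once in each CONNMARK target and once in each mark match; hoisting it into a lexical just before the `if ( $ipp2p )`, `my $tc_mask = in_hex( $globals{TC_MASK} );`, and then writing `'--mark 0/' . $tc_mask` and `'CONNMARK --restore-mark --ctmask ' . $tc_mask` would shorten the argument lists and make it visible that the restore and save rules use the same mask. Splitting the calls one argument per line is otherwise a clear improvement over the removed single-line forms. setup_simple_traffic_shaping starts outside the hunk.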
@@ -1687,31 +1692,31 @@ sub setup_tc() {
         ensure_mangle_chain 'tcin';
     }
-    my $mark_part = '';
+    my @mark_part;
     if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-        $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
+        @mark_part = ( mark => '--mark 0/' . in_hex( $globals{PROVIDER_MASK} ) );
         unless ( $config{TRACK_PROVIDERS} ) {
             #
             # This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
             #
             for my $interface ( @routemarked_interfaces ) {
-                add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
+                add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', imatch_source_dev( $interface );
             }
         }
     }
-    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
-    add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part;
+    add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
+    add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part;
     if ( have_capability( 'MANGLE_FORWARD' ) ) {
         my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
-        add_rule( $mangle_table->{FORWARD}, "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
-        add_jump $mangle_table->{FORWARD} , 'tcfor', 0;
-        add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
-        add_jump $mangle_table->{INPUT} , 'tcin' , 0;
+        add_irule $mangle_table->{FORWARD}, j => "MARK --set-mark 0${mask}" if $config{FORWARD_CLEAR_MARK};
+        add_ijump $mangle_table->{FORWARD} , j => 'tcfor';
+        add_ijump $mangle_table->{POSTROUTING} , j => 'tcpost';
+        add_ijump $mangle_table->{INPUT} , j => 'tcin';
     }
 }
@@ -1792,8 +1797,6 @@ sub setup_tc() {
     clear_comment;
 }
-    add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
-
     handle_stickiness( $sticky );
 }
 }