extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Use same paradigm in Chains.pm as used in the other modules

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8943 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-12-08 01:03:50 +00:00
parent e8586bbdb9
commit 21df8634c0
3 changed files with 58 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

115
Shorewall-perl/Shorewall/Chains.pm
View File

@ -43,10 +43,7 @@ our @EXPORT = qw(
ensure_manual_chain ensure_manual_chain
log_rule_limit log_rule_limit
%chain_table $chain_table
%xlatetable
%ipv4tables
%ipv6tables
$nat_table $nat_table
$mangle_table $mangle_table
$filter_table $filter_table
@ -194,20 +191,12 @@ our $VERSION = 4.1.5;
# #
# 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains. # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
# #
our %chain_table; our %chain_table4;
our %chain_table6;
our $chain_table;
our $nat_table; our $nat_table;
our $mangle_table; our $mangle_table;
our $filter_table; our $filter_table;
our %xlatetable = ( raw => 'raw' ,
nat => 'nat' ,
mangle => 'mangle' ,
filter => 'filter' ,
raw6 => 'raw' ,
mangle6 => 'mangle' ,
filter6 => 'filter' );
our @ipv4tables = qw( raw mangle nat filter );
our @ipv6tables = qw( raw6 mangle6 filter6 );
# #
# It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file # It is a layer violation to keep information about the rules file sections in this module but in Shorewall, the rules file
# and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent # and the filter table are very closely tied. By keeping the information here, we avoid making several other modules dependent
@ -269,16 +258,18 @@ our %targets6;
our $targets; our $targets;
sub use_ipv4_chains() { sub use_ipv4_chains() {
$nat_table = $chain_table{nat}; $chain_table = \%chain_table4;
$mangle_table = $chain_table{mangle}; $nat_table = $chain_table->{nat};
$filter_table = $chain_table{filter}; $mangle_table = $chain_table->{mangle};
$filter_table = $chain_table->{filter};
$targets = \%targets4; $targets = \%targets4;
} }
sub use_ipv6_chains() { sub use_ipv6_chains() {
$chain_table = \%chain_table6;
$nat_table = undef; $nat_table = undef;
$mangle_table = $chain_table{mangle6}; $mangle_table = $chain_table->{mangle};
$filter_table = $chain_table{filter6}; $filter_table = $chain_table->{filter};
$targets = \%targets6; $targets = \%targets6;
} }
@ -292,20 +283,13 @@ sub use_ipv6_chains() {
# #
sub initialize() { sub initialize() {
%chain_table = ( raw => {} , %chain_table4 = ( raw => {} ,
mangle => {} , mangle => {} ,
nat => {} , nat => {} ,
filter => {} , filter => {} );
raw6 => {} , %chain_table6 = ( raw => {} ,
filter6 => {} ); mangle => {} ,
filter => {} );
$chain_table{raw}{__NAME__} = 'raw';
$chain_table{mangle}{__NAME__} = 'mangle';
$chain_table{nat}{__NAME__} = 'nat';
$chain_table{filter}{__NAME__} = 'filter';
$chain_table{raw6}{__NAME__} = 'raw6';
$chain_table{mangle6}{__NAME__} = 'mangle6';
$chain_table{filter6}{__NAME__} = 'filter6';
use_ipv4_chains; use_ipv4_chains;
# #
@ -344,9 +328,6 @@ sub initialize() {
%interfacemacs = (); %interfacemacs = ();
%interfacebcasts = (); %interfacebcasts = ();
%interfacegateways = (); %interfacegateways = ();
@ipv4tables = ( qw/ filter / );
# #
# As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table # As new targets (Actions, Macros and Manual Chains) are discovered, they are added to the table
# #
@ -843,14 +824,14 @@ sub new_chain($$)
{ {
my ($table, $chain) = @_; my ($table, $chain) = @_;
fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain}; fatal_error "Internal error in new_chain()" if $chain_table->{$table}{$chain};
$chain_table{$table}{$chain} = { name => $chain, $chain_table->{$table}{$chain} = { name => $chain,
rules => [], rules => [],
table => $table, table => $table,
loglevel => '', loglevel => '',
log => 1, log => 1,
cmdlevel => 0 }; cmdlevel => 0 };
} }
# #
@ -862,7 +843,7 @@ sub ensure_chain($$)
fatal_error 'Internal Error in ensure_chain' unless $table && $chain; fatal_error 'Internal Error in ensure_chain' unless $table && $chain;
my $ref = $chain_table{$table}{$chain}; my $ref = $chain_table->{$table}{$chain};
return $ref if $ref; return $ref if $ref;
@ -880,7 +861,7 @@ sub ensure_filter_chain( $$ )
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{$chain};
$chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref; $chainref = new_chain 'filter' , $chain unless $chainref;
if ( $populate and ! $chainref->{referenced} ) { if ( $populate and ! $chainref->{referenced} ) {
if ( $section eq 'NEW' or $section eq 'DONE' ) { if ( $section eq 'NEW' or $section eq 'DONE' ) {
@ -907,7 +888,7 @@ sub ensure_accounting_chain( $ )
if ( $chainref ) { if ( $chainref ) {
fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! $chainref->{accounting}; fatal_error "Non-accounting chain ($chain) used in accounting rule" if ! $chainref->{accounting};
} else { } else {
$chainref = new_chain $filter_table->{__NAME__} , $chain unless $chainref; $chainref = new_chain 'filter' , $chain unless $chainref;
$chainref->{accounting} = 1; $chainref->{accounting} = 1;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
} }
@ -918,7 +899,7 @@ sub ensure_accounting_chain( $ )
sub ensure_mangle_chain($) { sub ensure_mangle_chain($) {
my $chain = $_[0]; my $chain = $_[0];
my $chainref = ensure_chain $mangle_table->{__NAME__}, $chain; my $chainref = ensure_chain 'mangle', $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
@ -949,7 +930,7 @@ sub new_builtin_chain($$$)
} }
sub new_standard_chain($) { sub new_standard_chain($) {
my $chainref = new_chain $filter_table->{__NAME__} ,$_[0]; my $chainref = new_chain 'filter' ,$_[0];
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
} }
@ -984,12 +965,10 @@ sub initialize_chain_table()
{ {
for my $chain qw(OUTPUT PREROUTING) { for my $chain qw(OUTPUT PREROUTING) {
new_builtin_chain 'raw' , $chain, 'ACCEPT'; new_builtin_chain 'raw' , $chain, 'ACCEPT';
new_builtin_chain 'raw6', $chain, 'ACCEPT';
} }
for my $chain qw(INPUT OUTPUT FORWARD) { for my $chain qw(INPUT OUTPUT FORWARD) {
new_builtin_chain 'filter', $chain, 'DROP'; new_builtin_chain 'filter', $chain, 'DROP';
new_builtin_chain 'filter6', $chain, 'DROP';
} }
for my $chain qw(PREROUTING POSTROUTING OUTPUT) { for my $chain qw(PREROUTING POSTROUTING OUTPUT) {
@ -998,7 +977,6 @@ sub initialize_chain_table()
for my $chain qw(PREROUTING INPUT OUTPUT ) { for my $chain qw(PREROUTING INPUT OUTPUT ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
new_builtin_chain 'mangle6', $chain, 'ACCEPT';
} }
if ( $capabilities{MANGLE_FORWARD} ) { if ( $capabilities{MANGLE_FORWARD} ) {
@ -1007,9 +985,22 @@ sub initialize_chain_table()
} }
} }
for my $chain qw( FORWARD POSTROUTING ) { use_ipv6_chains;
new_builtin_chain 'mangle6', $chain, 'ACCEPT';
for my $chain qw(OUTPUT PREROUTING) {
new_builtin_chain 'raw' , $chain, 'ACCEPT';
} }
for my $chain qw(INPUT OUTPUT FORWARD) {
new_builtin_chain 'filter', $chain, 'DROP';
}
for my $chain qw(PREROUTING INPUT OUTPUT FORWARD POSTROUTING ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT';
}
use_ipv4_chains;
} }
# #
@ -1978,7 +1969,7 @@ sub expand_rule( $$$$$$$$$$$ )
# Mark Target as referenced, if it's a chain # Mark Target as referenced, if it's a chain
# #
if ( $disposition ) { if ( $disposition ) {
my $targetref = $chain_table{$chainref->{table}}{$disposition}; my $targetref = $chain_table->{$chainref->{table}}{$disposition};
$targetref->{referenced} = 1 if $targetref; $targetref->{referenced} = 1 if $targetref;
} }
@ -2466,7 +2457,7 @@ sub create_netfilter_load() {
# iptables-restore seems to be quite picky about the order of the builtin chains # iptables-restore seems to be quite picky about the order of the builtin chains
# #
for my $chain ( @builtins ) { for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table->{$table}{$chain};
if ( $chainref ) { if ( $chainref ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chain $chainref->{policy} [0:0]"; emit_unindented ":$chain $chainref->{policy} [0:0]";
@ -2476,8 +2467,8 @@ sub create_netfilter_load() {
# #
# First create the chains in the current table # First create the chains in the current table
# #
for my $chain ( grep reftype $chain_table{$table}{$_} && $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table->{$table}{$_}->{referenced} , ( sort keys %{$chain_table->{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table->{$table}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chainref->{name} - [0:0]"; emit_unindented ":$chainref->{name} - [0:0]";
@ -2564,11 +2555,11 @@ sub create_chainlist_reload($) {
$chains{$table} = [] unless $chains{$table}; $chains{$table} = [] unless $chains{$table};
if ( $chain ) { if ( $chain ) {
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain}; fatal_error "No $table chain found with name $chain" unless $chain_table->{$table}{$chain};
fatal_error "Built-in chains may not be refreshed" if $chain_table{table}{$chain}{builtin}; fatal_error "Built-in chains may not be refreshed" if $chain_table->{table}{$chain}{builtin};
push @{$chains{$table}}, $chain; push @{$chains{$table}}, $chain;
} else { } else {
while ( my ( $chain, $chainref ) = each %{$chain_table{$table}} ) { while ( my ( $chain, $chainref ) = each %{$chain_table->{$table}} ) {
next unless reftype $chainref; next unless reftype $chainref;
push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin}; push @{$chains{$table}}, $chain if $chainref->{referenced} && ! $chainref->{builtin};
} }
@ -2584,7 +2575,7 @@ sub create_chainlist_reload($) {
emit_unindented "*$table"; emit_unindented "*$table";
my $tableref=$chain_table{$table}; my $tableref=$chain_table->{$table};
@chains = sort @{$chains{$table}}; @chains = sort @{$chains{$table}};

2
Shorewall-perl/Shorewall/Compiler.pm
View File

@ -76,6 +76,7 @@ sub reinitialize() {
sub use_ipv4() { sub use_ipv4() {
use_ipv4_addrs; use_ipv4_addrs;
use_ipv4_chains;
use_ipv4_interfaces; use_ipv4_interfaces;
use_ipv4_policies; use_ipv4_policies;
$family = F_INET; $family = F_INET;
@ -83,6 +84,7 @@ sub use_ipv4() {
sub use_ipv6() { sub use_ipv6() {
use_ipv6_addrs; use_ipv6_addrs;
use_ipv6_chains;
use_ipv6_interfaces; use_ipv6_interfaces;
use_ipv6_policies; use_ipv6_policies;
$family = F_INET; $family = F_INET;

6
Shorewall-perl/Shorewall/Rules.pm
View File

@ -720,7 +720,7 @@ sub setup_mac_lists( $ ) {
fatal_error "Unknown Interface ($interface)" unless known_interface( $interface ); fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface}; fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
$mac = '' unless $mac && ( $mac ne '-' ); $mac = '' unless $mac && ( $mac ne '-' );
$addresses = '' unless defined $addresses && ( $addresses ne '-' ); $addresses = '' unless defined $addresses && ( $addresses ne '-' );
@ -766,7 +766,7 @@ sub setup_mac_lists( $ ) {
} }
} else { } else {
for my $interface ( @maclist_interfaces ) { for my $interface ( @maclist_interfaces ) {
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chain = $chainref->{name}; my $chain = $chainref->{name};
if ( $level ne '' || $disposition ne 'ACCEPT' ) { if ( $level ne '' || $disposition ne 'ACCEPT' ) {
@ -1994,7 +1994,7 @@ sub generate_matrix() {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
log_rule_limit log_rule_limit
$config{LOGALLNEW} , $config{LOGALLNEW} ,
$chain_table{$table}{$chain} , $chain_table->{$table}{$chain} ,
$table , $table ,
$chain , $chain ,
'' , '' ,