Add level to chain table

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-09-11 20:12:13 +00:00
parent c5210b923b
commit 5c5f2b3a06
8 changed files with 147 additions and 124 deletions


@ -197,19 +197,19 @@ sub setup_accounting() {
clear_comment;
if ( have_bridges ) {
if ( $filter_table->{accounting} ) {
if ( $filter_table->{4}->{accounting} ) {
for my $chain ( qw/INPUT FORWARD/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting';
insert_rule $filter_table->{4}{$chain}, 1, '-j accounting';
}
}
if ( $filter_table->{accountout} ) {
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout';
if ( $filter_table->{4}->{accountout} ) {
insert_rule $filter_table->{4}{OUTPUT}, 1, '-j accountout';
}
} else {
if ( $filter_table->{accounting} ) {
if ( $filter_table->{4}->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting';
insert_rule $filter_table->{4}{$chain}, 1, '-j accounting';
}
}
}
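Review bot: The new lookups mix `$filter_table->{4}->{accounting}` and `$filter_table->{4}{$chain}` within the same hunk; the arrow between subscripts is optional, so dropping it on the two `if` lines (`if ( $filter_table->{4}{accounting} ) {` and `if ( $filter_table->{4}{accountout} ) {`) keeps this file to the one form the other touched files use. The IPv4 level is spelled as the bare literal `4` here and in every other file of this commit; if IPv6 lookups are meant to follow, a named constant or a small accessor that takes the ipv would keep that key in one place. setup_accounting's body begins and ends outside the hunk.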


@ -266,7 +266,7 @@ sub createlogactionchain( $$ ) {
$chain = substr $chain, 0, 28 if ( length $chain ) > 28;
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
while ( $chain_table{filter}{4}{'%' . $chain . $actionref->{actchain}} ) {
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
}


@ -132,26 +132,27 @@ our $VERSION = '4.04';
#
# Chain Table
#
# %chain_table { <table> => { <chain1> => { name => <chain name>
# table => <table name>
# is_policy => 0|1
# is_optional => 0|1
# referenced => 0|1
# log => <logging rule number for use when LOGRULENUMBERS>
# policy => <policy>
# policychain => <name of policy chain> -- self-reference if this is a policy chain
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
# loglevel => <level>
# synparams => <burst/limit>
# synchain => <name of synparam chain>
# default => <default action>
# cmdlevel => <number of open loops or blocks in runtime commands>
# rules => [ <rule1>
# <rule2>
# ...
# ]
# } ,
# <chain2> => ...
# %chain_table { <table> => { <ipv> => { <chain1> => { name => <chain name>
# table => <table name>
# is_policy => 0|1
# is_optional => 0|1
# referenced => 0|1
# log => <logging rule number for use when LOGRULENUMBERS>
# policy => <policy>
# policychain => <name of policy chain> -- self-reference if this is a policy chain
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
# loglevel => <level>
# synparams => <burst/limit>
# synchain => <name of synparam chain>
# default => <default action>
# cmdlevel => <number of open loops or blocks in runtime commands>
# rules => [ <rule1>
# <rule2>
# ...
# ]
# } ,
# <chain2> => ...
# }
# }
# }
#
@ -229,10 +230,10 @@ our $mode;
#
sub initialize() {
%chain_table = ( raw => {} ,
mangle => {},
nat => {},
filter => {} );
%chain_table = ( raw => { 4 => {} , 6=> {} },
mangle => { 4 => {} , 6=> {} },
nat => { 4 => {} },
filter => { 4 => {} , 6=> {} } );
$nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle};
@ -574,14 +575,15 @@ sub new_chain($$)
{
my ($table, $chain) = @_;
warning_message "Internal error in new_chain()" if $chain_table{$table}{$chain};
warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain};
$chain_table{$table}{$chain} = { name => $chain,
rules => [],
table => $table,
loglevel => '',
log => 1,
cmdlevel => 0 };
$chain_table{$table}{4}{$chain} = { name => $chain,
rules => [],
table => $table,
ipv => 4,
loglevel => '',
log => 1,
cmdlevel => 0 };
}
#
@ -601,7 +603,7 @@ sub ensure_chain($$)
{
my ($table, $chain) = @_;
my $ref = $chain_table{$table}{$chain};
my $ref = $chain_table{$table}{4}{$chain};
return $ref if $ref;
@ -617,7 +619,7 @@ sub ensure_filter_chain( $$ )
{
my ($chain, $populate) = @_;
my $chainref = $filter_table->{$chain};
my $chainref = $filter_table->{4}{$chain};
$chainref = new_chain 'filter' , $chain unless $chainref;
@ -714,7 +716,7 @@ sub finish_chain_section ($$) {
}
}
} else {
my $policychainref = $filter_table->{$chainref->{policychain}};
my $policychainref = $filter_table->{4}{$chainref->{policychain}};
if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@ -735,7 +737,7 @@ sub finish_section ( $ ) {
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
my $chainref = $chain_table{'filter'}{4}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections;
}
@ -1806,10 +1808,10 @@ sub expand_rule( $$$$$$$$$$ )
sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {};
my $destref = $nat_table->{4}{$dest} || {};
if ( $destref->{referenced} ) {
add_rule $nat_table->{$source} , $predicates . "-j $dest";
add_rule $nat_table->{4}{$source} , $predicates . "-j $dest";
} else {
clearrule;
}
@ -1821,10 +1823,10 @@ sub addnatjump( $$$ ) {
sub insertnatjump( $$$$ ) {
my ( $source, $dest, $countref, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {};
my $destref = $nat_table->{4}{$dest} || {};
if ( $destref->{referenced} ) {
insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest";
insert_rule $nat_table->{4}{$source} , ($$countref)++, $predicates . "-j $dest";
} else {
clearrule;
}
@ -1964,7 +1966,7 @@ sub create_netfilter_load() {
# iptables-restore seems to be quite picky about the order of the builtin chains
#
for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain};
my $chainref = $chain_table{$table}{4}{$chain};
if ( $chainref ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chain $chainref->{policy} [0:0]";
@ -1974,8 +1976,8 @@ sub create_netfilter_load() {
#
# First create the chains in the current table
#
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
my $chainref = $chain_table{$table}{$chain};
for my $chain ( grep $chain_table{$table}{4}{$_}->{referenced} , ( sort keys %{$chain_table{$table}{4}} ) ) {
my $chainref = $chain_table{$table}{4}{$chain};
unless ( $chainref->{builtin} ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chainref->{name} - [0:0]";
@ -2024,7 +2026,7 @@ sub create_chainlist_reload($) {
my @chains = split ',', $chains;
unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst};
@chains = qw( blacklst ) if $filter_table->{4}{blacklst};
}
$mode = NULL_MODE;
@ -2058,7 +2060,7 @@ sub create_chainlist_reload($) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain};
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{4}{$chain};
$chains{$table} = [] unless $chains{$table};
@ -2070,7 +2072,7 @@ sub create_chainlist_reload($) {
emit_unindented "*$table";
my $tableref=$chain_table{$table};
my $tableref=$chain_table{$table}{4};
@chains = sort @{$chains{$table}};
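Review bot: The chain-table layout comment rewritten in the first hunk does not list the `ipv` key that `new_chain()` now stores in every chain record (`ipv => 4`); adding a line such as `#                                                          ipv => 4|6` beneath `table => <table name>` keeps the documented layout in step with what is actually built. In `initialize()`, `nat => { 4 => {} }` is the only table without a `6` slot while the other three get one; a trailing comment saying whether that is deliberate would stop the next reader from treating it as an omission. Every lookup in this file now spells the IPv4 level as the literal `4`, which is precisely what a later IPv6 pass has to touch in each place; a constant or an accessor taking the ipv would localize that. In `create_chainlist_reload`, the `$table =~ /^(nat|mangle|filter)$/` check runs before `$chain_table{$table}{4}{$chain}` is read, so a caller-supplied table name cannot autovivify a new top-level entry in `%chain_table`; a one-line comment that the order of those two checks is what makes this safe would be worth adding.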


@ -92,7 +92,7 @@ sub set_policy_chain($$$$$)
{
my ($source, $dest, $chain1, $chainref, $policy ) = @_;
my $chainref1 = $filter_table->{$chain1};
my $chainref1 = $filter_table->{4}{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1;
@ -130,7 +130,7 @@ use constant { OPTIONAL => 1 };
sub add_or_modify_policy_chain( $$ ) {
my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain};
my $chainref = $filter_table->{4}{$chain};
if ( $chainref ) {
unless( $chainref->{is_policy} ) {
@ -279,8 +279,8 @@ sub validate_policy()
my $chain = "${client}2${server}";
my $chainref;
if ( defined $filter_table->{$chain} ) {
$chainref = $filter_table->{$chain};
if ( defined $filter_table->{4}{$chain} ) {
$chainref = $filter_table->{4}{$chain};
if ( $chainref->{is_policy} ) {
if ( $chainref->{is_optional} ) {
@ -362,7 +362,7 @@ sub report_syn_flood_protection() {
sub default_policy( $$$ ) {
my $chainref = $_[0];
my $policyref = $filter_table->{$chainref->{policychain}};
my $policyref = $filter_table->{4}{$chainref->{policychain}};
my $synparams = $policyref->{synparams};
my $default = $policyref->{default};
my $policy = $policyref->{policy};
@ -420,7 +420,7 @@ sub apply_policy_rules() {
for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) {
my $chainref = $filter_table->{"${zone}2${zone1}"};
my $chainref = $filter_table->{4}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) {
run_user_exit $chainref;
@ -446,11 +446,11 @@ sub complete_standard_chain ( $$$ ) {
run_user_exit $stdchainref;
my $ruleschainref = $filter_table->{"${zone}2${zone2}"};
my $ruleschainref = $filter_table->{4}{"${zone}2${zone2}"};
my ( $policy, $loglevel, $default ) = ( 'DROP', 6, $config{DROP_DEFAULT} );
my $policychainref;
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
$policychainref = $filter_table->{4}{$ruleschainref->{policychain}} if $ruleschainref;
( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
@ -463,7 +463,7 @@ sub complete_standard_chain ( $$$ ) {
sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) {
my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN";


@ -89,13 +89,13 @@ sub setup_route_marking() {
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
my $chainref = new_chain 'mangle', 'routemark';
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
add_rule $chainref, " -i $interface -j MARK $mark_op $mark";
}


@ -150,8 +150,8 @@ sub process_tos() {
}
unless ( $first_entry ) {
add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced};
add_rule $mangle_table->{OUTPUT}, "-j outtos" if $outtosref->{referenced};
add_rule $mangle_table->{4}{$stdchain}, "-j $chain" if $pretosref->{referenced};
add_rule $mangle_table->{4}{OUTPUT}, "-j outtos" if $outtosref->{referenced};
}
}
}
@ -196,12 +196,12 @@ sub setup_ecn()
for my $interface ( @interfaces ) {
my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
add_rule $mangle_table->{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
add_rule $mangle_table->{4}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
add_rule $mangle_table->{4}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
}
for my $host ( @hosts ) {
add_rule $mangle_table->{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' );
add_rule $mangle_table->{4}{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' );
}
}
}
@ -266,7 +266,7 @@ sub setup_rfc1918_filteration( $ ) {
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
add_rule $filter_table->{4}{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
}
}
}
@ -339,7 +339,7 @@ sub setup_blacklist() {
my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
add_rule $filter_table->{4}{$chain} , "${source}${state}${policy}-j blacklst";
}
progress_message " Blacklisting enabled on ${interface}:${network}";
@ -503,7 +503,7 @@ sub add_common_rules() {
if ( $config{FASTACCEPT} ) {
for $chain qw( INPUT FORWARD OUTPUT ) {
$chainref = $filter_table->{$chain};
$chainref = $filter_table->{4}{$chain};
add_rule( $chainref , "-m state --state ESTABLISHED,RELATED -j ACCEPT" );
}
}
@ -568,7 +568,7 @@ sub add_common_rules() {
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
add_rule $filter_table->{4}{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
}
}
}
@ -590,10 +590,10 @@ sub add_common_rules() {
for $interface ( @$list ) {
for $chain ( input_chain $interface, output_chain $interface ) {
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
add_rule $filter_table->{4}{$chain} , '-p udp --dport 67:68 -j ACCEPT';
}
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
add_rule $filter_table->{4}{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
}
}
@ -643,7 +643,7 @@ sub add_common_rules() {
my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
add_rule $filter_table->{4}{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
}
}
}
@ -656,9 +656,9 @@ sub add_common_rules() {
mark_referenced( new_chain 'nat' , $chain = dynamic_in($interface) );
add_rule $filter_table->{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface;
add_rule $filter_table->{4}{input_chain $interface}, "-j $chain";
add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{4}{output_chain $interface}, '-j ' . dynamic_out $interface;
}
}
@ -670,7 +670,7 @@ sub add_common_rules() {
mark_referenced( new_chain( 'nat', 'UPnP' ) );
for $interface ( @$list ) {
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
}
}
@ -756,7 +756,7 @@ sub setup_mac_lists( $ ) {
fatal_error "No hosts on $interface have the maclist option specified";
}
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chainref = $chain_table{$table}{4}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
$mac = '' unless $mac && ( $mac ne '-' );
$addresses = '' unless $addresses && ( $addresses ne '-' );
@ -794,15 +794,15 @@ sub setup_mac_lists( $ ) {
my $target = mac_chain $interface;
if ( $table eq 'filter' ) {
for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
add_rule $filter_table->{4}{$chain} , "${source}-m state --state NEW ${policy}-j $target";
}
} else {
add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
add_rule $mangle_table->{4}{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
}
}
} else {
for my $interface ( @maclist_interfaces ) {
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chainref = $chain_table{$table}{4}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chain = $chainref->{name};
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
@ -1077,7 +1077,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# Handle Optimization
#
if ( $optimize > 0 ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
my $loglevel = $filter_table->{4}{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) {
return 1 if $target eq "${policy}:$loglevel}";
} else {
@ -1416,13 +1416,13 @@ sub generate_matrix() {
sub rules_target( $$ ) {
my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain};
my $chainref = $filter_table->{4}{$chain};
return $chain if $chainref && $chainref->{referenced};
return 'ACCEPT' if $zone eq $zone1;
if ( $chainref->{policy} ne 'CONTINUE' ) {
my $policyref = $filter_table->{$chainref->{policychain}};
my $policyref = $filter_table->{4}{$chainref->{policychain}};
return $policyref->{name} if $policyref;
fatal_error "No policy defined for zone $zone to zone $zone1";
}
@ -1541,7 +1541,7 @@ sub generate_matrix() {
my $ipsec_match = match_ipsec_in $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) {
add_rule(
$filter_table->{forward_chain $interface} ,
$filter_table->{4}{forward_chain $interface} ,
join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
);
}
@ -1566,7 +1566,7 @@ sub generate_matrix() {
my %needbroadcast;
if ( $complex ) {
$frwd_ref = $filter_table->{"${zone}_frwd"};
$frwd_ref = $filter_table->{4}{"${zone}_frwd"};
my $dnat_ref = ensure_chain 'nat' , dnat_chain( $zone );
if ( @$exclusions ) {
insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced};
@ -1592,10 +1592,10 @@ sub generate_matrix() {
if ( $chain1 ) {
if ( @$exclusions ) {
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
add_rule $filter_table->{"${zone}_output"} , "-j $chain1";
add_rule $filter_table->{4}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
add_rule $filter_table->{4}{"${zone}_output"} , "-j $chain1";
} else {
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
add_rule $filter_table->{4}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
}
}
@ -1605,14 +1605,14 @@ sub generate_matrix() {
if ( $chain2 ) {
if ( @$exclusions ) {
add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" );
add_rule $filter_table->{"${zone}_input"} , "-j $chain2";
add_rule $filter_table->{4}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" );
add_rule $filter_table->{4}{"${zone}_input"} , "-j $chain2";
} else {
add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" );
add_rule $filter_table->{4}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" );
}
}
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
add_rule $filter_table->{4}{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
if $complex && $hostref->{ipsec} ne 'ipsec';
$needbroadcast{$interface}{$source} = 1 if get_interface_option $interface, 'detectnets';
@ -1624,11 +1624,11 @@ sub generate_matrix() {
if ( $chain1 ) {
for my $interface ( keys %needbroadcast ) {
if ( $capabilities{ADDRTYPE} ) {
add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
add_rule $filter_table->{4}{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
} else {
my $interfaceref = find_interface( $interface );
my $chain = output_chain $interface;
my $chainref = $filter_table->{$chain};
my $chainref = $filter_table->{4}{$chain};
if ( $interfaceref->{broadcasts} ) {
for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) {
@ -1644,7 +1644,7 @@ sub generate_matrix() {
}
}
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
add_rule $filter_table->{4}{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
}
}
#
@ -1659,7 +1659,7 @@ sub generate_matrix() {
ZONE1:
for my $zone1 ( non_firewall_zones ) {
my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
my $policy = $filter_table->{4}{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE';
@ -1709,7 +1709,7 @@ sub generate_matrix() {
ZONE1:
for my $zone1 ( @dest_zones ) {
my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
my $policy = $filter_table->{4}{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE';
@ -1728,8 +1728,8 @@ sub generate_matrix() {
while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
if ( get_interface_option( $interface, 'bridge' ) ) {
for my $source ( keys %$sourceref ) {
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3";
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3";
add_rule $filter_table->{4}{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3";
add_rule $filter_table->{4}{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3";
}
}
}
@ -1740,7 +1740,7 @@ sub generate_matrix() {
next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
}
my $chainref = $filter_table->{$chain};
my $chainref = $filter_table->{4}{$chain};
my $exclusions1 = $zone1ref->{exclusions};
my $dest_hosts_ref = $zone1ref->{hosts};
@ -1787,7 +1787,7 @@ sub generate_matrix() {
for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( keys %$typeref ) {
my $arrayref = $typeref->{$interface};
my $chain3ref = $filter_table->{forward_chain $interface};
my $chain3ref = $filter_table->{4}{forward_chain $interface};
for my $hostref ( @$arrayref ) {
for my $net ( @{$hostref->{hosts}} ) {
for my $type1ref ( values %$dest_hosts_ref ) {
@ -1826,7 +1826,7 @@ sub generate_matrix() {
for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( keys %$typeref ) {
my $arrayref = $typeref->{$interface};
my $chain2ref = $filter_table->{forward_chain $interface};
my $chain2ref = $filter_table->{4}{forward_chain $interface};
for my $hostref ( @$arrayref ) {
for my $net ( @{$hostref->{hosts}} ) {
add_rule $chain2ref, match_source_net($net) . "-j $last_chain";
@ -1842,32 +1842,32 @@ sub generate_matrix() {
# Now add the jumps to the interface chains from FORWARD, INPUT, OUTPUT and POSTROUTING
#
for my $interface ( @interfaces ) {
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface;
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
add_rule $filter_table->{4}{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
add_rule $filter_table->{4}{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface;
add_rule $filter_table->{4}{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
}
my $fw = firewall_zone;
my $chainref = $filter_table->{"${fw}2${fw}"};
my $chainref = $filter_table->{4}{"${fw}2${fw}"};
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
add_rule $filter_table->{4}{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
add_rule $filter_table->{4}{INPUT} , '-i lo -j ACCEPT';
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone;
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all';
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all';
complete_standard_chain $filter_table->{4}{INPUT} , 'all' , firewall_zone;
complete_standard_chain $filter_table->{4}{OUTPUT} , firewall_zone , 'all';
complete_standard_chain $filter_table->{4}{FORWARD} , 'all' , 'all';
if ( $config{LOGALLNEW} ) {
for my $table qw/mangle nat filter/ {
for my $chain ( @{$builtins{$table}} ) {
log_rule_limit
$config{LOGALLNEW} ,
$chain_table{$table}{$chain} ,
$chain_table{$table}{4}{$chain} ,
$table ,
$chain ,
'' ,
@ -1883,7 +1883,7 @@ sub setup_mss( ) {
my $clampmss = $config{CLAMPMSS};
my $option;
my $match = '';
my $chainref = $filter_table->{FORWARD};
my $chainref = $filter_table->{4}{FORWARD};
if ( $clampmss ) {
if ( "\L$clampmss" eq 'yes' ) {
@ -1906,7 +1906,7 @@ sub setup_mss( ) {
#
# Send all forwarded SYN packets to the 'settcpmss' chain
#
add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
add_rule $filter_table->{4}{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
my $in_match = '';
my $out_match = '';
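Review bot: In the `process_rule1` hunk, `return 1 if $target eq "${policy}:$loglevel}";` carries a closing brace inside the string literal, so the optimisation can only match a target that itself ends in `}`; the line is untouched context, but it sits directly beside the rewritten `$loglevel` lookup and looks like a stray character, so it is worth confirming and, if so, changing to `return 1 if $target eq "${policy}:$loglevel";`. The lookup above it, `$filter_table->{4}{$chainref->{policychain}}{loglevel}`, reads two levels deep and so autovivifies an empty record under the `4` table whenever `policychain` is unset; the `referenced` grep in `create_netfilter_load` presumably filters such a record out, but other walks of `%{$chain_table{filter}{4}}` may not, and a `defined` guard on `policychain` would avoid creating it at all. process_rule1's body begins and ends outside the hunk.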


@ -570,21 +570,21 @@ sub setup_tc() {
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
for my $interface ( @routemarked_interfaces ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -j tcpre";
}
}
add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcout";
add_rule $mangle_table->{4}{PREROUTING} , "$mark_part -j tcpre";
add_rule $mangle_table->{4}{OUTPUT} , "$mark_part -j tcout";
if ( $capabilities{MANGLE_FORWARD} ) {
add_rule $mangle_table->{FORWARD} , '-j tcfor';
add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
add_rule $mangle_table->{4}{FORWARD} , '-j tcfor';
add_rule $mangle_table->{4}{POSTROUTING} , '-j tcpost';
}
if ( $config{HIGH_ROUTE_MARKS} ) {
for my $chain qw(INPUT FORWARD POSTROUTING) {
insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF';
insert_rule $mangle_table->{4}{$chain}, 1, '-j MARK --and-mark 0xFF';
}
}
}


@ -55,7 +55,11 @@ our @EXPORT = qw( NOTHING
firewall_zone
defined_zone
zone_type
zone_ipv
all_zones
all_ipv4_zones
all_ipv6_zones
all_ipvN_zones
complex_zones
non_firewall_zones
single_interface
@ -567,10 +571,27 @@ sub defined_zone( $ ) {
$zones{$_[0]};
}
sub zone_ipv( $ ) {
find_zone( $_[0] )->{type} & ZT_FIREWALL;
}
sub all_zones() {
@zones;
}
sub all_ipv4_zones() {
grep ( $zones{$_}{type} & ZT_IPV4 , @zones );
}
sub all_ipv6_zones() {
grep ( $zones{$_}{type} & ZT_IPV4 , @zones );
}
sub all_ipvN_zones($) {
my $ipv = $_[0];
grep ( ( $zones{$_}{type} & ZT_FIREWALL ) == $ipv , @zones );
}
sub non_firewall_zones() {
grep ( $zones{$_}{type} != ZT_FIREWALL , @zones );
}
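Review bot: `all_ipv6_zones()` greps on `ZT_IPV4` exactly as `all_ipv4_zones()` does, so the two subs return the same list; the IPv6 variant needs the IPv6 type bit in place of `ZT_IPV4` on that `grep` line. `zone_ipv()` and `all_ipvN_zones()` mask `type` with `ZT_FIREWALL`, while the ipv4 filter masks with `ZT_IPV4` and `non_firewall_zones()` compares `type != ZT_FIREWALL` as a whole value, so either `ZT_FIREWALL` is doubling as the ipv mask or one of these is wrong; whichever holds, a comment above `zone_ipv()` spelling out the `ZT_*` bit layout would make the intended encoding explicit. The four new subs also have no header comment; a one-liner each, such as `# Return the list of zones flagged for the given IP version` on `all_ipvN_zones`, would match the file's style. The `@EXPORT` hunk is a list change and needs nothing further.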