Add level to chain table

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7320 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-09-11 20:12:13 +00:00
parent c5210b923b
commit 5c5f2b3a06
8 changed files with 147 additions and 124 deletions


@ -197,19 +197,19 @@ sub setup_accounting() {
clear_comment; clear_comment;
if ( have_bridges ) { if ( have_bridges ) {
if ( $filter_table->{accounting} ) { if ( $filter_table->{4}->{accounting} ) {
for my $chain ( qw/INPUT FORWARD/ ) { for my $chain ( qw/INPUT FORWARD/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting'; insert_rule $filter_table->{4}{$chain}, 1, '-j accounting';
} }
} }
if ( $filter_table->{accountout} ) { if ( $filter_table->{4}->{accountout} ) {
insert_rule $filter_table->{OUTPUT}, 1, '-j accountout'; insert_rule $filter_table->{4}{OUTPUT}, 1, '-j accountout';
} }
} else { } else {
if ( $filter_table->{accounting} ) { if ( $filter_table->{4}->{accounting} ) {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
insert_rule $filter_table->{$chain}, 1, '-j accounting'; insert_rule $filter_table->{4}{$chain}, 1, '-j accounting';
} }
} }
} }
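Review bot: The new address-family subscript is written two ways inside this one hunk — `$filter_table->{4}->{accounting}` and `$filter_table->{4}->{accountout}` on the condition lines, but `$filter_table->{4}{$chain}` and `$filter_table->{4}{OUTPUT}` in the insert_rule calls; pick one arrow style. The bare literal `4` is also repeated at every chain-table access in this commit (the same pattern appears in each of the other file sections), and a mistyped key such as `{3}` would autovivify an empty sub-table silently rather than fail under `use strict`. A named constant or accessor exported from the module that owns %chain_table would make this checkable, e.g. `use constant { IPV4 => 4, IPV6 => 6 };` used as `$filter_table->{+IPV4}{$chain}` (the `+` is needed so the bareword is not stringified as a hash key). Whether the closing brace on the last line ends setup_accounting is not visible from the hunk.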


@ -266,7 +266,7 @@ sub createlogactionchain( $$ ) {
$chain = substr $chain, 0, 28 if ( length $chain ) > 28; $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) { while ( $chain_table{filter}{4}{'%' . $chain . $actionref->{actchain}} ) {
$chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28; $chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
} }
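Review bot: This site walks the IPv4 filter chains through `$chain_table{filter}{4}{...}` while every other changed line in the commit goes through `$filter_table->{4}{...}`; the direct path hard-codes both the table name and the family and bypasses the alias that initialize() sets up. If `$filter_table` is imported in this file, `while ( $filter_table->{4}{'%' . $chain . $actionref->{actchain}} ) {` would keep the lookup consistent with the rest of the change. createlogactionchain continues outside the hunk, so how `$actionref->{actchain}` advances when the visible body only truncates the name cannot be checked here.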


@ -132,26 +132,27 @@ our $VERSION = '4.04';
# #
# Chain Table # Chain Table
# #
# %chain_table { <table> => { <chain1> => { name => <chain name> # %chain_table { <table> => { <ipv> => { <chain1> => { name => <chain name>
# table => <table name> # table => <table name>
# is_policy => 0|1 # is_policy => 0|1
# is_optional => 0|1 # is_optional => 0|1
# referenced => 0|1 # referenced => 0|1
# log => <logging rule number for use when LOGRULENUMBERS> # log => <logging rule number for use when LOGRULENUMBERS>
# policy => <policy> # policy => <policy>
# policychain => <name of policy chain> -- self-reference if this is a policy chain # policychain => <name of policy chain> -- self-reference if this is a policy chain
# policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies # policypair => [ <policy source>, <policy dest> ] -- Used for reporting duplicated policies
# loglevel => <level> # loglevel => <level>
# synparams => <burst/limit> # synparams => <burst/limit>
# synchain => <name of synparam chain> # synchain => <name of synparam chain>
# default => <default action> # default => <default action>
# cmdlevel => <number of open loops or blocks in runtime commands> # cmdlevel => <number of open loops or blocks in runtime commands>
# rules => [ <rule1> # rules => [ <rule1>
# <rule2> # <rule2>
# ... # ...
# ] # ]
# } , # } ,
# <chain2> => ... # <chain2> => ...
# }
# } # }
# } # }
# #
@ -229,10 +230,10 @@ our $mode;
# #
sub initialize() { sub initialize() {
%chain_table = ( raw => {} , %chain_table = ( raw => { 4 => {} , 6=> {} },
mangle => {}, mangle => { 4 => {} , 6=> {} },
nat => {}, nat => { 4 => {} },
filter => {} ); filter => { 4 => {} , 6=> {} } );
$nat_table = $chain_table{nat}; $nat_table = $chain_table{nat};
$mangle_table = $chain_table{mangle}; $mangle_table = $chain_table{mangle};
@ -574,14 +575,15 @@ sub new_chain($$)
{ {
my ($table, $chain) = @_; my ($table, $chain) = @_;
warning_message "Internal error in new_chain()" if $chain_table{$table}{$chain}; warning_message "Internal error in new_chain()" if $chain_table{$table}{4}{$chain};
$chain_table{$table}{$chain} = { name => $chain, $chain_table{$table}{4}{$chain} = { name => $chain,
rules => [], rules => [],
table => $table, table => $table,
loglevel => '', ipv => 4,
log => 1, loglevel => '',
cmdlevel => 0 }; log => 1,
cmdlevel => 0 };
} }
# #
@ -601,7 +603,7 @@ sub ensure_chain($$)
{ {
my ($table, $chain) = @_; my ($table, $chain) = @_;
my $ref = $chain_table{$table}{$chain}; my $ref = $chain_table{$table}{4}{$chain};
return $ref if $ref; return $ref if $ref;
@ -617,7 +619,7 @@ sub ensure_filter_chain( $$ )
{ {
my ($chain, $populate) = @_; my ($chain, $populate) = @_;
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{4}{$chain};
$chainref = new_chain 'filter' , $chain unless $chainref; $chainref = new_chain 'filter' , $chain unless $chainref;
@ -714,7 +716,7 @@ sub finish_chain_section ($$) {
} }
} }
} else { } else {
my $policychainref = $filter_table->{$chainref->{policychain}}; my $policychainref = $filter_table->{4}{$chainref->{policychain}};
if ( $policychainref->{synparams} ) { if ( $policychainref->{synparams} ) {
my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref; my $synchainref = ensure_chain 'filter', syn_flood_chain $policychainref;
add_rule $chainref, "-p tcp --syn -j $synchainref->{name}"; add_rule $chainref, "-p tcp --syn -j $synchainref->{name}";
@ -735,7 +737,7 @@ sub finish_section ( $ ) {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"}; my $chainref = $chain_table{'filter'}{4}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) { if ( $chainref->{referenced} ) {
finish_chain_section $chainref, $sections; finish_chain_section $chainref, $sections;
} }
@ -1806,10 +1808,10 @@ sub expand_rule( $$$$$$$$$$ )
sub addnatjump( $$$ ) { sub addnatjump( $$$ ) {
my ( $source , $dest, $predicates ) = @_; my ( $source , $dest, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {}; my $destref = $nat_table->{4}{$dest} || {};
if ( $destref->{referenced} ) { if ( $destref->{referenced} ) {
add_rule $nat_table->{$source} , $predicates . "-j $dest"; add_rule $nat_table->{4}{$source} , $predicates . "-j $dest";
} else { } else {
clearrule; clearrule;
} }
@ -1821,10 +1823,10 @@ sub addnatjump( $$$ ) {
sub insertnatjump( $$$$ ) { sub insertnatjump( $$$$ ) {
my ( $source, $dest, $countref, $predicates ) = @_; my ( $source, $dest, $countref, $predicates ) = @_;
my $destref = $nat_table->{$dest} || {}; my $destref = $nat_table->{4}{$dest} || {};
if ( $destref->{referenced} ) { if ( $destref->{referenced} ) {
insert_rule $nat_table->{$source} , ($$countref)++, $predicates . "-j $dest"; insert_rule $nat_table->{4}{$source} , ($$countref)++, $predicates . "-j $dest";
} else { } else {
clearrule; clearrule;
} }
@ -1964,7 +1966,7 @@ sub create_netfilter_load() {
# iptables-restore seems to be quite picky about the order of the builtin chains # iptables-restore seems to be quite picky about the order of the builtin chains
# #
for my $chain ( @builtins ) { for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{4}{$chain};
if ( $chainref ) { if ( $chainref ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chain $chainref->{policy} [0:0]"; emit_unindented ":$chain $chainref->{policy} [0:0]";
@ -1974,8 +1976,8 @@ sub create_netfilter_load() {
# #
# First create the chains in the current table # First create the chains in the current table
# #
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) { for my $chain ( grep $chain_table{$table}{4}{$_}->{referenced} , ( sort keys %{$chain_table{$table}{4}} ) ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{4}{$chain};
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel}; fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
emit_unindented ":$chainref->{name} - [0:0]"; emit_unindented ":$chainref->{name} - [0:0]";
@ -2024,7 +2026,7 @@ sub create_chainlist_reload($) {
my @chains = split ',', $chains; my @chains = split ',', $chains;
unless ( @chains ) { unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst}; @chains = qw( blacklst ) if $filter_table->{4}{blacklst};
} }
$mode = NULL_MODE; $mode = NULL_MODE;
@ -2058,7 +2060,7 @@ sub create_chainlist_reload($) {
( $table , $chain ) = split ':', $chain if $chain =~ /:/; ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/; fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain}; fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{4}{$chain};
$chains{$table} = [] unless $chains{$table}; $chains{$table} = [] unless $chains{$table};
@ -2070,7 +2072,7 @@ sub create_chainlist_reload($) {
emit_unindented "*$table"; emit_unindented "*$table";
my $tableref=$chain_table{$table}; my $tableref=$chain_table{$table}{4};
@chains = sort @{$chains{$table}}; @chains = sort @{$chains{$table}};
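Review bot: The chain-table layout comment in the first hunk gains the `<ipv>` level but does not document the new per-chain `ipv => 4` field that new_chain now stores, nor which values `<ipv>` takes; initialize() creates `4` and `6` sub-tables for raw, mangle and filter but only `4` for nat, and that asymmetry is not written down anywhere. Proposed addition to the layout comment directly under `table => <table name>`: `# ipv => 4|6 -- address family of the chain; the nat table has only a 4 sub-table`. Since every accessor touched by this commit hard-codes `4`, the `6` sub-tables are unreachable through new_chain/ensure_chain until those take a family argument; a one-line comment at the `%chain_table = (` assignment saying that the 6 entries are placeholders for IPv6 support would tell the next reader the gap is intentional. create_chainlist_reload and create_netfilter_load both continue outside their hunks.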


@ -92,7 +92,7 @@ sub set_policy_chain($$$$$)
{ {
my ($source, $dest, $chain1, $chainref, $policy ) = @_; my ($source, $dest, $chain1, $chainref, $policy ) = @_;
my $chainref1 = $filter_table->{$chain1}; my $chainref1 = $filter_table->{4}{$chain1};
$chainref1 = new_chain 'filter', $chain1 unless $chainref1; $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
@ -130,7 +130,7 @@ use constant { OPTIONAL => 1 };
sub add_or_modify_policy_chain( $$ ) { sub add_or_modify_policy_chain( $$ ) {
my ( $zone, $zone1 ) = @_; my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}"; my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{4}{$chain};
if ( $chainref ) { if ( $chainref ) {
unless( $chainref->{is_policy} ) { unless( $chainref->{is_policy} ) {
@ -279,8 +279,8 @@ sub validate_policy()
my $chain = "${client}2${server}"; my $chain = "${client}2${server}";
my $chainref; my $chainref;
if ( defined $filter_table->{$chain} ) { if ( defined $filter_table->{4}{$chain} ) {
$chainref = $filter_table->{$chain}; $chainref = $filter_table->{4}{$chain};
if ( $chainref->{is_policy} ) { if ( $chainref->{is_policy} ) {
if ( $chainref->{is_optional} ) { if ( $chainref->{is_optional} ) {
@ -362,7 +362,7 @@ sub report_syn_flood_protection() {
sub default_policy( $$$ ) { sub default_policy( $$$ ) {
my $chainref = $_[0]; my $chainref = $_[0];
my $policyref = $filter_table->{$chainref->{policychain}}; my $policyref = $filter_table->{4}{$chainref->{policychain}};
my $synparams = $policyref->{synparams}; my $synparams = $policyref->{synparams};
my $default = $policyref->{default}; my $default = $policyref->{default};
my $policy = $policyref->{policy}; my $policy = $policyref->{policy};
@ -420,7 +420,7 @@ sub apply_policy_rules() {
for my $zone ( all_zones ) { for my $zone ( all_zones ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
my $chainref = $filter_table->{"${zone}2${zone1}"}; my $chainref = $filter_table->{4}{"${zone}2${zone1}"};
if ( $chainref->{referenced} ) { if ( $chainref->{referenced} ) {
run_user_exit $chainref; run_user_exit $chainref;
@ -446,11 +446,11 @@ sub complete_standard_chain ( $$$ ) {
run_user_exit $stdchainref; run_user_exit $stdchainref;
my $ruleschainref = $filter_table->{"${zone}2${zone2}"}; my $ruleschainref = $filter_table->{4}{"${zone}2${zone2}"};
my ( $policy, $loglevel, $default ) = ( 'DROP', 6, $config{DROP_DEFAULT} ); my ( $policy, $loglevel, $default ) = ( 'DROP', 6, $config{DROP_DEFAULT} );
my $policychainref; my $policychainref;
$policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref; $policychainref = $filter_table->{4}{$ruleschainref->{policychain}} if $ruleschainref;
( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref; ( $policy, $loglevel, $default ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
@ -463,7 +463,7 @@ sub complete_standard_chain ( $$$ ) {
sub setup_syn_flood_chains() { sub setup_syn_flood_chains() {
for my $chainref ( @policy_chains ) { for my $chainref ( @policy_chains ) {
my $limit = $chainref->{synparams}; my $limit = $chainref->{synparams};
if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) { if ( $limit && ! $filter_table->{4}{syn_flood_chain $chainref} ) {
my $level = $chainref->{loglevel}; my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref; my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN"; add_rule $synchainref , "${limit}-j RETURN";
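Review bot: In complete_standard_chain two adjacent bare literals now mean different things — `$filter_table->{4}{"${zone}2${zone2}"}` selects the IPv4 address family, while `( 'DROP', 6, $config{DROP_DEFAULT} )` on the next line sets `$loglevel` to 6 — and nothing marks the distinction. A trailing comment on the second line, `# 6 here is the default log level, not an address family`, or a named constant for the family key, would remove the ambiguity. In validate_policy the pair `if ( defined $filter_table->{4}{$chain} ) { $chainref = $filter_table->{4}{$chain};` performs the same lookup twice; `if ( $chainref = $filter_table->{4}{$chain} ) {` is equivalent because a chain entry is always a hash reference, which is true. The enclosing subs in this section all extend beyond their hunks.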


@ -89,13 +89,13 @@ sub setup_route_marking() {
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' ); require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' ); require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
add_rule $mangle_table->{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{4}{PREROUTING} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
add_rule $mangle_table->{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask"; add_rule $mangle_table->{4}{OUTPUT} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask";
my $chainref = new_chain 'mangle', 'routemark'; my $chainref = new_chain 'mangle', 'routemark';
while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) { while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark"; add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
add_rule $chainref, " -i $interface -j MARK $mark_op $mark"; add_rule $chainref, " -i $interface -j MARK $mark_op $mark";
} }


@ -150,8 +150,8 @@ sub process_tos() {
} }
unless ( $first_entry ) { unless ( $first_entry ) {
add_rule $mangle_table->{$stdchain}, "-j $chain" if $pretosref->{referenced}; add_rule $mangle_table->{4}{$stdchain}, "-j $chain" if $pretosref->{referenced};
add_rule $mangle_table->{OUTPUT}, "-j outtos" if $outtosref->{referenced}; add_rule $mangle_table->{4}{OUTPUT}, "-j outtos" if $outtosref->{referenced};
} }
} }
} }
@ -196,12 +196,12 @@ sub setup_ecn()
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
my $chainref = ensure_chain 'mangle', ecn_chain( $interface ); my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}"; add_rule $mangle_table->{4}{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
add_rule $mangle_table->{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}"; add_rule $mangle_table->{4}{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
} }
for my $host ( @hosts ) { for my $host ( @hosts ) {
add_rule $mangle_table->{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' ); add_rule $mangle_table->{4}{ecn_chain $host->[0]}, join ('', '-p tcp ', match_dest_net( $host->[1] ) , ' -j ECN --ecn-tcp-remove' );
} }
} }
} }
@ -266,7 +266,7 @@ sub setup_rfc1918_filteration( $ ) {
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for my $chain ( @{first_chains $interface}) { for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); add_rule $filter_table->{4}{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
} }
} }
} }
@ -339,7 +339,7 @@ sub setup_blacklist() {
my $source = match_source_net $network; my $source = match_source_net $network;
for my $chain ( @{first_chains $interface}) { for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; add_rule $filter_table->{4}{$chain} , "${source}${state}${policy}-j blacklst";
} }
progress_message " Blacklisting enabled on ${interface}:${network}"; progress_message " Blacklisting enabled on ${interface}:${network}";
@ -503,7 +503,7 @@ sub add_common_rules() {
if ( $config{FASTACCEPT} ) { if ( $config{FASTACCEPT} ) {
for $chain qw( INPUT FORWARD OUTPUT ) { for $chain qw( INPUT FORWARD OUTPUT ) {
$chainref = $filter_table->{$chain}; $chainref = $filter_table->{4}{$chain};
add_rule( $chainref , "-m state --state ESTABLISHED,RELATED -j ACCEPT" ); add_rule( $chainref , "-m state --state ESTABLISHED,RELATED -j ACCEPT" );
} }
} }
@ -568,7 +568,7 @@ sub add_common_rules() {
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) { for $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" ); add_rule $filter_table->{4}{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
} }
} }
} }
@ -590,10 +590,10 @@ sub add_common_rules() {
for $interface ( @$list ) { for $interface ( @$list ) {
for $chain ( input_chain $interface, output_chain $interface ) { for $chain ( input_chain $interface, output_chain $interface ) {
add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT'; add_rule $filter_table->{4}{$chain} , '-p udp --dport 67:68 -j ACCEPT';
} }
add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' ); add_rule $filter_table->{4}{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
} }
} }
@ -643,7 +643,7 @@ sub add_common_rules() {
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
for $chain ( @{first_chains $interface}) { for $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" ); add_rule $filter_table->{4}{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2]), "${policy}-j tcpflags" );
} }
} }
} }
@ -656,9 +656,9 @@ sub add_common_rules() {
mark_referenced( new_chain 'nat' , $chain = dynamic_in($interface) ); mark_referenced( new_chain 'nat' , $chain = dynamic_in($interface) );
add_rule $filter_table->{input_chain $interface}, "-j $chain"; add_rule $filter_table->{4}{input_chain $interface}, "-j $chain";
add_rule $filter_table->{forward_chain $interface}, '-j ' . dynamic_fwd $interface; add_rule $filter_table->{4}{forward_chain $interface}, '-j ' . dynamic_fwd $interface;
add_rule $filter_table->{output_chain $interface}, '-j ' . dynamic_out $interface; add_rule $filter_table->{4}{output_chain $interface}, '-j ' . dynamic_out $interface;
} }
} }
@ -670,7 +670,7 @@ sub add_common_rules() {
mark_referenced( new_chain( 'nat', 'UPnP' ) ); mark_referenced( new_chain( 'nat', 'UPnP' ) );
for $interface ( @$list ) { for $interface ( @$list ) {
add_rule $nat_table->{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP'; add_rule $nat_table->{4}{PREROUTING} , match_source_dev ( $interface ) . '-j UPnP';
} }
} }
@ -756,7 +756,7 @@ sub setup_mac_lists( $ ) {
fatal_error "No hosts on $interface have the maclist option specified"; fatal_error "No hosts on $interface have the maclist option specified";
} }
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; my $chainref = $chain_table{$table}{4}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
$mac = '' unless $mac && ( $mac ne '-' ); $mac = '' unless $mac && ( $mac ne '-' );
$addresses = '' unless $addresses && ( $addresses ne '-' ); $addresses = '' unless $addresses && ( $addresses ne '-' );
@ -794,15 +794,15 @@ sub setup_mac_lists( $ ) {
my $target = mac_chain $interface; my $target = mac_chain $interface;
if ( $table eq 'filter' ) { if ( $table eq 'filter' ) {
for my $chain ( @{first_chains $interface}) { for my $chain ( @{first_chains $interface}) {
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target"; add_rule $filter_table->{4}{$chain} , "${source}-m state --state NEW ${policy}-j $target";
} }
} else { } else {
add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target"; add_rule $mangle_table->{4}{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
} }
} }
} else { } else {
for my $interface ( @maclist_interfaces ) { for my $interface ( @maclist_interfaces ) {
my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )}; my $chainref = $chain_table{$table}{4}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
my $chain = $chainref->{name}; my $chain = $chainref->{name};
if ( $level ne '' || $disposition ne 'ACCEPT' ) { if ( $level ne '' || $disposition ne 'ACCEPT' ) {
@ -1077,7 +1077,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
# Handle Optimization # Handle Optimization
# #
if ( $optimize > 0 ) { if ( $optimize > 0 ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel}; my $loglevel = $filter_table->{4}{$chainref->{policychain}}{loglevel};
if ( $loglevel ne '' ) { if ( $loglevel ne '' ) {
return 1 if $target eq "${policy}:$loglevel}"; return 1 if $target eq "${policy}:$loglevel}";
} else { } else {
@ -1416,13 +1416,13 @@ sub generate_matrix() {
sub rules_target( $$ ) { sub rules_target( $$ ) {
my ( $zone, $zone1 ) = @_; my ( $zone, $zone1 ) = @_;
my $chain = "${zone}2${zone1}"; my $chain = "${zone}2${zone1}";
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{4}{$chain};
return $chain if $chainref && $chainref->{referenced}; return $chain if $chainref && $chainref->{referenced};
return 'ACCEPT' if $zone eq $zone1; return 'ACCEPT' if $zone eq $zone1;
if ( $chainref->{policy} ne 'CONTINUE' ) { if ( $chainref->{policy} ne 'CONTINUE' ) {
my $policyref = $filter_table->{$chainref->{policychain}}; my $policyref = $filter_table->{4}{$chainref->{policychain}};
return $policyref->{name} if $policyref; return $policyref->{name} if $policyref;
fatal_error "No policy defined for zone $zone to zone $zone1"; fatal_error "No policy defined for zone $zone to zone $zone1";
} }
@ -1541,7 +1541,7 @@ sub generate_matrix() {
my $ipsec_match = match_ipsec_in $zone , $hostref; my $ipsec_match = match_ipsec_in $zone , $hostref;
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_rule( add_rule(
$filter_table->{forward_chain $interface} , $filter_table->{4}{forward_chain $interface} ,
join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" ) join( '', match_source_net( $net ), $ipsec_match, "-j $frwd_ref->{name}" )
); );
} }
@ -1566,7 +1566,7 @@ sub generate_matrix() {
my %needbroadcast; my %needbroadcast;
if ( $complex ) { if ( $complex ) {
$frwd_ref = $filter_table->{"${zone}_frwd"}; $frwd_ref = $filter_table->{4}{"${zone}_frwd"};
my $dnat_ref = ensure_chain 'nat' , dnat_chain( $zone ); my $dnat_ref = ensure_chain 'nat' , dnat_chain( $zone );
if ( @$exclusions ) { if ( @$exclusions ) {
insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced}; insert_exclusions $dnat_ref, $exclusions if $dnat_ref->{referenced};
@ -1592,10 +1592,10 @@ sub generate_matrix() {
if ( $chain1 ) { if ( $chain1 ) {
if ( @$exclusions ) { if ( @$exclusions ) {
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" ); add_rule $filter_table->{4}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
add_rule $filter_table->{"${zone}_output"} , "-j $chain1"; add_rule $filter_table->{4}{"${zone}_output"} , "-j $chain1";
} else { } else {
add_rule $filter_table->{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" ); add_rule $filter_table->{4}{output_chain $interface} , join( '', $dest, $ipsec_out_match, "-j $chain1" );
} }
} }
@ -1605,14 +1605,14 @@ sub generate_matrix() {
if ( $chain2 ) { if ( $chain2 ) {
if ( @$exclusions ) { if ( @$exclusions ) {
add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" ); add_rule $filter_table->{4}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" );
add_rule $filter_table->{"${zone}_input"} , "-j $chain2"; add_rule $filter_table->{4}{"${zone}_input"} , "-j $chain2";
} else { } else {
add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" ); add_rule $filter_table->{4}{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" );
} }
} }
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" ) add_rule $filter_table->{4}{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
if $complex && $hostref->{ipsec} ne 'ipsec'; if $complex && $hostref->{ipsec} ne 'ipsec';
$needbroadcast{$interface}{$source} = 1 if get_interface_option $interface, 'detectnets'; $needbroadcast{$interface}{$source} = 1 if get_interface_option $interface, 'detectnets';
@ -1624,11 +1624,11 @@ sub generate_matrix() {
if ( $chain1 ) { if ( $chain1 ) {
for my $interface ( keys %needbroadcast ) { for my $interface ( keys %needbroadcast ) {
if ( $capabilities{ADDRTYPE} ) { if ( $capabilities{ADDRTYPE} ) {
add_rule $filter_table->{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1"; add_rule $filter_table->{4}{output_chain $interface} , "-m addrtype --dst-type BROADCAST -j $chain1";
} else { } else {
my $interfaceref = find_interface( $interface ); my $interfaceref = find_interface( $interface );
my $chain = output_chain $interface; my $chain = output_chain $interface;
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{4}{$chain};
if ( $interfaceref->{broadcasts} ) { if ( $interfaceref->{broadcasts} ) {
for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) { for my $address ( @{$interfaceref->{broadcasts}} , '255.255.255.255' ) {
@ -1644,7 +1644,7 @@ sub generate_matrix() {
} }
} }
add_rule $filter_table->{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1"; add_rule $filter_table->{4}{output_chain $interface} , "-d 224.0.0.0/4 -j $chain1";
} }
} }
# #
@ -1659,7 +1659,7 @@ sub generate_matrix() {
ZONE1: ZONE1:
for my $zone1 ( non_firewall_zones ) { for my $zone1 ( non_firewall_zones ) {
my $zone1ref = find_zone( $zone1 ); my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; my $policy = $filter_table->{4}{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE'; next if $policy eq 'NONE';
@ -1709,7 +1709,7 @@ sub generate_matrix() {
ZONE1: ZONE1:
for my $zone1 ( @dest_zones ) { for my $zone1 ( @dest_zones ) {
my $zone1ref = find_zone( $zone1 ); my $zone1ref = find_zone( $zone1 );
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy}; my $policy = $filter_table->{4}{"${zone}2${zone1}"}->{policy};
next if $policy eq 'NONE'; next if $policy eq 'NONE';
@ -1728,8 +1728,8 @@ sub generate_matrix() {
while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) { while ( my ($interface, $sourceref) = ( each %needbroadcast ) ) {
if ( get_interface_option( $interface, 'bridge' ) ) { if ( get_interface_option( $interface, 'bridge' ) ) {
for my $source ( keys %$sourceref ) { for my $source ( keys %$sourceref ) {
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3"; add_rule $filter_table->{4}{forward_chain $interface} , "-o $interface ${source}-d 255.255.255.255 -j $chain3";
add_rule $filter_table->{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3"; add_rule $filter_table->{4}{forward_chain $interface} , "-o $interface ${source}-d 224.0.0.0/4 -j $chain3";
} }
} }
} }
@ -1740,7 +1740,7 @@ sub generate_matrix() {
next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge}; next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
} }
my $chainref = $filter_table->{$chain}; my $chainref = $filter_table->{4}{$chain};
my $exclusions1 = $zone1ref->{exclusions}; my $exclusions1 = $zone1ref->{exclusions};
my $dest_hosts_ref = $zone1ref->{hosts}; my $dest_hosts_ref = $zone1ref->{hosts};
@ -1787,7 +1787,7 @@ sub generate_matrix() {
for my $typeref ( values %$source_hosts_ref ) { for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( keys %$typeref ) { for my $interface ( keys %$typeref ) {
my $arrayref = $typeref->{$interface}; my $arrayref = $typeref->{$interface};
my $chain3ref = $filter_table->{forward_chain $interface}; my $chain3ref = $filter_table->{4}{forward_chain $interface};
for my $hostref ( @$arrayref ) { for my $hostref ( @$arrayref ) {
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
for my $type1ref ( values %$dest_hosts_ref ) { for my $type1ref ( values %$dest_hosts_ref ) {
@ -1826,7 +1826,7 @@ sub generate_matrix() {
for my $typeref ( values %$source_hosts_ref ) { for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( keys %$typeref ) { for my $interface ( keys %$typeref ) {
my $arrayref = $typeref->{$interface}; my $arrayref = $typeref->{$interface};
my $chain2ref = $filter_table->{forward_chain $interface}; my $chain2ref = $filter_table->{4}{forward_chain $interface};
for my $hostref ( @$arrayref ) { for my $hostref ( @$arrayref ) {
for my $net ( @{$hostref->{hosts}} ) { for my $net ( @{$hostref->{hosts}} ) {
add_rule $chain2ref, match_source_net($net) . "-j $last_chain"; add_rule $chain2ref, match_source_net($net) . "-j $last_chain";
@ -1842,32 +1842,32 @@ sub generate_matrix() {
# Now add the jumps to the interface chains from FORWARD, INPUT, OUTPUT and POSTROUTING # Now add the jumps to the interface chains from FORWARD, INPUT, OUTPUT and POSTROUTING
# #
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface; add_rule $filter_table->{4}{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
add_rule $filter_table->{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface; add_rule $filter_table->{4}{INPUT} , match_source_dev( $interface ) . "-j " . input_chain $interface;
add_rule $filter_table->{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' ); add_rule $filter_table->{4}{OUTPUT} , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface ); addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
} }
my $fw = firewall_zone; my $fw = firewall_zone;
my $chainref = $filter_table->{"${fw}2${fw}"}; my $chainref = $filter_table->{4}{"${fw}2${fw}"};
add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' ); add_rule $filter_table->{4}{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT'; add_rule $filter_table->{4}{INPUT} , '-i lo -j ACCEPT';
my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] , my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] , nat=> [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
filter=> [ qw/INPUT FORWARD OUTPUT/ ] ); filter=> [ qw/INPUT FORWARD OUTPUT/ ] );
complete_standard_chain $filter_table->{INPUT} , 'all' , firewall_zone; complete_standard_chain $filter_table->{4}{INPUT} , 'all' , firewall_zone;
complete_standard_chain $filter_table->{OUTPUT} , firewall_zone , 'all'; complete_standard_chain $filter_table->{4}{OUTPUT} , firewall_zone , 'all';
complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all'; complete_standard_chain $filter_table->{4}{FORWARD} , 'all' , 'all';
if ( $config{LOGALLNEW} ) { if ( $config{LOGALLNEW} ) {
for my $table qw/mangle nat filter/ { for my $table qw/mangle nat filter/ {
for my $chain ( @{$builtins{$table}} ) { for my $chain ( @{$builtins{$table}} ) {
log_rule_limit log_rule_limit
$config{LOGALLNEW} , $config{LOGALLNEW} ,
$chain_table{$table}{$chain} , $chain_table{$table}{4}{$chain} ,
$table , $table ,
$chain , $chain ,
'' , '' ,
@ -1883,7 +1883,7 @@ sub setup_mss( ) {
my $clampmss = $config{CLAMPMSS}; my $clampmss = $config{CLAMPMSS};
my $option; my $option;
my $match = ''; my $match = '';
my $chainref = $filter_table->{FORWARD}; my $chainref = $filter_table->{4}{FORWARD};
if ( $clampmss ) { if ( $clampmss ) {
if ( "\L$clampmss" eq 'yes' ) { if ( "\L$clampmss" eq 'yes' ) {
@ -1906,7 +1906,7 @@ sub setup_mss( ) {
# #
# Send all forwarded SYN packets to the 'settcpmss' chain # Send all forwarded SYN packets to the 'settcpmss' chain
# #
add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss"; add_rule $filter_table->{4}{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j settcpmss";
my $in_match = ''; my $in_match = '';
my $out_match = ''; my $out_match = '';


@ -570,21 +570,21 @@ sub setup_tc() {
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF'; $mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
for my $interface ( @routemarked_interfaces ) { for my $interface ( @routemarked_interfaces ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre"; add_rule $mangle_table->{4}{PREROUTING} , "-i $interface -j tcpre";
} }
} }
add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre"; add_rule $mangle_table->{4}{PREROUTING} , "$mark_part -j tcpre";
add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcout"; add_rule $mangle_table->{4}{OUTPUT} , "$mark_part -j tcout";
if ( $capabilities{MANGLE_FORWARD} ) { if ( $capabilities{MANGLE_FORWARD} ) {
add_rule $mangle_table->{FORWARD} , '-j tcfor'; add_rule $mangle_table->{4}{FORWARD} , '-j tcfor';
add_rule $mangle_table->{POSTROUTING} , '-j tcpost'; add_rule $mangle_table->{4}{POSTROUTING} , '-j tcpost';
} }
if ( $config{HIGH_ROUTE_MARKS} ) { if ( $config{HIGH_ROUTE_MARKS} ) {
for my $chain qw(INPUT FORWARD POSTROUTING) { for my $chain qw(INPUT FORWARD POSTROUTING) {
insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark 0xFF'; insert_rule $mangle_table->{4}{$chain}, 1, '-j MARK --and-mark 0xFF';
} }
} }
} }
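Review bot: The IP-version key is written as the bare literal `4` at every `$mangle_table->{4}{...}` access in this hunk, and the same literal is repeated across the `$filter_table->{4}` and `$chain_table{...}{4}` accesses in the earlier hunks of this commit; when the IPv6 side of the table is populated, each of these sites will have to be found and changed by hand. Taking the level once at the top of the function, e.g. `my $mangle4 = $mangle_table->{4};` and then `add_rule $mangle4->{PREROUTING}, "$mark_part -j tcpre";`, or exporting a named constant for the level from the module that defines the chain table, keeps the version choice in one place. The body of setup_tc begins before this hunk, so the best place for such a variable is not visible here.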


@ -55,7 +55,11 @@ our @EXPORT = qw( NOTHING
firewall_zone firewall_zone
defined_zone defined_zone
zone_type zone_type
zone_ipv
all_zones all_zones
all_ipv4_zones
all_ipv6_zones
all_ipvN_zones
complex_zones complex_zones
non_firewall_zones non_firewall_zones
single_interface single_interface
@ -567,10 +571,27 @@ sub defined_zone( $ ) {
$zones{$_[0]}; $zones{$_[0]};
} }
sub zone_ipv( $ ) {
find_zone( $_[0] )->{type} & ZT_FIREWALL;
}
sub all_zones() { sub all_zones() {
@zones; @zones;
} }
sub all_ipv4_zones() {
grep ( $zones{$_}{type} & ZT_IPV4 , @zones );
}
sub all_ipv6_zones() {
grep ( $zones{$_}{type} & ZT_IPV4 , @zones );
}
sub all_ipvN_zones($) {
my $ipv = $_[0];
grep ( ( $zones{$_}{type} & ZT_FIREWALL ) == $ipv , @zones );
}
sub non_firewall_zones() { sub non_firewall_zones() {
grep ( $zones{$_}{type} != ZT_FIREWALL , @zones ); grep ( $zones{$_}{type} != ZT_FIREWALL , @zones );
} }
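Review bot: `all_ipv6_zones` filters on `ZT_IPV4`, the same mask as `all_ipv4_zones` on the lines just above it, so the two new subs return exactly the same list; the IPv6 variant should test the IPv6 zone-type flag (not shown on this page) instead. `zone_ipv` and `all_ipvN_zones` also look unfinished: they mask `{type}` with `ZT_FIREWALL`, and if that is a single type bit as the existing `$zones{$_}{type} != ZT_FIREWALL` test in `non_firewall_zones` suggests, `zone_ipv` can only return 0 or that bit rather than 4 or 6, and `( ... & ZT_FIREWALL ) == $ipv` in `all_ipvN_zones` will never match a caller passing 4 or 6. The four new subs are exported from `@EXPORT` in the first hunk, so callers elsewhere will rely on these return values; a short comment on each stating what `{type}` encodes for the IP version would make the intended contract checkable.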