From 5fabfc4ba408e0e9ac27f573a12ff1ca3d59f455 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 11 Sep 2007 17:29:41 +0000
Subject: [PATCH] Back out chain table partitioning
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7317 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Actions.pm | 2 +-
 Shorewall-perl/Shorewall/Chains.pm | 118 +++++++++++-----------------
 Shorewall-perl/Shorewall/Rules.pm | 6 +-
 Shorewall-perl/Shorewall/Zones.pm | 16 ++--
 4 files changed, 54 insertions(+), 88 deletions(-)
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index 6fb10e804..55856beac 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -266,7 +266,7 @@ sub createlogactionchain( $$ ) {
 $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
- while ( $chain_table->{'%' . $chain . $actionref->{actchain}} ) {
+ while ( $chain_table{'%' . $chain . $actionref->{actchain}} ) {
 $chain = substr $chain, 0, 27 if $actionref->{actchain} == 10 and length $chain == 28;
 }
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index a9493be33..8b2ed2af2 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -118,8 +118,7 @@ our @EXPORT = qw( STANDARD
 create_netfilter_load
 create_chainlist_reload
- $chain_table
- $ipv
+ %chain_table
 $nat_table
 $mangle_table
 $filter_table
@@ -133,28 +132,27 @@ our $VERSION = '4.04';
 #
 # Chain Table
 #
-# %chains { <4|6> => { => { => { name =>
-# table =>
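Review bot: The loop condition in createlogactionchain indexes `%chain_table` with a chain name, `$chain_table{'%' . $chain . $actionref->{actchain}}`, whereas every other hunk in this commit addresses chains as `$chain_table{$table}{$chain}` and initialize() populates the first level only with `raw`, `mangle`, `nat` and `filter`, so this lookup cannot match an existing chain and the name-collision check never fires. The table is not visible in the hunk; if these are filter-table chains the test should read `while ( $chain_table{filter}{'%' . $chain . $actionref->{actchain}} ) {` (or go through `$filter_table`). Note also that the loop body only shortens `$chain` and never advances `actchain`, so once the lookup is corrected a true condition could repeat indefinitely; that deserves a second look at the same time. The rest of createlogactionchain lies outside the hunk.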
-# is_policy => 0|1
-# is_optional => 0|1
-# referenced => 0|1
-# log =>
-# policy =>
-# policychain => -- self-reference if this is a policy chain
-# policypair => [ , ] -- Used for reporting duplicated policies
-# loglevel =>
-# synparams =>
-# synchain =>
-# default =>
-# cmdlevel =>
-# rules => [
-#
-# ...
-# ]
-# } ,
-# => ...
-# }
-# }
+# %chain_table {
=> { => { name =>
+# table =>
+# is_policy => 0|1
+# is_optional => 0|1
+# referenced => 0|1
+# log =>
+# policy =>
+# policychain => -- self-reference if this is a policy chain
+# policypair => [ , ] -- Used for reporting duplicated policies
+# loglevel =>
+# synparams =>
+# synchain =>
+# default =>
+# cmdlevel =>
+# rules => [
+#
+# ...
+# ]
+# } ,
+# => ...
+# }
 # }
 #
 # 'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
@@ -164,10 +162,7 @@ our $VERSION = '4.04';
 #
 # 'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
 #
-
-our %chains;
-our $ipv;
-our $chain_table;
+our %chain_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -234,13 +229,14 @@ our $mode;
 #
 sub initialize() {
- %chains = ( 4 => { raw => {} ,
- mangle => {} ,
- nat => {} ,
- filter => {} } ,
- 6 => { raw => {} ,
- mangle => {} ,
- filter => {} } );
+ %chain_table = ( raw => {} ,
+ mangle => {},
+ nat => {},
+ filter => {} );
+
+ $nat_table = $chain_table{nat};
+ $mangle_table = $chain_table{mangle};
+ $filter_table = $chain_table{filter};
 #
 # These get set to 1 as sections are encountered.
@@ -312,31 +308,8 @@ sub initialize() {
 %interfacebcasts = ();
 }
-sub switch_to_ipv4() {
- $ipv = 4;
-
- $chain_table = $chains{4};
-
- $nat_table = $chain_table->{nat};
- $mangle_table = $chain_table->{mangle};
- $filter_table = $chain_table->{filter};
-
-}
-
-sub switch_to_ipv6() {
- $ipv = 6;
-
- $chain_table = $chains{6};
-
- $nat_table = undef;
- $mangle_table = $chain_table->{mangle};
- $filter_table = $chain_table->{filter};
-
-}
-
 INIT {
 initialize;
- switch_to_ipv4;
 }
 #
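Review bot: In initialize() the `$nat_table`, `$mangle_table` and `$filter_table` assignments take references to the anonymous hashes built by the `%chain_table = ( ... )` statement just above, so the three exported aliases stay valid only as long as no other code reassigns `%chain_table` wholesale; nothing in the hunk records that constraint, and the now-deleted switch_to_ipv4()/switch_to_ipv6() were the only place it was previously visible. A comment on the first alias, `# Per-table aliases into %chain_table; refresh them here, never by reassigning %chain_table elsewhere`, would make the invariant explicit for the next maintainer. The `raw` entry gets no alias, which is fine if it is only ever reached by name, but the same comment is the place to say so.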
@@ -601,15 +574,14 @@ sub new_chain($$) {
 my ($table, $chain) = @_;
- warning_message "Internal error in new_chain()" if $chain_table->{$table}{$chain};
+ warning_message "Internal error in new_chain()" if $chain_table{$table}{$chain};
- $chain_table->{$table}{$chain} = { name => $chain,
- rules => [],
- table => $table,
- ipv => $ipv,
- loglevel => '',
- log => 1,
- cmdlevel => 0 };
+ $chain_table{$table}{$chain} = { name => $chain,
+ rules => [],
+ table => $table,
+ loglevel => '',
+ log => 1,
+ cmdlevel => 0 };
 }
 #
@@ -629,7 +601,7 @@ sub ensure_chain($$) {
 my ($table, $chain) = @_;
- my $ref = $chain_table->{$table}{$chain};
+ my $ref = $chain_table{$table}{$chain};
 return $ref if $ref;
@@ -763,7 +735,7 @@ sub finish_section ( $ ) {
 for my $zone ( all_zones ) {
 for my $zone1 ( all_zones ) {
- my $chainref = $chain_table->{'filter'}{"${zone}2${zone1}"};
+ my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
 if ( $chainref->{referenced} ) {
 finish_chain_section $chainref, $sections;
 }
@@ -1992,7 +1964,7 @@ sub create_netfilter_load() {
 # iptables-restore seems to be quite picky about the order of the builtin chains
 #
 for my $chain ( @builtins ) {
- my $chainref = $chain_table->{$table}{$chain};
+ my $chainref = $chain_table{$table}{$chain};
 if ( $chainref ) {
 fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
 emit_unindented ":$chain $chainref->{policy} [0:0]";
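Review bot: new_chain() still overwrites an existing `$chain_table{$table}{$chain}` entry after only a warning_message, discarding that chain's `rules` array and flags, so a duplicate creation silently drops rules already collected for that chain rather than stopping the compile. Either promote the check to `fatal_error "Internal error in new_chain()" if $chain_table{$table}{$chain};`, or, if callers rely on the hashref this sub yields as its last expression, keep the warning and hand back the existing entry with `if ( my $existing = $chain_table{$table}{$chain} ) { warning_message "Internal error in new_chain()"; return $existing }`. ensure_chain() in the following hunk already provides create-if-missing semantics for callers that do not know whether the chain exists, so the duplicate path here should be the hard error.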
@@ -2002,8 +1974,8 @@ sub create_netfilter_load() {
 #
 # First create the chains in the current table
 #
- for my $chain ( grep $chain_table->{$table}{$_}->{referenced} , ( sort keys %{$chain_table->{$table}} ) ) {
- my $chainref = $chain_table->{$table}{$chain};
+ for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
+ my $chainref = $chain_table{$table}{$chain};
 unless ( $chainref->{builtin} ) {
 fatal_error "Internal error in create_netfilter_load()" if $chainref->{cmdlevel};
 emit_unindented ":$chainref->{name} - [0:0]";
@@ -2086,7 +2058,7 @@ sub create_chainlist_reload($) {
 ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
- fatal_error "No $table chain found with name $chain" unless $chain_table->{$table}{$chain};
+ fatal_error "No $table chain found with name $chain" unless $chain_table{$table}{$chain};
 $chains{$table} = [] unless $chains{$table};
@@ -2098,7 +2070,7 @@ sub create_chainlist_reload($) {
 emit_unindented "*$table";
- my $tableref=$chain_table->{$table};
+ my $tableref=$chain_table{$table};
 @chains = sort @{$chains{$table}};
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 8f5f2f4ca..e606b32c6 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -756,7 +756,7 @@ sub setup_mac_lists( $ ) {
 fatal_error "No hosts on $interface have the maclist option specified";
 }
- my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+ my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 $mac = '' unless $mac && ( $mac ne '-' );
 $addresses = '' unless $addresses && ( $addresses ne '-' );
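Review bot: `$chains{$table} = [] unless $chains{$table};` in create_chainlist_reload, and `@chains = sort @{$chains{$table}};` in the hunk after it, use `%chains` and `@chains`, while this commit removes the package-level `our %chains` from Chains.pm; unless both are declared with `my` earlier in the sub (outside these hunks) the module no longer compiles under `use strict`. Please confirm those lexical declarations exist, or add `my ( %chains, @chains );` near the top of the sub. Separately, initialize() now seeds a `raw` entry in `%chain_table`, but the `/^(nat|mangle|filter)$/` check two lines above the changed line rejects `raw:CHAIN` as an invalid table, so a raw-table chain can never be selected for reload even though it exists in the table; if that is intended, a one-line comment on the regex saying so would stop the next reader from filing it as a bug.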
@@ -802,7 +802,7 @@ sub setup_mac_lists( $ ) {
 }
 } else {
 for my $interface ( @maclist_interfaces ) {
- my $chainref = $chain_table->{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+ my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 my $chain = $chainref->{name};
 if ( $level ne '' || $disposition ne 'ACCEPT' ) {
@@ -1867,7 +1867,7 @@ sub generate_matrix() {
 for my $chain ( @{$builtins{$table}} ) {
 log_rule_limit $config{LOGALLNEW} ,
- $chain_table->{$table}{$chain} ,
+ $chain_table{$table}{$chain} ,
 $table ,
 $chain ,
 '' ,
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index b3b00f6a6..4d666f91f 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -129,7 +129,7 @@ our %reservedName = ( all => 1,
 # Zone Types
 #
 use constant { ZT_IPV4 => 1,
- ZT_IPV6 => 2,
+ ZT_IPV6 => 2
 ZT_FIREWALL => 3, #ZT_IPV4 + ZT_IPV6
 ZT_IPSEC => 4,
 ZT_IPSEC4 => 5, #ZT_IPV4 + ZT_IPSEC
@@ -156,10 +156,7 @@ our %zonetypes = ( 1 => 'ipv4' ,
 # options => { = ,
 # ...
 # }
-# zone => { { => ,
-# { => ,
-# ...
-# }
+# zone =>
 # bridge =>
 # broadcasts => 'none', 'detect' or [ , , ... ]
 # }
@@ -496,7 +493,7 @@ sub add_group_to_zone($$$$$)
 my $arrayref;
 my $zoneref = $zones{$zone};
 my $zonetype = $zoneref->{type};
- my $ifacezone = $interfaces{$interface}{$zonetype}{zone};
+ my $ifacezone = $interfaces{$interface}{zone};
 $zoneref->{interfaces}{$interface} = 1;
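Review bot: The replacement line `ZT_IPV6 => 2` in the `use constant { ... }` block of Zones.pm has lost the trailing comma that the removed line carried, so as shown here the list continues `2 ZT_FIREWALL => 3,` and the module will fail to compile with a syntax error. Restore it as `ZT_IPV6 => 2,`. If the comma is present in the committed file and was only lost in rendering, no change is needed, but the diff as rendered does not show it.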
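Review bot: In add_group_to_zone the context line `my $zonetype = $zoneref->{type};` survives, but its only use within this hunk, the `{$zonetype}{zone}` subscript, is removed by the commit; if nothing further down the sub (outside the hunk) reads `$zonetype`, the declaration is now dead and should be dropped, since it suggests a per-type interface lookup that no longer exists. The sub's body continues outside the hunk, so please check before removing it.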
@@ -809,12 +806,9 @@ sub validate_interfaces_file( $ )
 @networks = allipv4;
 }
- my $zonetype = $zoneref->{type};
+ add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
- add_group_to_zone( $zone, $zonetype, $interface, \@networks, $optionsref ) if $zone && @networks;
-
- $interfaces{$interface}{$zonetype}{zone} = $zone; #Must follow the call to add_group_to_zone()
- $interfaces{$interface}{zone} = 1;
+ $interfaces{$interface}{zone} = $zone; #Must follow the call to add_group_to_zone()
 progress_message " Interface \"$currentline\" Validated";